Reputation: 2522
I created an ECS service in an AWS ECS cluster. My container uses the awsvpc network mode. The service has no load balancer.
But it cannot reach any public internet resources.
When I go to the ECS instance and ssh into the Docker container, I cannot wget any public resources.
root@ip-10-3-1-23:/app# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 *^C
root@ip-10-3-1-23:/app# wget google.com
--2019-08-31 22:34:38-- http://google.com/
Resolving google.com (google.com)... 172.217.9.206, 2607:f8b0:4004:807::200e
Connecting to google.com (google.com)|172.217.9.206|:80... ^C
root@ip-10-3-1-23:/app#
EC2 instance security group:

Inbound:
Type             Protocol  Port Range  Source                Description
All TCP          TCP       0 - 65535   10.3.0.0/16
SSH              TCP       22          sg-5c260123           mgmt-bastion
Custom TCP Rule  TCP       51678       sg-0784b8f53ab37c234  mgmt-jenkins-sg

Outbound:
Type             Protocol  Port Range  Source                Description
All traffic      All       All         0.0.0.0/0
Service security group:

Inbound:
Type             Protocol  Port Range  Source                Description
All TCP          TCP       0 - 65535   10.3.0.0/16

Outbound:
Type             Protocol  Port Range  Source                Description
All traffic      All       All         0.0.0.0/0
Could you help me debug this and allow internet access, please?
Upvotes: 21
Views: 10260
Reputation: 2522
I fixed the issue by adding one entry to the route table of the subnet where the ECS task is created.
Destination   Target
10.3.0.0/16   local
0.0.0.0/0     nat-02dcc4c6b32bdae00
Upvotes: 4
Reputation: 3203
From the AWS documentation:
The awsvpc network mode does not provide task ENIs with public IP addresses for tasks that use the EC2 launch type. To access the internet, tasks that use the EC2 launch type must be launched in a private subnet that is configured to use a NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide. Inbound network access must be from within the VPC using the private IP address or DNS hostname, or routed through a load balancer from within the VPC. Tasks launched within public subnets do not have outbound network access.
Upvotes: 18
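The two answers above state the rule (awsvpc task ENIs on the EC2 launch type get no public IP, so the subnet's route table must send 0.0.0.0/0 to a NAT gateway) and the fix (the route table entry). As an added example, not code from either answer or from AWS, here is a small Python check that applies that rule to route-table data of the shape `aws ec2 describe-route-tables` returns. All IDs and the sample JSON below are constructed for the example; the helper names are this example's own.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output:
# a public subnet (default route to an internet gateway), a private subnet
# (default route to a NAT gateway), and the VPC main table with no default
# route, which is the state the question describes. IDs are made up.
SAMPLE_ROUTE_TABLES = json.loads("""
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-public-EXAMPLE",
      "VpcId": "vpc-EXAMPLE",
      "Associations": [{"SubnetId": "subnet-public-EXAMPLE", "Main": false}],
      "Routes": [
        {"DestinationCidrBlock": "10.3.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-private-EXAMPLE",
      "VpcId": "vpc-EXAMPLE",
      "Associations": [{"SubnetId": "subnet-private-EXAMPLE", "Main": false}],
      "Routes": [
        {"DestinationCidrBlock": "10.3.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-main-EXAMPLE",
      "VpcId": "vpc-EXAMPLE",
      "Associations": [{"Main": true}],
      "Routes": [
        {"DestinationCidrBlock": "10.3.0.0/16", "GatewayId": "local", "State": "active"}
      ]
    }
  ]
}
""")


def route_table_for_subnet(route_tables, subnet_id):
    """Return the table explicitly associated with subnet_id, else the VPC main table.

    This mirrors how VPC routing works: a subnet without an explicit association
    falls back to the main route table.
    """
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt):
    """Return ("nat"|"igw"|"other", target_id) for the active 0.0.0.0/0 route, or (None, None)."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if "NatGatewayId" in route:
            return "nat", route["NatGatewayId"]
        gw = route.get("GatewayId", "")
        if gw.startswith("igw-"):
            return "igw", gw
        # Anything else (transit gateway, peering, instance, ...) needs manual review.
        return "other", gw or next(iter(v for k, v in route.items() if k.endswith("Id")), "")
    return None, None


def check_awsvpc_egress(route_tables, subnet_id):
    """Classify internet egress for an awsvpc task (EC2 launch type) placed in subnet_id.

    Returns one of:
      "ok-nat"           default route goes to a NAT gateway (the fix from the accepted answer)
      "igw-no-public-ip" default route goes to an internet gateway, which does not help because
                         the task ENI has no public IP (public subnets give no outbound access)
      "no-default-route" no 0.0.0.0/0 route at all (the state in the question)
      "other"            default route exists but points somewhere this check does not classify
      "no-route-table"   subnet matched no table, not even a main one (malformed input)
    """
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return "no-route-table"
    kind, _target = default_route_target(rt)
    if kind is None:
        return "no-default-route"
    return {"nat": "ok-nat", "igw": "igw-no-public-ip"}.get(kind, "other")


if __name__ == "__main__":
    for subnet in ("subnet-private-EXAMPLE", "subnet-public-EXAMPLE", "subnet-unassociated-EXAMPLE"):
        print(subnet, "->", check_awsvpc_egress(SAMPLE_ROUTE_TABLES, subnet))
```

To use it against a real account, replace `SAMPLE_ROUTE_TABLES` with the parsed output of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<your-vpc-id>` and pass the subnet ID from the ECS task's network configuration. The "igw-no-public-ip" result is the case that trips people up: the route table looks fine for a public subnet, but an awsvpc task on EC2 still has no way out.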