toing_toing

Reputation: 2442

Security group configuration for Fargate task accessing EC2 not working

I have quite a weird problem with an AWS setup which I thought would be straightforward.

I have a Fargate task which is run from a Lambda function. The awsvpc config for this Fargate task is as follows:

'awsvpcConfiguration': {
    'subnets': [
        'subnet-toing',
        'subnet-xxxx',
        'subnet-yyyy'
    ],
    'securityGroups': [
        'sg-toing'
    ],
    'assignPublicIp': 'ENABLED'
}

The Fargate task runs a Docker image that connects to an EC2 instance (with its IP mapped to db.toing.kp) which runs a DB on, let's say, port n. My EC2 instance's security group is configured to allow requests from sg-toing on port n. The EC2 instance runs on the subnet-toing subnet. All the subnets are in the same VPC.

Just as extra info: in my EC2 instance, the hosts file has a line to resolve requests on its subnet. Let's say the instance's local IP is 172.x.y.z. There is a line:

172.x.y.z db.toing.kp

This is basically for replication tasks, so the DB data won't go all over the internet to connect to the replicas.

So the problem is that when I try to run the Fargate task, it cannot connect to the EC2 instance; the connection times out.

However, if I remove the firewall rule for connections from the sg-toing security group and allow all, everything works as expected. Can someone please explain why the EC2 instance would not accept connections from the fargate task with this config? Thanks in advance.

Upvotes: 1

Views: 1763
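An added example, not part of the question or the answer, that works through the security-group side of the setup described above. It mimics the shape of the EC2 DescribeSecurityGroups response (as boto3's describe_security_groups returns it) on constructed sample data, and checks whether the instance's group admits the task's group on the DB port, distinguishes a group-reference rule from an allow-all CIDR rule (the "allow all" that made things work in the question), and flags the common reason a group-reference rule silently fails to match: the client resolved the DB host to a public address, while security-group references only match traffic arriving from the private IPs of the referenced network interfaces. The group ID sg-ec2db, port 5432 standing in for "port n", and the sample addresses are placeholders I chose; the RFC 1918 check assumes the VPC uses private address space as in the question's 172.x.y.z example.

```python
"""Offline check of security-group-to-security-group ingress (added example).

Data structures copy the shape of EC2 DescribeSecurityGroups output so the
same functions can be pointed at a real boto3 response; everything below is
constructed sample data, not output from the question's account.
"""
import ipaddress

TASK_SG = "sg-toing"   # group attached to the Fargate task's ENI (from the question)
DB_PORT = 5432         # placeholder for "port n" in the question

# Constructed: the EC2 instance's group, with the intended sg-reference rule.
DB_SECURITY_GROUP = {
    "GroupId": "sg-ec2db",  # placeholder id
    "IpPermissions": [
        {   # admits the task's group on the DB port: the setup the question describes
            "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
            "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-toing"}],
        },
        {   # SSH from an office range; irrelevant to the DB path
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": [],
        },
    ],
}

# Constructed: the "remove the rule and allow all" variant from the question.
OPEN_SECURITY_GROUP = {
    "GroupId": "sg-ec2db",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [],
    }],
}

# Assumption: the VPC is addressed from RFC 1918 space, as 172.x.y.z suggests.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_vpc_private(ip):
    """True if `ip` falls inside RFC 1918 space (our stand-in for 'VPC private IP')."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def rule_covers_port(rule, port, proto="tcp"):
    """True if the rule's protocol and port range include `port`."""
    if rule["IpProtocol"] == "-1":          # 'all traffic' rule has no port fields
        return True
    if rule["IpProtocol"] != proto:
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def ingress_allows(sg, source_sg, port, proto="tcp"):
    """Classify how `sg` admits traffic from `source_sg` on `port`:
    'sg-reference' (a rule names the source group), 'open-cidr' (0.0.0.0/0
    admits anyone), or None (nothing matches; the timeout in the question)."""
    for rule in sg["IpPermissions"]:
        if not rule_covers_port(rule, port, proto):
            continue
        if any(p.get("GroupId") == source_sg for p in rule.get("UserIdGroupPairs", [])):
            return "sg-reference"
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            return "open-cidr"
    return None


def diagnose(sg, task_sgs, port, target_ip, proto="tcp"):
    """Return a list of findings for a task carrying `task_sgs` that connects to
    `target_ip:port`, where `target_ip` is what the client resolved the DB
    hostname to. An empty list means the group configuration is consistent."""
    findings = []
    matches = {s: ingress_allows(sg, s, port, proto) for s in task_sgs}
    if not any(matches.values()):
        findings.append(f"no ingress rule on {sg['GroupId']} admits {task_sgs} on {proto}/{port}")
    # A rule that references a group only matches traffic from the private IPs
    # of that group's interfaces; a public target address bypasses it entirely.
    if "sg-reference" in matches.values() and not is_vpc_private(target_ip):
        findings.append(f"{target_ip} is not a VPC private address; the sg-reference rule will not match")
    return findings


if __name__ == "__main__":
    for label, sg, ip in (("private target", DB_SECURITY_GROUP, "172.31.10.5"),
                          ("public target", DB_SECURITY_GROUP, "198.51.100.9"),
                          ("allow-all", OPEN_SECURITY_GROUP, "198.51.100.9")):
        print(label, ingress_allows(sg, TASK_SG, DB_PORT), diagnose(sg, [TASK_SG], DB_PORT, ip))
```

To use this against a real account, replace the two constructed dictionaries with the `SecurityGroups[0]` entry of a describe_security_groups call for the instance's group, and pass the task's securityGroups list from the awsvpc configuration as `task_sgs`; resolving the DB hostname from inside the task tells you which `target_ip` the second check should see.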

Answers (1)

Harsha Jayamanna

Reputation: 2258

Your sg-toing is configured to accept requests from port n. But your host entry sends requests to 172.x.y.z, not 172.x.y.z:n.

If you can connect to your DB using the ip:port, without the host entry, there won't be an issue.

I hope this helps.

Upvotes: 1
