EC2 instance cannot communicate with ECS service

Question

I'm new to AWS networking and ECS. I'm trying to get an EC2 instance to communicate with a container running on Fargate in ECS. I am unable to ping the public IP address of the task from the EC2 instance. I have checked the following:

• everything is in the same VPC
• subnets for the EC2 instance and container share the same route table which allows all local traffic for the relevant subnets
• all subnets have the same network ACL which allows all inbound and outbound traffic on all ports
• the security group for the ECS service has an inbound rule on the specified port with a source that is the security group of the EC2 instance
• the security group of the EC2 instance allows outbound traffic on all ports

Answer 1

I am unable to ping the public IP address of the task from the EC2 instance.

You have to use the private IP of the ECS task instead of the public IP for this to work. When you use the public IP, the request from the EC2 instance exits the VPC, goes out to the Internet, and back into the VPC, at which point the request is no longer associated with the EC2 instance's security group, so the inbound rule on the ECS task doesn't recognize the request and blocks it.

When you use the private IP, all traffic stays inside the VPC, and requests retain their association with their source security groups.

---

Also, note that ping isn't a good debugging tool here, because it uses the ICMP protocol, which is blocked by default in AWS security groups.