Register EC2 instance to ECS cluster without public ip

Submitted on 2019-12-22 04:18:18

Question


I'm having a hard time adding instances that are created in my VPC on a private subnet (no internet gateway attached to it) to an ECS cluster.

Right now the only way I've managed to do this was by adding a public IP and having a NAT instance/gateway configured.

How do you use ECS clusters with private subnets?


Answer 1:


I guess I've found the answer in the AWS documentation, and it seems I need to use a NAT instance/gateway :(

Another source, and also the official documentation:

"...Container instances need external network access to communicate with the Amazon ECS service endpoint, so if your container instances are running in a private VPC, they need a network address translation (NAT) instance to provide this access. For more information, see NAT Instances in the Amazon VPC User Guide."




Answer 2:


PrivateLink is now available for both ECS & ECR.

With PrivateLink you can register and operate your EC2 instances and Fargate in an ECS cluster without a public IP, and you can also access images from ECR.

Endpoints required:

For ECS:

EC2 Launch type:

com.amazonaws.region.ecs-agent
com.amazonaws.region.ecs-telemetry
com.amazonaws.region.ecs

Fargate Launch Type:

Just needs ECR & cloudwatch endpoints (mentioned below)

For ECR:

EC2 Launch type:

com.amazonaws.region.ecr.dkr
com.amazonaws.region.ecr.api
com.amazonaws.region.s3 (S3 gateway endpoint)

Fargate Launch Type:

com.amazonaws.region.ecr.dkr 
com.amazonaws.region.s3 (S3 gateway endpoint)

Additionally, if you use the awslogs driver, you have to add the CloudWatch endpoint as well: com.amazonaws.region.logs
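The endpoint list above, expressed as a Terraform configuration. This is an added example for the EC2 launch type with ECR pulls and the awslogs driver; it is not code from the answer or from AWS. The variables (vpc_id, private_subnet_ids, private_route_table_ids, ecs_instance_sg_id) are assumed inputs, not values from the page.

```hcl
# Added example (not from the Stack Overflow answers): Terraform for the
# PrivateLink endpoints listed in the answer, for an EC2-launch-type cluster
# that pulls from ECR and ships logs with the awslogs driver.
# Assumptions (placeholders, not values from the page): var.vpc_id,
# var.private_subnet_ids, var.private_route_table_ids, var.ecs_instance_sg_id.

variable "vpc_id"                  { type = string }
variable "private_subnet_ids"      { type = list(string) }
variable "private_route_table_ids" { type = list(string) }
variable "ecs_instance_sg_id"      { type = string } # SG attached to the container instances

data "aws_region" "current" {}

# Interface endpoints from the answer; the S3 gateway endpoint is a separate resource below.
locals {
  interface_services = [
    "ecs-agent",     # agent registration and polling
    "ecs-telemetry", # agent metrics
    "ecs",           # ECS API
    "ecr.api",       # ECR API (GetAuthorizationToken, BatchGetImage, ...)
    "ecr.dkr",       # Docker registry endpoint for layer pulls
    "logs",          # CloudWatch Logs, needed only for the awslogs driver
  ]
}

# Only the ECS container instances may reach the endpoint ENIs, and only on 443.
resource "aws_security_group" "vpce" {
  name        = "ecs-privatelink-endpoints"
  description = "HTTPS from ECS container instances to interface endpoints"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.ecs_instance_sg_id]
  }
}

resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(local.interface_services)
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.vpce.id]
  private_dns_enabled = true # the agent uses the public service hostnames, so they must resolve to the endpoint
}

# ECR stores image layers in S3, so image pulls also need the S3 gateway endpoint
# on the route tables of the private subnets.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}
```

Two things to check when this is applied: private DNS on interface endpoints requires the VPC to have DNS support and DNS hostnames enabled, and the container instances' own security group must allow outbound 443 to the endpoint security group (or to the VPC CIDR), otherwise the agent still cannot register even though no internet path is involved.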




Answer 3:


For registering your instance on ECS, you need external connectivity from the instances.

NAT is needed for outgoing connections from the instances on private subnet, but Public IP is not needed.

ECS launches a container on each of your servers which needs to connect to a service for managing state, and for this your instances on your private subnet need connectivity to the outside world through NAT.




Answer 4:


This question is hard to answer. ECS just literally launches EC2 instances according to your configuration. If you launch them in a subnet with no public IPs they won't have them. You have to have infrastructure in place to reach them, such as NAT, VPN, etc. There's no special configuration for ECS clusters. If you can reach your EC2 instances you should be able to reach the ECS instances.




Answer 5:


I was also trying to block public requests to the ECS instances by deploying the cluster into a private subnet, and later found out I needed a NAT server/gateway, which costs about 1 dollar a day.

If you just want to block the dodgy sniffing requests to your ECS instances, you can update the security group for your ECS instances while keeping them in a public subnet. That will save you $30/day.




Answer 6:


A VPC endpoint for ECS is now available. It's not officially announced yet (it is in the state "Coming soon" on AWS' public container roadmap).

It will cost a minimum of around $22/month (PrivateLink costs for 3 availability zones in us-east, without traffic costs), if they don't state otherwise.



Source: https://stackoverflow.com/questions/38599701/register-ec2-instance-to-ecs-cluster-without-public-ip
