ECS cluster cannot run tasks in private subnet when using EC2

Submitted by 橙三吉。 on 2020-01-16 01:19:10

Question


I have a task definition that is configured to use awsvpc network mode. According to this:

Only private subnets are supported for the awsvpc network mode. Because tasks do not receive public IP addresses, a NAT gateway is required for outbound internet access, and inbound internet traffic should be routed through a load balancer.

I set up a NAT gateway in a public subnet (that has an internet gateway) and configured the route table in the private subnet to send the traffic to the NAT gateway. But when I want to create a task that resides in the private subnet I get:

Run tasks failed Reasons : ["ATTRIBUTE"]. Learn more

If I choose the public subnet that the EC2 instance itself uses, it creates the task. But I cannot access the internet inside my tasks.
My final goal is to get access to the internet from my tasks on the EC2 instance.

UPDATE: My task definition:

{
  "ipcMode": null,
  "executionRoleArn": "arn:aws:iam::783294628224:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "dnsSearchDomains": null,
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/TEST-Task-Definition",
          "awslogs-region": "us-west-2",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "entryPoint": null,
      "portMappings": [
        {
          "hostPort": 8500,
          "protocol": "tcp",
          "containerPort": 8500
        },
        {
          "hostPort": 8501,
          "protocol": "tcp",
          "containerPort": 8501
        }
      ],
      "command": null,
      "linuxParameters": null,
      "cpu": 0,
      "environment": [],
      "resourceRequirements": null,
      "ulimits": null,
      "dnsServers": null,
      "mountPoints": [],
      "workingDirectory": null,
      "secrets": null,
      "dockerSecurityOptions": null,
      "memory": null,
      "memoryReservation": 500,
      "volumesFrom": [],
      "stopTimeout": null,
      "image": "<MY ECR REPOSITORY ADDRESS FOR IMAGE 1>",
      "startTimeout": null,
      "dependsOn": null,
      "disableNetworking": null,
      "interactive": null,
      "healthCheck": null,
      "essential": true,
      "links": null,
      "hostname": null,
      "extraHosts": null,
      "pseudoTerminal": null,
      "user": "root",
      "readonlyRootFilesystem": null,
      "dockerLabels": null,
      "systemControls": null,
      "privileged": true,
      "name": "backend"
    },
    {
      "dnsSearchDomains": null,
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/TEST-Task-Definition",
          "awslogs-region": "us-west-2",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "entryPoint": null,
      "portMappings": [
        {
          "hostPort": 80,
          "protocol": "tcp",
          "containerPort": 80
        }
      ],
      "command": null,
      "linuxParameters": null,
      "cpu": 0,
      "environment": [],
      "resourceRequirements": null,
      "ulimits": null,
      "dnsServers": null,
      "mountPoints": [],
      "workingDirectory": null,
      "secrets": null,
      "dockerSecurityOptions": null,
      "memory": null,
      "memoryReservation": 500,
      "volumesFrom": [],
      "stopTimeout": null,
      "image": "<MY ECR REPOSITORY ADDRESS FOR IMAGE 2>",
      "startTimeout": null,
      "dependsOn": null,
      "disableNetworking": null,
      "interactive": null,
      "healthCheck": null,
      "essential": true,
      "links": null,
      "hostname": null,
      "extraHosts": null,
      "pseudoTerminal": null,
      "user": "root",
      "readonlyRootFilesystem": null,
      "dockerLabels": null,
      "systemControls": null,
      "privileged": true,
      "name": "frontend"
    }
  ],
  "memory": null,
  "taskRoleArn": "arn:aws:iam::783294628224:role/ecsTaskExecutionRole",
  "family": "TEST-Task-Definition",
  "pidMode": null,
  "requiresCompatibilities": [
    "EC2"
  ],
  "networkMode": "awsvpc",
  "cpu": null,
  "proxyConfiguration": null,
  "volumes": [],
  "placementConstraints": []
}

Answer 1:


I finally succeeded in fixing my problem. As far as I know, when using awsvpc network mode in the task definition, the tasks (or service) must be created in the EC2 instance's subnet. Additionally, if you want your tasks to have access to the internet, you should create a NAT gateway in another subnet which has a default route to an Internet Gateway that resides in your VPC. In the task/service/EC2 subnet you have to add a default route to the NAT gateway. The only problem that occurs is that you cannot SSH to your EC2 instance anymore. If you want to SSH to your EC2 instance, I think you should set up a Load Balancer.




Answer 2:


If you don't use https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html

make sure you have set the agent environment parameter ECS_ENABLE_TASK_ENI to true.
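Added example, not from the question or either answer: an offline checker that turns the two diagnoses above (the ECS agent not registering the task ENI capability, and the subnet's default route not pointing at a NAT gateway) into code. The dict shapes imitate EC2 DescribeRouteTables and ECS DescribeContainerInstances output; all IDs are constructed and no AWS call is made.

```python
TASK_ENI_ATTR = "ecs.capability.task-eni"  # registered by the agent when ECS_ENABLE_TASK_ENI=true

def default_route_target(route_table):
    """Target of the 0.0.0.0/0 route ('igw-...', 'nat-...') or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None

def subnet_kind(route_table):
    """Classify a subnet by where its default route points."""
    target = default_route_target(route_table)
    if target is None:
        return "isolated"            # no outbound internet path at all
    if target.startswith("igw-"):
        return "public"              # tasks launch here, but get no public IP under awsvpc
    if target.startswith("nat-"):
        return "private-with-nat"    # what Answer 1 ends up with
    return "unknown"

def instances_supporting_task_eni(container_instances):
    """EC2 instance IDs whose ECS agent registered the task ENI capability."""
    return [ci["ec2InstanceId"] for ci in container_instances
            if TASK_ENI_ATTR in {a["name"] for a in ci.get("attributes", [])}]

def diagnose(route_table, container_instances):
    """List the misconfigurations that explain the two symptoms in the question."""
    problems = []
    if not instances_supporting_task_eni(container_instances):
        problems.append("no container instance has %s; set ECS_ENABLE_TASK_ENI=true in "
                        "/etc/ecs/ecs.config (RunTask reports reason ATTRIBUTE)" % TASK_ENI_ATTR)
    kind = subnet_kind(route_table)
    if kind == "isolated":
        problems.append("subnet has no default route; add 0.0.0.0/0 -> NAT gateway")
    elif kind == "public":
        problems.append("subnet defaults to an internet gateway; awsvpc tasks have no public IP, "
                        "so use a subnet whose default route is a NAT gateway")
    return problems

# Constructed sample data shaped like DescribeRouteTables / DescribeContainerInstances output.
PRIVATE_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]}
PUBLIC_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}
INSTANCES_OK = [{"ec2InstanceId": "i-0example", "attributes": [{"name": TASK_ENI_ATTR}]}]
INSTANCES_NO_ENI = [{"ec2InstanceId": "i-0example",
                     "attributes": [{"name": "com.amazonaws.ecs.capability.docker-remote-api.1.17"}]}]

if __name__ == "__main__":
    print(diagnose(PUBLIC_RT, INSTANCES_NO_ENI))  # constructed failing case: two problems
```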



Source: https://stackoverflow.com/questions/55575476/ecs-cluster-cannot-run-tasks-in-private-subnet-when-using-ec2
