aws-vpc 容器无法访问互联网
aws-vpc containers do not have access to the internet
我在 AWS ECS 集群中创建了 ECS 服务。
我的容器使用 awsvpc 网络模式。该服务没有负载平衡器。
但它不能触及任何 public 互联网资源。
当我转到 ECS 实例并通过 ssh 进入 docker 容器时,我无法获取任何 public 资源。
root@ip-10-3-1-23:/app# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 *^C
root@ip-10-3-1-23:/app# wget google.com
--2019-08-31 22:34:38-- http://google.com/
Resolving google.com (google.com)... 172.217.9.206, 2607:f8b0:4004:807::200e
Connecting to google.com (google.com)|172.217.9.206|:80... ^C
root@ip-10-3-1-23:/app#
EC2 实例安全组:
入站:
Type Protocol Port Range Source Description
All TCP TCP 0 - 65535 10.3.0.0/16
SSH TCP 22 sg-5c260123 (mgmt-bastion)
Custom TCP Rule TCP 51678 sg-0784b8f53ab37c234 (mgmt-jenkins-sg)
出站:
Type Protocol Port Range Source Description
All traffic All All 0.0.0.0/0
服务安全组:
入站:
Type Protocol Port Range Source Description
All TCP TCP 0 - 65535 10.3.0.0/16
出站:
Type Protocol Port Range Source Description
All traffic All All 0.0.0.0/0
能帮我调试一下吗,请问怎么允许上网?
The awsvpc network mode does not provide task ENIs with public IP addresses for tasks that use the EC2 launch type. To access the internet, tasks that use the EC2 launch type must be launched in a private subnet that is configured to use a NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide. Inbound network access must be from within the VPC using the private IP address or DNS hostname, or routed through a load balancer from within the VPC. Tasks launched within public subnets do not have outbound network access.
我通过在创建 ECS 任务的子网的路由 table 中添加一个条目解决了这个问题。
Destination Target
10.3.0.0/16 local
0.0.0.0/0 nat-02dcc4c6b32bdae00
我在 AWS ECS 集群中创建了 ECS 服务。 我的容器使用 awsvpc 网络模式。该服务没有负载平衡器。
但它不能触及任何 public 互联网资源。
当我转到 ECS 实例并通过 ssh 进入 docker 容器时,我无法获取任何 public 资源。
root@ip-10-3-1-23:/app# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 *^C
root@ip-10-3-1-23:/app# wget google.com
--2019-08-31 22:34:38-- http://google.com/
Resolving google.com (google.com)... 172.217.9.206, 2607:f8b0:4004:807::200e
Connecting to google.com (google.com)|172.217.9.206|:80... ^C
root@ip-10-3-1-23:/app#
EC2 实例安全组:
入站:
Type Protocol Port Range Source Description
All TCP TCP 0 - 65535 10.3.0.0/16
SSH TCP 22 sg-5c260123 (mgmt-bastion)
Custom TCP Rule TCP 51678 sg-0784b8f53ab37c234 (mgmt-jenkins-sg)
出站:
Type Protocol Port Range Source Description
All traffic All All 0.0.0.0/0
服务安全组:
入站:
Type Protocol Port Range Source Description
All TCP TCP 0 - 65535 10.3.0.0/16
出站:
Type Protocol Port Range Source Description
All traffic All All 0.0.0.0/0
能帮我调试一下吗,请问怎么允许上网?
The awsvpc network mode does not provide task ENIs with public IP addresses for tasks that use the EC2 launch type. To access the internet, tasks that use the EC2 launch type must be launched in a private subnet that is configured to use a NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide. Inbound network access must be from within the VPC using the private IP address or DNS hostname, or routed through a load balancer from within the VPC. Tasks launched within public subnets do not have outbound network access.
我通过在创建 ECS 任务的子网的路由 table 中添加一个条目解决了这个问题。
Destination Target
10.3.0.0/16 local
0.0.0.0/0 nat-02dcc4c6b32bdae00