aws-vpc 容器无法访问互联网 [英] aws-vpc containers do not have access to the internet

问题描述

我在 AWS ECS 集群中创建了 ECS 服务.我的容器使用 awsvpc 网络模式.该服务没有负载平衡器.

I created ECS service in AWS ECS cluster. My container uses the awsvpc network mode. The service has no load balancer.

但它不能触及任何公共互联网资源.

But it cannot touch any public internet resources.

当我进入 ECS 实例并通过 ssh 进入 docker 容器时，我无法获取任何公共资源.

When I go to the ECS instance and ssh into docker container I cannot wget any public resources.

root@ip-10-3-1-23:/app# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  *^C

root@ip-10-3-1-23:/app# wget google.com
--2019-08-31 22:34:38--  http://google.com/
Resolving google.com (google.com)... 172.217.9.206, 2607:f8b0:4004:807::200e
Connecting to google.com (google.com)|172.217.9.206|:80... ^C
root@ip-10-3-1-23:/app# 

EC2 实例安全组:

入站:

Type            Protocol        Port Range      Source                      Description
All TCP         TCP             0 - 65535       10.3.0.0/16     
SSH             TCP             22              sg-5c260123 (mgmt-bastion)  
Custom TCP Rule TCP             51678           sg-0784b8f53ab37c234 (mgmt-jenkins-sg)

出站:

Type            Protocol        Port Range      Source                      Description
All traffic     All             All             0.0.0.0/0

服务安全组:

入站:

Type            Protocol        Port Range      Source                      Description
All TCP         TCP             0 - 65535       10.3.0.0/16

出站:

Type            Protocol        Port Range      Source                      Description
All traffic     All             All             0.0.0.0/0

你能帮我调试一下吗，如何允许上网?

Could you help me debug it, how to allow for internet access, please?

推荐答案

来自 AWS 文档:

awsvpc 网络模式不为使用 EC2 启动类型的任务提供具有公共 IP 地址的任务 ENI.要访问 Internet，必须在配置为使用 NAT 网关的私有子网中启动使用 EC2 启动类型的任务.有关更多信息，请参阅 Amazon VPC 用户指南中的 NAT 网关.入站网络访问必须使用私有 IP 地址或 DNS 主机名从 VPC 内进行，或者从 VPC 内通过负载均衡器进行路由.在公共子网内启动的任务没有出站网络访问权限.

The awsvpc network mode does not provide task ENIs with public IP addresses for tasks that use the EC2 launch type. To access the internet, tasks that use the EC2 launch type must be launched in a private subnet that is configured to use a NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide. Inbound network access must be from within the VPC using the private IP address or DNS hostname, or routed through a load balancer from within the VPC. Tasks launched within public subnets do not have outbound network access.

这篇关于aws-vpc 容器无法访问互联网的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！