Dynamic ports and AWS Application Load Balancer and ECS


Problem description

Docker containers behind an ELB get dynamic ports, which are auto-registered with the ELB so that traffic can be redirected to them.

In order to make your web servers accessible to the ELB you have to open all of these ports, 1024 - 65535, originating from within your security group.

Is there a way to not have to open up a security group to a range of ports, but only to the ports that the ELB is using?

Answer

Security groups are never modified by AWS, as this might cause conflicts and security issues. The only exception would be services such as Elastic Beanstalk. You'd likely have to do what the forum says and allow port ranges.

Per http://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PortMapping.html

"The default ephemeral port range is 49153 to 65535, and this range is used for Docker versions prior to 1.6.0. For Docker version 1.6.0 and later, the Docker daemon tries to read the ephemeral port range from /proc/sys/net/ipv4/ip_local_port_range; if this kernel parameter is unavailable, the default ephemeral port range is used. You should not attempt to specify a host port in the ephemeral port range, as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range."

If you actually care about what ports, you have a few options as far as I can see:

  1. Not use an ALB and forward ports specifically, so you can specify them in the ELB security group.
  2. Place the ALB in the same security group as your applications and use internal security group rules such as TCP 0-65535 for sg-foo, where sg-foo is the security group both the ALB and apps are in.
  3. Place the ALB in security group sg-foo, and put a rule on sg-app (where sg-app is the security group your applications are in) that allows traffic TCP 0-65535 from sg-foo inside sg-app.
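The following is an added example, not code from the original question or answer, showing how a practitioner would tighten options 2 and 3 above using the ephemeral-range rule quoted from the ECS PortMapping docs: instead of opening TCP 0-65535 or 1024-65535, read the container instance's actual /proc/sys/net/ipv4/ip_local_port_range (falling back to the documented 49153-65535 default), and grant that range only from the ALB's security group via a source-security-group rule rather than a CIDR. The security-group IDs (sg-0alb..., sg-0app...) and the kernel-parameter text passed in are hypothetical placeholders; the boto3 call is only made when you explicitly invoke apply(), so everything else runs offline.

```python
"""
Scope ECS dynamic-port ingress to the ALB security group and to the host's
real ephemeral port range. Added example; not from the original post.
All security-group IDs here are hypothetical placeholders.
"""
from __future__ import annotations

import os
from typing import Optional, Tuple

# Fallback from the ECS PortMapping docs: used when the kernel parameter
# cannot be read (or on Docker < 1.6.0, which ignores it).
DEFAULT_EPHEMERAL_RANGE = (49153, 65535)
IP_LOCAL_PORT_RANGE = "/proc/sys/net/ipv4/ip_local_port_range"


def ephemeral_port_range(kernel_param: Optional[str] = None) -> Tuple[int, int]:
    """Return (low, high) of the range Docker draws dynamic host ports from.

    kernel_param: the text of /proc/sys/net/ipv4/ip_local_port_range taken
    from the *container instance* (e.g. "32768\t60999\n"). Pass None to read
    it from the machine this runs on; if the file is absent (non-Linux host)
    fall back to the documented default. Malformed input raises ValueError
    rather than silently producing a too-wide or too-narrow rule.
    """
    if kernel_param is None:
        if not os.path.exists(IP_LOCAL_PORT_RANGE):
            return DEFAULT_EPHEMERAL_RANGE
        with open(IP_LOCAL_PORT_RANGE) as fh:
            kernel_param = fh.read()
    parts = kernel_param.split()
    if len(parts) != 2:
        raise ValueError(f"unexpected ip_local_port_range contents: {kernel_param!r}")
    low, high = int(parts[0]), int(parts[1])
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"ip_local_port_range out of bounds: {low}-{high}")
    return low, high


def dynamic_port_mapping(container_port: int) -> dict:
    """ECS task-definition portMappings entry: hostPort 0 tells Docker to
    pick a host port from the ephemeral range, which is what the ALB
    target group then registers."""
    return {"containerPort": container_port, "hostPort": 0, "protocol": "tcp"}


def sg_to_sg_ingress(from_port: int, to_port: int, source_sg: str) -> dict:
    """One IpPermissions entry for ec2.authorize_security_group_ingress that
    admits TCP from_port..to_port only from members of source_sg (the
    answer's option 3). Passing the target group's own ID yields the
    self-referencing rule of option 2."""
    return {
        "IpProtocol": "tcp",
        "FromPort": from_port,
        "ToPort": to_port,
        "UserIdGroupPairs": [{"GroupId": source_sg}],
    }


def ephemeral_ingress_from_alb(alb_sg: str, kernel_param: Optional[str] = None) -> dict:
    """Rule for sg-app: ephemeral range only, and only from the ALB's SG."""
    low, high = ephemeral_port_range(kernel_param)
    return sg_to_sg_ingress(low, high, alb_sg)


def apply(app_sg: str, alb_sg: str, kernel_param: str, region: str = "us-east-1") -> None:
    """Push the rule with boto3. Needs credentials and network access, so
    boto3 is imported here to keep the rest of the module usable offline."""
    import boto3  # type: ignore

    ec2 = boto3.client("ec2", region_name=region)
    ec2.authorize_security_group_ingress(
        GroupId=app_sg,
        IpPermissions=[ephemeral_ingress_from_alb(alb_sg, kernel_param)],
    )


if __name__ == "__main__":
    # Constructed sample: typical modern Linux default for the kernel parameter.
    sample_range = "32768\t60999\n"
    print(dynamic_port_mapping(8080))
    print(ephemeral_ingress_from_alb("sg-0alb0000000000000", sample_range))
```

Take the kernel-parameter text from the ECS container instance itself (e.g. `cat /proc/sys/net/ipv4/ip_local_port_range` over SSM), not from your workstation, since the whole point is to match the range Docker on that host actually allocates from. If you later change the instance's sysctl, the rule has to be regenerated to match.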
