动态端口和AWS Applocation负载均衡器和ECS [英] Dynamic ports and AWS Applocation Load balancer and ECS

问题描述

ELB后面的Docker容器获得动态端口，这些端口已在ELB中自动注册，以便可以将流量重定向到它们.

Docker containers behind ELB get dynamic ports which are auto registered with ELB so that they can get traffic redirected to them.

为了使您的Web服务器可被ELB访问，您必须打开所有来自安全组内部的端口1024-65535.

In order to make your web servers accessible to ELB you have to open all these ports 1024 - 65535 originating from within your security group.

是否有一种方法不必向某个端口范围开放安全组，而只需向ELB正在使用的设备开放?

Is there a way to not to have to open up a security group to a range of port but only to the pots that ELB is using?

推荐答案

AWS从未修改安全组，因为这可能会导致冲突和安全问题.唯一的例外是诸如Elastic Beanstalk之类的服务.您可能必须执行论坛上所说的并允许端口范围.

Security groups are never modified by AWS as this might cause conflicts and security issues. The only exception would be services such as Elastic Beanstalk. You'd likely have to do what the forum says and allow port ranges.

每个 http://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PortMapping.html

The default ephemeral port range is 49153 to 65535, and this range is used for Docker versions prior to 1.6.0. For Docker version 1.6.0 and later, the Docker daemon tries to read the ephemeral port range from /proc/sys/net/ipv4/ip_local_port_range; if this kernel parameter is unavailable, the default ephemeral port range is used. You should not attempt to specify a host port in the ephemeral port range, because these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.

The default ephemeral port range is 49153 to 65535, and this range is used for Docker versions prior to 1.6.0. For Docker version 1.6.0 and later, the Docker daemon tries to read the ephemeral port range from /proc/sys/net/ipv4/ip_local_port_range; if this kernel parameter is unavailable, the default ephemeral port range is used. You should not attempt to specify a host port in the ephemeral port range, because these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.

如果您实际上在乎什么端口，据我所知，您有一些选择:

If you actually care about what ports, you have a few options as far as I can see:

1. 不专门使用ALB和转发端口，因此可以在ELB安全组中指定它们.
2. 将ALB与应用程序放在同一安全组中，并使用内部安全组规则，例如TCP 0-65535表示sg-foo，其中sg-foo是ALB和应用程序所在的安全组
3. 将ALB放置在安全组sg-foo中，并在sg-app上放置规则(其中sg-app是您的应用程序所在的安全组)，并允许来自sg-foo内部sg-app <的流量TCP 0-65535/li>

1. Not use ALB and forward ports specifically so you can specify them in the ELB security group.
2. Place the ALB in the same security group as your applications and use internal security group rules such as TCP 0-65535 for sg-foo where sg-foo is the security group both the ALB and apps are in
3. Place the ALB in security group sg-foo, and put a rule on sg-app (where sg-app is the security group your applications are in) and allow traffic TCP 0-65535 from sg-foo inside sg-app

这篇关于动态端口和AWS Applocation负载均衡器和ECS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！