使用 EC2 时，ECS 集群无法在私有子网中运行任务 [英] ECS cluster cannot run tasks in private subnet when using EC2

问题描述

我有一个配置为使用 awsvpc 网络模式的任务定义.根据这个:

I have a task definition that configured to use awsvpc network mode. according to this:

awsvpc 网络模式仅支持私有子网.由于任务不接收公共 IP 地址，因此 NAT 网关是出站互联网访问和入站互联网流量所需应该通过负载平衡器路由.

Only private subnets are supported for the awsvpc network mode. Because tasks do not receive public IP addresses, a NAT gateway is required for outbound internet access, and inbound internet traffic should be routed through a load balancer.

我在公共子网(具有 Internet 网关)中设置了 NAT 网关，并在私有子网中配置路由表以将流量发送到 NAT 网关.但是当我想创建一个驻留在私有子网中的任务时，我得到:

I set up a NAT gateway in a public subnet(that has internet gateway) and config route table in the private subnet to send the traffic to NAT gateway. But when I want to create a task that resides in private subnet I get:

Run tasks failed Reasons : ["ATTRIBUTE"]. Learn more

如果我选择 EC2 本身使用的公有子网，它会创建任务.但是我无法在我的任务中访问互联网.
我的最终目标是通过我在 EC2 中的任务访问互联网.

If I choose the public subnet that the EC2 itself uses, It creates the task. But I cannot access the internet inside of my tasks.
My final goal is to get access to the internet from my tasks in the EC2.

更新:我的任务定义:

{
"ipcMode": null,
"executionRoleArn": "arn:aws:iam::783294628224:role/ecsTaskExecutionRole",
"containerDefinitions": [
{
"dnsSearchDomains": null,
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/TEST-Task-Definition",
"awslogs-region": "us-west-2",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": null,
"portMappings": [
{
"hostPort": 8500,
"protocol": "tcp",
"containerPort": 8500
},
{
"hostPort": 8501,
"protocol": "tcp",
"containerPort": 8501
}
],
"command": null,
"linuxParameters": null,
"cpu": 0,
"environment": [],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": 500,
"volumesFrom": [],
"stopTimeout": null,
"image": "<MY ECR REPOSITORY ADDRESS FOR IMAGE 1>",
"startTimeout": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": "root",
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": true,
"name": "backend"
},
{
"dnsSearchDomains": null,
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/TEST-Task-Definition",
"awslogs-region": "us-west-2",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": null,
"portMappings": [
{
"hostPort": 80,
"protocol": "tcp",
"containerPort": 80
}
],
"command": null,
"linuxParameters": null,
"cpu": 0,
"environment": [],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": 500,
"volumesFrom": [],
"stopTimeout": null,
"image": "<MY ECR REPOSITORY ADDRESS FOR IMAGE 2>",
"startTimeout": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": "root",
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": true,
"name": "frontend"
}
],
"memory": null,
"taskRoleArn": "arn:aws:iam::783294628224:role/ecsTaskExecutionRole",
"family": "TEST-Task-Definition",
"pidMode": null,
"requiresCompatibilities": [
"EC2"
],
"networkMode": "awsvpc",
"cpu": null,
"proxyConfiguration": null,
"volumes": [],
"placementConstraints": []
}

推荐答案

我终于成功解决了我的问题.据我所知，在任务定义中使用 awsvpc 网络模式时，任务(或服务)必须在 EC2 子网中创建.此外，如果您希望您的任务能够访问 Internet，您应该在另一个子网中创建一个 NAT 网关，该网关具有到驻留在您的 VPC 中的 Internet 网关的默认路由.在任务/服务/EC2 子网中，您必须向 NAT 网关添加默认路由.发生的唯一问题是您无法再通过 ssh 连接到您的 EC2.如果您想通过 ssh 连接到您的 EC2，我认为您应该设置一个负载均衡器.

I finally succeeded to fix my problem. As far as I know, when using awsvpc network mode in Task Definition, the tasks(or service) must create in the EC2 subnet. Additionally, if you want your tasks to have access to the internet, you should create a NAT gateway in another subnet which has a default route to Internet Gateway that resides in your VPC. In the task/service/EC2 subnet you have to add a default route to the NAT gateway. The only problem that occurs is that you cannot ssh to your EC2 anymore. If you want to ssh to your EC2, I think you should set up a Load Balancer.

这篇关于使用 EC2 时，ECS 集群无法在私有子网中运行任务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！