Tags: amazon-web-services, amazon-ecs, amazon-vpc

aws-vpc containers do not have access to the internet


I created ECS service in AWS ECS cluster. My container uses the awsvpc network mode. The service has no load balancer.

But it cannot touch any public internet resources.

When I go to the ECS instance and SSH into the Docker container, I cannot wget any public resources.

root@ip-10-3-1-23:/app# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  *^C
root@ip-10-3-1-23:/app# wget google.com
--2019-08-31 22:34:38--  http://google.com/
Resolving google.com (google.com)... 172.217.9.206, 2607:f8b0:4004:807::200e
Connecting to google.com (google.com)|172.217.9.206|:80... ^C
root@ip-10-3-1-23:/app# 

EC2 instance security group:

Inbound:

Type            Protocol        Port Range      Source                      Description
All TCP         TCP             0 - 65535       10.3.0.0/16     
SSH             TCP             22              sg-5c260123 (mgmt-bastion)  
Custom TCP Rule TCP             51678           sg-0784b8f53ab37c234 (mgmt-jenkins-sg)

Outbound:

Type            Protocol        Port Range      Destination                 Description
All traffic     All             All             0.0.0.0/0

Service security group:

Inbound:

Type            Protocol        Port Range      Source                      Description
All TCP         TCP             0 - 65535       10.3.0.0/16

Outbound:

Type            Protocol        Port Range      Destination                 Description
All traffic     All             All             0.0.0.0/0

Could you help me debug this and work out how to allow internet access, please?


Solution

  • From the AWS documentation:

    The awsvpc network mode does not provide task ENIs with public IP addresses for tasks that use the EC2 launch type. To access the internet, tasks that use the EC2 launch type must be launched in a private subnet that is configured to use a NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide. Inbound network access must be from within the VPC using the private IP address or DNS hostname, or routed through a load balancer from within the VPC. Tasks launched within public subnets do not have outbound network access.
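The security groups in the question are not the cause: both groups allow all outbound traffic, and security groups are stateful, so the return traffic would be admitted too. The `* * *` hops in the traceroute point at the subnet's route table instead, which is exactly what the quoted documentation describes. The following is an added example, not part of the original question or answer, that encodes that rule as a check over the JSON returned by `aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<subnet-id>`. The route tables, subnet IDs and gateway IDs embedded below are constructed for the example; the `has_public_ip` parameter goes slightly beyond the page to cover ENIs that do get a public address (for EC2 launch type awsvpc tasks it is always false, which is the situation in the question).

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output.
# All IDs and CIDRs below are made up for this example.
SAMPLE_ROUTE_TABLES = json.loads("""
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-0example-public",
      "Associations": [{"SubnetId": "subnet-0example-public"}],
      "Routes": [
        {"DestinationCidrBlock": "10.3.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-0example-private",
      "Associations": [{"SubnetId": "subnet-0example-private"}],
      "Routes": [
        {"DestinationCidrBlock": "10.3.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-0example-isolated",
      "Associations": [{"SubnetId": "subnet-0example-isolated"}],
      "Routes": [
        {"DestinationCidrBlock": "10.3.0.0/16", "GatewayId": "local", "State": "active"}
      ]
    }
  ]
}
""")


def route_table_for_subnet(desc, subnet_id):
    """Find the route table explicitly associated with subnet_id.

    Subnets without an explicit association fall back to the VPC's main
    route table; that implicit case is not modelled here and yields None.
    """
    for rt in desc["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
    return None


def default_route(route_table):
    """Return the active 0.0.0.0/0 route of a route table, or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route
    return None


def diagnose_awsvpc_egress(desc, subnet_id, has_public_ip=False):
    """Return (ok, reason) for an awsvpc task ENI placed in subnet_id.

    Rule from the ECS documentation: the ENI reaches the internet only via
    a NAT gateway, or via an internet gateway when the ENI itself carries
    a public IP (never the case for EC2 launch type awsvpc tasks).
    """
    rt = route_table_for_subnet(desc, subnet_id)
    if rt is None:
        return False, f"no explicit route table association found for {subnet_id}"

    route = default_route(rt)
    if route is None:
        return False, f"{rt['RouteTableId']} has no active 0.0.0.0/0 route (isolated subnet)"

    if route.get("NatGatewayId"):
        return True, f"0.0.0.0/0 -> {route['NatGatewayId']} (NAT gateway, private subnet)"

    gateway = str(route.get("GatewayId", ""))
    if gateway.startswith("igw-"):
        if has_public_ip:
            return True, f"0.0.0.0/0 -> {gateway} and the ENI has a public IP"
        return False, (f"0.0.0.0/0 -> {gateway} but the task ENI has no public IP; "
                       "move the task to a private subnet routed through a NAT gateway")

    target = gateway or route.get("NatGatewayId") or route.get("TransitGatewayId") or "unknown"
    return False, f"0.0.0.0/0 -> {target}: not a NAT or internet gateway, inspect manually"


if __name__ == "__main__":
    # Walk every constructed subnet and print the verdict for an EC2 launch type task.
    for subnet in ("subnet-0example-public", "subnet-0example-private", "subnet-0example-isolated"):
        ok, reason = diagnose_awsvpc_egress(SAMPLE_ROUTE_TABLES, subnet)
        print(f"{subnet}: {'OK' if ok else 'NO INTERNET'} - {reason}")
```

To run it against a real account, replace `SAMPLE_ROUTE_TABLES` with the parsed output of the `describe-route-tables` call above for the subnet named in the service's `awsvpcConfiguration`. The public-subnet case is the one that usually surprises people: a `0.0.0.0/0 -> igw-...` route looks like internet access, but without a public IP on the task ENI the internet gateway cannot forward the traffic, which is exactly why the question's wget hangs on connect rather than failing DNS.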