amazon-ecs

What are the ECS agent ports?


Question

Which ports does the ECS agent use? Amazon ECS Container Agent Configuration refers to ECS_RESERVED_PORTS. Are these the ones on which the ECS agent listens, and hence the ones that need to be open in the ECS EC2 security group?

ECS_RESERVED_PORTS
Example values: [22, 80, 5000, 8080]

Default value on Linux: [22, 2375, 2376, 51678, 51679, 51680]

Default value on Windows: [53, 135, 139, 445, 2375, 2376, 3389, 5985, 51678, 51679]

Solution

  • ECS Container Agent does not require inbound ports to be open

    Hence no security group inbound port configuration is required for the ECS Container Agent.

    AWS ECS Developer Guide - Setting Up with Amazon ECS - Create a Security Group

    Amazon ECS container instances do NOT require any inbound ports to be open. However, you might want to add an SSH rule so you can log into the container instance and examine the tasks with Docker commands. You can also add rules for HTTP and HTTPS if you want your container instance to host a task that runs a web server. Container instances do require external network access to communicate with the Amazon ECS service endpoint. Complete the following steps to add these optional security group rules.

    I hope for better AWS terminology. An ECS Container Instance is an EC2 instance, not a Docker container instance. It can be confusing to use "Container Instance", as it can be either a Docker container instance or an EC2 instance. Why not use "ECS EC2 Instance" to be specific, so that it would not cause any confusion? API Gateway lambda proxy integration and API Gateway lambda integration do not give any clue about the difference between them, etc.
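
A way to check a container instance's security group against the answer above, as an added example (not from the answer or from AWS): it lists every inbound rule that reaches the Linux default reserved ports quoted in the question, leaving out 22 because the quoted guide allows an optional SSH rule. The function names, the `sg-EXAMPLE` id and the sample rules are constructed; the input is assumed to have the shape of one group from `aws ec2 describe-security-groups`.

```python
import json

# Default ECS_RESERVED_PORTS on Linux as quoted in the question, minus 22,
# because the quoted guide allows an optional SSH rule (assumption of this example).
LINUX_RESERVED_NO_SSH = (2375, 2376, 51678, 51679, 51680)
WORLD = {"0.0.0.0/0", "::/0"}

def covered_ports(perm, ports):
    """Return the ports from `ports` that one IpPermissions entry covers."""
    if perm.get("IpProtocol") == "-1":       # all protocols, all ports
        return list(ports)
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return []                            # the listed ports are TCP
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return []
    return [p for p in ports if lo <= p <= hi]

def audit_inbound(group, ports=LINUX_RESERVED_NO_SSH):
    """List (port, source, world_open) for each inbound rule reaching `ports`."""
    findings = []
    for perm in group.get("IpPermissions", []):
        hit = covered_ports(perm, ports)
        if not hit:
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        for port in hit:
            for src in sources:
                findings.append((port, src, src in WORLD))
    return findings

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
  {"IpProtocol": "tcp", "FromPort": 2000, "ToPort": 3000,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 51678, "ToPort": 51678,
   "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}
]}
""")

if __name__ == "__main__":
    for port, src, world in audit_inbound(SAMPLE):
        print(f"{port} reachable from {src}{' (world-open)' if world else ''}")
```

An empty result means no inbound rule reaches those ports; a wide port range such as 2000-3000 is reported because it covers 2375 and 2376 even though neither is named in the rule.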