Tags: amazon-web-services, amazon-ec2, amazon-ecs, amazon-vpc

Why are ECS services trying to attach their ENIs to the EC2 instance, leading to the error "encountered error RESOURCE:ENI"?


I have 3 AWS accounts with almost identical CloudFormation. In 2 of them I am able to run up to 8 ECS services per EC2 instance. Each service has its own ENI; this ENI is not attached to anything and not attached to the EC2 instance. Everything works.

In 1 of my AWS accounts, each ECS service is trying to attach its ENI to the EC2 instance, and so I now see the error "unable to place a task because no container instance met all of its requirements. ... RESOURCE:ENI" and I'm unable to deploy more than 2 services per instance. This is because each EC2 instance has a limit on the ENIs you can attach.

VPC trunking is not on in the working accounts, so my question is: why are the ECS services now attaching their ENIs to the EC2 instance? Is there an option somewhere that says "don't attach your ENI to anything"? Is it maybe normal to attach the ENIs, and actually my working accounts should be attaching them but they aren't?


Solution

  • The answer is that VPC trunking was actually on in the other accounts. Just because you can't see the VPC trunking option checked in the ECS account settings doesn't mean that another user/role doesn't have VPC trunking set to on.

    Or maybe VPC trunking will appear to be on when you check account settings in ECS, but that only displays the setting for your user and not for the role the ECS EC2 instances are using.

    I needed to set account-wide VPC trunking and, more importantly, properly read the documentation.
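The trap described in the answer is that the ECS `awsvpcTrunking` account setting is stored per IAM principal, so the console can show it enabled for the user who is looking while the container instance role still runs with it disabled. The script below is an added example (not from the question or the answer) that parses the JSON shape returned by `aws ecs list-account-settings --effective-settings` and reports whether the instance role, rather than the console user, has trunking enabled. The sample output and the ARNs are constructed placeholders; in practice you would run the CLI once per principal ARN and feed the results in.

```python
"""Check which IAM principals have ECS awsvpcTrunking enabled.

Added example, not code from the question or answer above. The JSON below
is constructed to mimic `aws ecs list-account-settings --effective-settings`
output merged across two principals; the account id and ARNs are placeholders.
"""
import json

# Constructed sample: the console user sees trunking "enabled", but the role
# the container instances assume still has it "disabled".
SAMPLE_OUTPUT = json.dumps({
    "settings": [
        {"name": "awsvpcTrunking", "value": "enabled",
         "principalArn": "arn:aws:iam::111111111111:user/console-user"},
        {"name": "awsvpcTrunking", "value": "disabled",
         "principalArn": "arn:aws:iam::111111111111:role/ecsInstanceRole"},
        {"name": "containerInsights", "value": "enabled",
         "principalArn": "arn:aws:iam::111111111111:user/console-user"},
    ]
})

CONSOLE_USER = "arn:aws:iam::111111111111:user/console-user"   # placeholder
INSTANCE_ROLE = "arn:aws:iam::111111111111:role/ecsInstanceRole"  # placeholder


def trunking_by_principal(raw_json, setting="awsvpcTrunking"):
    """Map each principal ARN to its value for the given ECS account setting."""
    data = json.loads(raw_json)
    return {
        s["principalArn"]: s["value"]
        for s in data.get("settings", [])
        if s.get("name") == setting
    }


def diagnose(raw_json, instance_role_arn, console_principal_arn):
    """Return (verdict, detail) for the principal the container instances use.

    'ok'        - the instance role has trunking enabled
    'mismatch'  - the console principal sees it enabled but the role does not
    'disabled'  - neither principal has it enabled
    """
    values = trunking_by_principal(raw_json)
    role_value = values.get(instance_role_arn, "unknown")
    console_value = values.get(console_principal_arn, "unknown")
    if role_value == "enabled":
        return "ok", f"{instance_role_arn} has awsvpcTrunking enabled"
    if console_value == "enabled":
        return "mismatch", (
            f"console principal {console_principal_arn} shows enabled, "
            f"but instance role {instance_role_arn} is {role_value}; "
            "tasks will consume a regular ENI slot on each instance"
        )
    return "disabled", f"awsvpcTrunking is {role_value} for {instance_role_arn}"


def remediation_commands(instance_role_arn):
    """The AWS CLI calls that make the setting account-wide or role-specific."""
    return [
        # account-wide default for every principal that has no explicit setting
        "aws ecs put-account-setting-default --name awsvpcTrunking --value enabled",
        # explicit setting for the instance role only
        "aws ecs put-account-setting --name awsvpcTrunking --value enabled "
        f"--principal-arn {instance_role_arn}",
    ]


if __name__ == "__main__":
    verdict, detail = diagnose(SAMPLE_OUTPUT, INSTANCE_ROLE, CONSOLE_USER)
    print(f"{verdict}: {detail}")
    if verdict != "ok":
        for cmd in remediation_commands(INSTANCE_ROLE):
            print("  ", cmd)
```

Run it against the constructed sample and it reports a `mismatch`, which is exactly the situation the answer describes: the user's own view of the setting is not the view that matters for task placement. The two CLI commands it prints are the real `aws ecs` subcommands for setting the account-wide default and for targeting a single principal; enabling trunking changes the instance's ENI capacity only after the container instance is re-registered, so existing instances need to be replaced or re-registered once the setting is in place.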