I have two ECS clusters, both running Fargate 1.3 tasks (let's call them task A and task B). Both tasks have network type awsvpc and both have auto-assigned public IPs. Furthermore, both clusters/tasks are in the same VPC. Task A is associated with security group A, task B is associated with security group B (as well as a load balancer that is also connected with the security group). I am trying to make an HTTP request from task A to task B. I'm 100% sure I have the security groups set up properly, namely:
security group A:
security group B:
When I try to make the request from A to B, I get a timeout error. I know it is a security group error, because if I create an ingress rule with Source = everywhere, it works. Furthermore, if I go in and check the public IP address of Fargate task A, and add that IP address to the ingress of security group B, it also works.
What is happening here?
Since you're using public (Internet) IPs, the traffic is going outside of the VPC and back in, at which point the fact that the traffic originated from security group A is lost. You need to use private IPs to keep all network traffic within the VPC.
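The following is an added example (not part of the answer above, and not AWS's own code) that models the point the answer makes: an ingress rule whose source is a security group can only match traffic that arrives from a private address inside the VPC, because only that traffic still carries the sending ENI's security-group identity; traffic that hairpins out through a public IP comes back as an anonymous Internet source and is matched by CIDR rules alone. The rule evaluator is a deliberately simplified model of AWS behaviour, the VPC CIDR, security group ID, task addresses and task record are all constructed sample data, and `private_ipv4_of_task` assumes the `attachments[].details` shape returned by `ecs.describe_tasks()` for awsvpc tasks.

```python
"""Added example: why an SG-referenced ingress rule only matches private-IP
traffic inside the VPC. Simplified model, not AWS's implementation."""
import ipaddress

# Constructed sample values (assumptions for this example).
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SG_A = "sg-aaaa0001"                 # security group attached to task A
TASK_A_PRIVATE_IP = "10.0.1.25"      # task A's ENI address inside the VPC
TASK_A_PUBLIC_IP = "54.12.34.56"     # task A's auto-assigned public IP
# Which private addresses belong to ENIs carrying which security groups.
ENI_GROUPS = {TASK_A_PRIVATE_IP: {SG_A}}

# Constructed ingress rules for security group B, in the shape of
# ec2.describe_security_groups()["SecurityGroups"][0]["IpPermissions"]:
# "allow TCP/80 from anything that is a member of SG A".
SG_B_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": SG_A}]},
]

# Constructed ecs.describe_tasks() task record for task A (trimmed).
TASK_A = {
    "taskArn": "arn:aws:ecs:REGION:ACCOUNT:task/clusterA/EXAMPLE",
    "attachments": [{
        "type": "ElasticNetworkInterface",
        "details": [
            {"name": "subnetId", "value": "subnet-EXAMPLE"},
            {"name": "networkInterfaceId", "value": "eni-EXAMPLE"},
            {"name": "privateIPv4Address", "value": TASK_A_PRIVATE_IP},
        ],
    }],
}


def resolve_source(src_ip):
    """Model what the destination ENI sees as the source.

    A packet from a private address inside the VPC is attributed to the
    sending ENI and therefore to its security groups. A packet arriving
    from a public address has left the VPC and re-entered through the
    Internet gateway, so no security-group identity is attached to it."""
    ip = ipaddress.ip_address(src_ip)
    groups = ENI_GROUPS.get(src_ip, set()) if ip in VPC_CIDR else set()
    return {"ip": ip, "groups": groups}


def ingress_allows(rules, source, port, proto="tcp"):
    """Return True if any ingress rule admits this source on this port."""
    for rule in rules:
        if rule["IpProtocol"] not in (proto, "-1"):
            continue
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            continue
        # CIDR rule: matches on the address alone, identity not needed.
        for r in rule.get("IpRanges", []):
            if source["ip"] in ipaddress.ip_network(r["CidrIp"]):
                return True
        # SG-referenced rule: matches only if the source carries that SG.
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] in source["groups"]:
                return True
    return False


def private_ipv4_of_task(task):
    """Pull the private IPv4 address out of a describe_tasks() record;
    this is the address task A should use to reach task B."""
    for att in task.get("attachments", []):
        if att.get("type") != "ElasticNetworkInterface":
            continue
        for detail in att.get("details", []):
            if detail["name"] == "privateIPv4Address":
                return detail["value"]
    return None


def demo():
    """Reproduce the question's three observations against the model."""
    via_private = ingress_allows(SG_B_INGRESS, resolve_source(TASK_A_PRIVATE_IP), 80)
    via_public = ingress_allows(SG_B_INGRESS, resolve_source(TASK_A_PUBLIC_IP), 80)
    # The questioner's workaround: a /32 CIDR rule for task A's public IP.
    patched = SG_B_INGRESS + [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                               "IpRanges": [{"CidrIp": TASK_A_PUBLIC_IP + "/32"}],
                               "UserIdGroupPairs": []}]
    via_public_patched = ingress_allows(patched, resolve_source(TASK_A_PUBLIC_IP), 80)
    return {"private_ip_allowed": via_private,
            "public_ip_allowed": via_public,
            "public_ip_with_cidr_rule": via_public_patched,
            "task_a_private_ip": private_ipv4_of_task(TASK_A)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the SG-referenced rule admitting the request only when it comes from task A's private address, rejecting the same request from task A's public address, and admitting it again once a /32 CIDR rule for that public address is added, which is the workaround described in the question. The durable fix is the one the answer gives: have task A connect to task B's private IPv4 address (as returned by `private_ipv4_of_task`), or to an internal load balancer, so the traffic never leaves the VPC.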