Networking

ECS Fargate network interfaces with the src/dest check disabled

  • December 6, 2021

When creating an AWS ECS Fargate service, is there a way to set the Source/dest check field of the generated network interface to false?

The service was set up following the ECS Fargate getting started guide. The service runs a squid proxy, which I think needs to be able to accept traffic destined for other IPs, similar to NAT.

Despite having full administrator permissions, changing the src/dest check field after creation results in a permission denied error:

Failed to update source/dest check for eni-12345abcde: You do not have permission to access the specified resource.

I think the message is misleading and that network interfaces cannot be modified (or deleted) while they are attached, as I saw a similar error when trying to delete the interface, despite having permission to do so.

Is there a way to set or modify the network interface of an ECS Fargate service so that it skips the src/dest check?

➢ The task ENI is fully managed by Amazon ECS. Amazon ECS creates the ENI and attaches it to the host Amazon EC2 instance with the specified security group.
   The task sends and receives network traffic over the ENI in the same way that Amazon EC2 instances do with their primary network interfaces. Each task ENI is assigned a private IPv4 address by default.
   If your VPC is enabled for dual-stack mode and you use a subnet with an IPv6 CIDR block, the task ENI will also receive an IPv6 address. Each task can only have one ENI.

   These ENIs are visible in the Amazon EC2 console for your account, but they cannot be detached manually or modified by your account.
   This is to prevent accidental deletion of an ENI that is associated with a running task.
   You can view the ENI attachment information for tasks in the Amazon ECS console or with the DescribeTasks API operation. When the task stops or if the service is scaled down, the task ENI is detached and deleted.

We cannot modify any attribute of an ECS task ENI, because it is managed by ECS itself.

According to the documentation [1], these ENIs are fully managed by ECS and we cannot modify any attribute of the task ENI. Therefore, it is not possible to disable the source/dest check on an ECS-managed container ENI.

Reference:

[1]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking-awsvpc.html This only applies to the awsvpc network mode, which Fargate uses.

As far as I know, there are two possible workarounds:

  1. Disable the Source/dest check on the instance ENI, then configure routing from the instance's primary ENI to the Docker container.
  2. Use ECS on EC2 instead and choose a different network mode.
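A quick way to tell, before touching anything, which ENIs in an account can actually have their source/dest check turned off is to look at the `RequesterManaged` flag that `aws ec2 describe-network-interfaces` returns: an interface created and owned by another AWS service (such as an ECS awsvpc task ENI) is requester-managed, and `ModifyNetworkInterfaceAttribute` on it is refused regardless of IAM permissions, which matches the "permission denied" the question reports. The script below is an added example, not code from the original question or answer; the JSON is a constructed sample in the shape of the CLI output, the ENI IDs, ARN and descriptions are made up, and it assumes that ECS task ENIs appear with `RequesterManaged: true` and an ECS attachment ARN in `Description`. It classifies each ENI and emits the `modify-network-interface-attribute --no-source-dest-check` command only for the account-owned ones (workaround 1 above, the container host's own ENI).

```python
"""Triage which ENIs can have SourceDestCheck turned off.

Added example (not from the original post). SAMPLE_DESCRIBE_OUTPUT is a
constructed sample in the shape of `aws ec2 describe-network-interfaces`;
IDs, ARN and descriptions are invented. Assumption: an ECS awsvpc task ENI
shows RequesterManaged=true and an "arn:aws:ecs:" attachment Description.
"""
import json

SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "NetworkInterfaces": [
        {   # constructed: a Fargate task ENI created by ECS
            "NetworkInterfaceId": "eni-0aaa111122223333a",
            "Description": "arn:aws:ecs:us-east-1:111122223333:attachment/0f1e2d3c",
            "RequesterManaged": True,
            "SourceDestCheck": True,
            "Status": "in-use",
            "InterfaceType": "interface",
        },
        {   # constructed: primary ENI of a self-managed EC2 container host
            "NetworkInterfaceId": "eni-0bbb444455556666b",
            "Description": "Primary network interface",
            "RequesterManaged": False,
            "SourceDestCheck": True,
            "Status": "in-use",
            "InterfaceType": "interface",
        },
        {   # constructed: an account-owned ENI where the check is already off
            "NetworkInterfaceId": "eni-0ccc777788889999c",
            "Description": "nat-helper",
            "RequesterManaged": False,
            "SourceDestCheck": False,
            "Status": "available",
            "InterfaceType": "interface",
        },
    ]
})


def classify_enis(describe_json: str) -> dict:
    """Group ENIs by whether this account can change SourceDestCheck.

    Returns {"locked": [...], "to_disable": [...], "already_disabled": [...]},
    each entry being (eni_id, reason).
    """
    data = json.loads(describe_json)
    result = {"locked": [], "to_disable": [], "already_disabled": []}
    for eni in data.get("NetworkInterfaces", []):
        eni_id = eni["NetworkInterfaceId"]
        if eni.get("RequesterManaged"):
            # Owned by another AWS service; ModifyNetworkInterfaceAttribute
            # is refused for the account no matter what IAM grants.
            reason = "requester-managed"
            if eni.get("Description", "").startswith("arn:aws:ecs:"):
                reason += " (ECS task ENI)"
            result["locked"].append((eni_id, reason))
        elif eni.get("SourceDestCheck", True):
            result["to_disable"].append((eni_id, "account-owned, check enabled"))
        else:
            result["already_disabled"].append((eni_id, "account-owned, check already off"))
    return result


def disable_check_commands(describe_json: str) -> list:
    """CLI commands for the ENIs whose SourceDestCheck can and should be turned off."""
    classified = classify_enis(describe_json)
    return [
        f"aws ec2 modify-network-interface-attribute "
        f"--network-interface-id {eni_id} --no-source-dest-check"
        for eni_id, _ in classified["to_disable"]
    ]


if __name__ == "__main__":
    groups = classify_enis(SAMPLE_DESCRIBE_OUTPUT)
    for group, entries in groups.items():
        for eni_id, reason in entries:
            print(f"{group:17s} {eni_id}  {reason}")
    for cmd in disable_check_commands(SAMPLE_DESCRIBE_OUTPUT):
        print(cmd)
```

Against live data, pipe the output of `aws ec2 describe-network-interfaces --output json` into `classify_enis`; anything in the `locked` group is the case this answer describes, and the only way to get a NAT-style ENI there is to run the proxy on an EC2 container instance (or a plain instance) whose ENI the account owns.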

Quoted from: https://serverfault.com/questions/1069561