Register EC2 instance to ECS cluster without public IP

I am having a hard time adding instances created in my VPC on a private subnet (with no internet gateway attached to it) to an ECS cluster.

Currently, the only way I have managed to do this is by adding a public IP and configuring a NAT instance/gateway.

How do I use an ECS cluster with private subnets?

To register your instances with ECS, you need outbound connectivity from the instances.

Outbound connectivity for instances on a private subnet requires NAT, but not a public IP.

ECS starts a container on each of your servers, and that container needs to connect to the service that manages state; for that, the instances on your private subnet need to reach the outside world through NAT.

This question is hard to answer. ECS simply launches EC2 instances according to your configuration. If you launch them in a subnet without public IPs, they won't have one. You must have the proper infrastructure in place to reach them, e.g. NAT, VPN, etc. There is no special configuration for an ECS cluster. If you can reach your EC2 instances, you should be able to reach the ECS instances.

I think I have found the answer in the AWS documentation; it seems I need to use a NAT instance/gateway :(

Another one, and also the official documentation:

"...Container instances need external network access to communicate with the Amazon ECS service endpoint, so if your container instances are running in a private VPC, they need a network address translation (NAT) instance to provide this access. For more information, see NAT Instances in the Amazon VPC User Guide."

I was also trying to block public requests to the ECS instances by deploying the cluster into a private subnet, and later found out that I needed a NAT server/gateway, which costs about $1 a day.

If you only want to block dodgy sniffing requests to your ECS instances, you can update the security group of the ECS instances while keeping them in a public subnet. This will save you $30 a day.

The VPC endpoint for ECS is now available on AWS. It's not officially announced yet (in state "Coming soon" on the public containers roadmap).

Unless they state otherwise, it costs at least about $22/month (PrivateLink costs for 3 availability zones in us-east, with no traffic cost).

PrivateLink is now available, for both ECS & ECR.

Using PrivateLink, you can register and operate your EC2 instances and Fargate tasks in an ECS cluster without a public IP, and also pull images from ECR.

Required endpoints:

For ECS:

EC2 launch type:

com.amazonaws.region.ecs-agent
com.amazonaws.region.ecs-telemetry
com.amazonaws.region.ecs

Fargate launch type:

Only the ECR and CloudWatch endpoints are required (described below).

For ECR:

EC2 launch type:

com.amazonaws.region.ecr.dkr
com.amazonaws.region.ecr.api
com.amazonaws.region.s3 (S3 gateway endpoint)

Fargate launch type:

com.amazonaws.region.ecr.dkr
com.amazonaws.region.s3 (S3 gateway endpoint)

In addition, if you use the awslogs driver, you also need to add the CloudWatch endpoint com.amazonaws.region.logs.
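As an added example (not code from this thread or from AWS), the following Python audits which of the endpoints listed above are still missing from a VPC; it runs over a constructed sample shaped like `aws ec2 describe-vpc-endpoints` output, and the VPC id, region and the boto3 `create_vpc_endpoint` keyword shape it emits are assumptions.

```python
from typing import Dict, List

# Endpoint suffixes per launch type, from the list above; "logs" is added only
# when tasks use the awslogs driver. S3 is a gateway endpoint, the rest interface.
REQUIRED = {
    "EC2": ["ecs-agent", "ecs-telemetry", "ecs", "ecr.dkr", "ecr.api", "s3"],
    "FARGATE": ["ecr.dkr", "s3"],
}
GATEWAY_SERVICES = {"s3"}


def required_services(region: str, launch_type: str, uses_awslogs: bool) -> List[str]:
    """Fully qualified endpoint service names this cluster needs."""
    suffixes = REQUIRED[launch_type] + (["logs"] if uses_awslogs else [])
    return [f"com.amazonaws.{region}.{s}" for s in suffixes]


def endpoint_spec(vpc_id: str, service_name: str) -> Dict[str, object]:
    """Keyword arguments for boto3 ec2.create_vpc_endpoint for one service (assumed shape).
    Interface endpoints enable private DNS so the ECS agent resolves the regional
    service hostname to the endpoint without any agent-side configuration."""
    suffix = service_name.split(".", 3)[3]
    if suffix in GATEWAY_SERVICES:
        return {"VpcId": vpc_id, "ServiceName": service_name,
                "VpcEndpointType": "Gateway"}
    return {"VpcId": vpc_id, "ServiceName": service_name,
            "VpcEndpointType": "Interface", "PrivateDnsEnabled": True}


def missing_endpoints(describe_output: Dict, vpc_id: str, region: str,
                      launch_type: str, uses_awslogs: bool) -> List[str]:
    """Required services with no *available* endpoint in this VPC.
    describe_output has the shape of `aws ec2 describe-vpc-endpoints` output."""
    present = {e["ServiceName"] for e in describe_output.get("VpcEndpoints", [])
               if e["VpcId"] == vpc_id and e["State"] == "available"}
    return [s for s in required_services(region, launch_type, uses_awslogs)
            if s not in present]


# Constructed sample: the S3 gateway exists, the ecs-agent endpoint is still pending.
SAMPLE = {"VpcEndpoints": [
    {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.us-east-1.s3",
     "VpcEndpointType": "Gateway", "State": "available"},
    {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.us-east-1.ecs-agent",
     "VpcEndpointType": "Interface", "State": "pending"},
]}

if __name__ == "__main__":
    for name in missing_endpoints(SAMPLE, "vpc-0example", "us-east-1", "EC2", True):
        print("missing:", endpoint_spec("vpc-0example", name))
```

A pending endpoint is deliberately counted as missing, since the agent cannot register through it until it is available.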

Symptoms

I created an Amazon Elastic Container Service (Amazon ECS) cluster in a private subnet through the Amazon ECS console using the cluster creation wizard. However, my container instances aren't registered to the ECS cluster. How can I resolve this issue?

An unusual behavior I got to see while launching an ECS cluster in a private subnet through the ECS console: the instance launched in this cluster still had a public IP instead of residing in the private subnet.


Cause

If you created a cluster with the Amazon ECS console using the cluster creation wizard in a private subnet, your container instances are launched with a public IP address. As a result, the container instances can't register to the ECS cluster, because they can't communicate with the ECS endpoint.

When an ECS cluster is launched, it creates a CloudFormation stack that creates an Auto Scaling group and an Auto Scaling launch configuration, which by default has the following property set: AssociatePublicIpAddress. This forces your instance to have a public IP associated on launch.

To reconfigure the environment to launch container instances without a public IP address, complete the following steps.


Resolution

There are two ways of doing this —

1. Create an empty cluster using the ECS console and then manually create an Auto Scaling group and launch configuration to attach to the empty cluster. But it may seem a lengthy approach to some people (like me!) for the cluster creation. No worries, there is a simpler way of doing the same with a few commands. Here's the second alternative:

2. Use the ecs-cli to create the cluster, which provides the option `--no-associate-public-ip-address` with the `ecs-cli up` command. If you haven't used the ecs-cli before, you can get started in three simple steps:

1. Open the AWS CloudFormation console.
2. In the Stack Name column, select the stack that includes the cluster that you previously created.
3. Choose the Template tab.
4. Copy the template, and then paste it into a code editor.
5. In the AWS::AutoScaling::LaunchConfiguration section of the template, change the AssociatePublicIpAddress property to false.

...
6. On the Configure Instance Details page, complete the following steps:
...
e. Set the Auto-assign Public IP field depending on whether you want your instance to be accessible from the public internet. If your instance should be accessible from the internet, verify that the Auto-assign Public IP field is set to Enable. If not, set this field to Disable.

VPC endpoints

Don't forget to create VPC endpoints to ECR, S3, ECS and CloudWatch (the last one for the ECS task awslogs log driver, if you use it).

Avoid NAT where possible

A NAT gateway can cost you a lot of money just by existing, even when it is not used, because AWS bills you per hour plus per GB of traffic. If you run one per AZ for high availability, the cost is several times higher.