创建 AWS ECS Fargate 服务时,是否有办法将生成的网络接口的Source/dest check字段设置为false?
该服务是在ECS Fargate 入门指南。该服务正在运行 squid 代理,我相信它需要能够接受发往其他 IP 的流量,类似于 NAT。
尽管具有完全的管理员权限,但在创建后更改 src/dest 检查字段仍会导致权限被拒绝错误:
无法更新 eni-12345abcde 的源/目标检查:您无权访问指定的资源。
我认为该消息具有误导性,并且网络接口在连接时无法被修改(或删除),因为我在尝试删除接口时看到了类似的情况,尽管我有权限这样做。
有没有办法设置或修改 ECS Fargate 服务的网络接口以跳过 src/dest 检查?
答案1
➢ The task ENI is fully managed by Amazon ECS. Amazon ECS creates the ENI and attaches it to the host Amazon EC2 instance with the specified security group.
The task sends and receives network traffic over the ENI in the same way that Amazon EC2 instances do with their primary network interfaces. Each task ENI is assigned a private IPv4 address by default.
If your VPC is enabled for dual-stack mode and you use a subnet with an IPv6 CIDR block, the task ENI will also receive an IPv6 address. Each task can only have one ENI.
These ENIs are visible in the Amazon EC2 console for your account, but they cannot be detached manually or modified by your account.
This is to prevent accidental deletion of an ENI that is associated with a running task.
You can view the ENI attachment information for tasks in the Amazon ECS console or with the DescribeTasks API operation. When the task stops or if the service is scaled down, the task ENI is detached and deleted.
我们无法修改 ECS 任务 ENI 的任何属性,因为它由 ECS 本身管理。
按照文档[1],这些 ENI 完全由 ECS 管理,我们无法修改任务 ENI 的任何属性。
因此,无法在 ECS 管理的容器 ENI 上禁用源/目标检查。
参考文献:[1]:https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking-awsvpc.html
这仅适用于awspvc网络模式,由Fargate使用。
据我所知,有两种可能的解决方法:
- 禁用实例 ENI 上的 Source/dest 检查,然后配置从主实例 ENI 到 Docker 容器的路由。
- 改用ECS EC2,并选择不同的网络模式。