问题描述
我创建了一个 Fargate 集群和两个任务定义(task1 和 task2)。 Task1 触发并启动 task2。这一切都在私有子网中完成。我对 task2 分配了一个公共 ip 有问题,即使它被明确定义为位于私有子网中。当 task1 尝试通过 ssh 进入 task2 时它会失败,因为安全组不允许连接到公共 ip。 Task2 定义了一个适当的私有 ip,它位于私有子网的 CIDR 内。但出于某种原因,task1 似乎优先考虑公共 ip。有什么办法可以关闭公共 ip 声明。
简单来说,
一切都使用 cloudformation 进行设置:
Service:
Type: AWS::ECS::Service
Properties:
ServiceName: !Sub ecs-service-${ServiceName}
Cluster:
Fn::ImportValue: !Sub "ecs-cluster-${ServiceName}-Cluster"
DesiredCount: !Ref DesiredCount
LaunchType: FARGATE
TaskDeFinition: !Ref RunnerTaskDeFinition
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: disABLED
subnets:
- !Ref subnetId
SecurityGroups:
- !Ref SecurityGroup
Task1:
Type: AWS::ECS::TaskDeFinition
Properties:
Family: !Ref ServiceName
ExecutionRoleArn: !Ref TaskRole
TaskRoleArn: !Ref TaskRole
RequiresCompatibilities:
- FARGATE
cpu: !Ref Fargatecpu
Memory: !Ref FargateMemory
NetworkMode: awsvpc
ContainerDeFinitions:
- Name: task-1
Image: !Ref RunnerUri
PortMappings:
- ContainerPort: !Ref ContainerPort
- ContainerPort: 22
- ContainerPort: 443
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Ref ServiceName
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: !Ref ServiceName
Task2:
Type: AWS::ECS::TaskDeFinition
Properties:
Family: task-2
ExecutionRoleArn: !Ref TaskRole
TaskRoleArn: !Ref TaskRole
RequiresCompatibilities:
- FARGATE
cpu: !Ref Fargatecpu
Memory: !Ref FargateMemory
NetworkMode: awsvpc
ContainerDeFinitions:
- Name: task-2
Image: !Ref CIUri
PortMappings:
- ContainerPort: 80
- ContainerPort: 22
- ContainerPort: 443
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Sub ${ServiceName}-task-2
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: !Sub ${ServiceName}-task-2
解决方法
您正在获取公共 IP,因为您的私有子网已设置为分配公共 IP。您可以将 disable it 作为其私有子网,因此无需启用此选项。