主页 / server / 问题 / 1069561
Accepted
Jethro
Asked: 2021-07-15 02:08:18 +0800 CST

禁用 src/dest 检查的 ECS Fargate 网络接口

  • 772

创建 AWS ECS Fargate 服务时,有没有办法将生成的网络接口的Source/dest check字段设置为false

该服务是按照ECS Fargate 入门指南设置的。该服务正在运行一个 squid 代理,我认为它需要能够接受发往其他 IP 的流量,类似于 NAT。

尽管拥有完整的管理员权限,但在创建后更改 src/dest 检查字段会导致权限被拒绝错误:

未能更新 eni-12345abcde 的源/目标检查:您没有访问指定资源的权限。

我认为该消息具有误导性,并且在附加网络接口时无法修改(或删除)它们,正如我在尝试删除接口时看到的类似,尽管有权限这样做。

有没有办法设置或修改 ECS Fargate 服务的网络接口以跳过 src/dest 检查?

networking amazon-web-services amazon-ecs aws-fargate

1 个回答

  1. Best Answer
    ➢ The task ENI is fully managed by Amazon ECS. Amazon ECS creates the ENI and attaches it to the host Amazon EC2 instance with the specified security group. 
     The task sends and receives network traffic over the ENI in the same way that Amazon EC2 instances do with their primary network interfaces. Each task ENI is assigned a private IPv4 address by default. 
     If your VPC is enabled for dual-stack mode and you use a subnet with an IPv6 CIDR block, the task ENI will also receive an IPv6 address. Each task can only have one ENI.

    These ENIs are visible in the Amazon EC2 console for your account, but they cannot be detached manually or modified by your account. 
    This is to prevent accidental deletion of an ENI that is associated with a running task. 
    You can view the ENI attachment information for tasks in the Amazon ECS console or with the DescribeTasks API operation. When the task stops or if the service is scaled down, the task ENI is detached and deleted.

    我们不能修改 ECS 任务 ENI 的任何属性,因为它是由 ECS 自己管理的。

    根据文档[1],这些 ENI 完全由 ECS 管理,我们不能修改任务 ENI 的任何属性。

    因此,无法在 ECS 管理的容器 ENI 上禁用源/目标检查。

    参考文献:[1]:https ://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking-awsvpc.html

    这仅适用于awspvcFargate 使用的网络模式。

    据我所知,有两种可能的解决方法:

    1. 禁用实例 ENI 的 Source/dest 检查,然后配置从主实例 ENI 到 Docker 容器的路由。
    2. 请改用 ECS EC2,并选择不同的网络模式。
    • 1

相关问题