【发布时间】:2021-07-28 03:41:33
【问题描述】:
我创建了一个 Fargate 集群和两个任务定义(task1 和 task2)。 Task1 触发并启动 task2。这一切都在私有子网中完成。我对 task2 分配公共 ip 有疑问,即使它明确定义为在私有子网中。当 task1 尝试 ssh 到 task2 时,由于安全组不允许连接到公共 IP,它失败了。 Task2 定义了一个正确的私有 ip,它位于私有子网的 CIDR 内。但由于某种原因 task1 似乎优先考虑公共 ip。有什么方法可以关闭公共 ip 声明。
简单来说,
一切都是使用 cloudformation 设置的:
Service:
Type: AWS::ECS::Service
Properties:
ServiceName: !Sub ecs-service-${ServiceName}
Cluster:
Fn::ImportValue: !Sub "ecs-cluster-${ServiceName}-Cluster"
DesiredCount: !Ref DesiredCount
LaunchType: FARGATE
TaskDefinition: !Ref RunnerTaskDefinition
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: DISABLED
Subnets:
- !Ref SubnetId
SecurityGroups:
- !Ref SecurityGroup
Task1:
Type: AWS::ECS::TaskDefinition
Properties:
Family: !Ref ServiceName
ExecutionRoleArn: !Ref TaskRole
TaskRoleArn: !Ref TaskRole
RequiresCompatibilities:
- FARGATE
Cpu: !Ref FargateCpu
Memory: !Ref FargateMemory
NetworkMode: awsvpc
ContainerDefinitions:
- Name: task-1
Image: !Ref RunnerUri
PortMappings:
- ContainerPort: !Ref ContainerPort
- ContainerPort: 22
- ContainerPort: 443
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Ref ServiceName
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: !Ref ServiceName
Task2:
Type: AWS::ECS::TaskDefinition
Properties:
Family: task-2
ExecutionRoleArn: !Ref TaskRole
TaskRoleArn: !Ref TaskRole
RequiresCompatibilities:
- FARGATE
Cpu: !Ref FargateCpu
Memory: !Ref FargateMemory
NetworkMode: awsvpc
ContainerDefinitions:
- Name: task-2
Image: !Ref CIUri
PortMappings:
- ContainerPort: 80
- ContainerPort: 22
- ContainerPort: 443
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Sub ${ServiceName}-task-2
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: !Sub ${ServiceName}-task-2
【问题讨论】:
标签: amazon-web-services amazon-cloudformation amazon-ecs aws-fargate