Skip to content

Network mode bridge #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
akmhmgc wants to merge 3 commits into
base: improvement
Choose a base branch
from
Open

Network mode bridge #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
4aab8d4
[WIP]
akmhmgc Aug 27, 2024
2c96edf
feat: execute ecs task in bridge network mode
akmhmgc Aug 27, 2024
f40ae97
feat: add network mode bridge
akmhmgc Aug 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion alb.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ resource "aws_lb_target_group" "nginx_tg" {
port = 80
Copy link
Owner Author

@akmhmgc akmhmgc Aug 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

動的ポートマッピングの場合ecs-service-schedulerというユーザーが動的にターゲットグループ割り当て時にポートを決定しているのでここのポート指定は結局上書きされるので、ターゲットグループ作成時のポートは実はなんでも良い

image image

ref: https://dev.classmethod.jp/articles/dynamic-portmapping-elb-ecs/

デフォルトでは、ロードバランサーはターゲットグループの作成時に指定したプロトコルとポート番号を使用して、リクエストをターゲットにルーティングします。または、ターゲットグループへの登録時にターゲットへのトラフィックのルーティングに使用されるポートを上書きすることもできます。
ルーティング設定

protocol = "HTTP"
vpc_id = aws_vpc.main.id
target_type = "ip"
target_type = "instance"
}
Copy link
Owner Author

@akmhmgc akmhmgc Aug 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bridge modeの場合インスタンスとポート番号さえわかれば良い
一方で、awsvpcの場合タスクごとでENIが異なるのでインスタンスとポート番号だけだとリクエストの送り先が定まらない


resource "aws_lb_listener" "nginx_listener" {
Expand Down
7 changes: 7 additions & 0 deletions ec2.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,13 @@ resource "aws_security_group" "ecs_instance_sg" {
name_prefix = "ecs-instance-sg-"
vpc_id = aws_vpc.main.id

ingress {
from_port = 32768
to_port = 60999
Comment on lines +43 to +44
Copy link
Owner Author

@akmhmgc akmhmgc Aug 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ロードバランサーからコンテナインスタンスへのインバウンドトラフィックを受け入れるルールを追加します。セキュリティグループとネットワークアクセスコントロールリスト (ネットワーク ACL) では、ロードバランサーからインスタンスへのトラフィックをエフェメラルポート範囲で受け入れる必要があります。
https://repost.aws/ja/knowledge-center/dynamic-port-mapping-ecs

上記のように、受け入れる必要があるのはエフェメラルポートだけで十分

多くの Linux カーネル (Amazon Linux カーネルを含む) は、ポート 32768~61000 を使用します。
https://docs.aws.amazon.com/ja_jp/vpc/latest/userguide/nacl-ephemeral-ports.html

とあるが、

sysctl net.ipv4.ip_local_port_range

でエフェメラルポートは確認可能

protocol = "tcp"
security_groups = [aws_security_group.nginx_sg.id]
}

egress {
from_port = 0
to_port = 0
Expand Down
12 changes: 4 additions & 8 deletions ecs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ resource "aws_iam_role" "ecs_task_exec" {

resource "aws_ecs_task_definition" "nginx_task" {
family = "nginx_task"
network_mode = "awsvpc"
network_mode = "bridge"
execution_role_arn = aws_iam_role.ecs_task_exec.arn
requires_compatibilities = ["EC2"]
cpu = "256"
Expand All @@ -34,7 +34,7 @@ resource "aws_ecs_task_definition" "nginx_task" {
portMappings = [
{
containerPort = 80
hostPort = 80
hostPort = 0
Copy link
Owner Author

@akmhmgc akmhmgc Aug 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

動的ポートマッピングによってホスト側のエフェメラルポートを動的に割り当ててくれる

}
]
logConfiguration = {
Expand Down Expand Up @@ -72,13 +72,9 @@ resource "aws_ecs_service" "nginx_service" {
name = "nginx_service"
cluster = aws_ecs_cluster.main.id
task_definition = aws_ecs_task_definition.nginx_task.arn
desired_count = 2
desired_count = 3
launch_type = "EC2"
network_configuration {
subnets = [aws_subnet.sub.id]
security_groups = [aws_security_group.ecs_http_sg.id]
}
depends_on = [aws_lb_target_group.nginx_tg]
depends_on = [aws_lb_target_group.nginx_tg]
load_balancer {
target_group_arn = aws_lb_target_group.nginx_tg.arn
container_name = "nginx"
Expand Down