amazon-web-services - aws-vpc 容器无法访问互联网

Question

我在 AWS ECS 集群中创建了 ECS 服务。
我的容器使用 awsvpc 网络模式。该服务没有负载均衡器。

但它不能触及任何公共(public)互联网资源。

当我转到 ECS 实例并 ssh 进入 docker 容器时，我无法获取任何公共(public)资源。

root@ip-10-3-1-23:/app# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  *^C

root@ip-10-3-1-23:/app# wget google.com
--2019-08-31 22:34:38--  http://google.com/
Resolving google.com (google.com)... 172.217.9.206, 2607:f8b0:4004:807::200e
Connecting to google.com (google.com)|172.217.9.206|:80... ^C
root@ip-10-3-1-23:/app# 

EC2 实例安全组:

入境:

Type            Protocol        Port Range      Source                      Description
All TCP         TCP             0 - 65535       10.3.0.0/16     
SSH             TCP             22              sg-5c260123 (mgmt-bastion)  
Custom TCP Rule TCP             51678           sg-0784b8f53ab37c234 (mgmt-jenkins-sg)

出境:

Type            Protocol        Port Range      Source                      Description
All traffic     All             All             0.0.0.0/0

服务安全组:

入境:

Type            Protocol        Port Range      Source                      Description
All TCP         TCP             0 - 65535       10.3.0.0/16

出境:

Type            Protocol        Port Range      Source                      Description
All traffic     All             All             0.0.0.0/0

你能帮我调试一下吗，请问如何允许互联网访问？

Answer 1

来自 AWS Documentation :

The awsvpc network mode does not provide task ENIs with public IP addresses for tasks that use the EC2 launch type. To access the internet, tasks that use the EC2 launch type must be launched in a private subnet that is configured to use a NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide. Inbound network access must be from within the VPC using the private IP address or DNS hostname, or routed through a load balancer from within the VPC. Tasks launched within public subnets do not have outbound network access.