Cannot access fargate task with public ip through UDP or ping


Hi, I have a CloudFormation stack created through AWS SAM using this template:

```yaml
  ContainerRepository:
    Type: AWS::ECR::Repository
    Properties:
      EmptyOnDelete: true
      RepositoryPolicyText: '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow",
                "Effect": "Allow",
                "Principal": {
                    "Service": "ecs-tasks.amazonaws.com"
                },
                "Action": [
                    "ecr:*"
                ]
            }
        ]
        }'

  GameServerLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '/ecs/${AWS::StackName}-container'
      RetentionInDays: 7

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Cpu: 256
      Memory: 512
      ExecutionRoleArn: !Ref AllowAllRoleArn
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      RuntimePlatform:
        CpuArchitecture: X86_64
        OperatingSystemFamily: LINUX
      TaskRoleArn: !Ref AllowAllRoleArn
      ContainerDefinitions:
        - Name: !Sub '${AWS::StackName}-container'
          Essential: true
          Image: !GetAtt ContainerRepository.RepositoryUri
          PortMappings:
            - ContainerPort: 13333
              Protocol: udp
          RestartPolicy:
            Enabled: false
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Sub '/ecs/${AWS::StackName}-container'
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: ecs

  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Sub '${AWS::StackName}-cluster'
      CapacityProviders:
        - FARGATE
        - FARGATE_SPOT
      DefaultCapacityProviderStrategy:
        - CapacityProvider: FARGATE_SPOT
          Base: 1
          Weight: 1
      ClusterSettings:
        - Name: containerInsights
          Value: enabled
      Configuration:
        ExecuteCommandConfiguration:
          Logging: DEFAULT

  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true

  InternetGateway:
    Type: AWS::EC2::InternetGateway

  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/16
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      MapPublicIpOnLaunch: true

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable

  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable UDP access for game server
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
        - IpProtocol: -1
          CidrIpv6: "::/0"
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: 0.0.0.0/0
        - IpProtocol: "-1"
          CidrIpv6: "::/0"
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-sg'
```

My Dockerfile looks like this:

```dockerfile
FROM ubuntu:23.10

WORKDIR /app

COPY . /app

RUN chmod +x ./GameServer

EXPOSE 13333/udp

CMD ["./GameServer"]
```

When I manually launch a task, everything is created fine: I can see my game server being launched in the logs. However, I cannot ping or connect to my instance using its public IP. Did I do anything wrong?

Thanks a lot.
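The security group in the template above opens every protocol and port (`IpProtocol: -1`) to `0.0.0.0/0` and `::/0`, so it permits udp/13333 but is far broader than the game server needs. The following added example (not code from the post or from AWS) evaluates a list of ingress rules written with the same keys as the CloudFormation `SecurityGroupIngress` entries, answers whether a given protocol/port/source would be admitted, and flags wide-open entries. The `TIGHTENED_INGRESS` rule set is an assumption of this example: a least-privilege alternative limited to the UDP game port.

```python
import ipaddress

# Ingress rules copied from the question's template (constructed as dicts
# with the same keys the YAML uses; the unquoted -1 parses as an int in YAML).
QUESTION_INGRESS = [
    {"IpProtocol": -1, "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": -1, "CidrIpv6": "::/0"},
]

# Assumed least-privilege alternative, not from the post: only the game port.
TIGHTENED_INGRESS = [
    {"IpProtocol": "udp", "FromPort": 13333, "ToPort": 13333, "CidrIp": "0.0.0.0/0"},
]


def rule_matches(rule, protocol, port, source_ip):
    """Return True if one ingress rule admits protocol/port from source_ip.

    Mirrors how a VPC security group evaluates an entry: IpProtocol -1 means
    every protocol and port (FromPort/ToPort are ignored); otherwise the
    protocol must match and the port must fall inside FromPort..ToPort.
    """
    proto = str(rule.get("IpProtocol"))
    if proto != "-1":
        if proto != protocol:
            return False
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    src = ipaddress.ip_address(source_ip)
    cidr_key = "CidrIp" if src.version == 4 else "CidrIpv6"
    if cidr_key not in rule:
        return False  # a v4 rule never matches a v6 source and vice versa
    return src in ipaddress.ip_network(rule[cidr_key], strict=False)


def allows(rules, protocol, port, source_ip):
    """Security groups are allow-lists: any matching rule admits the packet."""
    return any(rule_matches(r, protocol, port, source_ip) for r in rules)


def overly_broad(rules):
    """Entries that open every protocol and port to the whole internet."""
    return [
        r for r in rules
        if str(r.get("IpProtocol")) == "-1"
        and (r.get("CidrIp") == "0.0.0.0/0" or r.get("CidrIpv6") == "::/0")
    ]


if __name__ == "__main__":
    # 203.0.113.7 is a constructed documentation-range client address.
    for name, rules in (("question", QUESTION_INGRESS), ("tightened", TIGHTENED_INGRESS)):
        print(name, "udp/13333 allowed:", allows(rules, "udp", 13333, "203.0.113.7"),
              "tcp/22 allowed:", allows(rules, "tcp", 22, "203.0.113.7"),
              "wide-open entries:", len(overly_broad(rules)))
```

Run against the question's rules the checker shows the group is not what blocks udp/13333, and that it also admits every other protocol and port; the tightened set admits only the game port, which is the shape a reviewer would ask for before the stack is exposed with a public IP.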

1 Answer

Based on your configuration, there are a few reasons why you might not be able to ping or connect to your Fargate task using its public IP:

  1. Ping (ICMP) is not supported by default for Fargate tasks. The security group you've defined allows all traffic (-1 protocol), but Fargate does not support ICMP traffic, so you won't be able to ping the task.

  2. For UDP connections, make sure your client is trying to connect to the correct port (13333 in this case).

  3. Fargate tasks in public subnets with public IPs are designed primarily for outbound internet access. Inbound connections are typically handled through load balancers or service discovery.

  4. The task's network interface is not directly exposed to the internet. Even though it has a public IP, it's behind NAT, which can affect direct UDP connections.

To resolve this:

  1. For testing UDP connectivity, use a tool specifically designed for UDP rather than ping.

  2. Consider using an Application Load Balancer (ALB) or Network Load Balancer (NLB) in front of your Fargate service to handle inbound connections. An NLB would be more suitable for UDP traffic.

  3. If you need direct access to the task, you might want to consider using EC2 instances instead of Fargate, as they provide more network flexibility.

  4. Ensure that your game client is correctly configured to use the public IP and port of your Fargate task.

  5. Double-check that your container is actually listening on the specified port (13333) and that it's bound to 0.0.0.0 instead of localhost.

Remember that Fargate is designed with certain network restrictions for security reasons, which can make direct UDP connections challenging in some scenarios.
Sources
Unable to resolve a DNS in AWS ECS Fargate | AWS re:Post
Connect ECS Fargate Service/Task from public | AWS re:Post
ECS Fargate tasks- How to avoid assignment of public IPv4? | AWS re:Post

answered a month ago
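Two of the answer's checks, probing with a UDP tool instead of ping and confirming the server is bound to 0.0.0.0 rather than localhost, can be exercised locally before looking at the cloud side. The following is an added example, not code from the post or from AWS: a minimal UDP echo listener started on a chosen bind address, and a one-datagram probe that reports whether anything answered on the exact protocol and port the port mapping and security group must allow. The `PROBE` payload and the echo behaviour are constructed for the example; the real `GameServer` binary's protocol is not known from the post.

```python
import socket
import threading

PROBE = b"probe-13333"  # constructed payload for the example


def start_echo_server(bind_addr="0.0.0.0", port=0):
    """Start a UDP echo listener in a background thread.

    Returns (bound_port, stop_event). Binding to 0.0.0.0 is what a container
    needs so datagrams arriving on the task's ENI are delivered; binding to
    127.0.0.1 only accepts traffic originating inside the container itself.
    port=0 asks the OS for a free port, which the caller reads back.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(0.2)  # short timeout so the loop can notice stop_event
    bound_port = sock.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(2048)
            except socket.timeout:
                continue
            sock.sendto(b"echo:" + data, peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return bound_port, stop


def udp_probe(host, port, payload=PROBE, timeout=2.0):
    """Send one datagram and wait for a reply; None means nothing answered.

    Unlike ICMP ping, this exercises the real path: udp/<port> through the
    security group, the awsvpc port mapping, and the process's bind address.
    Any socket error (timeout, port unreachable) is reported as no answer.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        client.settimeout(timeout)
        try:
            client.sendto(payload, (host, port))
            data, _ = client.recvfrom(2048)
        except OSError:
            return None
    return data


if __name__ == "__main__":
    # Local self-check on the game port from the post; point udp_probe at the
    # task's public IP instead once the listener runs in Fargate.
    port, stop = start_echo_server("0.0.0.0", 13333)
    print("reply:", udp_probe("127.0.0.1", port))
    stop.set()
```

A reply proves the listener, port and protocol line up end to end; no reply with the listener known to be running points at the bind address, the port mapping, or the network path rather than at the server process.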
