
Nginx task on ecs not accessible through public ip

0

I have a docker build that I can access and run locally. After I successfully deploy this image to my ecs fargate cluster task I try and access it using the public ip address. It just hangs and eventually fails. So far I've checked the security group and its using the default for my vpc which is set to allow all inbound and outbound. Same for the nacl. Not sure what to try next

asked 2 years ago · 942 views
4 Answers
1
Accepted Answer

Ok, I just created a new rule that allows HTTP on port 80 from 0.0.0.0/0. That works.

answered 2 years ago
EXPERT
reviewed 2 years ago
1

Hello.

If you look at the security group rules in the image, the security group is referenced in the inbound rule.
In other words, although port numbers etc. are allowed, access is not possible unless the connection source uses the default security group.
So, if you want to continue using that security group, you need to add an inbound rule with the source set to 0.0.0.0/0.
When launching a single task, you can select your own security group by opening "Networking".
By default, the VPC's "default" security group is selected.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/standalone-task-create.html

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
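The self-referencing rule described in the answer above can be checked offline with the following script. It is an added example, not code from the answer or from AWS: the rule dicts are constructed in the same shape as the IpPermissions list that boto3's describe_security_groups returns, sg-c82491b7 is the group id quoted in the thread, and 203.0.113.10 is a placeholder client address.

```python
"""Classify security-group ingress the way the VPC Reachability Analyzer verdict does.

Rule dicts below are constructed; real ones come from
boto3.client("ec2").describe_security_groups(GroupIds=[...])["SecurityGroups"][0]["IpPermissions"].
"""
import ipaddress


def rule_covers(rule, port, protocol="tcp"):
    """True if an IpPermissions entry matches this protocol/port ('-1' means all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != protocol:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def ingress_sources(rules, port, protocol="tcp"):
    """Return (cidr_sources, sg_sources) allowed to reach `port` on an ENI carrying these rules."""
    cidrs, groups = set(), set()
    for rule in rules:
        if not rule_covers(rule, port, protocol):
            continue
        cidrs.update(r["CidrIp"] for r in rule.get("IpRanges", []))
        cidrs.update(r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []))
        groups.update(p["GroupId"] for p in rule.get("UserIdGroupPairs", []))
    return cidrs, groups


def reachable_from(rules, client_ip, port, protocol="tcp"):
    """True if a client that is not a member of any SG is admitted by a CIDR rule."""
    ip = ipaddress.ip_address(client_ip)
    cidrs, _ = ingress_sources(rules, port, protocol)
    # ipaddress returns False for a v4 address tested against a v6 network and vice versa.
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


# Constructed: a VPC "default" SG as in the thread. All traffic is allowed, but the only
# source is the group itself, so only ENIs that also carry this SG are admitted.
DEFAULT_SG_RULES = [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-c82491b7"}]},
]
# Constructed: the fix from the accepted answer, one explicit rule for tcp/80 from anywhere.
HTTP_FROM_ANYWHERE = {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
FIXED_SG_RULES = DEFAULT_SG_RULES + [HTTP_FROM_ANYWHERE]


def diagnose(rules, port=80, client_ip="203.0.113.10"):
    """Produce the analyzer-style verdict for an internet client hitting `port`."""
    cidrs, groups = ingress_sources(rules, port)
    if reachable_from(rules, client_ip, port):
        return "OK: tcp/%d open from %s" % (port, sorted(cidrs))
    if groups:
        return "ENI_SG_RULES_MISMATCH: only members of %s may connect" % sorted(groups)
    return "ENI_SG_RULES_MISMATCH: no ingress rule covers tcp/%d" % port


if __name__ == "__main__":
    print(diagnose(DEFAULT_SG_RULES))
    print(diagnose(FIXED_SG_RULES))
```

When applying the fix, open only the port nginx listens on rather than all traffic from 0.0.0.0/0, so the self-referencing rule remains the only path between tasks.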
0

You said you checked the security groups. It's worth double-checking.

Make sure the SG is attached to the correct port. Are you using HTTP or HTTPS?

Are your task definitions mapped correctly to the ports?

Make sure the tasks are assigned public IPs. Check the Nginx config. Is it configured to listen on all network interfaces?

Do you have logs of your container health? docker logs <container_id>.

Are you using a load balancer? Make sure it is configured correctly.

Check these steps in order.

answered 2 years ago
  • My security group is set to all traffic, protocols and port ranges. I'm using HTTP. My task def is mapped to port 80, which is what my nginx.conf is mapped to. My task is assigned an IGW via the route table. Yes, my nginx config is set to listen 0.0.0.0:80; As far as logs, I have the nginx logs going out to stdout but I don't see them, but I think that's because nothing is able to hit it. I have an API server on the same container and those logs show on startup because it doesn't need anything to hit it. I am not using a load balancer yet, but will do so once I fix this issue. Right now I'm just trying to hit my container on port 80.

0

Ok, found the issue but have no idea why it would even occur. Did a reachability analysis on both the inbound and the outbound. The outbound from the ENI to the IGW works. But coming in from the IGW to the ENI fails. ENI_SG_RULES_MISMATCH: None of the ingress rules in the following security groups apply: sg-c82491b7. See sg-c82491b7. This makes no sense to me as the SG is the default, I never set it, and it is also used by my ECS service and tasks. In addition, that SG inbound is open to all types and ports. Do I need to create a new SG just for my ENI? This is my inbound default SG.

answered 2 years ago
