ECS with AutoScalingGroup cannot use awsvpcTrunking

0

We have an ECS cluster with an autoscaling group (EC2 - m5.large). We want to place more than 3 tasks per instance using the awsvpcTrunking feature, with no luck. We have followed the ENI developer guide (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-instance-eni.html) taking into account:

  • We use the Amazon Linux 2023 EC2 AMI. These are the networking settings: [image]
  • In the Account Settings, AWSVPC Trunking is turned on: [image]

As you can see, 2 tasks started and the remaining are in provisioning state: [image] [image]

asked 7 months ago, 299 views
2 Answers
1

Hello,

Please make sure that the requirements for using the ENI trunking feature are being considered.

Your account must have the AWSServiceRoleForECS service-linked role for ECS.

Also, only new Amazon EC2 instances launched after enabling awsvpcTrunking receive the increased ENI limits and the trunk network interface. Previously launched instances do not receive these features regardless of the actions taken.

You may check the detailed ENI trunking considerations in the link below:

[+] ENI trunking considerations - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-instance-eni.html#eni-trunking-considerations

Further, you may go through the following documents for information related to "awsvpcTrunking":

Also, please refer to the document below for Amazon ECS cluster auto scaling: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cluster-auto-scaling.html

Thank You!

AWS
answered 7 months ago
0

It's quite confusing but this is NOT a global or account level setting despite it being implied. When it says "AWSVPC Trunking Turned On", it's ONLY showing how it's currently set for the user or role you are logged into the AWS console as.

You are likely launching the ECS cluster instance (EC2) with a different IAM role attached. You can tell by going to EC2, clicking your ECS instance, clicking Security and looking at the "IAM Role". If that's different to what's displayed on the EC2 > Account Setting page under Account Info (which lists the IAM user or role you are assuming), then that's your problem.

If that is the case, make sure your role policy has ecs:PutAccountSetting allowed. Then you can run aws ecs put-account-setting --name awsvpcTrunking --value enabled --region yourregion on the EC2 instance, or include that command in the user data when you launch the instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html).

Let me know if that helps, or if I can clarify anything further. I had the same problem today.

joshua
answered 6 months ago
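
The per-principal behaviour described in the answer above can be checked from the command line. This is an added example, not part of either answer; the function names are hypothetical, and it assumes a configured AWS CLI and an instance role without an IAM path.

```shell
#!/bin/sh
# Added diagnostic sketch: compare the effective awsvpcTrunking setting
# per principal, and list instances that actually received a trunk ENI.

# Convert an STS assumed-role ARN (what get-caller-identity returns on an
# instance) into the IAM role ARN that ECS account settings are keyed on.
# Assumption: the role has no IAM path (the path is absent from the STS ARN).
role_arn_from_caller() {
  case "$1" in
    arn:*:sts::*:assumed-role/*)
      partition=$(printf '%s' "$1" | cut -d: -f2)
      account=$(printf '%s' "$1" | cut -d: -f5)
      role=$(printf '%s' "$1" | cut -d/ -f2)
      printf 'arn:%s:iam::%s:role/%s\n' "$partition" "$account" "$role"
      ;;
    *) printf '%s\n' "$1" ;;   # IAM user or role ARN: use as-is
  esac
}

# Effective awsvpcTrunking value ("enabled"/"disabled") for one principal.
trunking_for_principal() {
  aws ecs list-account-settings --name awsvpcTrunking --effective-settings \
    --principal-arn "$1" --query 'settings[0].value' --output text
}

# Container instances in cluster $1 that were launched with a trunk ENI.
trunked_instances() {
  aws ecs list-attributes --cluster "$1" --target-type container-instance \
    --attribute-name ecs.awsvpc-trunk-id \
    --query 'attributes[].targetId' --output text
}

# Report the setting as seen by the credentials this shell is using.
# Run it on the container instance to see what the instance role gets.
# Returns 0 only when trunking is enabled for that principal.
check_trunking() {
  caller=$(aws sts get-caller-identity --query Arn --output text) || return 2
  principal=$(role_arn_from_caller "$caller")
  value=$(trunking_for_principal "$principal") || return 2
  echo "principal=$principal awsvpcTrunking=$value"
  [ "$value" = "enabled" ]
}
```

If check_trunking reports disabled for the instance role, an administrator can run aws ecs put-account-setting-default --name awsvpcTrunking --value enabled once instead of granting ecs:PutAccountSetting to every instance role. Only instances launched after the change appear in trunked_instances.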
