By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

Cannot access ECS service unless inbound rule allows all traffic

0

Hello, I have created an ECS service. Specifically I've created it following these instructions https://github.com/dagster-io/dagster/tree/master/examples/deploy_ecs

The service was created properly and I can access it. However, it was created with a security group that has a 0.0.0.0/0 TCP inbound rule. When I remove the rule, and replace it with rules for my specific IP address, I can no longer access my application. I've verified that it is the correct IP address; I've tried multiple IP addresses from multiple people at multiple physical locations; I've tried with devices that don't have firewalls or vpns or proxies; I've tried IPV4 and IPV6. I tried enabling access logs within the load balancer but that seems like the wrong approach as it only logs TLS not TCP.

I don't have any other ideas for what could be causing this issue. As soon as I re-add the 0.0.0.0/0 rule it works again, which seems to eliminate a lot of the possible issues I've come accross. I'm new to ECS and would appreciate some help!

Topics
Networking & Content Delivery
Tags
Amazon VPCNetworking & Content DeliveryElastic Load BalancingSecurity Group
Language
English
austeane
asked 4 months ago92 views
1 Answer
0

As you are using a load balancer, You will need to put your IP address in the security group of the load balancer not the SG on the ecs service

The security group on the ecs service only needs to allow IP from your internal network load balancer. You which is the load balancer IP addresses.

profile picture
EXPERT
Gary Mclean
answered 4 months ago
  • austeane
    4 months ago

    Hm, I'm using a Network Load Balancer which I think doesn't have any security group attached.

  • Gary Mclean EXPERT
    4 months ago

    Ok that makes sense. So your ecs security group will have to allow the ip addresses from your NLB. These will be internal ip addresses from the subnet that your NLB is attached too. You can’t lock this down to your own IP addresses!!

    The only way round this is too move to an ALB with your Ecs services registered to target groups and follow my answer to support what your trying to achieve.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content