CannotPullContainerError from a public Fargate service after creating an ECR VPC endpoint with private DNS name enabled

To make a Fargate service in a private subnet work, I created an ECR VPC endpoint, an S3 gateway endpoint and a logs VPC endpoint.

However, after creating the ECR endpoint, my service in the public subnet can no longer pull its container: CannotPullContainerError: Error response from daemon

The service in the public subnet has a public IP assigned automatically.

If I turn off the private DNS name that is enabled for the ECR endpoint, the public service runs again, but now the service in the private subnet cannot pull its container...

What am I missing?

pllpll2003 answered: CannotPullContainerError from a public Fargate service after creating an ECR VPC endpoint with private DNS name enabled

I managed to solve this as follows:

vpc.tf

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"

  create_vpc = var.create_vpc

  // other config ...

  // Gateway endpoint: ECR image layers are served from S3
  enable_s3_endpoint = true

  // Interface endpoint for the ECR registry; with private DNS enabled,
  // every resolver in the VPC gets the endpoint ENI addresses for
  // *.dkr.ecr.<region>.amazonaws.com
  enable_ecr_dkr_endpoint              = true
  ecr_dkr_endpoint_private_dns_enabled = true
  ecr_dkr_endpoint_security_group_ids  = aws_security_group.vpc_endpoints.*.id
}

resource "aws_security_group" "vpc_endpoints" {
  count = var.create_vpc ? 1 : 0

  name   = "PrivateLink endpoints security group"
  vpc_id = module.vpc.vpc_id
}

resource "aws_security_group_rule" "ingress_https" {
  count = var.create_vpc ? 1 : 0

  type        = "ingress"
  from_port   = 443
  to_port     = 443
  protocol    = "tcp"
  // private_subnets_cidr_blocks is already a list; wrapping it in [...]
  // would produce a list of lists and fail type checking
  cidr_blocks = module.vpc.private_subnets_cidr_blocks

  description       = "HTTPS access to VPC Endpoints"
  security_group_id = aws_security_group.vpc_endpoints[0].id
}

ecs-security-groups.tf

// Module inputs referenced below
variable "create" {}
variable "name" {}
variable "vpc_id" {}
variable "private_subnets_cidr_blocks" {}

resource "aws_security_group" "ecs" {
  count  = var.create ? 1 : 0
  name   = "${var.name}-ecs"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "egress_https_vpc" {
  count = var.create ? 1 : 0

  type        = "egress"
  from_port   = 443
  to_port     = 443
  protocol    = "tcp"
  cidr_blocks = var.private_subnets_cidr_blocks

  description       = "HTTPS access to VPC Endpoints"
  security_group_id = aws_security_group.ecs[0].id
}

For reference, I got the CannotPullContainerError: Error response from daemon mentioned above when neither the security group on the endpoints nor the one on the ECS service was configured to allow HTTPS traffic between them.

HTH
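The answer above allows the endpoint traffic by private-subnet CIDR, but once private DNS is enabled, tasks in the public subnet are also sent to the endpoint ENIs, so their source addresses fall outside those CIDRs. The following added example (not the answerer's code or the module's) expresses the same allow rules as security-group references instead, which match a task wherever it runs; it uses a raw aws_vpc_endpoint rather than the module flags and assumes `var.region`, `module.vpc.vpc_id`, `module.vpc.private_subnets` and the `aws_security_group.ecs` resource from the answer.

```hcl
# Added example, not the answerer's code. Assumes the "vpc" module and
# aws_security_group.ecs from the answer, plus var.region for the service name.

resource "aws_security_group" "endpoints" {
  name   = "privatelink-endpoints"
  vpc_id = module.vpc.vpc_id
}

# Only the ECS task security group may reach the endpoint ENIs on 443.
# A security-group reference matches tasks in public and private subnets
# alike, so the rule keeps working when private DNS redirects public tasks.
resource "aws_security_group_rule" "endpoint_ingress_from_ecs" {
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ecs[0].id
  security_group_id        = aws_security_group.endpoints.id
  description              = "HTTPS from ECS tasks to PrivateLink endpoints"
}

# Matching egress on the task side, scoped to the endpoint security group
# instead of a subnet CIDR (for egress rules the provider still uses the
# source_security_group_id attribute to name the destination group).
resource "aws_security_group_rule" "ecs_egress_to_endpoints" {
  type                     = "egress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.endpoints.id
  security_group_id        = aws_security_group.ecs[0].id
  description              = "HTTPS from ECS tasks to PrivateLink endpoints"
}

# Interface endpoint for the ECR registry with private DNS enabled.
# Image layers are still fetched from S3, so the S3 gateway endpoint from
# the answer remains necessary.
resource "aws_vpc_endpoint" "ecr_dkr" {
  vpc_id              = module.vpc.vpc_id
  service_name        = "com.amazonaws.${var.region}.ecr.dkr"
  vpc_endpoint_type   = "Interface"
  private_dns_enabled = true
  subnet_ids          = module.vpc.private_subnets
  security_group_ids  = [aws_security_group.endpoints.id]
}
```

If the ECS security group has no other egress rule, public-subnet tasks keep their public IP but can no longer reach anything except the endpoints on 443, which is the intended least-privilege outcome for image pulls.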

Article link: https://www.f2er.com/3030606.html
