ECS Networking - (awsvpc, bridge, host, none)
Rajit Paul
Posted on May 9, 2022
Hi folks, Elastic Container Service (ECS) is one of the container offerings from AWS. ECS lets us run any number of Docker containers across a managed cluster of EC2 instances. It helps isolate our workloads and achieve a faster time to market, with efficient scaling in place. It is secure, and you can easily migrate your on-prem container workloads to ECS and back.
Let's deep dive into the different network modes on ECS and see how they differ from one another.
We have four network modes in ECS:
- awsvpc: A separate Elastic Network Interface (ENI) is allocated to the task, together with a primary IPv4 address. The task's networking behaves the same as an EC2 instance's networking.
  - When you create the task definition you will see a warning that the containers in the task will share one ENI and that port mappings can only specify container ports.
  - We cannot set host port mappings, because the network mode is awsvpc.
  - Once the service is created, we can check the task and see that an ENI is assigned to the task and shared by all the containers inside it.
  - If we SSH into the instance and curl the private IP associated with the task ENI, we can access the website running in the container.
  - In this network mode we cannot access the website using the public or private IP of the task host (the EC2 instance).
- bridge: In bridge network mode the task uses the built-in Docker virtual network (VNet), which also allows the task to communicate with other tasks.
  - Once we select bridge network mode for the task, we can see a host port mapping available alongside the container port.
  - If we check the task networking, the container does not have any additional network interface, as it uses only the Docker virtual network.
  - We access the website running in the container using the Docker host IP (the Amazon EC2 instance).
- host: Host network mode lets the task bypass the built-in Docker virtual network and maps the container port directly onto the ENI of the task host (the Amazon EC2 instance). As a result, we cannot run multiple instances of the same task on the same host when port mappings are used and the network mode is host.
  - In this case the container uses the instance's network stack.
  - We can access the website running in the container using the Docker host public IP (the EC2 instance public IP).
- none: A black hole; the task does not have any external network connectivity.
  - In the network section of the task you will see a message stating that the container will not have any external connectivity.
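To make the port-mapping rules above concrete, here is an added example (not AWS code, and not from this post) that checks a task definition's port mappings against its network mode: in awsvpc and host mode the host port can only be omitted or equal the container port, and because all containers in the task share one interface no two containers may listen on the same port; in bridge mode host ports may differ or be dynamic (0); in none mode a port mapping is meaningless. The task definitions are constructed samples, and a missing networkMode is assumed to mean bridge.

```python
"""Check ECS task-definition port mappings against the network-mode rules
described above. Added example, not AWS code; sample definitions are constructed."""
from typing import Any

def check_port_mappings(task_def: dict[str, Any]) -> list[str]:
    """Return a list of problems found in the task definition; [] means consistent."""
    mode = task_def.get("networkMode", "bridge")  # assumption: EC2 default is bridge
    problems: list[str] = []
    bound: dict[int, str] = {}  # port bound on the shared interface -> container name
    for cdef in task_def.get("containerDefinitions", []):
        name = cdef.get("name", "<unnamed>")
        for pm in cdef.get("portMappings", []):
            cport, hport = pm.get("containerPort"), pm.get("hostPort")
            if mode == "none":
                problems.append(f"{name}: port {cport} mapped but mode 'none' has no connectivity")
                continue
            if mode in ("awsvpc", "host"):
                # task ENI (awsvpc) or instance ENI (host): only the container port can be chosen
                if hport not in (None, cport):
                    problems.append(f"{name}: {mode} mode cannot remap {cport} to host port {hport}")
                listen = cport
            else:  # bridge: host port may differ, or be 0/omitted for a dynamic host port
                listen = hport if hport else None
            if listen is None:
                continue
            if listen in bound:
                problems.append(f"{name}: port {listen} already bound by container '{bound[listen]}'")
            else:
                bound[listen] = name
    return problems

# Constructed sample task definitions (not real AWS resources).
AWSVPC_OK = {"networkMode": "awsvpc", "containerDefinitions": [
    {"name": "web", "portMappings": [{"containerPort": 80, "hostPort": 80}]}]}
AWSVPC_REMAP = {"networkMode": "awsvpc", "containerDefinitions": [
    {"name": "web", "portMappings": [{"containerPort": 80, "hostPort": 8080}]}]}
AWSVPC_SHARED_ENI_CLASH = {"networkMode": "awsvpc", "containerDefinitions": [
    {"name": "web", "portMappings": [{"containerPort": 80}]},
    {"name": "sidecar", "portMappings": [{"containerPort": 80}]}]}
BRIDGE_OK = {"networkMode": "bridge", "containerDefinitions": [
    {"name": "web", "portMappings": [{"containerPort": 80, "hostPort": 8080}]},
    {"name": "admin", "portMappings": [{"containerPort": 80, "hostPort": 0}]}]}
NONE_WITH_PORTS = {"networkMode": "none", "containerDefinitions": [
    {"name": "batch", "portMappings": [{"containerPort": 80}]}]}

if __name__ == "__main__":
    for label, td in [("awsvpc remap", AWSVPC_REMAP), ("bridge", BRIDGE_OK)]:
        print(label, check_port_mappings(td) or "ok")
```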
I hope this has helped you get an idea of ECS networking. Follow me for more blogs on AWS & DevOps.
Feel free to connect with me on LinkedIn!