Dynamic ports and AWS Application Load Balancer and ECS

时间秒杀一切 submitted on 2019-12-02 13:07:35

Security groups are never modified by AWS as this might cause conflicts and security issues. The only exception would be services such as Elastic Beanstalk. You'd likely have to do what the forum says and allow port ranges.

Per http://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PortMapping.html

The default ephemeral port range is 49153 to 65535, and this range is used for Docker versions prior to 1.6.0. For Docker version 1.6.0 and later, the Docker daemon tries to read the ephemeral port range from /proc/sys/net/ipv4/ip_local_port_range; if this kernel parameter is unavailable, the default ephemeral port range is used. You should not attempt to specify a host port in the ephemeral port range, because these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.

If you actually care about what ports, you have a few options as far as I can see:

  1. Don't use ALB; forward ports specifically so you can specify them in the ELB security group.
  2. Place the ALB in the same security group as your applications and use internal security group rules such as TCP 0-65535 from sg-foo, where sg-foo is the security group both the ALB and apps are in.
  3. Place the ALB in security group sg-foo, and put a rule on sg-app (where sg-app is the security group your applications are in) that allows traffic TCP 0-65535 from sg-foo inside sg-app.

In the container instance security group, restrict incoming traffic to a port range of 32768-65535 and the relevant subnet CIDR for your VPC and load balancer (e.g., 10.0.0.0/16).
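As an added example (not code from the answer or the question), the following Python checks ECS task-definition port mappings against the Docker ephemeral range quoted above and builds the boto3-shaped ingress rules for option 3 and for the container-instance CIDR rule. The names sg-foo and sg-app and the CIDR 10.0.0.0/16 come from the answer; the task-definition mappings are constructed sample data.

```python
"""Added example: validate hostPorts against the ephemeral range and build
security-group ingress rules in the IpPermissions shape that boto3's
ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[...]) takes."""

DEFAULT_EPHEMERAL = (49153, 65535)  # default range quoted from the ECS docs


def ephemeral_range(proc_path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Docker >= 1.6.0 reads the kernel range; fall back to the default."""
    try:
        with open(proc_path) as f:
            lo, hi = f.read().split()
            return int(lo), int(hi)
    except (OSError, ValueError):
        return DEFAULT_EPHEMERAL


def invalid_host_ports(port_mappings, eph=None):
    """Return hostPorts that collide with the auto-assigned (ephemeral) range.
    hostPort 0 or missing means 'let Docker pick', which is the intended use."""
    lo, hi = eph or ephemeral_range()
    return [m["hostPort"] for m in port_mappings
            if m.get("hostPort") and lo <= m["hostPort"] <= hi]


def app_sg_ingress_from_alb_sg(alb_sg_id, lo=32768, hi=65535):
    """Option 3: allow TCP lo-hi into sg-app only from the ALB's group."""
    return [{"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
             "UserIdGroupPairs": [{"GroupId": alb_sg_id}]}]


def app_sg_ingress_from_cidr(cidr, lo=32768, hi=65535):
    """Container-instance rule: dynamic port range only from the VPC/ALB subnet CIDR."""
    return [{"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
             "IpRanges": [{"CidrIp": cidr}]}]


# Constructed sample task-definition mappings: one uses dynamic assignment,
# one pins a hostPort inside the ephemeral range (the thing the docs warn against).
SAMPLE_MAPPINGS = [
    {"containerPort": 8080, "hostPort": 0},
    {"containerPort": 9090, "hostPort": 50000},
]

if __name__ == "__main__":
    print("hostPorts colliding with ephemeral range:",
          invalid_host_ports(SAMPLE_MAPPINGS, DEFAULT_EPHEMERAL))
    print(app_sg_ingress_from_alb_sg("sg-foo"))
    print(app_sg_ingress_from_cidr("10.0.0.0/16"))
```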
