问题描述
ELB 后面的 Docker 容器获得动态端口,这些端口自动注册到 ELB,以便它们可以将流量重定向到它们.
Docker containers behind ELB get dynamic ports which are auto registered with ELB so that they can get traffic redirected to them.
为了让 ELB 可以访问您的 Web 服务器,您必须打开所有这些端口 1024 - 65535 源自您的安全组.
In order to make your web servers accessible to ELB you have to open all these ports 1024 - 65535 originating from within your security group.
有没有办法不必向一系列端口开放安全组,而只向 ELB 使用的罐开放?
Is there a way to not to have to open up a security group to a range of port but only to the pots that ELB is using?
推荐答案
AWS 从不修改安全组,因为这可能会导致冲突和安全问题.唯一的例外是 Elastic Beanstalk 等服务.您可能必须按照论坛所说的进行操作并允许端口范围.
Security groups are never modified by AWS as this might cause conflicts and security issues. The only exception would be services such as Elastic Beanstalk. You'd likely have to do what the forum says and allow port ranges.
每个 http://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PortMapping.html
默认的临时端口范围是 49153 到 65535,此范围用于 1.6.0 之前的 Docker 版本.对于 Docker 1.6.0 及更高版本,Docker 守护进程尝试从/proc/sys/net/ipv4/ip_local_port_range 读取临时端口范围;如果此内核参数不可用,则使用默认的临时端口范围.您不应尝试在临时端口范围内指定主机端口,因为这些是为自动分配保留的.通常,低于 32768 的端口不在临时端口范围内.
如果你真的关心什么端口,就我所见,你有几个选择:
If you actually care about what ports, you have a few options as far as I can see:
- 不要专门使用 ALB 和转发端口,以便您可以在 ELB 安全组中指定它们.
- 将 ALB 放在与应用程序相同的安全组中,并使用内部安全组规则,例如
TCP 0-65535用于sg-foo其中sg-foo是 ALB 和应用程序所在的安全组 - 将 ALB 放在安全组
sg-foo中,并在sg-app上放置规则(其中sg-app是安全组组您的应用程序)并允许来自sg-app 内的
sg-foo 的流量 TCP 0-65535- Not use ALB and forward ports specifically so you can specify them in the ELB security group.
- Place the ALB in the same security group as your applications and use internal security group rules such as
TCP 0-65535forsg-foowheresg-foois the security group both the ALB and apps are in - Place the ALB in security group
sg-foo, and put a rule onsg-app(wheresg-appis the security group your applications are in) and allow trafficTCP 0-65535fromsg-fooinsidesg-app
这篇关于动态端口和 AWS Applocation 负载均衡器和 ECS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!