ECS Fargate Network Interface with src/dest Check disabled
When creating an AWS ECS Fargate Service, is there a way to set the generated Network Interface's Source/dest check field to false?
The service is set-up following the ECS Fargate getting started guide. The service is running a squid Proxy, which I believe needs to be able to accept traffic destined for other IPs, similar to a NAT.
Altering the src/dest check field after creation gives permissions denied errors, despite having full Administrator permissions:
Failed to update the source/destination check for eni-12345abcde: You do not have permission to access the specified resource.
I think the message is misleading, and Network Interfaces cannot be modified (or deleted) while they are attached, as I've seen similar when attempting to delete Interfaces despite having permissions to do so.
Is there a way to set or modify an ECS Fargate service's Network Interface to skip the src/dest check?
➢ The task ENI is fully managed by Amazon ECS. Amazon ECS creates the ENI and attaches it to the host Amazon EC2 instance with the specified security group.
The task sends and receives network traffic over the ENI in the same way that Amazon EC2 instances do with their primary network interfaces. Each task ENI is assigned a private IPv4 address by default.
If your VPC is enabled for dual-stack mode and you use a subnet with an IPv6 CIDR block, the task ENI will also receive an IPv6 address. Each task can only have one ENI.
These ENIs are visible in the Amazon EC2 console for your account, but they cannot be detached manually or modified by your account.
This is to prevent accidental deletion of an ENI that is associated with a running task.
You can view the ENI attachment information for tasks in the Amazon ECS console or with the DescribeTasks API operation. When the task stops or if the service is scaled down, the task ENI is detached and deleted.
We can't modify any attribute of ECS Task ENI as it is managed by ECS itself.
As per the doc [1], these ENIs are fully managed by ECS and we cannot modify any attribute of a task ENI.
So the source/dest check can't be disabled on ECS-managed container ENIs.
References: [1]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking-awsvpc.html
This is only applicable to the awsvpc network mode, which is used by Fargate.
As far as I can tell, there are 2 possible workarounds:
- Disable the Source/dest check on the instance ENI, and then configure a route from the main Instance ENI to the Docker container.
- Use ECS EC2 instead, and choose a different network mode.
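The first workaround only works on an ENI that your account actually owns, so a script that flips the check should first separate the ECS-managed task ENIs (which EC2 will refuse to modify, as the error in the question shows) from the instance ENI. The following is an added example, not code from either answer or from AWS: it takes the list of interfaces in the shape returned by DescribeNetworkInterfaces, keeps only those the account can modify, and applies the change through an injected function so it can run offline here. The ENI ids, account id and ECS attachment ARN in the sample data are constructed; the assumption that ECS task ENIs are flagged RequesterManaged with an ECS attachment ARN in the Description is labelled in the code.

```python
"""Disable the source/dest check only on ENIs that EC2 will let the account modify.

Added example. Input is a list of dicts in the shape of the
`NetworkInterfaces` array from `aws ec2 describe-network-interfaces`.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample: one ECS-managed Fargate task ENI and one instance-owned ENI.
SAMPLE_ENIS = [
    {
        "NetworkInterfaceId": "eni-12345abcde",  # id quoted in the question, used as a placeholder
        # Assumption: ECS writes its attachment ARN into the description (constructed value).
        "Description": "arn:aws:ecs:us-east-1:111122223333:attachment/EXAMPLE-ATTACHMENT",
        "RequesterManaged": True,
        "SourceDestCheck": True,
        "Attachment": {"Status": "attached"},
    },
    {
        "NetworkInterfaceId": "eni-0123456789abcdef0",  # constructed: the proxy host's own ENI
        "Description": "Primary network interface",
        "RequesterManaged": False,
        "SourceDestCheck": True,
        "Attachment": {"InstanceId": "i-0123456789abcdef0", "Status": "attached"},
    },
]


def is_ecs_managed(eni: dict) -> bool:
    """True for ENIs the account cannot modify: ECS task ENIs are requester-managed
    (assumption: they also carry an ECS ARN as description)."""
    requester_managed = bool(eni.get("RequesterManaged", False))
    ecs_description = eni.get("Description", "").startswith("arn:aws:ecs:")
    return requester_managed or ecs_description


def plan_src_dest_changes(enis: List[dict]) -> Tuple[List[str], List[str]]:
    """Split interfaces into (ids to modify, ids to skip).

    Skipped: ECS-managed ENIs and ENIs whose check is already disabled, so the
    script never issues a ModifyNetworkInterfaceAttribute call that cannot succeed.
    """
    to_modify, skipped = [], []
    for eni in enis:
        eni_id = eni["NetworkInterfaceId"]
        if is_ecs_managed(eni) or not eni.get("SourceDestCheck", True):
            skipped.append(eni_id)
        else:
            to_modify.append(eni_id)
    return to_modify, skipped


def apply_plan(enis: List[dict], modify: Callable[[str], None]) -> Dict[str, str]:
    """Run `modify(eni_id)` for each modifiable ENI and record the outcome per id.

    `modify` is injected so the logic can be exercised without AWS credentials;
    a failure from the API is recorded rather than aborting the remaining changes.
    """
    to_modify, skipped = plan_src_dest_changes(enis)
    outcome = {eni_id: "skipped" for eni_id in skipped}
    for eni_id in to_modify:
        try:
            modify(eni_id)
            outcome[eni_id] = "disabled"
        except Exception as exc:  # e.g. the "do not have permission" error from the question
            outcome[eni_id] = f"failed: {exc}"
    return outcome


if __name__ == "__main__":
    # Dry run against the constructed sample: prints what would be changed.
    print(apply_plan(SAMPLE_ENIS, lambda eni_id: print("would disable check on", eni_id)))
```

With boto3 the injected function would be `lambda eni_id: ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id, SourceDestCheck={"Value": False})`, which is the API behind `aws ec2 modify-network-interface-attribute --no-source-dest-check`. Disabling the check on the instance ENI means EC2 will forward traffic for addresses the instance does not own, so pair it with security group and route-table rules scoped to the proxy's subnet rather than opening the ENI broadly.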