I'm having trouble exposing ports on my ECS Fargate containers.

I have applied port mapping on container level for my task definition, like so:

On the containers themselves, it looks like there is no specific mapping enabled, or am I reading this wrong?

The containers need to intercommunicate with each other (clustered software).

I fetch the IP from the meta container configuration per container, e.g.

  "Networks": [
    {
      "NetworkMode": "awsvpc",
      "IPv4Addresses": ["172.31.22.46"]
    }
  ]

In this case, 172.31.22.46:8080 should be open for communication within the ECS cluster. That does however not happen. The endpoints are unreachable and nodes cannot communicate.

Are there more things I need to do to allow this to work? e.g. open up some security setting somewhere?

Sorry for the fairly cryptic question, but I don't know how to explain this better.

1 Answer

I'm not sure if this is the answer, but it's worth checking, as I was caught out by this once.

A security group is a firewall around a single ENI (Elastic Network Interface). Each ENI effectively has a security group that filters communications from all other ENIs. There is no automatic communication between resources in a security group - you have to explicitly allow it.

The solution in this case is to allow ingress into the security group from the security group, by named security group. You obviously have to allow egress as well; this can be done with an explicit rule that names the security group, but from memory I think the default 0.0.0.0/0 would be sufficient - try it and see.

Tim
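To check the condition the answer describes before touching the console, here is an added example (not code from the question or the answer) that takes a security group in the shape `aws ec2 describe-security-groups` returns and reports whether ENIs in that group may reach each other on a port: an ingress rule whose source is the group itself, plus an egress rule letting the traffic out. The group IDs and rules are constructed sample data.

```python
# Added example, not from the original question or answer. Given a security group
# in the shape `aws ec2 describe-security-groups` returns, check whether members of
# the group may talk to each other on a port: an ingress rule whose source is the
# group itself, plus an egress rule that lets the traffic back out.

def _covers(perm, proto, port):
    """True if one IpPermissions entry admits `proto` traffic on `port`."""
    ip_proto = perm.get("IpProtocol", "-1")
    if ip_proto == "-1":  # "All traffic": any protocol, any port
        return True
    if ip_proto != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def _from_group(perm, group_id):
    """True if the rule's source/destination is the group itself (self-reference)."""
    return any(p.get("GroupId") == group_id for p in perm.get("UserIdGroupPairs", []))

def _to_anywhere(perm):
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))

def allows_self_traffic(sg, port, proto="tcp"):
    """Return (ingress_ok, egress_ok) for ENIs in `sg` reaching each other on `port`."""
    gid = sg["GroupId"]
    ingress_ok = any(_covers(p, proto, port) and _from_group(p, gid)
                     for p in sg.get("IpPermissions", []))
    egress_ok = any(_covers(p, proto, port) and (_to_anywhere(p) or _from_group(p, gid))
                    for p in sg.get("IpPermissionsEgress", []))
    return ingress_ok, egress_ok

# Constructed: the default egress rule AWS creates, which the answer expects to suffice.
DEFAULT_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

# Constructed: a group that only admits 8080 from one external range; no self-reference.
SG_BEFORE = {"GroupId": "sg-0example000000001",
             "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                                "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],
             "IpPermissionsEgress": DEFAULT_EGRESS}

# Constructed: the fix from the answer, a rule whose source is the group itself.
SG_AFTER = {"GroupId": "sg-0example000000001",
            "IpPermissions": SG_BEFORE["IpPermissions"] + [
                {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                 "UserIdGroupPairs": [{"GroupId": "sg-0example000000001"}]}],
            "IpPermissionsEgress": DEFAULT_EGRESS}

if __name__ == "__main__":
    for name, sg in (("before", SG_BEFORE), ("after", SG_AFTER)):
        print(name, allows_self_traffic(sg, 8080))  # before (False, True); after (True, True)
```

Feed it the `SecurityGroups[0]` object from a real `describe-security-groups` call to check the group attached to your task ENIs; a `False` first value means the self-referencing ingress rule from the answer is missing.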