10

I'm having issues while running docker in AWS VPC.

Here is my setup: I've got two machines running in VPC:

  • 10.0.100.150
  • 10.0.100.151

both having elastic IPs assigned to them, both running in the same internet-enabled subnet.

Let's say I'm running a web server that serves static files in a container on the 10.0.100.150 machine. The container:

  • IP: 172.17.0.2
  • port 8111 is forwarded on the 8111 port on the machine.

I'm trying to access the static files from my local machine (or another non-VPC machine; I also tried an EC2 instance not running in the VPC) and it works flawlessly.

If I try to access the files from the other machine (10.0.100.151) it hangs. I'm using wget to pull the files.

Tried to debug it with tcpdump and ngrep, and what I have seen is that the request reaches the container. If I ngrep on the host machine I see the requests going in but no response going back. If I ngrep on the container I see the requests going in and the response going back.

I've tried multiple iptables setups (with postrouting enabled, with manually forwarding ports, etc.) but no success.

Help in any way - even debugging directions would be much appreciated.

Thanks!

Bogdan Gaza

2 Answers

2

Setting up a container network is much easier with weave. For more AWS-specific instructions, take a look at the project's blog.

errordeveloper
0

This sounds like the EC2 instances cannot communicate with each other because they are not in a security group that allows port 8111 access to each other. Check to make sure the security group allows access to either itself (and add both EC2 instances to the security group) or that it allows the VPC subnet to port 8111.

Andy Shinn
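The security group check suggested in the answer above can be run offline against the JSON returned by `aws ec2 describe-security-groups`. This is an added example, not part of the original answer; the group ID `sg-example`, the 203.0.113.0/24 client range and the helper name `matching_rules` are assumptions made for illustration.

```python
import copy
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The group ID and the 203.0.113.0/24 client range are made up for illustration.
BEFORE = [{"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8111, "ToPort": 8111,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
]}]

# Same group after adding a rule that references the group itself on port 8111.
AFTER = copy.deepcopy(BEFORE)
AFTER[0]["IpPermissions"].append(
    {"IpProtocol": "tcp", "FromPort": 8111, "ToPort": 8111,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-example"}]})


def matching_rules(groups, dest_groups, src_ip, src_groups, port, proto="tcp"):
    """Return (group, source) pairs for every ingress rule admitting the flow.

    dest_groups: group IDs attached to the receiving instance.
    src_groups:  group IDs attached to the sending instance.
    An empty result means no listed rule allows the traffic.
    """
    src = ipaddress.ip_address(src_ip)
    hits = []
    for group in groups:
        if group["GroupId"] not in dest_groups:
            continue
        for perm in group.get("IpPermissions", []):
            if perm["IpProtocol"] != "-1":  # "-1" means all protocols and ports
                if perm["IpProtocol"] != proto:
                    continue
                if not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
                    continue
            for rng in perm.get("IpRanges", []):
                if src in ipaddress.ip_network(rng["CidrIp"], strict=False):
                    hits.append((group["GroupId"], rng["CidrIp"]))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] in src_groups:
                    hits.append((group["GroupId"], pair["GroupId"]))
    return hits


if __name__ == "__main__":
    for label, groups in (("before", BEFORE), ("after", AFTER)):
        hits = matching_rules(groups, {"sg-example"}, "10.0.100.151", {"sg-example"}, 8111)
        print(label, "->", hits or "no rule allows 10.0.100.151 to reach tcp/8111")
```

A rule that references a security group matches on the members' private IP addresses, so it covers a request sent to 10.0.100.150 but not one sent to that machine's elastic IP.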