I suspect this is port related, as it's fairly standard that things in a cluster need to communicate. The two articles below should answer this question for you. It seems to me the following are probably required:
- Amazon ECS agent ports 51678 and 51679 (protocol unspecified)
- TCP 2376 and 2377 (Docker)
- TCP / UDP 7946 (Docker)
- UDP 4789 (Docker)
- Ephemeral ports 49153 to 65535 (protocol unspecified)
Note that I know little about ECS and have simply done a couple of Google searches and read documentation. ECS is based on Docker so I looked at that. Some experimentation will be required.
Digital Ocean has a good article on Docker Ports.
> - TCP port 2376 for secure Docker client communication. This port is required for Docker Machine to work. Docker Machine is used to orchestrate Docker hosts.
> - TCP port 2377. This port is used for communication between the nodes of a Docker Swarm or cluster. It only needs to be opened on manager nodes.
> - TCP and UDP port 7946 for communication among nodes (container network discovery).
> - UDP port 4789 for overlay network traffic (container ingress networking).
Then the Amazon documentation mentions some of the same ports.
> The default ephemeral port range is 49153 to 65535, and this range is used for Docker versions prior to 1.6.0. For Docker version 1.6.0 and later, the Docker daemon tries to read the ephemeral port range from /proc/sys/net/ipv4/ip_local_port_range; if this kernel parameter is unavailable, the default ephemeral port range is used. You should not attempt to specify a host port in the ephemeral port range, because these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.
>
> The default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678 and 51679. Any host port that was previously specified in a running task is also reserved while the task is running (after a task stops, the host port is released). The current reserved ports are displayed in the remainingResources of DescribeContainerInstances output, and a container instance may have up to 100 reserved ports at a time, including the default reserved ports (automatically assigned ports do not count toward the 100 reserved ports limit).
Note that as per Wikipedia and comments below the ephemeral port range may need to be expanded.
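
The host-port rules quoted from the Amazon documentation above can be checked before a task definition is registered. The following Python sketch is an added example, not part of the original answer or of any AWS tooling; the function names and the `in_use` input (host ports already held by running tasks) are assumptions made for illustration.

```python
from pathlib import Path

# Values taken from the Amazon text quoted above.
DEFAULT_EPHEMERAL = (49153, 65535)
DEFAULT_RESERVED = {22, 2375, 2376, 51678, 51679}
MAX_RESERVED = 100


def ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Read the kernel's ephemeral range; fall back to the default if unavailable."""
    try:
        low, high = Path(path).read_text().split()
        return int(low), int(high)
    except (OSError, ValueError):
        return DEFAULT_EPHEMERAL


def check_host_ports(requested, in_use=(), eph=None):
    """Return {port: reason} for each requested host port that would conflict.

    requested: host ports a new task wants to bind explicitly
    in_use:    host ports held by running tasks (hypothetical input, e.g.
               derived from remainingResources of DescribeContainerInstances)
    eph:       (low, high) override, useful when checking for a remote host
    """
    low, high = eph or ephemeral_range()
    in_use = set(in_use)
    problems = {}
    for port in requested:
        if not 1 <= port <= 65535:
            problems[port] = "not a valid port"
        elif port in DEFAULT_RESERVED:
            problems[port] = "default reserved port"
        elif port in in_use:
            problems[port] = "held by a running task"
        elif low <= port <= high:
            problems[port] = f"inside ephemeral range {low}-{high}"
    # Explicit host ports count toward the limit; auto-assigned ones do not.
    accepted = set(requested) - problems.keys()
    if len(DEFAULT_RESERVED | in_use) + len(accepted) > MAX_RESERVED:
        for port in accepted:
            problems[port] = "would exceed the 100 reserved-port limit"
    return problems


if __name__ == "__main__":
    # Constructed sample: one running task holds 8080 on this instance.
    print(ephemeral_range())
    print(check_host_ports([80, 22, 8080, 40000], in_use=[8080]))
```

Run it on the container instance itself so that the kernel's actual ephemeral range is read, or pass `eph` explicitly when checking on behalf of another host.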