2
votes

I am trying to deploy different types of docker containers from my ECS cluster. Depending on the type of container, I need to allow certain inbound and outbound ports to public. How do I modify the existing ECS instance security group to which the container is deployed, and add this additional security group rule in a dynamic fashion? I am looking for an automated solution; in case the container moves to a different instance, I need to reinstate the original security group for the ECS instance.

  1. I looked up awsvpc networking mode to dynamically create a security group and assign it to the ENI, but then I need a public IP and a specific port to be exposed per ECS instance. The NAT-based network, by deploying the ECS instance in a private subnet to expose it to public, won't work for my use case.

  2. awsvpc can give a public IP for a Fargate deployment, but then for my use case, which happens to be a stateful container along with an EFS mount, Fargate won't help much.


1 Answer

0
votes

I think you might want to revisit awsvpc networking mode. It sounds like it would meet your needs as you've explained them here. In awsvpc mode, a new ENI is allocated for your task and is mapped into the task's network namespace. From your task's point of view, it'll look like you're running in host-mode networking; your container will be directly accessible to your network. You will use an existing security group that will permit inbound traffic on the port your task's containers expose.

Alternatively, if you really do need to manipulate security groups based on task placement, you should look into using a Lambda function to respond to ECS CloudWatch events with the appropriate action. This is documented at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cloudwatch_event_stream.html
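To make the second option concrete, here is an added example (my own sketch, not the answerer's code or anything from the AWS docs) of a Lambda handler that reads an "ECS Task State Change" event, opens the task's published host ports on the instance security group when the task goes RUNNING, and revokes the same rules again when it reaches STOPPED, which is what reinstates the original group after a task moves. It assumes a single managed group `SG_ID` (a placeholder), bridge/host mode `networkBindings` in the event, and a Lambda role allowed to call `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress`; resolving the instance's real group from `containerInstanceArn` is left out.

```python
from typing import Dict, List

SG_ID = "sg-0123456789abcdef0"  # placeholder: the instance security group this Lambda manages


def desired_rules(event: Dict) -> List[Dict]:
    """Collect the host ports a task publishes (bridge/host mode networkBindings), deduplicated."""
    seen, rules = set(), []
    for container in event.get("detail", {}).get("containers", []):
        for binding in container.get("networkBindings", []):
            port, proto = binding.get("hostPort"), binding.get("protocol", "tcp")
            if port is None or (port, proto) in seen:  # skip unbound or repeated ports
                continue
            seen.add((port, proto))
            rules.append({"port": int(port), "protocol": proto})
    return rules


def plan_change(event: Dict) -> Dict:
    """Map the task's lastStatus to an action: RUNNING opens ports, STOPPED closes them, else nothing."""
    detail = event.get("detail", {})
    action = {"RUNNING": "authorize", "STOPPED": "revoke"}.get(detail.get("lastStatus"), "none")
    return {"action": action, "instance": detail.get("containerInstanceArn"), "rules": desired_rules(event)}


def to_ip_permissions(rules: List[Dict], cidr: str = "0.0.0.0/0") -> List[Dict]:
    """Shape rules as the IpPermissions list the EC2 API expects; narrow cidr where the service allows."""
    return [{"IpProtocol": r["protocol"], "FromPort": r["port"], "ToPort": r["port"],
             "IpRanges": [{"CidrIp": cidr}]} for r in rules]


def lambda_handler(event: Dict, context=None) -> Dict:
    """Entry point. Only this function talks to AWS, so the planning logic can be tested offline."""
    plan = plan_change(event)
    if plan["action"] == "none" or not plan["rules"]:
        return plan
    import boto3  # imported lazily so the module loads without the AWS SDK installed
    ec2 = boto3.client("ec2")
    perms = to_ip_permissions(plan["rules"])
    if plan["action"] == "authorize":
        ec2.authorize_security_group_ingress(GroupId=SG_ID, IpPermissions=perms)
    else:
        ec2.revoke_security_group_ingress(GroupId=SG_ID, IpPermissions=perms)
    return plan


# Constructed sample event in the shape EventBridge delivers when a task reaches RUNNING.
SAMPLE_EVENT = {"detail-type": "ECS Task State Change", "detail": {
    "lastStatus": "RUNNING", "containerInstanceArn": "arn:aws:ecs:REGION:ACCOUNT:container-instance/EXAMPLE",
    "containers": [{"name": "web", "networkBindings": [
        {"bindIP": "0.0.0.0", "containerPort": 80, "hostPort": 32768, "protocol": "tcp"},
        {"bindIP": "0.0.0.0", "containerPort": 443, "hostPort": 32769, "protocol": "tcp"}]}]}}
```

Subscribe the function to an EventBridge rule with source `aws.ecs` and detail-type `ECS Task State Change`, and scope the rule to the cluster so unrelated tasks never reach the handler.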