I am trying to deploy different types of docker containers from my ECS cluster. Depending on the type of container, I need to allow certain inbound and outbound ports to the public. How do I modify the existing ECS instance security group to which the container is deployed and add this additional security group rule in a dynamic fashion? I am looking for an automated solution; in case the container moves to a different instance, I need to reinstate the original security group for the ECS instance.
I looked up awsvpc networking mode to dynamically create a security group and assign it to the ENI, but then I need a public IP and a specific port to be exposed per ECS instance. The NAT-based network (deploying the ECS instance in a private subnet to expose it to the public) won't work for my use case.
awsvpc can give a public IP for a Fargate deployment, but for my use case, which happens to be a stateful container along with an EFS mount, Fargate won't help much.
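One way to keep the instance security group at its least-privilege baseline while tasks come and go is a small reconciler: compute the task-specific rules the instance currently needs, add only those, and revoke any extra rule once the task leaves. The code below is an added example, not from the post above or from AWS. It assumes the running tasks are supplied as `(task_arn, protocol, port)` tuples (obtained elsewhere, e.g. from ECS task descriptions), that the baseline rules are the ones present before any task-specific rule was added, and that rules are changed through boto3's `ec2.authorize_security_group_ingress` / `ec2.revoke_security_group_ingress`, whose `IpPermissions` shape it follows. `FakeEc2` is a constructed stand-in so the example runs offline; with a real client (`boto3.client("ec2")`) the same calls apply.

```python
"""Reconcile per-task inbound rules on an ECS container-instance security group.

Added example; FakeEc2, BASELINE and the task tuples are constructed.
"""
from typing import Iterable, List, Set, Tuple

Rule = Tuple[str, int, str]  # (protocol, port, cidr)

# Constructed baseline: what the group looks like with no task-specific rules.
BASELINE: Set[Rule] = {("tcp", 22, "10.0.0.0/8")}


def rules_from_permissions(perms: Iterable[dict]) -> Set[Rule]:
    """Flatten EC2 IpPermissions entries into (protocol, port, cidr) tuples."""
    out: Set[Rule] = set()
    for p in perms:
        for r in p.get("IpRanges", []):
            # Protocol "-1" (all traffic) has no FromPort; treat it as port 0.
            out.add((p["IpProtocol"], p.get("FromPort", 0), r["CidrIp"]))
    return out


def permissions_from_rules(rules: Iterable[Rule]) -> List[dict]:
    """Build the IpPermissions list boto3 expects, one entry per rule."""
    return [
        {"IpProtocol": proto, "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": cidr}]}
        for proto, port, cidr in sorted(rules)
    ]


def desired_task_rules(tasks: Iterable[Tuple[str, str, int]],
                       cidr: str = "0.0.0.0/0") -> Set[Rule]:
    """Rules the instance needs for the tasks currently placed on it."""
    return {(proto, port, cidr) for _task_arn, proto, port in tasks}


def plan(baseline: Set[Rule], current: Set[Rule],
         desired: Set[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """Return (rules_to_add, rules_to_revoke). Baseline rules are never revoked."""
    to_add = desired - current
    to_revoke = (current - baseline) - desired
    return to_add, to_revoke


def reconcile(ec2, group_id: str, baseline: Set[Rule],
              tasks: Iterable[Tuple[str, str, int]],
              cidr: str = "0.0.0.0/0") -> Tuple[Set[Rule], Set[Rule]]:
    """Bring the group's task-specific rules in line with the running tasks."""
    resp = ec2.describe_security_groups(GroupIds=[group_id])
    current = rules_from_permissions(resp["SecurityGroups"][0]["IpPermissions"])
    to_add, to_revoke = plan(baseline, current, desired_task_rules(tasks, cidr))
    if to_add:
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=permissions_from_rules(to_add))
    if to_revoke:
        ec2.revoke_security_group_ingress(
            GroupId=group_id, IpPermissions=permissions_from_rules(to_revoke))
    return to_add, to_revoke


class FakeEc2:
    """Constructed in-memory stand-in for the three boto3 EC2 calls used above."""

    def __init__(self, group_id: str, rules: Set[Rule]):
        self.groups = {group_id: set(rules)}

    def describe_security_groups(self, GroupIds):
        gid = GroupIds[0]
        return {"SecurityGroups": [
            {"GroupId": gid, "IpPermissions": permissions_from_rules(self.groups[gid])}]}

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.groups[GroupId] |= rules_from_permissions(IpPermissions)

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.groups[GroupId] -= rules_from_permissions(IpPermissions)


if __name__ == "__main__":
    ec2 = FakeEc2("sg-example", BASELINE)
    # Task placed on the instance: open its port.
    print(reconcile(ec2, "sg-example", BASELINE, [("arn:task/a", "tcp", 8080)]))
    # Task moved away: the added rule is revoked, baseline is restored.
    print(reconcile(ec2, "sg-example", BASELINE, []))
    print(ec2.groups["sg-example"] == BASELINE)
```

Running `reconcile` on a schedule (or from an EventBridge task-state-change trigger) keeps the group equal to baseline plus exactly the ports of the tasks currently on that instance, so a task that moves away takes its rule with it rather than leaving a permanently widened group behind.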