1
votes

I have two ECS clusters, both running Fargate 1.3 tasks (let's call them task A and task B). Both tasks have network type awsvpc and both have auto-assigned public IPs. Furthermore, both clusters/tasks are in the same VPC. Task A is associated with security group A, task B is associated with security group B (as well as a load balancer that is also connected with the security group). I am trying to make an HTTP request from task A to task B. I'm 100% sure I have the security groups set up properly, namely:

security group A:

  • egress to anywhere

security group B:

  • ingress to security group A (Port range All, Protocol All, Type "All Traffic")

When I try to make the request from A to B, I get a timeout error. I know it is a security group error, because if I create an ingress rule with Source = everywhere, it works. Furthermore, if I go in and check the public IP address of Fargate task A, and add that IP address to the ingress of security group B, it also works.

What is happening here?


1 Answer

3
votes

Since you're using public (Internet) IPs, the traffic is going outside of the VPC and back in, at which point the fact that the traffic originated from security group A is lost. You need to use private IPs to keep all network traffic within the VPC.