Chapter 03

事前準備とネットワーク周りの構築

ShigeruOda
ShigeruOda
2022.10.28に更新

■CloudShellの起動

AWS コンソールにログイン

  • Administrator権限のIAMユーザーでAWSコンソールにログイン

img

  • リージョンを"アジアパシフィック(東京)"に変更

img

CloudShellボタン押下

  • 画面右上のCloudShellボタンを押下
    img

CloudShellを起動

img

■AWS Account IDの取得

  • IDを取得し、変数に格納・確認を行います

img

cmd

AccountID=`aws sts get-caller-identity --query Account --output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
EOF
cat ~/export.log

result

これはサンプルです。export AccountID="123456789012"

■ECSタスクの実行Roleの存在確認

  • ECSタスクを実行するRole(ecsTaskExecutionRole)の存在確認を行います

img

cmd

aws iam list-roles | grep "RoleName" | grep "ecsTaskExecutionRole"

result(存在する場合)

            "RoleName": "ecsTaskExecutionRole",

result(存在しない場合)

(なし)

■ECSの実行Role作成(Roleが存在しない場合のみ実行)

  • ecsTaskExecutionRoleが存在しない場合のみ実行します

img

cmd

cd ~/
cat << EOF > assume-role-policy-document.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
aws iam create-role \
  --role-name ecsTaskExecutionRole \
  --assume-role-policy-document file://assume-role-policy-document.json

result

{
    "Role": {
        "Path": "/",
        "RoleName": "ecsTaskExecutionRole",
        "RoleId": "AROASHENIAIFBW66KV4HJ",
        "Arn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
        "CreateDate": "2022-09-15T11:39:04+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ecs-tasks.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }
    }
}

■RoleにPolicyをアタッチ(Roleが存在しない場合のみ実行)

  • 作成したRoleにPolicyをアタッチします

img

cmd

aws iam attach-role-policy \
  --role-name ecsTaskExecutionRole \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

result

(なし)
  • Policyがアタッチされたことを確認します

cmd

aws iam list-attached-role-policies \
  --role-name ecsTaskExecutionRole

result

{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonECSTaskExecutionRolePolicy",
            "PolicyArn": "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
        }
    ]
}

■VPCの作成

  • VPCを新規に作成します

img

cmd

aws ec2 create-vpc \
    --cidr-block 10.0.0.0/16 \
    --tag-specification "ResourceType=vpc,Tags=[{Key=Name,Value=ContainerHandsOn}]"

result

{
    "Vpc": {
        "CidrBlock": "10.0.0.0/16",
        "DhcpOptionsId": "dopt-c3de3ba5",
        "State": "pending",
        "VpcId": "vpc-010a940bbd8f747c2",
        "OwnerId": "123456789012",
        "InstanceTenancy": "default",
        "Ipv6CidrBlockAssociationSet": [],
        "CidrBlockAssociationSet": [
            {
                "AssociationId": "vpc-cidr-assoc-0b14e52ce4b43dd1e",
                "CidrBlock": "10.0.0.0/16",
                "CidrBlockState": {
                    "State": "associated"
                }
            }
        ],
        "IsDefault": false,
        "Tags": [
            {
                "Key": "Name",
                "Value": "ContainerHandsOn"
            }
        ]
    }
}

■VpcIdの取得

  • IDを取得し、変数に格納・確認を行います

cmd

VpcId=`aws ec2 describe-vpcs \
    --query 'Vpcs[*].VpcId' \
    --filters "Name=tag-key,Values=Name" \
    "Name=tag-value,Values=ContainerHandsOn" \
    --output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
export VpcId="${VpcId}"
EOF
cat ~/export.log

results

これはサンプルです。export AccountID="123456789012"
これはサンプルです。export VpcId="vpc-010a940bbd8f747c2"

■DNS名前解決をONにする

  • 作成したVPCで「ドメイン名からIPアドレスへの変換、またはその逆」を可能にします
  • 後程作成するVPCエンドポイントに必要な為です

cmd

aws ec2 modify-vpc-attribute \
  --vpc-id ${VpcId}  \
  --enable-dns-support  '{"Value":true}' 

result

(なし)

■DNS名前解決の状態確認

  • 設定内容が正しく反映されているか確認を行います

cmd

aws ec2 describe-vpc-attribute \
  --query EnableDnsSupport \
  --vpc-id ${VpcId}  \
  --attribute enableDnsSupport

result

{
    "Value": true
}

■DNSホスト名をONにする

  • VPC内でDNSホスト名(ex : ip-10-0-0-23.ap-northeast-1.compute.internal)を持つように設定します
  • 後程作成するVPCエンドポイントに必要な為です

cmd

aws ec2 modify-vpc-attribute \
  --vpc-id ${VpcId}  \
  --enable-dns-hostnames  '{"Value":true}' 

result

(なし)

■DNSホスト名の状態確認

  • 設定内容が正しく反映されているか確認を行います

cmd

aws ec2 describe-vpc-attribute \
  --query EnableDnsHostnames \
  --vpc-id ${VpcId}  \
  --attribute enableDnsHostnames

result

{
    "Value": true
}

■Subnetの作成

  • 作成したVPCの中にSubnetを4つ作成します
  • Private Subnetが2つ、Public Subnetが2つです

img

cmd (Public Subnet 1つ目)

aws ec2 create-subnet \
    --vpc-id $VpcId \
    --availability-zone ap-northeast-1a \
    --cidr-block 10.0.0.0/24 \
    --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=ContainerHandsOnPublic}]"

result (Public Subnet 1つ目)

{
    "Subnet": {
        "AvailabilityZone": "ap-northeast-1a",
        "AvailabilityZoneId": "apne1-az4",
        "AvailableIpAddressCount": 251,
        "CidrBlock": "10.0.0.0/24",
        "DefaultForAz": false,
        "MapPublicIpOnLaunch": false,
        "State": "available",
        "SubnetId": "subnet-0356b36ba2daa766c",
        "VpcId": "vpc-010a940bbd8f747c2",
        "OwnerId": "123456789012",
        "AssignIpv6AddressOnCreation": false,
        "Ipv6CidrBlockAssociationSet": [],
        "Tags": [
            {
                "Key": "Name",
                "Value": "ContainerHandsOnPublic"
            }
        ],
        "SubnetArn": "arn:aws:ec2:ap-northeast-1:123456789012:subnet/subnet-0356b36ba2daa766c",
        "EnableDns64": false,
        "Ipv6Native": false,
        "PrivateDnsNameOptionsOnLaunch": {
            "HostnameType": "ip-name",
            "EnableResourceNameDnsARecord": false,
            "EnableResourceNameDnsAAAARecord": false
        }
    }
}

cmd (Public Subnet 2つ目)

aws ec2 create-subnet \
    --vpc-id $VpcId \
    --availability-zone ap-northeast-1c \
    --cidr-block 10.0.1.0/24 \
    --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=ContainerHandsOnPublic}]"

result (Public Subnet 2つ目)

{
    "Subnet": {
        "AvailabilityZone": "ap-northeast-1c",
        "AvailabilityZoneId": "apne1-az1",
        "AvailableIpAddressCount": 251,
        "CidrBlock": "10.0.1.0/24",
        "DefaultForAz": false,
        "MapPublicIpOnLaunch": false,
        "State": "available",
        "SubnetId": "subnet-0dabe411bfdc835fb",
        "VpcId": "vpc-010a940bbd8f747c2",
        "OwnerId": "123456789012",
        "AssignIpv6AddressOnCreation": false,
        "Ipv6CidrBlockAssociationSet": [],
        "Tags": [
            {
                "Key": "Name",
                "Value": "ContainerHandsOnPublic"
            }
        ],
        "SubnetArn": "arn:aws:ec2:ap-northeast-1:123456789012:subnet/subnet-0dabe411bfdc835fb",
        "EnableDns64": false,
        "Ipv6Native": false,
        "PrivateDnsNameOptionsOnLaunch": {
            "HostnameType": "ip-name",
            "EnableResourceNameDnsARecord": false,
            "EnableResourceNameDnsAAAARecord": false
        }
    }
}

cmd (Private Subnet 1つ目)

aws ec2 create-subnet \
    --vpc-id $VpcId \
    --availability-zone ap-northeast-1a \
    --cidr-block 10.0.2.0/24 \
    --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=ContainerHandsOnPrivate}]"

result (Private Subnet 1つ目)

{
    "Subnet": {
        "AvailabilityZone": "ap-northeast-1a",
        "AvailabilityZoneId": "apne1-az4",
        "AvailableIpAddressCount": 251,
        "CidrBlock": "10.0.2.0/24",
        "DefaultForAz": false,
        "MapPublicIpOnLaunch": false,
        "State": "available",
        "SubnetId": "subnet-0d99180ac3baeb5fa",
        "VpcId": "vpc-010a940bbd8f747c2",
        "OwnerId": "123456789012",
        "AssignIpv6AddressOnCreation": false,
        "Ipv6CidrBlockAssociationSet": [],
        "Tags": [
            {
                "Key": "Name",
                "Value": "ContainerHandsOnPrivate"
            }
        ],
        "SubnetArn": "arn:aws:ec2:ap-northeast-1:123456789012:subnet/subnet-0d99180ac3baeb5fa",
        "EnableDns64": false,
        "Ipv6Native": false,
        "PrivateDnsNameOptionsOnLaunch": {
            "HostnameType": "ip-name",
            "EnableResourceNameDnsARecord": false,
            "EnableResourceNameDnsAAAARecord": false
        }
    }
}

cmd (Private Subnet 2つ目)

aws ec2 create-subnet \
    --vpc-id $VpcId \
    --availability-zone ap-northeast-1c \
    --cidr-block 10.0.3.0/24 \
    --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=ContainerHandsOnPrivate}]"

result (Private Subnet 2つ目)

{
    "Subnet": {
        "AvailabilityZone": "ap-northeast-1c",
        "AvailabilityZoneId": "apne1-az1",
        "AvailableIpAddressCount": 251,
        "CidrBlock": "10.0.3.0/24",
        "DefaultForAz": false,
        "MapPublicIpOnLaunch": false,
        "State": "available",
        "SubnetId": "subnet-0a66f1c2d5ce3b939",
        "VpcId": "vpc-010a940bbd8f747c2",
        "OwnerId": "123456789012",
        "AssignIpv6AddressOnCreation": false,
        "Ipv6CidrBlockAssociationSet": [],
        "Tags": [
            {
                "Key": "Name",
                "Value": "ContainerHandsOnPrivate"
            }
        ],
        "SubnetArn": "arn:aws:ec2:ap-northeast-1:123456789012:subnet/subnet-0a66f1c2d5ce3b939",
        "EnableDns64": false,
        "Ipv6Native": false,
        "PrivateDnsNameOptionsOnLaunch": {
            "HostnameType": "ip-name",
            "EnableResourceNameDnsARecord": false,
            "EnableResourceNameDnsAAAARecord": false
        }
    }
}

■Subnet IDの取得

  • IDを取得し、変数に格納・確認を行います

cmd

SubnetId1aPublic=`aws ec2 describe-subnets \
    --filters "Name=tag-key,Values=Name" \
    "Name=tag-value,Values=ContainerHandsOnPublic" \
    "Name=availabilityZone,Values=ap-northeast-1a" \
    --query "Subnets[*].SubnetId" \
    --output text`
SubnetId1cPublic=`aws ec2 describe-subnets \
    --filters "Name=tag-key,Values=Name" \
    "Name=tag-value,Values=ContainerHandsOnPublic" \
    "Name=availabilityZone,Values=ap-northeast-1c" \
    --query "Subnets[*].SubnetId" \
    --output text`
SubnetId1aPrivate=`aws ec2 describe-subnets \
    --filters "Name=tag-key,Values=Name" \
    "Name=tag-value,Values=ContainerHandsOnPrivate" \
    "Name=availabilityZone,Values=ap-northeast-1a" \
    --query "Subnets[*].SubnetId" \
    --output text`
SubnetId1cPrivate=`aws ec2 describe-subnets \
    --filters "Name=tag-key,Values=Name" \
    "Name=tag-value,Values=ContainerHandsOnPrivate" \
    "Name=availabilityZone,Values=ap-northeast-1c" \
    --query "Subnets[*].SubnetId" \
    --output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
export VpcId="${VpcId}"
export SubnetId1aPublic="${SubnetId1aPublic}"
export SubnetId1cPublic="${SubnetId1cPublic}"
export SubnetId1aPrivate="${SubnetId1aPrivate}"
export SubnetId1cPrivate="${SubnetId1cPrivate}"
EOF
cat ~/export.log

result

これはサンプルです。export AccountID="123456789012"
これはサンプルです。export VpcId="vpc-010a940bbd8f747c2"
これはサンプルです。export SubnetId1aPublic="subnet-0356b36ba2daa766c"
これはサンプルです。export SubnetId1cPublic="subnet-0dabe411bfdc835fb"
これはサンプルです。export SubnetId1aPrivate="subnet-0d99180ac3baeb5fa"
これはサンプルです。export SubnetId1cPrivate="subnet-0a66f1c2d5ce3b939"

■InternetGatewayの作成

img

  • Internetの出入り口であるInternetGatewayを作成する

cmd

aws ec2 create-internet-gateway \
    --tag-specifications "ResourceType=internet-gateway,Tags=[{Key=Name,Value=ContainerHandsOn}]"

result

{
    "InternetGateway": {
        "Attachments": [],
        "InternetGatewayId": "igw-082f42082d7748713",
        "OwnerId": "123456789012",
        "Tags": [
            {
                "Key": "Name",
                "Value": "ContainerHandsOn"
            }
        ]
    }
}

■InternetGateway IDの取得

  • IDを取得し、変数に格納・確認を行います

cmd

InternetGatewayId=`aws ec2 describe-internet-gateways \
    --query 'InternetGateways[*].InternetGatewayId' \
    --filters "Name=tag-key,Values=Name" \
    "Name=tag-value,Values=ContainerHandsOn" \
    --output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
export VpcId="${VpcId}"
export SubnetId1aPublic="${SubnetId1aPublic}"
export SubnetId1cPublic="${SubnetId1cPublic}"
export SubnetId1aPrivate="${SubnetId1aPrivate}"
export SubnetId1cPrivate="${SubnetId1cPrivate}"
export InternetGatewayId="${InternetGatewayId}"
EOF
cat ~/export.log

result

これはサンプルです。export AccountID="123456789012"
これはサンプルです。export VpcId="vpc-010a940bbd8f747c2"
これはサンプルです。export SubnetId1aPublic="subnet-0356b36ba2daa766c"
これはサンプルです。export SubnetId1cPublic="subnet-0dabe411bfdc835fb"
これはサンプルです。export SubnetId1aPrivate="subnet-0d99180ac3baeb5fa"
これはサンプルです。export SubnetId1cPrivate="subnet-0a66f1c2d5ce3b939"
これはサンプルです。export InternetGatewayId="igw-082f42082d7748713"

■InternetGatewayをVPCにAttach

  • VPCとInternetGatewayを紐付けし、Internetとの接続点を作成します

img

cmd

aws ec2 attach-internet-gateway \
    --internet-gateway-id ${InternetGatewayId} \
    --vpc-id ${VpcId}

result

(なし)

■InternetGatewayをVPCに紐付けされていることを確認

  • アタッチされていることを確認

cmd

aws ec2 describe-internet-gateways \
    --internet-gateway-ids ${InternetGatewayId} \
    --query 'InternetGateways[*].Attachments[*].State' \
    --filters "Name=tag-key,Values=Name" \
    "Name=tag-value,Values=ContainerHandsOn" \
    --output text

result

available

■RouteTableの作成

  • PublicSubnetとPrivateSubnetのデータの流れを制御するルートテーブルを作成します
  • 現時点ではRouteTableとSubnetの紐付けはないです

img

cmd (PublicSubnet)

aws ec2 create-route-table \
  --vpc-id ${VpcId} \
  --tag-specifications "ResourceType=route-table,Tags=[{Key=Name,Value=ContainerHandsOnPublic}]"

result (PublicSubnet)

{
    "RouteTable": {
        "Associations": [],
        "PropagatingVgws": [],
        "RouteTableId": "rtb-000a11e6eacc5c263",
        "Routes": [
            {
                "DestinationCidrBlock": "10.0.0.0/16",
                "GatewayId": "local",
                "Origin": "CreateRouteTable",
                "State": "active"
            }
        ],
        "Tags": [
            {
                "Key": "Name",
                "Value": "ContainerHandsOnPublic"
            }
        ],
        "VpcId": "vpc-010a940bbd8f747c2",
        "OwnerId": "123456789012"
    }
}

cmd (PrivateSubnet)

aws ec2 create-route-table \
  --vpc-id ${VpcId} \
  --tag-specifications "ResourceType=route-table,Tags=[{Key=Name,Value=ContainerHandsOnPrivate}]"

result (PrivateSubnet)

{
    "RouteTable": {
        "Associations": [],
        "PropagatingVgws": [],
        "RouteTableId": "rtb-077b87e7eb65d1f43",
        "Routes": [
            {
                "DestinationCidrBlock": "10.0.0.0/16",
                "GatewayId": "local",
                "Origin": "CreateRouteTable",
                "State": "active"
            }
        ],
        "Tags": [
            {
                "Key": "Name",
                "Value": "ContainerHandsOnPrivate"
            }
        ],
        "VpcId": "vpc-010a940bbd8f747c2",
        "OwnerId": "123456789012"
    }
}

■RouteTable IDの取得

  • IDを取得し、変数に格納・確認を行います

cmd

RouteTableIdPublic=`aws ec2 describe-route-tables \
  --query "RouteTables[*].RouteTableId" \
  --filters "Name=vpc-id,Values=${VpcId}" \
  "Name=tag-key,Values=Name" \
    "Name=tag-value,Values=ContainerHandsOnPublic" \
  --output text`
RouteTableIdPrivate=`aws ec2 describe-route-tables \
  --query "RouteTables[*].RouteTableId" \
  --filters "Name=vpc-id,Values=${VpcId}" \
  "Name=tag-key,Values=Name" \
    "Name=tag-value,Values=ContainerHandsOnPrivate" \
  --output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
export VpcId="${VpcId}"
export SubnetId1aPublic="${SubnetId1aPublic}"
export SubnetId1cPublic="${SubnetId1cPublic}"
export SubnetId1aPrivate="${SubnetId1aPrivate}"
export SubnetId1cPrivate="${SubnetId1cPrivate}"
export InternetGatewayId="${InternetGatewayId}"
export RouteTableIdPublic="${RouteTableIdPublic}"
export RouteTableIdPrivate="${RouteTableIdPrivate}"
EOF
cat ~/export.log

result

これはサンプルです。export AccountID="123456789012"
これはサンプルです。export VpcId="vpc-010a940bbd8f747c2"
これはサンプルです。export SubnetId1aPublic="subnet-0356b36ba2daa766c"
これはサンプルです。export SubnetId1cPublic="subnet-0dabe411bfdc835fb"
これはサンプルです。export SubnetId1aPrivate="subnet-0d99180ac3baeb5fa"
これはサンプルです。export SubnetId1cPrivate="subnet-0a66f1c2d5ce3b939"
これはサンプルです。export InternetGatewayId="igw-082f42082d7748713"
これはサンプルです。export RouteTableIdPublic="rtb-000a11e6eacc5c263"
これはサンプルです。export RouteTableIdPrivate="rtb-077b87e7eb65d1f43"

■RouteTableにSubnetを紐付け

  • RouteTableとSubnetを紐付けします

img

cmd (PublicSubnet 1つ目)

aws ec2 associate-route-table \
  --route-table-id ${RouteTableIdPublic} \
  --subnet-id ${SubnetId1aPublic}

result (PublicSubnet 1つ目)

{
    "AssociationId": "rtbassoc-0fdd06641008db840",
    "AssociationState": {
        "State": "associated"
    }
}

cmd (PublicSubnet 2つ目)

aws ec2 associate-route-table \
  --route-table-id ${RouteTableIdPublic} \
  --subnet-id ${SubnetId1cPublic}

result (PublicSubnet 2つ目)

{
    "AssociationId": "rtbassoc-067b436f3f7eb8e3a",
    "AssociationState": {
        "State": "associated"
    }
}

cmd (PrivateSubnet 1つ目)

aws ec2 associate-route-table \
  --route-table-id ${RouteTableIdPrivate} \
  --subnet-id ${SubnetId1aPrivate}

result (PrivateSubnet 1つ目)

{
    "AssociationId": "rtbassoc-0d02b62aeb39e373e",
    "AssociationState": {
        "State": "associated"
    }
}

cmd (PrivateSubnet 2つ目)

aws ec2 associate-route-table \
  --route-table-id ${RouteTableIdPrivate} \
  --subnet-id ${SubnetId1cPrivate}

result (PrivateSubnet 2つ目)

{
    "AssociationId": "rtbassoc-07780995550f76761",
    "AssociationState": {
        "State": "associated"
    }
}

■RouteTableにInternetGatewayを紐付け

  • PublicSubnet用のRouteTableにInternetGatewayを紐付け、Internetに接続できるようにします

img

cmd

aws ec2 create-route \
  --route-table-id ${RouteTableIdPublic} \
  --destination-cidr-block "0.0.0.0/0" \
  --gateway-id ${InternetGatewayId}

result

{
    "Return": true
}

■PublicSubnet用のSecurityGroup作成

  • PublicSubnet用のSecurityGroup作成

img

cmd

aws ec2 create-security-group \
  --group-name PublicSecurityGroup \
  --description "Public Security Group" \
  --vpc-id ${VpcId} \
  --tag-specifications "ResourceType=security-group,Tags=[{Key=Name,Value=ContainerHandsOn-PublicSecurityGroup}]"

result

{
    "GroupId": "sg-065a7c8eceb9759d4",
    "Tags": [
        {
            "Key": "Name",
            "Value": "ContainerHandsOn-PublicSecurityGroup"
        }
    ]
}

■PublicSunetのSecurityGroupsIdの取得

  • IDを取得し、変数に格納・確認を行います

cmd

PublicSecurityGroupsId=`aws ec2 describe-security-groups \
  --query 'SecurityGroups[*].GroupId' \
  --filters "Name=tag-key,Values=Name" \
    "Name=tag-value,Values=ContainerHandsOn-PublicSecurityGroup" \
    --output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
export VpcId="${VpcId}"
export SubnetId1aPublic="${SubnetId1aPublic}"
export SubnetId1cPublic="${SubnetId1cPublic}"
export SubnetId1aPrivate="${SubnetId1aPrivate}"
export SubnetId1cPrivate="${SubnetId1cPrivate}"
export InternetGatewayId="${InternetGatewayId}"
export RouteTableIdPublic="${RouteTableIdPublic}"
export RouteTableIdPrivate="${RouteTableIdPrivate}"
export PublicSecurityGroupsId="${PublicSecurityGroupsId}"
EOF
cat ~/export.log

result

これはサンプルです。export AccountID="123456789012"
これはサンプルです。export VpcId="vpc-010a940bbd8f747c2"
これはサンプルです。export SubnetId1aPublic="subnet-0356b36ba2daa766c"
これはサンプルです。export SubnetId1cPublic="subnet-0dabe411bfdc835fb"
これはサンプルです。export SubnetId1aPrivate="subnet-0d99180ac3baeb5fa"
これはサンプルです。export SubnetId1cPrivate="subnet-0a66f1c2d5ce3b939"
これはサンプルです。export InternetGatewayId="igw-082f42082d7748713"
これはサンプルです。export RouteTableIdPublic="rtb-000a11e6eacc5c263"
これはサンプルです。export RouteTableIdPrivate="rtb-077b87e7eb65d1f43"
これはサンプルです。export PublicSecurityGroupsId="sg-065a7c8eceb9759d4"

■PrivateSubnet用のSecurityGroup作成

  • PrivateSubnet用のSecurityGroup作成

img

cmd

aws ec2 create-security-group \
  --group-name PrivateSecurityGroup \
  --description "Private Security Group" \
  --vpc-id ${VpcId} \
  --tag-specifications "ResourceType=security-group,Tags=[{Key=Name,Value=ContainerHandsOn-PrivateSecurityGroup}]"

result

{
    "GroupId": "sg-0f59547a1185820b5",
    "Tags": [
        {
            "Key": "Name",
            "Value": "ContainerHandsOn-PrivateSecurityGroup"
        }
    ]
}

■PublicSunetのSecurityGroupsIdの取得

  • IDを取得し、変数に格納・確認を行います
PrivateSecurityGroupsId=`aws ec2 describe-security-groups \
  --query 'SecurityGroups[*].GroupId' \
  --filters "Name=tag-key,Values=Name" \
    "Name=tag-value,Values=ContainerHandsOn-PrivateSecurityGroup" \
    --output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
export VpcId="${VpcId}"
export SubnetId1aPublic="${SubnetId1aPublic}"
export SubnetId1cPublic="${SubnetId1cPublic}"
export SubnetId1aPrivate="${SubnetId1aPrivate}"
export SubnetId1cPrivate="${SubnetId1cPrivate}"
export InternetGatewayId="${InternetGatewayId}"
export RouteTableIdPublic="${RouteTableIdPublic}"
export RouteTableIdPrivate="${RouteTableIdPrivate}"
export PublicSecurityGroupsId="${PublicSecurityGroupsId}"
export PrivateSecurityGroupsId="${PrivateSecurityGroupsId}"
EOF
cat ~/export.log

result

これはサンプルです。export AccountID="123456789012"
これはサンプルです。export VpcId="vpc-010a940bbd8f747c2"
これはサンプルです。export SubnetId1aPublic="subnet-0356b36ba2daa766c"
これはサンプルです。export SubnetId1cPublic="subnet-0dabe411bfdc835fb"
これはサンプルです。export SubnetId1aPrivate="subnet-0d99180ac3baeb5fa"
これはサンプルです。export SubnetId1cPrivate="subnet-0a66f1c2d5ce3b939"
これはサンプルです。export InternetGatewayId="igw-082f42082d7748713"
これはサンプルです。export RouteTableIdPublic="rtb-000a11e6eacc5c263"
これはサンプルです。export RouteTableIdPrivate="rtb-077b87e7eb65d1f43"
これはサンプルです。export PublicSecurityGroupsId="sg-065a7c8eceb9759d4"
これはサンプルです。export PrivateSecurityGroupsId="sg-0f59547a1185820b5"

■PublicSubnetのインバウンドルールを追加

  • InternetからのHTTP(プロトコルtcp ポート80)でのアクセスを許可します

img

cmd

aws ec2 authorize-security-group-ingress \
    --group-id ${PublicSecurityGroupsId} \
    --protocol tcp \
    --port 80 \
    --cidr 0.0.0.0/0

result

{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0fa3570659990ac7c",
            "GroupId": "sg-065a7c8eceb9759d4",
            "GroupOwnerId": "123456789012",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv4": "0.0.0.0/0"
        }
    ]
}

■PrivateSubnetのインバウンドルールを追加1

  • PublicSubnet経由でのHTTPでのアクセスを許可します

img

cmd

aws ec2 authorize-security-group-ingress \
    --group-id ${PrivateSecurityGroupsId} \
    --protocol tcp \
    --port 80 \
    --source-group ${PublicSecurityGroupsId}

result

{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-03987cbc28a10ec4c",
            "GroupId": "sg-0f59547a1185820b5",
            "GroupOwnerId": "123456789012",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "ReferencedGroupInfo": {
                "GroupId": "sg-065a7c8eceb9759d4"
            }
        }
    ]
}

■PrivateSubnetのインバウンドルールを追加2

  • 後で設定するVPCエンドポイントの為にHTTPS(プロトコルtcp ポート443)アクセスを許可します

cmd

aws ec2 authorize-security-group-ingress \
    --group-id ${PrivateSecurityGroupsId} \
    --protocol tcp \
    --port 443 \
    --cidr 0.0.0.0/0

result

{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0597c6c5a6a6f4758",
            "GroupId": "sg-0f59547a1185820b5",
            "GroupOwnerId": "123456789012",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 443,
            "ToPort": 443,
            "CidrIpv4": "0.0.0.0/0"
        }
    ]
}

■CloudWatch LogGroupの作成

  • ecsTaskExecutionRoleがLogGroupを作成できないので、手作成します。

img

cmd

aws logs create-log-group --log-group-name awslogs-container-hands-on

result

(なし)

■CloudWatch LogGroupの作成確認

cmd

aws logs describe-log-groups --log-group-name-prefix awslogs-container-hands-on

result

{
    "logGroups": [
        {
            "logGroupName": "awslogs-container-hands-on",
            "creationTime": 1663242536780,
            "metricFilterCount": 0,
            "arn": "arn:aws:logs:ap-northeast-1:123456789012:log-group:awslogs-container-hands-on:*",
            "storedBytes": 0
        }
    ]
}