Contents of this chapter
- ■Launching CloudShell
- ■Getting the AWS Account ID
- ■Checking whether the ECS task execution Role exists
- ■Creating the ECS execution Role (only if the Role does not exist)
- ■Attaching the Policy to the Role (only if the Role does not exist)
- ■Creating the VPC
- ■Getting the VpcId
- ■Enabling DNS resolution
- ■Checking the DNS resolution setting
- ■Enabling DNS hostnames
- ■Checking the DNS hostnames setting
- ■Creating the Subnets
- ■Getting the Subnet IDs
- ■Creating the InternetGateway
- ■Getting the InternetGateway ID
- ■Attaching the InternetGateway to the VPC
- ■Confirming the InternetGateway is attached to the VPC
- ■Creating the RouteTables
- ■Getting the RouteTable IDs
- ■Associating the Subnets with the RouteTables
- ■Associating the InternetGateway with the RouteTable
- ■Creating the SecurityGroup for the PublicSubnet
- ■Getting the PublicSubnet SecurityGroupId
- ■Creating the SecurityGroup for the PrivateSubnet
- ■Getting the PrivateSubnet SecurityGroupId
- ■Adding the PublicSubnet inbound rule
- ■Adding the PrivateSubnet inbound rule 1
- ■Adding the PrivateSubnet inbound rule 2
- ■Creating the CloudWatch LogGroup
- ■Confirming the CloudWatch LogGroup was created
■Launching CloudShell
Log in to the AWS console
- Log in to the AWS console as an IAM user with Administrator permissions
- Switch the region to "Asia Pacific (Tokyo)"
Press the CloudShell button
- Press the CloudShell button at the top right of the screen
CloudShell starts
■Getting the AWS Account ID
- Get the ID, store it in a variable, and verify it
cmd
AccountID=`aws sts get-caller-identity --query Account --output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
EOF
cat ~/export.log
result
Sample: export AccountID="123456789012"
■Checking whether the ECS task execution Role exists
- Check whether the Role that runs ECS tasks (ecsTaskExecutionRole) exists
cmd
aws iam list-roles | grep "RoleName" | grep "ecsTaskExecutionRole"
result (if it exists)
"RoleName": "ecsTaskExecutionRole",
result (if it does not exist)
(none)
■Creating the ECS execution Role (only if the Role does not exist)
- Run this only if ecsTaskExecutionRole does not exist
cmd
cd ~/
cat << EOF > assume-role-policy-document.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role \
--role-name ecsTaskExecutionRole \
--assume-role-policy-document file://assume-role-policy-document.json
result
{
"Role": {
"Path": "/",
"RoleName": "ecsTaskExecutionRole",
"RoleId": "AROASHENIAIFBW66KV4HJ",
"Arn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
"CreateDate": "2022-09-15T11:39:04+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
}
}
■Attaching the Policy to the Role (only if the Role does not exist)
- Attach the Policy to the Role you created
cmd
aws iam attach-role-policy \
--role-name ecsTaskExecutionRole \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
result
(none)
- Confirm that the Policy is attached
cmd
aws iam list-attached-role-policies \
--role-name ecsTaskExecutionRole
result
{
"AttachedPolicies": [
{
"PolicyName": "AmazonECSTaskExecutionRolePolicy",
"PolicyArn": "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
]
}
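The two steps above give ecsTaskExecutionRole exactly one trusted principal (ecs-tasks.amazonaws.com) and exactly one managed policy. The check below is an added example, not part of the original hands-on: it reads the JSON that `aws iam get-role --role-name ecsTaskExecutionRole` and `aws iam list-attached-role-policies` return (the same shape as the results shown above) and reports any wider trust or extra policy; the sample inputs are constructed from those results.

```python
import json

# Constructed sample in the create-role / get-role result shape shown in
# this hands-on (only the fields the check needs are kept).
ROLE_JSON = json.dumps({"Role": {
    "RoleName": "ecsTaskExecutionRole",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "", "Effect": "Allow",
                       "Principal": {"Service": "ecs-tasks.amazonaws.com"},
                       "Action": "sts:AssumeRole"}]}}})

# Constructed failure case: the same role, but trusting every AWS principal.
OVERBROAD_ROLE_JSON = json.dumps({"Role": {
    "RoleName": "ecsTaskExecutionRole",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                       "Action": "sts:AssumeRole"}]}}})

# Constructed sample in the list-attached-role-policies result shape.
ATTACHED_JSON = json.dumps({"AttachedPolicies": [
    {"PolicyName": "AmazonECSTaskExecutionRolePolicy",
     "PolicyArn": "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"}]})

EXPECTED_SERVICE = "ecs-tasks.amazonaws.com"
EXPECTED_POLICY = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_task_execution_role(role_json, attached_json):
    """Return a list of findings; an empty list means the role matches the hands-on setup."""
    findings = []
    doc = json.loads(role_json)["Role"]["AssumeRolePolicyDocument"]
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append("trust policy allows any principal to assume the role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"unexpected Principal value: {principal!r}")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind != "Service" or value != EXPECTED_SERVICE:
                    findings.append(f"trust policy also allows {kind}={value}")
    arns = [p["PolicyArn"] for p in json.loads(attached_json)["AttachedPolicies"]]
    if EXPECTED_POLICY not in arns:
        findings.append("AmazonECSTaskExecutionRolePolicy is not attached")
    findings += [f"extra policy attached: {arn}" for arn in arns if arn != EXPECTED_POLICY]
    return findings
```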
■Creating the VPC
- Create a new VPC
cmd
aws ec2 create-vpc \
--cidr-block 10.0.0.0/16 \
--tag-specifications "ResourceType=vpc,Tags=[{Key=Name,Value=ContainerHandsOn}]"
result
{
"Vpc": {
"CidrBlock": "10.0.0.0/16",
"DhcpOptionsId": "dopt-c3de3ba5",
"State": "pending",
"VpcId": "vpc-010a940bbd8f747c2",
"OwnerId": "123456789012",
"InstanceTenancy": "default",
"Ipv6CidrBlockAssociationSet": [],
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-0b14e52ce4b43dd1e",
"CidrBlock": "10.0.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
],
"IsDefault": false,
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOn"
}
]
}
}
■Getting the VpcId
- Get the ID, store it in a variable, and verify it
cmd
VpcId=`aws ec2 describe-vpcs \
--query 'Vpcs[*].VpcId' \
--filters "Name=tag-key,Values=Name" \
"Name=tag-value,Values=ContainerHandsOn" \
--output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
export VpcId="${VpcId}"
EOF
cat ~/export.log
result
Sample: export AccountID="123456789012"
Sample: export VpcId="vpc-010a940bbd8f747c2"
■Enabling DNS resolution
- Lets the VPC you created translate domain names to IP addresses and vice versa
- This is required for the VPC endpoints created later
cmd
aws ec2 modify-vpc-attribute \
--vpc-id ${VpcId} \
--enable-dns-support '{"Value":true}'
result
(none)
■Checking the DNS resolution setting
- Confirm that the setting was applied correctly
cmd
aws ec2 describe-vpc-attribute \
--query EnableDnsSupport \
--vpc-id ${VpcId} \
--attribute enableDnsSupport
result
{
"Value": true
}
■Enabling DNS hostnames
- Configure resources in the VPC to get DNS hostnames (e.g. ip-10-0-0-23.ap-northeast-1.compute.internal)
- This is required for the VPC endpoints created later
cmd
aws ec2 modify-vpc-attribute \
--vpc-id ${VpcId} \
--enable-dns-hostnames '{"Value":true}'
result
(none)
■Checking the DNS hostnames setting
- Confirm that the setting was applied correctly
cmd
aws ec2 describe-vpc-attribute \
--query EnableDnsHostnames \
--vpc-id ${VpcId} \
--attribute enableDnsHostnames
result
{
"Value": true
}
■Creating the Subnets
- Create four Subnets inside the VPC you created
- Two Private Subnets and two Public Subnets
cmd (Public Subnet 1)
aws ec2 create-subnet \
--vpc-id $VpcId \
--availability-zone ap-northeast-1a \
--cidr-block 10.0.0.0/24 \
--tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=ContainerHandsOnPublic}]"
result (Public Subnet 1)
{
"Subnet": {
"AvailabilityZone": "ap-northeast-1a",
"AvailabilityZoneId": "apne1-az4",
"AvailableIpAddressCount": 251,
"CidrBlock": "10.0.0.0/24",
"DefaultForAz": false,
"MapPublicIpOnLaunch": false,
"State": "available",
"SubnetId": "subnet-0356b36ba2daa766c",
"VpcId": "vpc-010a940bbd8f747c2",
"OwnerId": "123456789012",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [],
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOnPublic"
}
],
"SubnetArn": "arn:aws:ec2:ap-northeast-1:123456789012:subnet/subnet-0356b36ba2daa766c",
"EnableDns64": false,
"Ipv6Native": false,
"PrivateDnsNameOptionsOnLaunch": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
}
}
}
cmd (Public Subnet 2)
aws ec2 create-subnet \
--vpc-id $VpcId \
--availability-zone ap-northeast-1c \
--cidr-block 10.0.1.0/24 \
--tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=ContainerHandsOnPublic}]"
result (Public Subnet 2)
{
"Subnet": {
"AvailabilityZone": "ap-northeast-1c",
"AvailabilityZoneId": "apne1-az1",
"AvailableIpAddressCount": 251,
"CidrBlock": "10.0.1.0/24",
"DefaultForAz": false,
"MapPublicIpOnLaunch": false,
"State": "available",
"SubnetId": "subnet-0dabe411bfdc835fb",
"VpcId": "vpc-010a940bbd8f747c2",
"OwnerId": "123456789012",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [],
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOnPublic"
}
],
"SubnetArn": "arn:aws:ec2:ap-northeast-1:123456789012:subnet/subnet-0dabe411bfdc835fb",
"EnableDns64": false,
"Ipv6Native": false,
"PrivateDnsNameOptionsOnLaunch": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
}
}
}
cmd (Private Subnet 1)
aws ec2 create-subnet \
--vpc-id $VpcId \
--availability-zone ap-northeast-1a \
--cidr-block 10.0.2.0/24 \
--tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=ContainerHandsOnPrivate}]"
result (Private Subnet 1)
{
"Subnet": {
"AvailabilityZone": "ap-northeast-1a",
"AvailabilityZoneId": "apne1-az4",
"AvailableIpAddressCount": 251,
"CidrBlock": "10.0.2.0/24",
"DefaultForAz": false,
"MapPublicIpOnLaunch": false,
"State": "available",
"SubnetId": "subnet-0d99180ac3baeb5fa",
"VpcId": "vpc-010a940bbd8f747c2",
"OwnerId": "123456789012",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [],
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOnPrivate"
}
],
"SubnetArn": "arn:aws:ec2:ap-northeast-1:123456789012:subnet/subnet-0d99180ac3baeb5fa",
"EnableDns64": false,
"Ipv6Native": false,
"PrivateDnsNameOptionsOnLaunch": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
}
}
}
cmd (Private Subnet 2)
aws ec2 create-subnet \
--vpc-id $VpcId \
--availability-zone ap-northeast-1c \
--cidr-block 10.0.3.0/24 \
--tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=ContainerHandsOnPrivate}]"
result (Private Subnet 2)
{
"Subnet": {
"AvailabilityZone": "ap-northeast-1c",
"AvailabilityZoneId": "apne1-az1",
"AvailableIpAddressCount": 251,
"CidrBlock": "10.0.3.0/24",
"DefaultForAz": false,
"MapPublicIpOnLaunch": false,
"State": "available",
"SubnetId": "subnet-0a66f1c2d5ce3b939",
"VpcId": "vpc-010a940bbd8f747c2",
"OwnerId": "123456789012",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [],
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOnPrivate"
}
],
"SubnetArn": "arn:aws:ec2:ap-northeast-1:123456789012:subnet/subnet-0a66f1c2d5ce3b939",
"EnableDns64": false,
"Ipv6Native": false,
"PrivateDnsNameOptionsOnLaunch": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
}
}
}
■Getting the Subnet IDs
- Get the IDs, store them in variables, and verify them
cmd
SubnetId1aPublic=`aws ec2 describe-subnets \
--filters "Name=tag-key,Values=Name" \
"Name=tag-value,Values=ContainerHandsOnPublic" \
"Name=availabilityZone,Values=ap-northeast-1a" \
--query "Subnets[*].SubnetId" \
--output text`
SubnetId1cPublic=`aws ec2 describe-subnets \
--filters "Name=tag-key,Values=Name" \
"Name=tag-value,Values=ContainerHandsOnPublic" \
"Name=availabilityZone,Values=ap-northeast-1c" \
--query "Subnets[*].SubnetId" \
--output text`
SubnetId1aPrivate=`aws ec2 describe-subnets \
--filters "Name=tag-key,Values=Name" \
"Name=tag-value,Values=ContainerHandsOnPrivate" \
"Name=availabilityZone,Values=ap-northeast-1a" \
--query "Subnets[*].SubnetId" \
--output text`
SubnetId1cPrivate=`aws ec2 describe-subnets \
--filters "Name=tag-key,Values=Name" \
"Name=tag-value,Values=ContainerHandsOnPrivate" \
"Name=availabilityZone,Values=ap-northeast-1c" \
--query "Subnets[*].SubnetId" \
--output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
export VpcId="${VpcId}"
export SubnetId1aPublic="${SubnetId1aPublic}"
export SubnetId1cPublic="${SubnetId1cPublic}"
export SubnetId1aPrivate="${SubnetId1aPrivate}"
export SubnetId1cPrivate="${SubnetId1cPrivate}"
EOF
cat ~/export.log
result
Sample: export AccountID="123456789012"
Sample: export VpcId="vpc-010a940bbd8f747c2"
Sample: export SubnetId1aPublic="subnet-0356b36ba2daa766c"
Sample: export SubnetId1cPublic="subnet-0dabe411bfdc835fb"
Sample: export SubnetId1aPrivate="subnet-0d99180ac3baeb5fa"
Sample: export SubnetId1cPrivate="subnet-0a66f1c2d5ce3b939"
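The `--output text` lookups used in this and the other "Getting the ... ID" steps fail quietly: when no resource matches the tag filter the variable is an empty string, and when several match (for example if the availabilityZone filter is left out, since both Public subnets share the Name tag) it holds several tab-separated IDs, and every later command that uses the variable then breaks. The following check is an added example, not part of the hands-on: it reads ~/export.log and reports both cases; the good sample holds the values shown above and the failure case is constructed.

```python
import re
import sys

# Pattern each variable written to ~/export.log in this hands-on must match.
ID_PATTERNS = {
    "AccountID": r"\d{12}",
    "VpcId": r"vpc-[0-9a-f]+",
    "SubnetId1aPublic": r"subnet-[0-9a-f]+",
    "SubnetId1cPublic": r"subnet-[0-9a-f]+",
    "SubnetId1aPrivate": r"subnet-[0-9a-f]+",
    "SubnetId1cPrivate": r"subnet-[0-9a-f]+",
    "InternetGatewayId": r"igw-[0-9a-f]+",
    "RouteTableIdPublic": r"rtb-[0-9a-f]+",
    "RouteTableIdPrivate": r"rtb-[0-9a-f]+",
    "PublicSecurityGroupsId": r"sg-[0-9a-f]+",
    "PrivateSecurityGroupsId": r"sg-[0-9a-f]+",
}
LINE_RE = re.compile(r'^export (\w+)="(.*)"$')

# Sample values from this hands-on, as written after the Subnet ID step.
GOOD_LOG = """\
export AccountID="123456789012"
export VpcId="vpc-010a940bbd8f747c2"
export SubnetId1aPublic="subnet-0356b36ba2daa766c"
export SubnetId1cPublic="subnet-0dabe411bfdc835fb"
export SubnetId1aPrivate="subnet-0d99180ac3baeb5fa"
export SubnetId1cPrivate="subnet-0a66f1c2d5ce3b939"
"""
# Constructed failure case: the VPC filter matched nothing (empty string) and
# the Public subnet query was run without the availabilityZone filter, so
# `--output text` returned both subnet IDs separated by a tab.
BAD_LOG = """\
export AccountID="123456789012"
export VpcId=""
export SubnetId1aPublic="subnet-0356b36ba2daa766c\tsubnet-0dabe411bfdc835fb"
"""


def validate_export_log(text, required=()):
    """Return a list of problems; empty means every ID present is single and well-formed."""
    env, problems = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line.strip())
        if not match:
            problems.append(f"malformed line: {line}")
            continue
        env[match.group(1)] = match.group(2)
    for name, value in env.items():
        pattern = ID_PATTERNS.get(name)
        if pattern is None:
            problems.append(f"{name}: not a variable this hands-on writes")
        elif value == "":
            problems.append(f"{name}: empty (the describe filter matched nothing)")
        elif len(value.split()) > 1:
            problems.append(f"{name}: {len(value.split())} values (the filter matched several resources)")
        elif not re.fullmatch(pattern, value):
            problems.append(f"{name}: {value!r} does not look like the expected ID")
    problems += [f"{name}: missing from export.log" for name in required if name not in env]
    return problems


if __name__ == "__main__":  # e.g. python3 check_export.py < ~/export.log
    for problem in validate_export_log(sys.stdin.read()):
        print(problem)
```

Running it in CloudShell after each "Getting the ... ID" step (before `source ~/export.log` in a new session) catches a bad lookup at the step that caused it rather than several steps later.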
■Creating the InternetGateway
- Create the InternetGateway, the VPC's entry and exit point to the Internet
cmd
aws ec2 create-internet-gateway \
--tag-specifications "ResourceType=internet-gateway,Tags=[{Key=Name,Value=ContainerHandsOn}]"
result
{
"InternetGateway": {
"Attachments": [],
"InternetGatewayId": "igw-082f42082d7748713",
"OwnerId": "123456789012",
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOn"
}
]
}
}
■Getting the InternetGateway ID
- Get the ID, store it in a variable, and verify it
cmd
InternetGatewayId=`aws ec2 describe-internet-gateways \
--query 'InternetGateways[*].InternetGatewayId' \
--filters "Name=tag-key,Values=Name" \
"Name=tag-value,Values=ContainerHandsOn" \
--output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
export VpcId="${VpcId}"
export SubnetId1aPublic="${SubnetId1aPublic}"
export SubnetId1cPublic="${SubnetId1cPublic}"
export SubnetId1aPrivate="${SubnetId1aPrivate}"
export SubnetId1cPrivate="${SubnetId1cPrivate}"
export InternetGatewayId="${InternetGatewayId}"
EOF
cat ~/export.log
result
Sample: export AccountID="123456789012"
Sample: export VpcId="vpc-010a940bbd8f747c2"
Sample: export SubnetId1aPublic="subnet-0356b36ba2daa766c"
Sample: export SubnetId1cPublic="subnet-0dabe411bfdc835fb"
Sample: export SubnetId1aPrivate="subnet-0d99180ac3baeb5fa"
Sample: export SubnetId1cPrivate="subnet-0a66f1c2d5ce3b939"
Sample: export InternetGatewayId="igw-082f42082d7748713"
■Attaching the InternetGateway to the VPC
- Attach the InternetGateway to the VPC, creating the connection point to the Internet
cmd
aws ec2 attach-internet-gateway \
--internet-gateway-id ${InternetGatewayId} \
--vpc-id ${VpcId}
result
(none)
■Confirming the InternetGateway is attached to the VPC
- Confirm that it is attached
cmd
aws ec2 describe-internet-gateways \
--internet-gateway-ids ${InternetGatewayId} \
--query 'InternetGateways[*].Attachments[*].State' \
--filters "Name=tag-key,Values=Name" \
"Name=tag-value,Values=ContainerHandsOn" \
--output text
result
available
■Creating the RouteTables
- Create the route tables that control traffic flow for the PublicSubnet and the PrivateSubnet
- At this point the RouteTables are not yet associated with any Subnet
cmd (PublicSubnet)
aws ec2 create-route-table \
--vpc-id ${VpcId} \
--tag-specifications "ResourceType=route-table,Tags=[{Key=Name,Value=ContainerHandsOnPublic}]"
result (PublicSubnet)
{
"RouteTable": {
"Associations": [],
"PropagatingVgws": [],
"RouteTableId": "rtb-000a11e6eacc5c263",
"Routes": [
{
"DestinationCidrBlock": "10.0.0.0/16",
"GatewayId": "local",
"Origin": "CreateRouteTable",
"State": "active"
}
],
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOnPublic"
}
],
"VpcId": "vpc-010a940bbd8f747c2",
"OwnerId": "123456789012"
}
}
cmd (PrivateSubnet)
aws ec2 create-route-table \
--vpc-id ${VpcId} \
--tag-specifications "ResourceType=route-table,Tags=[{Key=Name,Value=ContainerHandsOnPrivate}]"
result (PrivateSubnet)
{
"RouteTable": {
"Associations": [],
"PropagatingVgws": [],
"RouteTableId": "rtb-077b87e7eb65d1f43",
"Routes": [
{
"DestinationCidrBlock": "10.0.0.0/16",
"GatewayId": "local",
"Origin": "CreateRouteTable",
"State": "active"
}
],
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOnPrivate"
}
],
"VpcId": "vpc-010a940bbd8f747c2",
"OwnerId": "123456789012"
}
}
■Getting the RouteTable IDs
- Get the IDs, store them in variables, and verify them
cmd
RouteTableIdPublic=`aws ec2 describe-route-tables \
--query "RouteTables[*].RouteTableId" \
--filters "Name=vpc-id,Values=${VpcId}" \
"Name=tag-key,Values=Name" \
"Name=tag-value,Values=ContainerHandsOnPublic" \
--output text`
RouteTableIdPrivate=`aws ec2 describe-route-tables \
--query "RouteTables[*].RouteTableId" \
--filters "Name=vpc-id,Values=${VpcId}" \
"Name=tag-key,Values=Name" \
"Name=tag-value,Values=ContainerHandsOnPrivate" \
--output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
export VpcId="${VpcId}"
export SubnetId1aPublic="${SubnetId1aPublic}"
export SubnetId1cPublic="${SubnetId1cPublic}"
export SubnetId1aPrivate="${SubnetId1aPrivate}"
export SubnetId1cPrivate="${SubnetId1cPrivate}"
export InternetGatewayId="${InternetGatewayId}"
export RouteTableIdPublic="${RouteTableIdPublic}"
export RouteTableIdPrivate="${RouteTableIdPrivate}"
EOF
cat ~/export.log
result
Sample: export AccountID="123456789012"
Sample: export VpcId="vpc-010a940bbd8f747c2"
Sample: export SubnetId1aPublic="subnet-0356b36ba2daa766c"
Sample: export SubnetId1cPublic="subnet-0dabe411bfdc835fb"
Sample: export SubnetId1aPrivate="subnet-0d99180ac3baeb5fa"
Sample: export SubnetId1cPrivate="subnet-0a66f1c2d5ce3b939"
Sample: export InternetGatewayId="igw-082f42082d7748713"
Sample: export RouteTableIdPublic="rtb-000a11e6eacc5c263"
Sample: export RouteTableIdPrivate="rtb-077b87e7eb65d1f43"
■Associating the Subnets with the RouteTables
- Associate each RouteTable with its Subnets
cmd (PublicSubnet 1)
aws ec2 associate-route-table \
--route-table-id ${RouteTableIdPublic} \
--subnet-id ${SubnetId1aPublic}
result (PublicSubnet 1)
{
"AssociationId": "rtbassoc-0fdd06641008db840",
"AssociationState": {
"State": "associated"
}
}
cmd (PublicSubnet 2)
aws ec2 associate-route-table \
--route-table-id ${RouteTableIdPublic} \
--subnet-id ${SubnetId1cPublic}
result (PublicSubnet 2)
{
"AssociationId": "rtbassoc-067b436f3f7eb8e3a",
"AssociationState": {
"State": "associated"
}
}
cmd (PrivateSubnet 1)
aws ec2 associate-route-table \
--route-table-id ${RouteTableIdPrivate} \
--subnet-id ${SubnetId1aPrivate}
result (PrivateSubnet 1)
{
"AssociationId": "rtbassoc-0d02b62aeb39e373e",
"AssociationState": {
"State": "associated"
}
}
cmd (PrivateSubnet 2)
aws ec2 associate-route-table \
--route-table-id ${RouteTableIdPrivate} \
--subnet-id ${SubnetId1cPrivate}
result (PrivateSubnet 2)
{
"AssociationId": "rtbassoc-07780995550f76761",
"AssociationState": {
"State": "associated"
}
}
■Associating the InternetGateway with the RouteTable
- Add a route to the InternetGateway in the PublicSubnet RouteTable so that the PublicSubnet can reach the Internet
cmd
aws ec2 create-route \
--route-table-id ${RouteTableIdPublic} \
--destination-cidr-block "0.0.0.0/0" \
--gateway-id ${InternetGatewayId}
result
{
"Return": true
}
■Creating the SecurityGroup for the PublicSubnet
- Create the SecurityGroup for the PublicSubnet
cmd
aws ec2 create-security-group \
--group-name PublicSecurityGroup \
--description "Public Security Group" \
--vpc-id ${VpcId} \
--tag-specifications "ResourceType=security-group,Tags=[{Key=Name,Value=ContainerHandsOn-PublicSecurityGroup}]"
result
{
"GroupId": "sg-065a7c8eceb9759d4",
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOn-PublicSecurityGroup"
}
]
}
■Getting the PublicSubnet SecurityGroupId
- Get the ID, store it in a variable, and verify it
cmd
PublicSecurityGroupsId=`aws ec2 describe-security-groups \
--query 'SecurityGroups[*].GroupId' \
--filters "Name=tag-key,Values=Name" \
"Name=tag-value,Values=ContainerHandsOn-PublicSecurityGroup" \
--output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
export VpcId="${VpcId}"
export SubnetId1aPublic="${SubnetId1aPublic}"
export SubnetId1cPublic="${SubnetId1cPublic}"
export SubnetId1aPrivate="${SubnetId1aPrivate}"
export SubnetId1cPrivate="${SubnetId1cPrivate}"
export InternetGatewayId="${InternetGatewayId}"
export RouteTableIdPublic="${RouteTableIdPublic}"
export RouteTableIdPrivate="${RouteTableIdPrivate}"
export PublicSecurityGroupsId="${PublicSecurityGroupsId}"
EOF
cat ~/export.log
result
Sample: export AccountID="123456789012"
Sample: export VpcId="vpc-010a940bbd8f747c2"
Sample: export SubnetId1aPublic="subnet-0356b36ba2daa766c"
Sample: export SubnetId1cPublic="subnet-0dabe411bfdc835fb"
Sample: export SubnetId1aPrivate="subnet-0d99180ac3baeb5fa"
Sample: export SubnetId1cPrivate="subnet-0a66f1c2d5ce3b939"
Sample: export InternetGatewayId="igw-082f42082d7748713"
Sample: export RouteTableIdPublic="rtb-000a11e6eacc5c263"
Sample: export RouteTableIdPrivate="rtb-077b87e7eb65d1f43"
Sample: export PublicSecurityGroupsId="sg-065a7c8eceb9759d4"
■Creating the SecurityGroup for the PrivateSubnet
- Create the SecurityGroup for the PrivateSubnet
cmd
aws ec2 create-security-group \
--group-name PrivateSecurityGroup \
--description "Private Security Group" \
--vpc-id ${VpcId} \
--tag-specifications "ResourceType=security-group,Tags=[{Key=Name,Value=ContainerHandsOn-PrivateSecurityGroup}]"
result
{
"GroupId": "sg-0f59547a1185820b5",
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOn-PrivateSecurityGroup"
}
]
}
■Getting the PrivateSubnet SecurityGroupId
- Get the ID, store it in a variable, and verify it
cmd
PrivateSecurityGroupsId=`aws ec2 describe-security-groups \
--query 'SecurityGroups[*].GroupId' \
--filters "Name=tag-key,Values=Name" \
"Name=tag-value,Values=ContainerHandsOn-PrivateSecurityGroup" \
--output text`
clear; cat << EOF > ~/export.log
export AccountID="${AccountID}"
export VpcId="${VpcId}"
export SubnetId1aPublic="${SubnetId1aPublic}"
export SubnetId1cPublic="${SubnetId1cPublic}"
export SubnetId1aPrivate="${SubnetId1aPrivate}"
export SubnetId1cPrivate="${SubnetId1cPrivate}"
export InternetGatewayId="${InternetGatewayId}"
export RouteTableIdPublic="${RouteTableIdPublic}"
export RouteTableIdPrivate="${RouteTableIdPrivate}"
export PublicSecurityGroupsId="${PublicSecurityGroupsId}"
export PrivateSecurityGroupsId="${PrivateSecurityGroupsId}"
EOF
cat ~/export.log
result
Sample: export AccountID="123456789012"
Sample: export VpcId="vpc-010a940bbd8f747c2"
Sample: export SubnetId1aPublic="subnet-0356b36ba2daa766c"
Sample: export SubnetId1cPublic="subnet-0dabe411bfdc835fb"
Sample: export SubnetId1aPrivate="subnet-0d99180ac3baeb5fa"
Sample: export SubnetId1cPrivate="subnet-0a66f1c2d5ce3b939"
Sample: export InternetGatewayId="igw-082f42082d7748713"
Sample: export RouteTableIdPublic="rtb-000a11e6eacc5c263"
Sample: export RouteTableIdPrivate="rtb-077b87e7eb65d1f43"
Sample: export PublicSecurityGroupsId="sg-065a7c8eceb9759d4"
Sample: export PrivateSecurityGroupsId="sg-0f59547a1185820b5"
■Adding the PublicSubnet inbound rule
- Allow HTTP (protocol tcp, port 80) access from the Internet
cmd
aws ec2 authorize-security-group-ingress \
--group-id ${PublicSecurityGroupsId} \
--protocol tcp \
--port 80 \
--cidr 0.0.0.0/0
result
{
"Return": true,
"SecurityGroupRules": [
{
"SecurityGroupRuleId": "sgr-0fa3570659990ac7c",
"GroupId": "sg-065a7c8eceb9759d4",
"GroupOwnerId": "123456789012",
"IsEgress": false,
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIpv4": "0.0.0.0/0"
}
]
}
■Adding the PrivateSubnet inbound rule 1
- Allow HTTP access that comes via the PublicSubnet (source: the PublicSubnet SecurityGroup)
cmd
aws ec2 authorize-security-group-ingress \
--group-id ${PrivateSecurityGroupsId} \
--protocol tcp \
--port 80 \
--source-group ${PublicSecurityGroupsId}
result
{
"Return": true,
"SecurityGroupRules": [
{
"SecurityGroupRuleId": "sgr-03987cbc28a10ec4c",
"GroupId": "sg-0f59547a1185820b5",
"GroupOwnerId": "123456789012",
"IsEgress": false,
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"ReferencedGroupInfo": {
"GroupId": "sg-065a7c8eceb9759d4"
}
}
]
}
■Adding the PrivateSubnet inbound rule 2
- Allow HTTPS (protocol tcp, port 443) access for the VPC endpoints configured later
cmd
aws ec2 authorize-security-group-ingress \
--group-id ${PrivateSecurityGroupsId} \
--protocol tcp \
--port 443 \
--cidr 0.0.0.0/0
result
{
"Return": true,
"SecurityGroupRules": [
{
"SecurityGroupRuleId": "sgr-0597c6c5a6a6f4758",
"GroupId": "sg-0f59547a1185820b5",
"GroupOwnerId": "123456789012",
"IsEgress": false,
"IpProtocol": "tcp",
"FromPort": 443,
"ToPort": 443,
"CidrIpv4": "0.0.0.0/0"
}
]
}
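The three inbound rules above can be reviewed after the fact from `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<sg-id>`, whose output has the same SecurityGroupRules shape as the results shown. The check below is an added example, not part of the original hands-on: it flags any IPv4 ingress rule that is wider than its group is meant to be. Rule 1 (HTTP from the Internet to the PublicSecurityGroup) is intended and passes; rule 2 references a group and is skipped; inbound rule 2 on the PrivateSecurityGroup is reported because a VPC endpoint in this VPC is only reached from 10.0.0.0/16, so 443 from 0.0.0.0/0 grants more than it needs. The sample rules are constructed from the results above.

```python
import json
from ipaddress import ip_network

VPC_CIDR = "10.0.0.0/16"  # the VPC created in this hands-on

# Constructed sample in the SecurityGroupRules shape that
# authorize-security-group-ingress (and describe-security-group-rules)
# return, covering the three inbound rules added above.
RULES_JSON = json.dumps({"SecurityGroupRules": [
    {"SecurityGroupRuleId": "sgr-0fa3570659990ac7c", "GroupId": "sg-065a7c8eceb9759d4",
     "IsEgress": False, "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "CidrIpv4": "0.0.0.0/0"},
    {"SecurityGroupRuleId": "sgr-03987cbc28a10ec4c", "GroupId": "sg-0f59547a1185820b5",
     "IsEgress": False, "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "ReferencedGroupInfo": {"GroupId": "sg-065a7c8eceb9759d4"}},
    {"SecurityGroupRuleId": "sgr-0597c6c5a6a6f4758", "GroupId": "sg-0f59547a1185820b5",
     "IsEgress": False, "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "CidrIpv4": "0.0.0.0/0"},
]})

# Ports each group is meant to expose to the whole Internet: only the
# PublicSecurityGroup, and only HTTP.
INTERNET_FACING = {"sg-065a7c8eceb9759d4": {80}}


def audit_ingress(rules_json, vpc_cidr=VPC_CIDR, internet_facing=INTERNET_FACING):
    """Return (rule id, message) for every inbound rule wider than its group needs."""
    vpc = ip_network(vpc_cidr)
    findings = []
    for rule in json.loads(rules_json)["SecurityGroupRules"]:
        cidr = rule.get("CidrIpv4")
        # Egress rules and rules that reference another security group
        # (ReferencedGroupInfo) are already scoped; only IPv4 CIDR ingress is checked.
        if rule.get("IsEgress") or cidr is None:
            continue
        rid, gid = rule["SecurityGroupRuleId"], rule["GroupId"]
        low, high = rule.get("FromPort", -1), rule.get("ToPort", -1)
        all_ports = rule.get("IpProtocol") == "-1" or low < 0
        ports = set() if all_ports else set(range(low, high + 1))
        allowed = internet_facing.get(gid, set())
        intended = not all_ports and ports <= allowed
        span = "all ports" if all_ports else f"{rule.get('IpProtocol')}/{low}-{high}"
        net = ip_network(cidr)
        if net.prefixlen == 0 and not intended:
            findings.append((rid, f"{gid} {span} open to 0.0.0.0/0; "
                                  f"restrict to {vpc_cidr} or to a source group"))
        elif net.prefixlen > 0 and not net.subnet_of(vpc) and not intended:
            findings.append((rid, f"{gid} {span} open to {cidr}, outside the VPC"))
    return findings
```

For the endpoint rule, `--cidr 10.0.0.0/16` in place of `--cidr 0.0.0.0/0` serves the same purpose with the smaller exposure.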
■Creating the CloudWatch LogGroup
- ecsTaskExecutionRole cannot create the LogGroup itself, so create it manually.
cmd
aws logs create-log-group --log-group-name awslogs-container-hands-on
result
(none)
■Confirming the CloudWatch LogGroup was created
cmd
aws logs describe-log-groups --log-group-name-prefix awslogs-container-hands-on
result
{
"logGroups": [
{
"logGroupName": "awslogs-container-hands-on",
"creationTime": 1663242536780,
"metricFilterCount": 0,
"arn": "arn:aws:logs:ap-northeast-1:123456789012:log-group:awslogs-container-hands-on:*",
"storedBytes": 0
}
]
}