このチャプターの目次
FargateをPrivateSubnetで稼働させるため、以下VPCエンドポイントを準備します
ECRに格納されたイメージを取得するためには通常Internet経由となります、しかし今回はFargateはPrivateSubnetというInternetに接続されていないので、Internet経由ではECRにアクセスできません
これを解決するためにVPCエンドポイントというInternetに繋がらないAWSのネットワーク経由でECRにアクセスを行います。
- com.amazonaws.ap-northeast-1.s3
- com.amazonaws.ap-northeast-1.ecr.dkr
- com.amazonaws.ap-northeast-1.ecr.api
- com.amazonaws.ap-northeast-1.logs
■com.amazonaws.ap-northeast-1.s3
- S3はGateway型のエンドポイントを利用します
cmd
aws ec2 create-vpc-endpoint \
--vpc-id ${VpcId} \
--vpc-endpoint-type Gateway \
--service-name com.amazonaws.ap-northeast-1.s3 \
--route-table-ids ${RouteTableIdPrivate} \
--tag-specifications "ResourceType=vpc-endpoint,Tags=[{Key=Name,Value=ContainerHandsOn}]"
result
{
"VpcEndpoint": {
"VpcEndpointId": "vpce-06659337f5464d836",
"VpcEndpointType": "Gateway",
"VpcId": "vpc-010a940bbd8f747c2",
"ServiceName": "com.amazonaws.ap-northeast-1.s3",
"State": "available",
"PolicyDocument": "{\"Version\":\"2008-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}",
"RouteTableIds": [
"rtb-077b87e7eb65d1f43"
],
"SubnetIds": [],
"Groups": [],
"PrivateDnsEnabled": false,
"RequesterManaged": false,
"NetworkInterfaceIds": [],
"DnsEntries": [],
"CreationTimestamp": "2022-09-15T12:05:51.000Z",
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOn"
}
],
"OwnerId": "123456789012"
}
}
■com.amazonaws.ap-northeast-1.ecr.dkr
- ECRはInterface型のエンドポイントを利用します
cmd
aws ec2 create-vpc-endpoint \
--vpc-id ${VpcId} \
--vpc-endpoint-type Interface \
--service-name com.amazonaws.ap-northeast-1.ecr.dkr \
--subnet-ids ${SubnetId1aPrivate} ${SubnetId1cPrivate} \
--security-group-id ${PrivateSecurityGroupsId} \
--tag-specifications "ResourceType=vpc-endpoint,Tags=[{Key=Name,Value=ContainerHandsOn}]"
result
{
"VpcEndpoint": {
"VpcEndpointId": "vpce-01b89cdff71057ac6",
"VpcEndpointType": "Interface",
"VpcId": "vpc-010a940bbd8f747c2",
"ServiceName": "com.amazonaws.ap-northeast-1.ecr.dkr",
"State": "pending",
"RouteTableIds": [],
"SubnetIds": [
"subnet-0d99180ac3baeb5fa",
"subnet-0a66f1c2d5ce3b939"
],
"Groups": [
{
"GroupId": "sg-0f59547a1185820b5",
"GroupName": "PrivateSecurityGroup"
}
],
"IpAddressType": "ipv4",
"DnsOptions": {
"DnsRecordIpType": "ipv4"
},
"PrivateDnsEnabled": true,
"RequesterManaged": false,
"NetworkInterfaceIds": [
"eni-05c8a332e7c1cd6f1",
"eni-0f512a24a322c2df6"
],
"DnsEntries": [
{
"DnsName": "vpce-01b89cdff71057ac6-9xjg2vqn.dkr.ecr.ap-northeast-1.vpce.amazonaws.com",
"HostedZoneId": "Z2E726K9Y6RL4W"
},
{
"DnsName": "vpce-01b89cdff71057ac6-9xjg2vqn-ap-northeast-1c.dkr.ecr.ap-northeast-1.vpce.amazonaws.com",
"HostedZoneId": "Z2E726K9Y6RL4W"
},
{
"DnsName": "vpce-01b89cdff71057ac6-9xjg2vqn-ap-northeast-1a.dkr.ecr.ap-northeast-1.vpce.amazonaws.com",
"HostedZoneId": "Z2E726K9Y6RL4W"
},
{
"DnsName": "dkr.ecr.ap-northeast-1.amazonaws.com",
"HostedZoneId": "ZONEIDPENDING"
},
{
"DnsName": "*.dkr.ecr.ap-northeast-1.amazonaws.com",
"HostedZoneId": "ZONEIDPENDING"
}
],
"CreationTimestamp": "2022-09-15T12:06:12.996Z",
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOn"
}
],
"OwnerId": "123456789012"
}
}
■com.amazonaws.ap-northeast-1.ecr.api
- ECRはInterface型のエンドポイントを利用します
cmd
aws ec2 create-vpc-endpoint \
--vpc-id ${VpcId} \
--vpc-endpoint-type Interface \
--service-name com.amazonaws.ap-northeast-1.ecr.api \
--subnet-ids ${SubnetId1aPrivate} ${SubnetId1cPrivate} \
--security-group-id ${PrivateSecurityGroupsId} \
--tag-specifications "ResourceType=vpc-endpoint,Tags=[{Key=Name,Value=ContainerHandsOn}]"
result
{
"VpcEndpoint": {
"VpcEndpointId": "vpce-0b393692593886a63",
"VpcEndpointType": "Interface",
"VpcId": "vpc-010a940bbd8f747c2",
"ServiceName": "com.amazonaws.ap-northeast-1.ecr.api",
"State": "pending",
"RouteTableIds": [],
"SubnetIds": [
"subnet-0d99180ac3baeb5fa",
"subnet-0a66f1c2d5ce3b939"
],
"Groups": [
{
"GroupId": "sg-0f59547a1185820b5",
"GroupName": "PrivateSecurityGroup"
}
],
"IpAddressType": "ipv4",
"DnsOptions": {
"DnsRecordIpType": "ipv4"
},
"PrivateDnsEnabled": true,
"RequesterManaged": false,
"NetworkInterfaceIds": [
"eni-08db2d56fe23f4746",
"eni-010e2407de481c23e"
],
"DnsEntries": [
{
"DnsName": "vpce-0b393692593886a63-w1unh4qj.api.ecr.ap-northeast-1.vpce.amazonaws.com",
"HostedZoneId": "Z2E726K9Y6RL4W"
},
{
"DnsName": "vpce-0b393692593886a63-w1unh4qj-ap-northeast-1c.api.ecr.ap-northeast-1.vpce.amazonaws.com",
"HostedZoneId": "Z2E726K9Y6RL4W"
},
{
"DnsName": "vpce-0b393692593886a63-w1unh4qj-ap-northeast-1a.api.ecr.ap-northeast-1.vpce.amazonaws.com",
"HostedZoneId": "Z2E726K9Y6RL4W"
},
{
"DnsName": "api.ecr.ap-northeast-1.amazonaws.com",
"HostedZoneId": "ZONEIDPENDING"
}
],
"CreationTimestamp": "2022-09-15T12:06:37.143Z",
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOn"
}
],
"OwnerId": "123456789012"
}
}
■com.amazonaws.ap-northeast-1.logs
- CloudWatch LogsはInterface型のエンドポイントを利用します
cmd
aws ec2 create-vpc-endpoint \
--vpc-id ${VpcId} \
--vpc-endpoint-type Interface \
--service-name com.amazonaws.ap-northeast-1.logs \
--subnet-ids ${SubnetId1aPrivate} ${SubnetId1cPrivate} \
--security-group-id ${PrivateSecurityGroupsId} \
--tag-specifications "ResourceType=vpc-endpoint,Tags=[{Key=Name,Value=ContainerHandsOn}]"
result
{
"VpcEndpoint": {
"VpcEndpointId": "vpce-0aa40c4643e1f52ea",
"VpcEndpointType": "Interface",
"VpcId": "vpc-010a940bbd8f747c2",
"ServiceName": "com.amazonaws.ap-northeast-1.logs",
"State": "pending",
"RouteTableIds": [],
"SubnetIds": [
"subnet-0d99180ac3baeb5fa",
"subnet-0a66f1c2d5ce3b939"
],
"Groups": [
{
"GroupId": "sg-0f59547a1185820b5",
"GroupName": "PrivateSecurityGroup"
}
],
"IpAddressType": "ipv4",
"DnsOptions": {
"DnsRecordIpType": "ipv4"
},
"PrivateDnsEnabled": true,
"RequesterManaged": false,
"NetworkInterfaceIds": [
"eni-0b0fb7fc59f22f128",
"eni-06d10382813d38317"
],
"DnsEntries": [
{
"DnsName": "vpce-0aa40c4643e1f52ea-6rcso5ee.logs.ap-northeast-1.vpce.amazonaws.com",
"HostedZoneId": "Z2E726K9Y6RL4W"
},
{
"DnsName": "vpce-0aa40c4643e1f52ea-6rcso5ee-ap-northeast-1c.logs.ap-northeast-1.vpce.amazonaws.com",
"HostedZoneId": "Z2E726K9Y6RL4W"
},
{
"DnsName": "vpce-0aa40c4643e1f52ea-6rcso5ee-ap-northeast-1a.logs.ap-northeast-1.vpce.amazonaws.com",
"HostedZoneId": "Z2E726K9Y6RL4W"
},
{
"DnsName": "logs.ap-northeast-1.amazonaws.com",
"HostedZoneId": "ZONEIDPENDING"
}
],
"CreationTimestamp": "2022-09-15T12:07:05.639Z",
"Tags": [
{
"Key": "Name",
"Value": "ContainerHandsOn"
}
],
"OwnerId": "123456789012"
}
}