
SGs attached to instances are not the problem (instances have default outbound rule). So the s3 gateway endpoint is fine for accessing ecr image layers, but not amazon-linux-extra repos. I know my other VPC endpoints work perfectly -> Auto-scaling service interface endpoint is performing (I can see it scaling down instances as per the policy), SSM interface endpoint allowing me to use session manager, and ECR endpoint(s) are working in conjunction with s3 gateway endpoint (s3 gateway endpoint is required because image layers are in s3) -> I know this works because if I open up NACLs and delete my s3 endpoint and install docker, then lock everything down again, bring back my s3 gateway endpoint I can successfully pull my ECR images.

Largely this is a networking exercise so I would rather not do this because it avoids solving and understanding the problem.

I really wanted to set up my networking so everything is nicely locked down and feel like it should be pretty straightforward utilizing endpoints.

I understand NACLs are stateless and have enabled IN and OUTBOUND rules for s3 amazon IP cidr blocks on ephemeral port ranges (yes I have also enabled traffic between pub and private subnets). I have DNS and hostnames enabled in my VPC. NACLs for public subnet allow internet traffic in and out, the NACLs around private subnets allow traffic from public subnets in and out, traffic out to the internet (and traffic from s3 cidrs in and out). Appropriate routing and EIP/NAT is all stitched up. Instances in private subnets have outbound 0.0.0.0/0 routed to NAT in respective public subnets.

I have ASG instances sitting in a VPC with pub and private subnets. When my instances initialize they cannot install docker.
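Because NACLs are stateless, a single TCP session to S3 through a gateway endpoint has to pass two independent checks: the request packet against the subnet's outbound rules (destination port 443 in the S3 prefix range) and the reply packet against the inbound rules (the instance's ephemeral port, from that same range). The following is an added example, not code from the post or from AWS: a small evaluator that applies NACL semantics (lowest rule number wins, implicit deny at the end) to both directions of a flow so you can see which half of a locked-down ruleset is blocking. The CIDR `203.0.113.0/24` stands in for the regional S3 prefix list and the rule numbers are illustrative.

```python
"""Stateless NACL flow evaluator (constructed example, not from the post).

A stateless NACL inspects every packet on its own. For an instance talking to
S3 on 443 that means two separate decisions:
  request : instance -> S3:443        checked against the subnet's OUTBOUND rules
  reply   : S3 -> instance:ephemeral  checked against the subnet's INBOUND rules
Rules are evaluated in ascending rule-number order; the first match wins and an
implicit deny ("*") applies if nothing matches, exactly like the AWS console.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; lower numbers are evaluated first
    action: str      # "allow" or "deny"
    cidr: str        # remote CIDR the packet's other end must fall in
    port_from: int   # inclusive destination-port range on the local side
    port_to: int


def evaluate(rules, remote_ip, port):
    """Return True if the first matching rule allows the packet.

    No match at all means the implicit final deny rule applies.
    """
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        in_cidr = ip in ipaddress.ip_network(rule.cidr, strict=False)
        if in_cidr and rule.port_from <= port <= rule.port_to:
            return rule.action == "allow"
    return False


def flow_allowed(outbound, inbound, remote_ip, dst_port, ephemeral_port):
    """Decide whether a full TCP session survives a stateless NACL.

    Returns (allowed, detail) where detail shows which direction failed, which
    is the first thing to look at when an instance can reach one S3-backed
    service but not another.
    """
    request_ok = evaluate(outbound, remote_ip, dst_port)
    reply_ok = evaluate(inbound, remote_ip, ephemeral_port)
    return request_ok and reply_ok, {"request": request_ok, "reply": reply_ok}


# Constructed placeholder for the regional S3 prefix list (pl-xxxxxxxx).
# Traffic to a gateway endpoint still traverses the subnet NACL with the
# public S3 addresses as the remote end, so the rules must cover that range.
S3_RANGE = "203.0.113.0/24"

# Private-subnet outbound: allow HTTPS to S3.
OUTBOUND = [Rule(100, "allow", S3_RANGE, 443, 443)]

# Correct inbound: replies arrive on the instance's ephemeral port.
INBOUND_OK = [Rule(100, "allow", S3_RANGE, 1024, 65535)]

# Common mistake: mirroring the outbound rule (port 443) on the inbound side,
# which never matches a reply because replies target the ephemeral port.
INBOUND_MIRRORED = [Rule(100, "allow", S3_RANGE, 443, 443)]

# Rule ordering: a lower-numbered deny shadows a later allow.
INBOUND_SHADOWED = [
    Rule(90, "deny", S3_RANGE, 1024, 65535),
    Rule(100, "allow", S3_RANGE, 1024, 65535),
]


def demo():
    """Evaluate the three rulesets for one flow: instance -> 203.0.113.10:443,
    with the kernel's ephemeral source port 49152."""
    results = {}
    for name, inbound in (("ok", INBOUND_OK),
                          ("mirrored", INBOUND_MIRRORED),
                          ("shadowed", INBOUND_SHADOWED)):
        results[name] = flow_allowed(OUTBOUND, inbound, "203.0.113.10", 443, 49152)
    return results


if __name__ == "__main__":
    for name, (allowed, detail) in demo().items():
        print(f"{name:9s} allowed={allowed} {detail}")
```

Run it as-is and the `mirrored` case shows `request=True, reply=False`: the outbound half looks fine in the console, yet every connection hangs because the reply is dropped. Feeding your real rule table and the S3 prefix list for your region into `evaluate` is a quick offline way to confirm both directions before touching the endpoint policy.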
