➢ The task ENI is fully managed by Amazon ECS. Amazon ECS creates the ENI and attaches it to the host Amazon EC2 instance with the specified security group.
The task sends and receives network traffic over the ENI in the same way that Amazon EC2 instances do with their primary network interfaces. Each task ENI is assigned a private IPv4 address by default.
If your VPC is enabled for dual-stack mode and you use a subnet with an IPv6 CIDR block, the task ENI will also receive an IPv6 address. Each task can only have one ENI.
These ENIs are visible in the Amazon EC2 console for your account, but they cannot be detached manually or modified by your account.
This is to prevent accidental deletion of an ENI that is associated with a running task.
You can view the ENI attachment information for tasks in the Amazon ECS console or with the DescribeTasks API operation. When the task stops or if the service is scaled down, the task ENI is detached and deleted.
We can't modify any attribute of an ECS task ENI, as it is managed by ECS itself.
As per the doc[1], these ENIs are fully managed by ECS and we cannot modify any attribute of a task ENI.
So the source/dest check can't be disabled on ECS-managed container ENIs.
References:
[1]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking-awsvpc.html
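An added example (not from either post or from AWS) that ties the two API views together: it pulls each task's ENI from a DescribeTasks response and checks, against a DescribeNetworkInterfaces response, whether the source/dest check is on and whether the account could change it at all. Both responses are constructed inline, and the example assumes the ECS-created ENI reports the EC2 `RequesterManaged` flag as true, which is how service-owned interfaces are marked.

```python
# Constructed sample of `aws ecs describe-tasks` output (not from the post): an awsvpc
# task's ENI shows up as an attachment of type ElasticNetworkInterface.
DESCRIBE_TASKS = {"tasks": [{
    "taskArn": "arn:aws:ecs:us-east-1:111122223333:task/demo-cluster/0123456789abcdef0",
    "lastStatus": "RUNNING",
    "attachments": [{
        "type": "ElasticNetworkInterface",
        "status": "ATTACHED",
        "details": [
            {"name": "subnetId", "value": "subnet-0a1b2c3d"},
            {"name": "networkInterfaceId", "value": "eni-0fedcba987654321"},
            {"name": "privateIPv4Address", "value": "10.0.1.57"},
        ]}]}]}

# Constructed sample of `aws ec2 describe-network-interfaces` covering the task ENI and
# the instance's primary ENI. Assumption: the ECS-created ENI is RequesterManaged.
DESCRIBE_ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0fedcba987654321", "SourceDestCheck": True,
     "RequesterManaged": True},
    {"NetworkInterfaceId": "eni-0123456789abcdef", "SourceDestCheck": True,
     "RequesterManaged": False},
]}


def task_enis(describe_tasks):
    """Map task ARN -> {eni, ip, status} for each awsvpc task ENI attachment."""
    out = {}
    for task in describe_tasks["tasks"]:
        for att in task.get("attachments", []):
            if att.get("type") != "ElasticNetworkInterface":
                continue
            details = {d["name"]: d["value"] for d in att.get("details", [])}
            out[task["taskArn"]] = {"eni": details["networkInterfaceId"],
                                    "ip": details.get("privateIPv4Address"),
                                    "status": att.get("status")}
    return out


def audit_source_dest(describe_tasks, describe_enis):
    """Rows of (task ARN, ENI id, source/dest check on?, modifiable by this account?).
    A service-managed ENI is never modifiable, so (True, False) means the check stays on."""
    by_id = {e["NetworkInterfaceId"]: e for e in describe_enis["NetworkInterfaces"]}
    rows = []
    for arn, info in task_enis(describe_tasks).items():
        eni = by_id.get(info["eni"])
        if eni is None:  # ENI already deleted, e.g. the task has stopped
            rows.append((arn, info["eni"], None, None))
            continue
        rows.append((arn, info["eni"], eni["SourceDestCheck"],
                     not eni.get("RequesterManaged", False)))
    return rows
```

In practice the two dicts come from `json.load` over the CLI output of the commands named in the comments.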
This is only applicable to the awsvpc network mode, which is used by Fargate.
As far as I can tell, there are 2 possible workarounds:
- Disable the Source/dest check on the instance ENI, and then configure a route from the main Instance ENI to the Docker container.
- Use ECS EC2 instead, and choose a different network mode.