Score:1

How do you get Docker to work in an Amazon VPC? (IP assignment coordination)


Is there a way to block out a range of IPs in the VPC?

Alternatively, is there a way to get Docker (Docker Compose) to use DHCP to get IP addresses? If it does so, will they be blocked from being assigned to future VMs you spin up in the VPC?

Micha
Is there a particular reason you need to run Docker yourself as opposed to using an orchestrator such as ECS or EKS? And what is the purpose of attempting to give containers their own IP addresses from within the VPC address range?
Score:0

To the best of my understanding, this won't work in the way that you're probably hoping it will. Containers on a host don't generally get their own IP addresses on their host's external network. And specifically in the context of EC2, I don't believe there's a way to get traffic for arbitrary in-VPC addresses routed to an instance short of a route table, nor will the VPC hand out extra DHCP addresses that haven't been assigned to the network interface.

If possible, consider running the containers using an AWS container orchestration service, such as ECS. ECS supports the awsvpc networking mode that does give each task a network interface with its own address within the VPC.

If you do have a specific need to run your own containers and expose them externally, you might consider using a private IP address range that's not managed by the VPC, which you could route to the host using your VPC route tables (disabling the source/destination check and enabling IP forwarding on the host). I don't know whether that would definitely work, but it may be worth experimenting with.

Score:-1

Is there a way to block out a range of IPs (that you pass to Docker) in the VPC?

To allow specific address ranges ("only use these ranges"), you can configure the default-address-pools setting in /etc/docker/daemon.json:

{
  "default-address-pools": [
    {"base": "10.132.0.0/16", "size": 24}
  ]
}

If you want to block specific ranges ("don't use these ranges"), just create a route to that network via your default gateway (ip route add 172.17.0.0/16 via <default_gw_ip>). Docker won't use address ranges that (a) are associated with existing host interfaces or (b) are reachable with an explicit route.

The default-address-pool option is documented in the dockerd man page.

Roman A. Taycher
Yes, I understand that. I was wondering how to block Amazon from assigning that sub-range to new VMs so they could safely be used by Docker.
Roman A. Taycher
Or, alternatively, whether it was possible to get Amazon's cloud and Docker to cooperate on how to grab IPs (possibly with DHCP, if that's how Amazon VMs get IPs).
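As an added example for this thread (not code from any of the answers or comments above, and not part of Docker or AWS): a small Python helper that applies the advice in the last answer the other way round, by checking a candidate default-address-pools base against the VPC's CIDR blocks and against everything the host already has a route for, then rendering the daemon.json fragment. The VPC CIDRs, the `ip route` output and the candidate list are constructed sample data; in practice you would pass in the VPC's primary and secondary CIDR associations (for example from `aws ec2 describe-vpcs`) and the real `ip route` output.

```python
"""Pick a Docker default-address-pools base that cannot collide with a VPC.

Added example for this thread; not code from any answer above and not part of
Docker or AWS. It assumes you already have the VPC's CIDR blocks (primary plus
any secondary associations) and the host's `ip route` output; both are
constructed sample data below.
"""
import ipaddress
import json

# Constructed sample: a VPC with a primary /16 and a secondary /20.
SAMPLE_VPC_CIDRS = ["10.0.0.0/16", "10.132.0.0/20"]

# Constructed sample of `ip route` on the EC2 host: the instance's own subnet,
# an explicit route added to "block" a range, and the stock docker0 bridge.
SAMPLE_IP_ROUTE = """\
default via 10.0.1.1 dev eth0 proto dhcp src 10.0.1.23 metric 100
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.23
10.200.0.0/16 via 10.0.1.1 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
"""

# Candidate pool bases, tried in order (hypothetical choices for the example).
CANDIDATE_POOLS = [
    "10.0.0.0/16",     # overlaps the VPC primary CIDR
    "10.132.0.0/16",   # overlaps the VPC secondary CIDR
    "10.200.0.0/16",   # already has an explicit route on the host
    "172.17.0.0/16",   # already on the docker0 interface
    "10.250.0.0/16",   # free
]


def routed_prefixes(ip_route_output):
    """Destinations that have an explicit route or sit on a host interface.

    Docker skips these when it picks a bridge subnet; the default route is
    ignored here because it matches everything.
    """
    nets = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        nets.append(ipaddress.ip_network(fields[0], strict=False))
    return nets


def conflicts(candidate, vpc_cidrs, ip_route_output):
    """Return the VPC CIDRs and routed prefixes that overlap `candidate`."""
    cand = ipaddress.ip_network(candidate)
    taken = [ipaddress.ip_network(c) for c in vpc_cidrs]
    taken += routed_prefixes(ip_route_output)
    return [str(t) for t in taken if cand.overlaps(t)]


def choose_pool(vpc_cidrs, ip_route_output, candidates, subnet_size=24):
    """First candidate base with no conflicts, as a default-address-pools entry."""
    for base in candidates:
        net = ipaddress.ip_network(base)
        if net.prefixlen >= subnet_size:
            raise ValueError(f"{base} is too small to carve /{subnet_size} subnets")
        if not conflicts(base, vpc_cidrs, ip_route_output):
            return {"base": str(net), "size": subnet_size}
    raise RuntimeError("every candidate overlaps the VPC or an existing route")


def daemon_json(pool):
    """Render the /etc/docker/daemon.json fragment for the chosen pool."""
    return json.dumps({"default-address-pools": [pool]}, indent=2)


if __name__ == "__main__":
    for base in CANDIDATE_POOLS:
        hits = conflicts(base, SAMPLE_VPC_CIDRS, SAMPLE_IP_ROUTE)
        print(f"{base}: {'free' if not hits else 'overlaps ' + ', '.join(hits)}")
    print(daemon_json(choose_pool(SAMPLE_VPC_CIDRS, SAMPLE_IP_ROUTE, CANDIDATE_POOLS)))
```

The check against the VPC CIDRs is the part Docker itself does not do: dockerd only avoids ranges that are on a host interface or have an explicit route (the 10.200.0.0/16 line above is exactly the "block it with a route" trick from the answer), so a pool that is merely part of the VPC's address space would still be handed to containers and could later collide with a subnet the VPC assigns to a new instance.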