Using an HTTP proxy for Amazon ECS Linux container instances - Amazon Elastic Container Service

Using an HTTP proxy for Amazon ECS Linux container instances

You can configure your Amazon ECS container instances to use an HTTP proxy for both the Amazon ECS container agent and the Docker daemon. This is useful if your container instances do not have external network access through an Amazon VPC internet gateway, NAT gateway, or instance.

To configure your Amazon ECS Linux container instance to use an HTTP proxy, set the following variables in the relevant files at launch time (with Amazon EC2 user data). You can also manually edit the configuration file, and then restart the agent.

/etc/ecs/ecs.config (Amazon Linux 2 and AmazonLinux AMI)

Set this value to the hostname (or IP address) and port number of an HTTP proxy to use for the Amazon ECS agent to connect to the internet. For example, your container instances may not have external network access through an Amazon VPC internet gateway, NAT gateway, or instance.


Set this value to,,/var/run/docker.sock to filter EC2 instance metadata, IAM roles for tasks, and Docker daemon traffic from the proxy.

/etc/systemd/system/ecs.service.d/http-proxy.conf (Amazon Linux 2 only)

Set this value to the hostname (or IP address) and port number of an HTTP proxy to use for ecs-init to connect to the internet. For example, your container instances may not have external network access through an Amazon VPC internet gateway, NAT gateway, or instance.


Set this value to,,/var/run/docker.sock to filter EC2 instance metadata, IAM roles for tasks, and Docker daemon traffic from the proxy.

/etc/init/ecs.override (Amazon Linux AMI only)

Set this value to the hostname (or IP address) and port number of an HTTP proxy to use for ecs-init to connect to the internet. For example, your container instances may not have external network access through an Amazon VPC internet gateway, NAT gateway, or instance.

env NO_PROXY=,,/var/run/docker.sock

Set this value to,,/var/run/docker.sock to filter EC2 instance metadata, IAM roles for tasks, and Docker daemon traffic from the proxy.

/etc/systemd/system/docker.service.d/http-proxy.conf (Amazon Linux 2 only)

Set this value to the hostname (or IP address) and port number of an HTTP proxy to use for the Docker daemon to connect to the internet. For example, your container instances may not have external network access through an Amazon VPC internet gateway, NAT gateway, or instance.


Set this value to to filter EC2 instance metadata from the proxy.

/etc/sysconfig/docker (Amazon Linux AMI and Amazon Linux 2 only)
export HTTP_PROXY=

Set this value to the hostname (or IP address) and port number of an HTTP proxy to use for the Docker daemon to connect to the internet. For example, your container instances may not have external network access through an Amazon VPC internet gateway, NAT gateway, or instance.

export NO_PROXY=,

Set this value to to filter EC2 instance metadata from the proxy.

Setting these environment variables in the above files only affects the Amazon ECS container agent, ecs-init, and the Docker daemon. They do not configure any other services (such as yum) to use the proxy.

Example Amazon Linux HTTP proxy user data script

The example user data cloud-boothook script below configures the Amazon ECS container agent, ecs-init, the Docker daemon, and yum to use an HTTP proxy that you specify. You can also specify a cluster into which the container instance registers itself.

Launch new container instances and use the following example script in the EC2 User data. Replace PROXY_HOST, PROXY_PORT and CLUSSTER_NAME with your values. For more information, see Launching an Amazon ECS Linux container instance.


The user data script below only supports Amazon Linux 2 and Amazon Linux AMI variants of the Amazon ECS-optimized AMI.

#cloud-boothook # Configure Yum, the Docker daemon, and the ECS agent to use an HTTP proxy # Specify proxy host, port number, and ECS cluster name to use PROXY_HOST= PROXY_PORT=3128 CLUSTER_NAME=proxy-test if grep -q 'Amazon Linux release 2' /etc/system-release ; then OS=AL2 echo "Setting OS to Amazon Linux 2" elif grep -q 'Amazon Linux AMI' /etc/system-release ; then OS=ALAMI echo "Setting OS to Amazon Linux AMI" else echo "This user data script only supports Amazon Linux 2 and Amazon Linux AMI." fi # Set Yum HTTP proxy if [ ! -f /var/lib/cloud/instance/sem/config_yum_http_proxy ]; then echo "proxy=http://$PROXY_HOST:$PROXY_PORT" >> /etc/yum.conf echo "$$: $(date +%s.%N | cut -b1-13)" > /var/lib/cloud/instance/sem/config_yum_http_proxy fi # Set Docker HTTP proxy (different methods for Amazon Linux 2 and Amazon Linux AMI) # Amazon Linux 2 if [ $OS == "AL2" ] && [ ! -f /var/lib/cloud/instance/sem/config_docker_http_proxy ]; then mkdir /etc/systemd/system/docker.service.d cat <<EOF > /etc/systemd/system/docker.service.d/http-proxy.conf [Service] Environment="HTTP_PROXY=http://$PROXY_HOST:$PROXY_PORT/" Environment="HTTPS_PROXY=https://$PROXY_HOST:$PROXY_PORT/" Environment="NO_PROXY=," EOF systemctl daemon-reload if [ "$(systemctl is-active docker)" == "active" ] then systemctl restart docker fi echo "$$: $(date +%s.%N | cut -b1-13)" > /var/lib/cloud/instance/sem/config_docker_http_proxy fi # Amazon Linux AMI if [ $OS == "ALAMI" ] && [ ! -f /var/lib/cloud/instance/sem/config_docker_http_proxy ]; then echo "export HTTP_PROXY=http://$PROXY_HOST:$PROXY_PORT/" >> /etc/sysconfig/docker echo "export HTTPS_PROXY=https://$PROXY_HOST:$PROXY_PORT/" >> /etc/sysconfig/docker echo "export NO_PROXY=," >> /etc/sysconfig/docker echo "$$: $(date +%s.%N | cut -b1-13)" > /var/lib/cloud/instance/sem/config_docker_http_proxy fi # Set ECS agent HTTP proxy if [ ! -f /var/lib/cloud/instance/sem/config_ecs-agent_http_proxy ]; then cat <<EOF > /etc/ecs/ecs.config ECS_CLUSTER=$CLUSTER_NAME HTTP_PROXY=$PROXY_HOST:$PROXY_PORT NO_PROXY=,,/var/run/docker.sock EOF echo "$$: $(date +%s.%N | cut -b1-13)" > /var/lib/cloud/instance/sem/config_ecs-agent_http_proxy fi # Set ecs-init HTTP proxy (different methods for Amazon Linux 2 and Amazon Linux AMI) # Amazon Linux 2 if [ $OS == "AL2" ] && [ ! -f /var/lib/cloud/instance/sem/config_ecs-init_http_proxy ]; then mkdir /etc/systemd/system/ecs.service.d cat <<EOF > /etc/systemd/system/ecs.service.d/http-proxy.conf [Service] Environment="HTTP_PROXY=$PROXY_HOST:$PROXY_PORT/" Environment="NO_PROXY=,,/var/run/docker.sock" EOF systemctl daemon-reload if [ "$(systemctl is-active ecs)" == "active" ]; then systemctl restart ecs fi echo "$$: $(date +%s.%N | cut -b1-13)" > /var/lib/cloud/instance/sem/config_ecs-init_http_proxy fi # Amazon Linux AMI if [ $OS == "ALAMI" ] && [ ! -f /var/lib/cloud/instance/sem/config_ecs-init_http_proxy ]; then cat <<EOF > /etc/init/ecs.override env HTTP_PROXY=$PROXY_HOST:$PROXY_PORT env NO_PROXY=,,/var/run/docker.sock EOF echo "$$: $(date +%s.%N | cut -b1-13)" > /var/lib/cloud/instance/sem/config_ecs-init_http_proxy fi