Amazon ECS task networking for Amazon ECS Managed Instances
The networking behavior of Amazon ECS tasks running on Amazon ECS Managed Instances is determined by the network mode specified in the task definition. You must specify a network mode in the task definition. You will not be able to run tasks on Amazon ECS Managed Instances using a task definition that doesn't specify a network mode. Amazon ECS Managed Instances supports the following networking modes, ensuring backward compatibility for migrating workloads from Fargate or Amazon ECS on Amazon EC2:
| Network mode | Description |
|---|---|
| `awsvpc` | Each task receives its own elastic network interface (ENI) and private IPv4 address. This provides the same networking properties as Amazon EC2 instances and is compatible with traditional Fargate tasks. Uses ENI trunking for high task density. |
| `host` | Tasks share the host's network namespace directly. Container networking is tied to the underlying host instance. |
Using a VPC in IPv6-only mode
In an IPv6-only configuration, your Amazon ECS tasks communicate exclusively over IPv6. To set up VPCs and subnets for an IPv6-only configuration, you must add an IPv6 CIDR block to the VPC and create subnets that include only an IPv6 CIDR block. For more information, see Add IPv6 support for your VPC and Create a subnet in the Amazon VPC User Guide. You must also update route tables with IPv6 targets and configure security groups with IPv6 rules. For more information, see Configure route tables and Configure security group rules in the Amazon VPC User Guide.
The following considerations apply:
- You can update an IPv4-only or dualstack Amazon ECS service to an IPv6-only configuration by either updating the service directly to use IPv6-only subnets or by creating a parallel IPv6-only service and using Amazon ECS blue-green deployments to shift traffic to the new service. For more information about Amazon ECS blue-green deployments, see Amazon ECS blue/green deployments.
- An IPv6-only Amazon ECS service must use dualstack load balancers with IPv6 target groups. If you're migrating an existing Amazon ECS service that's behind an Application Load Balancer or a Network Load Balancer, you can create a new dualstack load balancer and shift traffic from the old load balancer, or update the IP address type of the existing load balancer.

  For more information about Network Load Balancers, see Create a Network Load Balancer and Update the IP address types for your Network Load Balancer in the User Guide for Network Load Balancers. For more information about Application Load Balancers, see Create an Application Load Balancer and Update the IP address types for your Application Load Balancer in the User Guide for Application Load Balancers.
- For Amazon ECS tasks in an IPv6-only configuration to communicate with IPv4-only endpoints, you can set up DNS64 and NAT64 for network address translation from IPv6 to IPv4. For more information, see DNS64 and NAT64 in the Amazon VPC User Guide.
- Amazon ECS workloads in an IPv6-only configuration must use Amazon ECR dualstack image URI endpoints when pulling images from Amazon ECR. For more information, see Getting started with making requests over IPv6 in the Amazon Elastic Container Registry User Guide.

  Note: Amazon ECR doesn't support dualstack interface VPC endpoints that tasks in an IPv6-only configuration can use. For more information, see Getting started with making requests over IPv6 in the Amazon Elastic Container Registry User Guide.
- Amazon ECS Exec isn't supported in an IPv6-only configuration.
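The considerations above can be checked before a migration. The following preflight check is an added example, not code from AWS; it assumes its inputs are dictionaries shaped like the ECS, EC2 and Elastic Load Balancing `Describe*` API responses, and it treats any image on a `.dkr.ecr.<region>.amazonaws.com` hostname as an IPv4-only Amazon ECR endpoint. The function name and the sample data are constructed for illustration.

```python
import re

# Assumption (not from this page): IPv4-only ECR registry hostnames end in
# .dkr.ecr.<region>.amazonaws.com; dual-stack ones use a different hostname.
ECR_IPV4_ONLY = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/")

def ipv6_only_findings(task_def, service, subnets, load_balancers, target_groups):
    """Return the problems that would block an IPv6-only deployment."""
    findings = []
    if not task_def.get("networkMode"):
        findings.append("task definition does not specify a network mode")
    for c in task_def.get("containerDefinitions", []):
        if ECR_IPV4_ONLY.match(c["image"]):
            findings.append(f"container {c['name']}: image uses an IPv4-only ECR endpoint")
    for s in subnets:
        # An IPv6-only subnet is IPv6-native and carries no IPv4 CIDR block.
        if not s.get("Ipv6Native") or s.get("CidrBlock"):
            findings.append(f"subnet {s['SubnetId']}: not IPv6-only")
    for lb in load_balancers:
        if not lb.get("IpAddressType", "").startswith("dualstack"):
            findings.append(f"load balancer {lb['LoadBalancerName']}: not dualstack")
    for tg in target_groups:
        if tg.get("IpAddressType") != "ipv6":
            findings.append(f"target group {tg['TargetGroupName']}: not an IPv6 target group")
    if service.get("enableExecuteCommand"):
        findings.append("service enables ECS Exec, unsupported in IPv6-only mode")
    return findings

# Constructed sample: a service still carrying its IPv4-era settings.
# All IDs, names and the account number are placeholders.
SAMPLE = dict(
    task_def={"containerDefinitions": [{
        "name": "web",
        "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/web:1.0"}]},
    service={"enableExecuteCommand": True},
    subnets=[
        {"SubnetId": "subnet-aaaa", "Ipv6Native": True},
        {"SubnetId": "subnet-bbbb", "Ipv6Native": False, "CidrBlock": "10.0.1.0/24"}],
    load_balancers=[{"LoadBalancerName": "web-alb", "IpAddressType": "ipv4"}],
    target_groups=[{"TargetGroupName": "web-tg", "IpAddressType": "ipv4"}],
)

if __name__ == "__main__":
    for finding in ipv6_only_findings(**SAMPLE):
        print("FAIL", finding)
```

Route table targets, security group rules and DNS64/NAT64 are not covered by this check and still need separate review.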