Port mappings: add support of port ranges #194

Closed
tuusberg opened this issue Dec 14, 2015 · 42 comments
Labels: ECS (Amazon Elastic Container Service), Proposed (Community submitted issue), Shipped (This feature request was delivered.)

Comments

@tuusberg

Hi there!

Some applications do require a wide range of open ports and the only option we have at the moment is to set them explicitly (e.g. one by one) when defining tasks.

I think that it would be useful to allow use of port ranges, like

```json
{
  "hostPorts": "3000-3025",
  "containerPorts": "3000-3025",
  "protocol": "tcp"
}
```

Also, I've noticed that ecs-agent throws an error if there are > 100 ports specified in the task definition, regardless of port numbers:

```
Run tasks failed
Reasons : RESOURCE:PORTS
```

Please advise.

@euank

euank commented Dec 23, 2015

You're correct that we don't currently support specifying port ranges directly in task definitions.
I made sure the feature of port ranges is being tracked internally.

There is indeed a limit on the number of reserved and utilized ports. This limit, per the docs, is 50.

If you have more information on your use-case, it could help us in evaluating that limit.

Best,
Euan

@gkyar

gkyar commented Feb 21, 2016

It would be nice to have this feature as I have a similar use case where the application requires a large number of ports (1 thousand ports) in order to communicate with another instance running on a different host.

@margusbirk

+1

@z0r1k

z0r1k commented May 23, 2016

Since Docker supports port ranges, I would expect that it should be possible to specify port ranges in the ECS agent too.
Also, I can easily imagine a use case where a wide range of ports should be used, for example a video conference SFU which can handle up to 10k WebRTC connections.

@wei-m-teh

+1

@chenliu0831

👍

@dolgafar

dolgafar commented Jul 5, 2016

+1
WebRTC / RTP
(Should be easy to do, since it's now supported in docker)

@bhendo

bhendo commented Sep 14, 2016

+1
Is there any status on the progress of this?
I'll add FTP to the mix of use cases.

@sebalas

sebalas commented Sep 29, 2016

+1

@tobiasc

tobiasc commented Sep 30, 2016

+1

@RyanBowlby-Reflektion

+1

@jamiegs

jamiegs commented Nov 14, 2016

I would also like this to allow us to restrict containers to different ports so I can define security groups and only allow upstream services to access specific services running in ECS.

@adamdunkley

+1

@euank I know this has been added to the use cases already, but FTP is what we require this for. We're adding passive ports in manually and we can only allow 49 concurrent PASV connections with the 50 port limit (with 1 for the control port on 21).

@pirasakat

+1

@mihbor

mihbor commented Apr 19, 2017

+1
At the very least the docs should mention ports parameter syntax is only partially supported.
http://docs.aws.amazon.com/AmazonECS/latest/developerguide/cmd-ecs-cli-compose.html
The way it's written currently implies that the listed parameters are supported as per the linked docker compose syntax (v1&2) docs, which prominently show examples of the use of ranges: https://docs.docker.com/compose/compose-file/compose-file-v2/#ports

@Dominik-K

At least, the 50 ports limit should throw a useful error message in the agent. Currently it just shows this misleading events message (in the AWS console):

> service [...] was unable to place a task because no container instance met all of its requirements. The closest matching container-instance [...] is already using a port required by your task.

@marccardinal

+1

@liafizan

liafizan commented Jun 1, 2017

Couchbase server cluster using ECS Weave but managing ports is becoming a pain:
21100 to 21299 (inclusive) Node to Node communication

@bs-thomas

+1 I'm hosting an FTP proxy daemon, and it needs to support a range of ports for passive mode. The range is 200 ports, and is impossible to achieve at the moment. Are there any plans to support this?

@minzhang28

+1

@aabrahamian

+1

@nswarnkar

This is an important requirement and we are going to hugely use ECS. Are you guys working on it? When could this be available?

@tuusberg
Author

tuusberg commented Aug 26, 2017

I created this issue more than a year ago.
Is there a chance that you guys would implement this feature in the near future?

@brainframe-me

For those who are trying to set up an FTP server inside an ECS task container and are trying to allow PASV connections and bump into the limitations of ECS-agent: please know that there is a simple solution that does not require you to define all potential dynamic PASV ports that you defined in your server configuration.
You simply need to set the NetworkMode of your TaskDefinition to 'host' instead of 'bridge'. This gives the container access to ports it dynamically opens (as is the case with passive FTP connections).
Obviously in your security group you still need to allow the dynamic range you use, but here you can use a range.
Hope this helps somebody, I lost quite some time trying to get this to work.

@houqp

houqp commented Oct 20, 2017

This is also a major blocker for us, is there a timeline for this?

@phil-lavin

Confirmed that using NetworkMode: host instead of bridge does not require you to explicitly expose ports. Rather, all traffic to the host is directly mapped to the same port on the container. We've successfully run an RTP proxy for WebRTC inside ECS.

@Anamican

> For those who are trying to set up an FTP server inside an ECS task container and are trying to allow PASV connections and bump into the limitations of ECS-agent: please know that there is a simple solution that does not require you to define all potential dynamic PASV ports that you defined in your server configuration.
> You simply need to set the NetworkMode of your TaskDefinition to 'host' instead of 'bridge'. This gives the container access to ports it dynamically opens (as is the case with passive FTP connections).
> Obviously in your security group you still need to allow the dynamic range you use, but here you can use a range.
> Hope this helps somebody, I lost quite some time trying to get this to work.

Thank you very much, after struggling for two days, this finally helped!

@abby-fuller abby-fuller transferred this issue from aws/amazon-ecs-agent Mar 6, 2019
@abby-fuller abby-fuller added ECS Amazon Elastic Container Service Proposed Community submitted issue labels Mar 7, 2019
@houey

houey commented May 6, 2019

> Obviously in your security group you still need to allow the dynamic range you use, but here you can use a range.

Does this mean we can specify a narrower range of ports in the Security Group? Is there a setting to match the dynamic port range to the Security group port range... i.e. we don't need 20,000 ports as a possibility.
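
For the host-network workaround discussed above, where the security group is the only port filter, the check below compares a group's ingress rules with the ports the service actually listens on and reports what is opened unnecessarily or left closed. It is an added example, not part of the thread or of any AWS tooling; the rule dictionaries follow the EC2 `IpPermissions` field names, the sample rules and the 30000-30199 passive range are constructed, and rules are assumed to carry explicit ports (source CIDRs are ignored).

```python
from collections import defaultdict

# Constructed sample: ingress rules using EC2 IpPermissions field names.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21},
    {"IpProtocol": "tcp", "FromPort": 20000, "ToPort": 40000},
]
# Constructed sample: FTP control port plus a 200-port passive range.
SAMPLE_NEEDED = {"tcp": [(21, 21), (30000, 30199)]}


def to_ranges(ports):
    """Compress a set of ports into sorted inclusive (low, high) ranges."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def audit(rules, needed):
    """Return (excess, missing), each a dict of protocol -> inclusive ranges.

    excess:  ports the security group admits that the service never uses
    missing: ports the service needs that no rule admits
    """
    allowed = defaultdict(set)
    for r in rules:
        allowed[r["IpProtocol"]].update(range(r["FromPort"], r["ToPort"] + 1))
    excess, missing = {}, {}
    for proto in set(allowed) | set(needed):
        want = set()
        for lo, hi in needed.get(proto, []):
            want.update(range(lo, hi + 1))
        excess[proto] = to_ranges(allowed[proto] - want)
        missing[proto] = to_ranges(want - allowed[proto])
    return excess, missing


if __name__ == "__main__":
    excess, missing = audit(SAMPLE_RULES, SAMPLE_NEEDED)
    print("open but unused:", excess)
    print("needed but closed:", missing)
```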

@kerryjj

kerryjj commented Oct 18, 2019

+1

Erlang node clustering. Ports 4369 and the range 9100 - 9155 are the default.

@ccapndave

+1

@kazz187

kazz187 commented Feb 7, 2020

+1

@bramevo

bramevo commented Feb 20, 2020

+1 (FTP)

@asandeep

+1

Running dask worker with `--nprocs > 1` assigns multiple ports that can be controlled by specifying a range, i.e. `--worker-port 9000:9100`.

Currently it requires adding all the ports individually.

@luis02lopez

+1 as per PCI DSS requirements of not having that huge amount of open ports.

@mmoallemi99

> Confirmed that using NetworkMode: host instead of bridge does not require you to explicitly expose ports. Rather, all traffic to the host is directly mapped to the same port on the container. We've successfully run an RTP proxy for WebRTC inside ECS.

In Fargate only awsvpc network mode is accepted and I'm also struggling with port range specification for a WebRTC application.

@hyavari

hyavari commented Apr 9, 2021

+1
Required for RTP protocol.

@ogonzalez-sd

ogonzalez-sd commented Jul 27, 2021

+1

We're using fargate to house a TURN (rfc5766) server and this would really be helpful!

@shlomisas

+1

@webpolis

webpolis commented Nov 12, 2021

> In Fargate only awsvpc network mode is accepted and I'm also struggling with port range specification for a WebRTC application.

What was your solution, @mmoallemi99?

I'm trying to find if there's a way to support WebRTC using ECS FARGATE.

The ICE negotiation works great (tested using this tool) both outside or inside a container, but I am still unable to establish communication from outside with a peer located inside a container. All Security Groups and Network ACLs currently allow TCP/UDP traffic for WebRTC interaction.

@mmoallemi99

> > In Fargate only awsvpc network mode is accepted and I'm also struggling with port range specification for a WebRTC application.
>
> What was your solution, @mmoallemi99?
>
> I'm trying to find if there's a way to support WebRTC using ECS FARGATE.
>
> The ICE negotiation works great (tested using this tool) both outside or inside a container, but I am still unable to establish communication from outside with a peer located inside a container. All Security Groups and Network ACLs currently allow TCP/UDP traffic for WebRTC interaction.

I remember taking care of it with the Terraform range function, pragmatically generating static port values in the end.
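
The workaround mentioned above, generating static port values from a range, sketched in Python rather than Terraform as an added example (not code from the thread). `parse_range` and `expand_port_mappings` are hypothetical helper names, and the default limit of 50 is the figure quoted earlier in this thread, taken here as an assumption.

```python
import json

# Per-task port limit as quoted in this thread ("per the docs, is 50").
# Assumption: verify against the current ECS quota before relying on it.
MAX_PORTS = 50


def parse_range(spec):
    """Parse '3000-3025' or '21' into an inclusive (low, high) tuple."""
    low, _, high = spec.partition("-")
    lo, hi = int(low), int(high or low)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"invalid port range: {spec!r}")
    return lo, hi


def expand_port_mappings(specs, limit=MAX_PORTS):
    """Expand [(range_spec, protocol), ...] into explicit ECS portMappings.

    Raises ValueError on duplicate ports or when the total exceeds `limit`,
    so the problem surfaces before the task fails with RESOURCE:PORTS.
    """
    seen = set()
    mappings = []
    for spec, proto in specs:
        lo, hi = parse_range(spec)
        for port in range(lo, hi + 1):
            if (port, proto) in seen:
                raise ValueError(f"port {port}/{proto} listed twice")
            seen.add((port, proto))
            mappings.append(
                {"containerPort": port, "hostPort": port, "protocol": proto}
            )
    if len(mappings) > limit:
        raise ValueError(f"{len(mappings)} ports requested, limit is {limit}")
    return mappings


if __name__ == "__main__":
    # Constructed input: one control port plus the range from the first post.
    result = expand_port_mappings([("21", "tcp"), ("3000-3025", "tcp")])
    print(json.dumps(result[:2], indent=2), f"... {len(result)} mappings")
```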

@httpiga

httpiga commented Mar 16, 2022

Any update about this?

@vibhav-ag

https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-ecs-supports-container-port-ranges-port-mapping/

@vibhav-ag vibhav-ag added Shipped This feature request was delivered. and removed Work in Progress labels Dec 17, 2022