In Amazon ECS (Elastic Container Service), the network mode of a task definition determines how its containers are attached to the network and how their ports are exposed. The three primary network modes are bridge, host, and awsvpc (a fourth mode, none, gives the containers no external connectivity at all).
bridge Network Mode (default for EC2 launch type)
In bridge mode, containers are attached to a virtual bridge network (Docker's bridge) on the EC2 instance. Each container gets an address on that bridge, but those addresses are not routable in the VPC. To the rest of the VPC, container traffic appears to come from the EC2 instance's IP address, and any container port that should be reachable from outside must be published on a port of the instance.
Key Characteristics:
- Outbound traffic from a container is NAT'd (Network Address Translation) through the EC2 instance's network interface.
- Containers share the EC2 instance's network interface, so two containers that publish the same static host port will conflict. Setting hostPort to 0 (or omitting it) makes ECS pick a free port from the instance's ephemeral range for each container, which avoids the clash and is what a load balancer target group with dynamic port mapping expects.
- Every container port that should be reachable must be declared in portMappings. Security groups apply to the instance, so one set of rules governs every container on it rather than any single task.
Use Case:
- Useful when you have multiple containers running on the same instance and want them to communicate via a bridge network, but don’t need each container to have a unique IP address.
Example:
- Two containers on one EC2 instance publish host ports 8080 and 8081 respectively; both are reached through the same EC2 instance IP address.
host Network Mode
In host mode, containers run in the EC2 instance's own network namespace. They use the instance's IP address and network interfaces directly and get no private interface of their own, unlike in awsvpc mode. There is no network isolation between the container and the EC2 instance, so anything listening on the instance is reachable from the container, including services bound only to localhost such as the ECS agent's introspection endpoint on port 51678.
Key Characteristics:
- Containers do not have a separate ENI (Elastic Network Interface); they use the EC2 instance's primary network interface.
- Containers don't need port mapping: the containerPort is the port on the EC2 instance, and if hostPort is set it must equal containerPort.
- Only one container per instance can listen on a given port, so multiple containers (or tasks) that need the same port will conflict.
- Provides the lowest-latency networking of the three modes, since traffic skips the bridge and NAT and goes straight through the instance's interface.
Use Case:
- Ideal when you want the container to have direct access to the instance’s network stack (e.g., for high-performance or low-latency requirements).
Example:
- A container runs on EC2 and binds to port 80 directly, without mapping a container port to a host port, and clients reach it at the instance's IP.
awsvpc Network Mode
In awsvpc mode, each ECS task receives its own Elastic Network Interface (ENI) and private IP address from the VPC. This is the most isolated and flexible mode, where each task can have its own IP address within your VPC.
Key Characteristics:
- Each ECS task gets its own private IP address within the VPC.
- All containers in an awsvpc task share the task's network namespace: they reach each other on localhost and are reached from outside on the task's private IP. Because of that shared namespace, two containers in the same task cannot listen on the same port.
- Security groups attach to the task ENI, so each task gets its own firewall rules instead of inheriting the instance's.
- There is no host port mapping: the containerPort is the port exposed on the task ENI, and hostPort must be omitted or equal to containerPort. Dynamic host port mapping (hostPort 0) is a bridge-mode feature and is not available in awsvpc mode.
- VPC-based networking: tasks reach other VPC resources (RDS instances, other ECS tasks, VPC endpoints) directly over their private IP, and VPC flow logs record the task's address rather than the instance's.
- Gives each task a first-class VPC identity, which simplifies integration with anything that keys on IP addresses: IP-based target groups, network ACLs, and flow logs.
Use Case:
- Ideal for microservices, high-security environments, or when tasks need to communicate with VPC resources. On EC2 instances, set the agent option ECS_AWSVPC_BLOCK_IMDS=true so that awsvpc task containers cannot reach the instance metadata service.
Example:
- An ECS task has a private IP (e.g., 10.0.1.10) on its own ENI and talks to a database or another service directly within the VPC; the database's security group can allow inbound traffic from that task's security group alone.
Comparison of the Network Modes:
Network Mode | Description | Use Case | IP Addressing | Port Mapping Required | Security Group Applies To |
---|---|---|---|---|---|
awsvpc | Each ECS task gets its own ENI and private IP in the VPC. | Microservices or tasks that need isolation and per-task security rules. | Private IP in VPC | No (container port is exposed on the task ENI) | Task ENI |
bridge | Containers share the EC2 instance's virtual bridge network. | Multi-container applications on a single EC2 instance. | EC2 instance IP | Yes (static host port, or 0 for a dynamic one) | EC2 instance |
host | Containers share the EC2 instance's network stack. | High-performance, low-latency applications. | EC2 instance IP | No (bind directly to host ports) | EC2 instance |
Differences in Network Modes between EC2 and Fargate:
Network Mode | EC2 Launch Type | Fargate Launch Type |
---|---|---|
bridge | Yes (default) | No |
host | Yes (not recommended for multi-container tasks) | No |
awsvpc | Yes (for both EC2 and Fargate tasks) | Yes (the only supported mode) |
none | Yes | No |
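The port-mapping and launch-type rules from the three mode sections and the tables above can be checked before a task definition is registered. The following is an added example, not AWS or ECS code: it validates the networking fields of a task definition (bridge host ports that are static or dynamic, host and awsvpc ports that must match the container port, Fargate requiring awsvpc), finds static port collisions among bridge and host tasks that would share one EC2 instance, and flags an awsvpc run configuration that omits security groups. The task definitions and run configuration it uses are constructed samples; the function names are this example's own.

```python
"""Check the networking rules of ECS task definitions.

Added example, not AWS or ECS code. It encodes the rules described above:
bridge mode maps container ports onto instance ports (hostPort 0 or absent
means ECS picks a free ephemeral port), host and awsvpc mode expose the
container port directly (so hostPort must be absent or equal containerPort),
Fargate supports only awsvpc, and an awsvpc task needs subnets and should
name its own security groups. Sample task definitions are constructed.
"""
from typing import Dict, List, Optional

VALID_MODES = ("bridge", "host", "awsvpc")


def claimed_port(mapping: Dict, mode: str) -> Optional[int]:
    """Port this mapping occupies on the instance (bridge/host) or on the
    task ENI (awsvpc); None when bridge mode leaves ECS to pick one."""
    if mode == "bridge":
        host_port = mapping.get("hostPort")
        return None if host_port in (None, 0) else host_port
    return mapping["containerPort"]  # host/awsvpc: container port is the port


def validate_task(task_def: Dict, launch_type: str = "EC2") -> List[str]:
    """Return a list of problems; an empty list means the definition is valid."""
    problems: List[str] = []
    mode = task_def.get("networkMode", "bridge")  # EC2 default is bridge
    if mode not in VALID_MODES:
        return [f"unsupported networkMode {mode!r}"]
    if launch_type == "FARGATE" and mode != "awsvpc":
        problems.append(f"Fargate tasks must use awsvpc, not {mode}")
    owners: Dict[int, str] = {}  # port -> container that claimed it
    for container in task_def.get("containerDefinitions", []):
        name = container["name"]
        for pm in container.get("portMappings", []):
            cport, hport = pm["containerPort"], pm.get("hostPort")
            if mode != "bridge" and hport not in (None, cport):
                problems.append(
                    f"{name}: hostPort {hport} must be omitted or equal "
                    f"containerPort {cport} in {mode} mode")
            port = claimed_port(pm, mode)
            if port is None:
                continue  # dynamic bridge port: ECS guarantees it is free
            # host mode shares the instance namespace and awsvpc shares the
            # task namespace, so a repeated port inside one task is a clash
            if port in owners:
                problems.append(f"{name} and {owners[port]} both bind port {port}")
            else:
                owners[port] = name
    return problems


def instance_port_conflicts(task_defs: List[Dict]) -> Dict[int, List[str]]:
    """Static ports that several bridge/host tasks placed on one EC2 instance
    would all try to bind. awsvpc tasks are skipped: each has its own ENI,
    so its ports never collide with another task's."""
    users: Dict[int, List[str]] = {}
    for td in task_defs:
        mode = td.get("networkMode", "bridge")
        if mode == "awsvpc":
            continue
        for c in td.get("containerDefinitions", []):
            for pm in c.get("portMappings", []):
                port = claimed_port(pm, mode)
                if port is not None:
                    users.setdefault(port, []).append(f"{td['family']}/{c['name']}")
    return {p: u for p, u in users.items() if len(u) > 1}


def validate_awsvpc_run_config(network_configuration: Dict) -> List[str]:
    """Problems with the awsvpcConfiguration given to run-task or a service."""
    cfg = network_configuration.get("awsvpcConfiguration", {})
    problems: List[str] = []
    if not cfg.get("subnets"):
        problems.append("awsvpcConfiguration needs at least one subnet")
    if not cfg.get("securityGroups"):  # ECS falls back to the VPC default SG
        problems.append("no securityGroups given: the VPC default security "
                        "group would be attached to the task ENI")
    return problems


# Constructed sample task definitions (not real ones).
BRIDGE_TASK = {"family": "web", "networkMode": "bridge", "containerDefinitions": [
    {"name": "nginx", "portMappings": [{"containerPort": 80, "hostPort": 8080}]},
    {"name": "api", "portMappings": [{"containerPort": 80, "hostPort": 8081}]}]}
HOST_TASK = {"family": "edge", "networkMode": "host", "containerDefinitions": [
    {"name": "proxy", "portMappings": [{"containerPort": 80}]},
    {"name": "metrics", "portMappings": [{"containerPort": 80}]}]}
AWSVPC_TASK = {"family": "svc", "networkMode": "awsvpc", "containerDefinitions": [
    {"name": "app", "portMappings": [{"containerPort": 80, "hostPort": 8080}]}]}
```

BRIDGE_TASK is valid because each container has its own namespace and its own static host port, HOST_TASK fails because both containers want port 80 on the instance, and AWSVPC_TASK fails because a host port that differs from the container port is meaningless on a task ENI. The same bridge task is rejected for FARGATE, and the awsvpc run configuration check is where a missing security-group list would otherwise silently attach the VPC default group to the task.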