1

Is there a way to block out a range of IPs in the VPC?

Alternatively, is there a way to get Docker (Docker Compose) to use DHCP to get IP addresses? If it does so, will they be blocked from being assigned to future VMs you spin up in the VPC?

  • Is there a particular reason you need to run Docker yourself as opposed to using an orchestrator such as ECS or EKS? And what is the purpose of attempting to give containers their own IP addresses from within the VPC address range? – Micha Feb 16 '23 at 12:17

2 Answers

0

To the best of my understanding, this won't work in the way that you're probably hoping it will. Containers on a host don't generally get their own IP addresses on their host's external network. And specifically in the context of EC2, I don't believe there's a way to get traffic for arbitrary in-VPC addresses routed to an instance short of a route table, nor will the VPC hand out extra DHCP addresses that haven't been assigned to the network interface.

If possible, consider running the containers using an AWS container orchestration service, such as ECS. ECS supports the awsvpc networking mode that does give each task a network interface with its own address within the VPC.

If you do have a specific need to run your own containers and expose them externally, you might consider using a private IP address range that's not managed by the VPC, which you could route to the host using your VPC route tables (disabling the source/destination check and enabling IP forwarding on the host). I don't know whether that would definitely work, but it may be worth experimenting with.

Micha
  • 250
  • 3
  • 8
-1

Is there a way to block out a range of IPs (that you pass to Docker) in the VPC?

To allow specific address ranges ("only use these ranges"), you can configure the default-address-pools setting in /etc/docker/daemon.json:

{
    "default-address-pools": [
        {"base": "10.132.0.0/16", "size": 24}
    ]
}

If you want to block specific ranges ("don't use these ranges"), just create a route to that network via your default gateway (ip route add 172.17.0.0/16 via <default_gw_ip>). Docker won't use address ranges that (a) are associated with existing host interfaces or (b) are reachable with an explicit route.

The default-address-pool option is documented in the dockerd man page.

larsks
  • 43,623
  • 14
  • 121
  • 180
  • Yes, I understand that. I was wondering how to block Amazon from assigning that sub-range to new VMs so they could safely be used by Docker – Roman A. Taycher Feb 08 '23 at 00:54
  • Or alternatively, if it was possible to get Amazon's cloud and Docker to cooperate on how to grab IPs (possibly with DHCP, if that's how Amazon VMs get IPs) – Roman A. Taycher Feb 08 '23 at 00:55
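As an added example (not code from the answer above or from Docker itself), here is a check that enumerates the per-network subnets dockerd would carve out of a default-address-pools configuration and flags any that overlap address ranges the VPC already owns, which is the collision the question is trying to avoid. The daemon.json content and the VPC CIDR list are constructed for the example; in practice the VPC CIDRs would come from your VPC and subnet inventory.

```python
import ipaddress
import json

# Constructed daemon.json content for the example (two pools, /24 per network).
DAEMON_JSON = """
{
  "default-address-pools": [
    {"base": "10.132.0.0/16", "size": 24},
    {"base": "172.17.0.0/16", "size": 24}
  ]
}
"""

# Constructed list of ranges the VPC already uses (VPC CIDR block plus one subnet).
VPC_CIDRS = ["172.31.0.0/16", "10.132.5.0/24"]


def docker_pool_subnets(daemon_json):
    """Return every subnet dockerd could hand to a network from the configured pools."""
    cfg = json.loads(daemon_json)
    subnets = []
    for pool in cfg.get("default-address-pools", []):
        # strip() guards against stray whitespace inside the CIDR string,
        # which ip_network() would otherwise reject.
        base = ipaddress.ip_network(pool["base"].strip(), strict=True)
        subnets.extend(base.subnets(new_prefix=pool["size"]))
    return subnets


def find_conflicts(daemon_json, vpc_cidrs):
    """Map each VPC range to the Docker subnets that overlap it (empty dict = safe)."""
    vpc_nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    conflicts = {}
    for net in docker_pool_subnets(daemon_json):
        for vpc in vpc_nets:
            if net.overlaps(vpc):
                conflicts.setdefault(str(vpc), []).append(str(net))
    return conflicts


if __name__ == "__main__":
    result = find_conflicts(DAEMON_JSON, VPC_CIDRS)
    if not result:
        print("Docker pools do not overlap any VPC range")
    for vpc, nets in result.items():
        print(f"{vpc}: {len(nets)} Docker subnet(s) overlap, e.g. {nets[0]}")
```

Any range reported here is one you would either remove from default-address-pools or, as the answer describes, pin with an explicit route so Docker skips it.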