
I'm a noob when it comes to docker and aws so it's very likely that I'm missing something trivial but I've been stuck on this issue for quite some time.

So, I have three docker containers hosted in aws - contA, contB and contC. contA and contB are part of the same virtual network. contC is a standalone container. contA is running a koa server which has a bunch of api endpoints registered. contB is running an oauth service. contC is running a nodejs udp server. What I'm trying to do is make a post call to an endpoint inside contA from contC. So inside the udp server I'm simply making a fetch post call to 'xxx.com/some/endpoint'. When trying to test if the communication from contC to contA works, I created containers off the images hosted in aws, mapped the appropriate public and private ports and started the containers. But I got an error saying

'FetchError: request to xxx.com/some/endpoint failed, reason: getaddrinfo ENOTFOUND xxx.com xxx.com:443'

I don't want contC to be part of the same virtual network. I tried adding a --link from contC to contA when creating docker container. But that didn't help. Any insight on how to solve would be really helpful. Thanks!

Update: I have understood that the problem is with contC's host name resolution. I am able to access these endpoints on Postman. I am also able to ping other public endpoints. Is there a way to configure the container's /etc/resolv.conf file to resolve xxx.com to xxx.xx.xx.xxx ?

2 Answers


If I understood the problem right:

You cannot.

What you are looking for is to contact a resource in a VPC from outside of the VPC, which defeats the purpose of the VPC in the first place. Right!

In order to set up communication between a non VPC container and a VPC container, you can use API Gateway in between.

This might entertain you well
Amazon API Gateway Supports Endpoint Integrations with Private VPCs

You can now provide access to HTTP(S) resources within your Amazon Virtual Private Cloud (VPC) without exposing them directly to the public Internet.

Or else

Make those endpoints public, so that non VPC container can hit them.

Debug:
Can you hit those VPC secured endpoints from your laptop (public internet)?
If yes, then your non VPC container should be able to do the same.
If no, then how can a poor non VPC container use those endpoints :(


Error: getaddrinfo ENOTFOUND

Also, have a look at this SO question, dealing with the same error.
So either DNS is not able to resolve the URL (because VPC shielding rocks)
or
the URL format is wrong.

raevilman
  • Thanks for the response! I get what you're saying but I don't want to take the API Gateway approach. The endpoints are public. I am able to hit these endpoints and get a response on Postman. So like you said, the non VPC container _should_ be able to do the same but it's not. Is there a way to edit the resolv.conf of the container to tell it to resolve xxx.com to xxx.xx.xx.xxx ? I came across [this](https://docs.docker.com/v17.09/engine/userguide/networking/default_network/configure-dns/) in the Docker docs but not clear how to configure it. Thanks again! – Donna Ann Issac May 11 '18 at 07:14
  • Can you log in to the non VPC container and see if it can see the internet? Try pinging any website like stackoverflow.com – raevilman May 11 '18 at 07:22
  • continuing my last comment..... Have you mapped ports with host? https://docs.docker.com/config/containers/container-networking/ – raevilman May 11 '18 at 07:23
  • Yes, it can. It can resolve google.com but not xxx.com. And port mapping is also done. – Donna Ann Issac May 11 '18 at 07:23
  • See if this helps. Read about the 'task networking feature' in this link https://github.com/aws/amazon-ecs-agent/issues/1166 ... [update] Direct link https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html – raevilman May 11 '18 at 07:28
  • Also, as google.com is visible but not the other container, see if this fits your situation: it's Service Discovery for Amazon ECS Using DNS https://aws.amazon.com/blogs/compute/service-discovery-for-amazon-ecs-using-dns/ – raevilman May 11 '18 at 07:35

Inside a docker container, when trying to access a server inside another container, one can add a record to the container's resolv.conf that points to some ip address. If that endpoint is public, you shouldn't have any trouble accessing the same public endpoint.

So when creating the container you include a --dns='some.ip.address' option, and that tells the container to resolve xxx.com to some.ip.address. The command would look something like this:

docker container run -p 8080:80 --dns='192.62.0.7' image-name
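An added example, not part of the answer above, on the two flags involved. `--dns` replaces the nameserver lines in the container's /etc/resolv.conf, i.e. it changes which server the container asks, while pinning one hostname to one address, which is what the question asks for, is done with `--add-host NAME:IP`, which appends a line to the container's /etc/hosts; the libc resolver behind getaddrinfo (and therefore behind Node's fetch) consults /etc/hosts before DNS. The script builds such a `docker run` command line, rejects malformed addresses before they reach the shell, and runs the same first-match lookup the resolver does over a constructed copy of what /etc/hosts looks like after `--add-host`. The hostname xxx.com, the address 203.0.113.10, the image name and the nameserver are placeholders; `check_resolution` is the live check and needs a running container.

```shell
#!/bin/sh
# Added example. xxx.com, 203.0.113.10 (a documentation address), image-name
# and the nameserver are placeholders, not values from the original page.

# Accept only a dotted quad with every octet in 0..255.
is_ipv4() {
    ip="$1"
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$ip" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Emit the docker run command that pins NAME to IP inside the container.
# --add-host writes "IP NAME" into the container's /etc/hosts.
# An optional 4th argument adds --dns, which only changes the nameserver
# in /etc/resolv.conf and does not map any single name.
build_run_cmd() {
    name="$1"; ip="$2"; image="$3"; nameserver="${4:-}"
    if ! is_ipv4 "$ip"; then
        echo "build_run_cmd: bad IPv4 address '$ip'" >&2
        return 1
    fi
    cmd="docker container run -d -p 8080:80 --add-host ${name}:${ip}"
    if [ -n "$nameserver" ]; then
        if ! is_ipv4 "$nameserver"; then
            echo "build_run_cmd: bad nameserver '$nameserver'" >&2
            return 1
        fi
        cmd="$cmd --dns ${nameserver}"
    fi
    printf '%s %s\n' "$cmd" "$image"
}

# The lookup the container's resolver performs on /etc/hosts: skip comments
# and blank lines, return the address of the first line naming HOST.
hosts_lookup() {
    hostsfile="$1"; host="$2"
    awk -v n="$host" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$hostsfile"
}

# Live check: getent hosts reads /etc/hosts before DNS, like getaddrinfo.
# Requires docker and a running container; not used by the offline demo.
check_resolution() {
    container="$1"; host="$2"; ip="$3"
    resolved=$(docker exec "$container" getent hosts "$host" | awk '{print $1; exit}')
    [ "$resolved" = "$ip" ]
}

# Constructed sample of the container's /etc/hosts after --add-host xxx.com:203.0.113.10
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed sample, not captured from a real container
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
172.17.0.2  a1b2c3d4e5f6
203.0.113.10    xxx.com
EOF

# Offline demo: the command to run, and what the resolver will answer.
build_run_cmd xxx.com 203.0.113.10 image-name 192.62.0.7
echo "xxx.com resolves (via /etc/hosts) to: $(hosts_lookup "$SAMPLE_HOSTS" xxx.com)"
```

With the container started from the emitted command, `docker exec <container> getent hosts xxx.com` should print the pinned address; if it still prints nothing, the ENOTFOUND from the question will persist because fetch() is asking the same resolver.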