# Allocate a network interface for tasks on Amazon ECS Managed Instances AWSVPC network mode Using the `awsvpc` network mode in Amazon ECS Managed Instances simplifies container networking because you have more control over how your applications communicate with each other and other services within your VPCs. The `awsvpc` network mode also provides greater security for your containers by allowing you to use security groups and network monitoring tools at a more granular level within your tasks. By default, every Amazon ECS Managed Instances instance has a trunk Elastic Network Interface (ENI) attached during launch as a primary ENI when the instance type supports trunking. For more information about instance types that support ENI trunking, see [Supported instances for increased Amazon ECS container network interfaces](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/eni-trunking-supported-instance-types.html). **Note** When the chosen instance type doesn't support trunk ENIs, the instance will be launched with a regular ENI. Each task that runs on the instance receives its own ENI attached to the trunk ENI, with a primary private IP address. If your VPC is configured for dual-stack mode and you use a subnet with an IPv6 CIDR block, the ENI also receives an IPv6 address. When using a public subnet, you can optionally assign a public IP address to the Amazon ECS Managed Instance primary ENI by enabling IPv4 public addressing for the subnet. For more information, see [Modify the IP addressing attributes of your subnet](https://docs.amazonaws.cn//vpc/latest/userguide/subnet-public-ip.html) in *Amazon VPC User Guide*. A task can only have one ENI that's associated with it at a time. Containers that belong to the same task can also communicate over the `localhost` interface. For more information about VPCs and subnets, see [How Amazon VPC works](https://docs.amazonaws.cn/vpc/latest/userguide/how-it-works.html) in the *Amazon VPC User Guide* The following operations use the primary ENI attached to the instance: + **Image downloads** - Container images are downloaded from Amazon ECR through the primary ENI. + **Secrets retrieval** - Secrets Manager secrets and other credentials are retrieved through the primary ENI. + **Log uploads** - Logs are uploaded to CloudWatch through the primary ENI. + **Environment file downloads** - Environment files are downloaded through the primary ENI. Application traffic flows through the task ENI. Because each task gets its own ENI, you can use networking features such as VPC Flow Logs, which you can use to monitor traffic to and from your tasks. For more information, see [VPC Flow Logs](https://docs.amazonaws.cn/vpc/latest/userguide/flow-logs.html) in the *Amazon VPC User Guide*. You can also take advantage of Amazon PrivateLink. You can configure a VPC interface endpoint so that you can access Amazon ECS APIs through private IP addresses. Amazon PrivateLink restricts all network traffic between your VPC and Amazon ECS to the Amazon network. You don't need an internet gateway, a NAT device, or a virtual private gateway. For more information, see [Amazon ECS interface VPC endpoints (Amazon PrivateLink)](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/vpc-endpoints.html). The `awsvpc` network mode also allows you to leverage Amazon VPC Traffic Mirroring for security and monitoring of network traffic when using instance types that don't have trunk ENIs attached. For more information, see [What is Traffic Mirroring?](https://docs.amazonaws.cn/vpc/latest/mirroring/what-is-traffic-mirroring.html) in the *Amazon VPC Traffic Mirroring Guide*. ## Considerations for `awsvpc` mode + Tasks require the Amazon ECS service-linked role for ENI management. This role is created automatically when you create a cluster or service. + Task ENIs are managed by Amazon ECS and cannot be manually detached or modified. + Assigning a public IP address to the task ENI using `assignPublicIp` when running a standalone task (`RunTask`) or creating or updating a service (`CreateService`/`UpdateService`) is not supported. + When you configure `awsvpc` networking at the task level, you must use the same VPC that you specified as part of the Amazon ECS Managed Instances capacity provider's launch template. You can use different subnets and security groups from those specified in the launch template. + For `awsvpc` network mode tasks, use `ip` target type when configuring load balancer target groups. Amazon ECS automatically manages target group registration for supported networking modes. ## Using a VPC in dual-stack mode When using a VPC in dual-stack mode, your tasks can communicate over IPv4, or IPv6, or both. IPv4 and IPv6 addresses are independent of each other. Therefore you must configure routing and security in your VPC separately for IPv4 and IPv6. For more information about how to configure your VPC for dual-stack mode, see [Migrating to IPv6](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-migrate-ipv6.html) in the *Amazon VPC User Guide*. If you configured your VPC with an internet gateway or an outbound-only internet gateway, you can use your VPC in dual-stack mode. By doing this, tasks that are assigned an IPv6 address can access the internet through an internet gateway or an egress-only internet gateway. NAT gateways are optional. For more information, see [Internet gateways](https://docs.amazonaws.cn/vpc/latest/userguide/VPC_Internet_Gateway.html) and [Egress-only internet gateways](https://docs.amazonaws.cn/vpc/latest/userguide/egress-only-internet-gateway.html) in the *Amazon VPC User Guide*. Amazon ECS tasks are assigned an IPv6 address if the following conditions are met: + The Amazon ECS Managed Instances instance that hosts the task is using version `1.45.0` or later of the container agent. For information about how to check the agent version your instance is using, and updating it if needed, see [Updating the Amazon ECS container agent](ecs-agent-update.md). + The `dualStackIPv6` account setting is enabled. For more information, see [Access Amazon ECS features with account settings](ecs-account-settings.md). + Your task is using the `awsvpc` network mode. + Your VPC and subnet are configured for IPv6. The configuration includes the network interfaces that are created in the specified subnet. For more information about how to configure your VPC for dual-stack mode, see [Migrating to IPv6](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-migrate-ipv6.html) and [Modify the IPv6 addressing attribute for your subnet](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-ip-addressing.html#subnet-ipv6) in the *Amazon VPC User Guide*.