EC2 Image Builder not working in the private subnet

Question

I'm trying to create a image within the private subnet where the first component to install required certificates to get internet access. But the first component (install certificates to get internet access) gets failed.

Image ARN: arn:aws:imagebuilder:us-east-1:1xxxxxxxxx:image/test-certs/1.0.0/1 failed with error: Workflow Execution ID: 'xxxxx41xxdc' failed with reason: failed to download the EC2 Image Builder Component 'arn:aws:imagebuilder:us-east-1:1xxxxxx:component/create-certs/1.0.0/1'. Error - operation error imagebuilder: GetComponent, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Get "https://imagebuilder.us-east-1.amazonaws.com/GetComponent?componentBuildVersionArn=": tls: failed to verify certificate: x509: certificate signed by unknown authority.

Accepted Answer

As you have updated that instance is in a private subnet, kindly confirm whether the instance is having internet access via NAT gateway or not. If you are not having NAT gateway, then image builder endpoint cant able to reach without internet access.

What this means is that when the instance tries to reach the image builder endpoint, it is resolving to the public IP address and since there is no route to go through, it just times out. If you are not fine to create NAT gateway, then you can create VPC endpoint for Image builder. Kindly follow the below documentation to create an interface VPC endpoint for image builder.

[+] https://docs.aws.amazon.com/imagebuilder/latest/userguide/vpc-interface-endpoints.html#vpc-endpoint-create

If you are having internet access to reach the endpoint then run the below command to check connectivity.

```
telnet imagebuilder.us-east-1.amazonaws.com 443
```

EC2 Image Builder not working in the private subnet

Contenido relevante