AWS Fargate and Tasks in a Private Subnet

0

Hi

I have an ECS cluster where I am trying to deploy my tasks to AWS Fargate in a private subnet. I am trying to deploy a simple Node.js Hello World image, but the task is showing the following error after a while.

Task stopped at: 2024-01-31T10:17:16.172Z
ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post "https://api.ecr.eu-west-1.amazonaws.com/": dial tcp 63.34.63.179:443: i/o timeout. Please check your task network configuration.

I have VPC Endpoints in place for ecr.dkr and ecr.api, but I am still getting this error. I have gone through the steps in this link but to no avail as of yet. My Terraform code can be viewed on GitHub - any suggestions to resolve this error would be greatly appreciated.

asked 3 months ago · 310 views
3 Answers
1

When you set up your VPC Endpoints, did you enable Private DNS? If not, you will need to enable it. It looks like you're using public DNS names instead of private DNS names.

https://repost.aws/knowledge-center/vpc-private-dns-name-endpoint-service

Also ensure your security group allows inbound access on port 443.

EXPERT
answered 3 months ago
  • I didn't have Private DNS enabled on the VPC Interface Endpoints. I tried that but am still getting the same error, unfortunately.

  • Please share your error, as it will be different now.

  • The error message has remained the same, unfortunately.

  • Are you 100% sure Private DNS is enabled? It should be returning a private IP, not a public one.

  • Yes, I am positive Private DNS is running; I checked it a few times. There are no public IPs being displayed.

0

Maybe I missed something in your Terraform, but it looks like you create a security group for the interface endpoints that allows access only from other members of that same group.

amazon-vpc.tf:

resource "aws_security_group" "interface_endpoints" {
  name        = "${var.environment}-interface-endpoints-sg"
  description = "Default security group for VPC Interface endpoints"
  vpc_id      = aws_vpc.vpc.id
  depends_on  = [aws_vpc.vpc]

  # Only members of this same group may reach the endpoints
  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }

  egress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }
}

But then in amazon-ecs.tf, when you define the network config for the Fargate task, you don't assign the interface_endpoints security group to it. I think this will block your access to the interface endpoints in your VPC.

  network_configuration {
    subnets         = aws_subnet.private_subnet[*].id
    security_groups = [aws_security_group.fargate_alb_sg.id]
  }

If you added the interface_endpoints group to your network config, would it help?

EXPERT
Kallu
answered 3 months ago
EXPERT
reviewed 3 months ago
0

You need to have the S3 Gateway Endpoint deployed too, as S3 is where the ECR image layers are stored. Are you using Secrets Manager or SSM Parameter Store?

EXPERT
answered 3 months ago
  • I do have the S3 Gateway endpoint deployed. No, I am not using SSM or Secrets Manager right now.
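The three answers above each name one piece of the private-subnet ECR path: private DNS on the interface endpoints, a security-group rule that actually admits the task, and the S3 gateway endpoint for the image layers. The following Terraform is an added example written for this thread, not the asker's code from GitHub or anything from the answerers; it shows the weak self-referencing security group replaced by an explicit 443 rule from the task's own group, and wires all three endpoints in. Resource and variable names (fargate_tasks, aws_route_table.private, aws_ecs_cluster.main, aws_ecs_task_definition.app) and the eu-west-1 default are assumptions chosen for illustration.

```hcl
# Added example (not the asker's Terraform). Names, variables and the
# eu-west-1 default region are assumptions for illustration.

variable "environment" {
  type = string
}

variable "region" {
  type    = string
  default = "eu-west-1"
}

# Security group attached to the Fargate tasks. It only needs egress:
# 443 to the interface endpoints inside the VPC, and 443 to the S3
# gateway endpoint (addressed by its managed prefix list, not a CIDR).
resource "aws_security_group" "fargate_tasks" {
  name   = "${var.environment}-fargate-tasks-sg"
  vpc_id = aws_vpc.vpc.id

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.vpc.cidr_block]
  }

  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [aws_vpc_endpoint.s3.prefix_list_id]
  }
}

# Security group on the interface endpoints. Instead of `self = true`
# (which admits only other members of this group, so a task that is not
# in it times out exactly as in the error), admit 443 from the task group.
resource "aws_security_group" "interface_endpoints" {
  name   = "${var.environment}-interface-endpoints-sg"
  vpc_id = aws_vpc.vpc.id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.fargate_tasks.id]
  }
}

# ECR needs both interface endpoints; private_dns_enabled makes
# api.ecr.<region>.amazonaws.com resolve to the endpoint's private IPs.
resource "aws_vpc_endpoint" "ecr_api" {
  vpc_id              = aws_vpc.vpc.id
  service_name        = "com.amazonaws.${var.region}.ecr.api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private_subnet[*].id
  security_group_ids  = [aws_security_group.interface_endpoints.id]
  private_dns_enabled = true
}

resource "aws_vpc_endpoint" "ecr_dkr" {
  vpc_id              = aws_vpc.vpc.id
  service_name        = "com.amazonaws.${var.region}.ecr.dkr"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private_subnet[*].id
  security_group_ids  = [aws_security_group.interface_endpoints.id]
  private_dns_enabled = true
}

# Image layers are served from S3, so the private route tables need a
# gateway endpoint; there is no security group on a gateway endpoint.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.vpc.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = aws_route_table.private[*].id
}

# The task runs in the private subnets with the task group only and no
# public IP; the ingress rule above is what lets it reach the endpoints.
resource "aws_ecs_service" "app" {
  name            = "${var.environment}-app"
  cluster         = aws_ecs_cluster.main.id
  task_definition = aws_ecs_task_definition.app.arn
  desired_count   = 1
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = aws_subnet.private_subnet[*].id
    security_groups  = [aws_security_group.fargate_tasks.id]
    assign_public_ip = false
  }
}
```

Kallu's suggestion of adding the interface_endpoints group to the task's network_configuration also works, because the task then matches the `self = true` rule; the explicit rule above keeps the endpoint group free of task traffic it does not need to permit. Two caveats that fit the comment thread: private DNS on an interface endpoint only takes effect if the VPC itself has enable_dns_support and enable_dns_hostnames set to true, and a task definition that uses the awslogs log driver additionally needs a com.amazonaws.<region>.logs interface endpoint, or it will fail at a later step even once the ECR pull succeeds.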
