AWS Fargate and Tasks in a Private Subnet

0

Hi

I have an ECS cluster where I am trying to deploy my tasks to AWS Fargate in a private subnet. I am trying to deploy a simple Node.js Hello World image, but the task shows the following error after a while.

Task stopped at: 2024-01-31T10:17:16.172Z
ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post "https://api.ecr.eu-west-1.amazonaws.com/": dial tcp 63.34.63.179:443: i/o timeout. Please check your task network configuration.

I have VPC endpoints in place for ecr.dkr and ecr.api, but I am still getting this error. I have gone through the steps in this link, but to no avail as of yet. My Terraform code can be viewed on GitHub. Any suggestions to resolve this error would be greatly appreciated.

3 answers
1

When you set up your VPC endpoints, did you enable Private DNS? If not, you will need to enable it. It looks like you're using public DNS names instead of private DNS names.

https://repost.aws/knowledge-center/vpc-private-dns-name-endpoint-service

Also ensure your security group allows inbound access on port 443.

Expert
answered 3 months ago
  • I didn't have Private DNS enabled on the VPC interface endpoints. I tried that, but I'm still getting the same error, unfortunately.

  • Please share your error, as it will be different now.

  • The error message has remained the same, unfortunately.

  • Are you 100% sure Private DNS is enabled? It should be returning a private IP, not a public one.

  • Yes, I am positive Private DNS is running; I checked it a few times. There are no public IPs being displayed.

0

Maybe I missed something in your Terraform, but it looks like you create a security group for the interface endpoints that only allows access from other members of that same group.

amazon-vpc.tf:

resource "aws_security_group" "interface_endpoints" {
  name        = "${var.environment}-interface-endpoints-sg"
  description = "Default security group for VPC Interface endpoints"
  vpc_id      = aws_vpc.vpc.id
  depends_on  = [aws_vpc.vpc]
  # self = true only admits traffic from ENIs that carry this same group;
  # the Fargate tasks use a different group, so they are not matched.
  ingress {
    from_port = "0"
    to_port   = "0"
    protocol  = "-1"
    self      = true
  }

  egress {
    from_port = "0"
    to_port   = "0"
    protocol  = "-1"
    self      = "true"
  }
}

But then in amazon-ecs.tf, when you define the network configuration for the Fargate task, you don't assign the interface_endpoints security group to it. I think this will block your access to the interface endpoints in your VPC.

  network_configuration {
    subnets         = aws_subnet.private_subnet[*].id
    security_groups = [aws_security_group.fargate_alb_sg.id]
  }

If you added the interface_endpoints group to your network configuration, would that help?

Expert
Kallu
answered 3 months ago
Expert
reviewed 3 months ago
0

You need to have the S3 gateway endpoint deployed too, as S3 is where the ECR image layers are stored. Are you using Secrets Manager or SSM Parameter Store?

Expert
answered 3 months ago
  • I do have the S3 gateway endpoint deployed. No, I am not using SSM or Secrets Manager right now.
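The three answers above each point at one piece of the same configuration: Private DNS on the ecr.api and ecr.dkr interface endpoints (first answer), an endpoint security group that admits HTTPS from the security group the tasks actually run with rather than only from itself (second answer), and an S3 gateway endpoint for the image layers (third answer). The following Terraform is an added example that ties those pieces together; it is not the poster's code from GitHub and not any answerer's code. It assumes the names already visible in the thread (var.environment, aws_vpc.vpc, aws_subnet.private_subnet, aws_security_group.fargate_alb_sg) plus a hypothetical aws_route_table.private for the private subnets.

```hcl
# Added example, not the original poster's Terraform.
# Assumed to exist elsewhere: var.environment, aws_vpc.vpc,
# aws_subnet.private_subnet (list), aws_security_group.fargate_alb_sg,
# aws_route_table.private (hypothetical route table for the private subnets).

data "aws_region" "current" {}

# Security group for the interface endpoint ENIs. The ingress rule references the
# task security group, so tasks do not need to carry the endpoint group themselves.
resource "aws_security_group" "interface_endpoints" {
  name        = "${var.environment}-interface-endpoints-sg"
  description = "HTTPS from Fargate tasks to VPC interface endpoints"
  vpc_id      = aws_vpc.vpc.id

  ingress {
    description     = "HTTPS from the Fargate task security group"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.fargate_alb_sg.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# ECR needs both endpoints: ecr.api for the registry auth call that timed out in
# the question, ecr.dkr for the image pull. private_dns_enabled = true is what makes
# api.ecr.<region>.amazonaws.com resolve to the endpoint's private IPs inside the VPC.
locals {
  ecr_endpoint_services = toset(["ecr.api", "ecr.dkr"])
}

resource "aws_vpc_endpoint" "ecr" {
  for_each            = local.ecr_endpoint_services
  vpc_id              = aws_vpc.vpc.id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private_subnet[*].id
  security_group_ids  = [aws_security_group.interface_endpoints.id]
  private_dns_enabled = true
}

# Image layers are served from S3. A gateway endpoint is attached to route tables,
# not subnets, and has no security group of its own.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.vpc.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}

# The task side must also be allowed out on 443 to the endpoint ENIs; a task
# security group with a narrowed egress list is a common reason the pull still fails.
resource "aws_security_group_rule" "task_egress_https_to_endpoints" {
  type                     = "egress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  security_group_id        = aws_security_group.fargate_alb_sg.id
  source_security_group_id = aws_security_group.interface_endpoints.id
}
```

After applying, a quick check from inside the VPC is that `api.ecr.<region>.amazonaws.com` resolves to addresses in the private subnet CIDRs rather than a public IP such as the 63.34.63.179 seen in the error; if it still resolves publicly, Private DNS is not in effect for that endpoint. Keeping the endpoint group's ingress limited to TCP 443 from the task security group, instead of all protocols from itself, is the least-privilege shape and is also what actually lets the ECS agent reach the endpoints.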
