Deploying ECS Task Definition Through is Stuck on Provisioning

0

I'm currently experiencing an issue where I'm trying to deploy a TypeScript + Node.js + Express server Docker image to ECS. I've ensured that the Docker image is able to run locally and I have successfully uploaded the Docker image to ECR.

I created an ECS cluster without any issues. CloudFormation events show that the service was created successfully.

When I try to run the task that specifies the ECR image, it's just stuck on Provisioning. Looking at CloudFormation, the task is also stuck in CREATE_IN_PROGRESS.

The parameters I used to create the cluster are as follows:

  • AWS Fargate Deselected
  • AWS EC2 Instances selected
  • Create new ASG
  • OS: Amazon Linux 2023
  • Instance Type: t3.micro
  • Desired Capacity, min: 0, max: 5
  • SSH pem key enabled
  • Network Set to Custom VPC with 2 public and 2 private subnets, all selected
  • Auto-Assign IP enabled

Dockerfile

# Start from the official Node.js 18 image (the tag below pins 18.4.0-alpine)
FROM --platform=linux/amd64 node:18.4.0-alpine

# Set the working directory
WORKDIR /app

COPY package*.json ./

RUN npm install

# Bundle app source inside Docker image
COPY . .

# Build the application
RUN npm run build

# Expose the port the app runs on
EXPOSE 80

CMD [ "npm", "run", "prod" ]

The Task Definition

{
    "family": "abcApiDevTask",
    "containerDefinitions": [
        {
            "name": "radical-api-image",
            "image": "abc.dkr.ecr.us-west-1.amazonaws.com/abc-api-dev:latest",
            "cpu": 2048,
            "memory": 3072,
            "memoryReservation": 1024,
            "portMappings": [
                {
                    "name": "abc-api-image-80-tcp",
                    "containerPort": 80,
                    "hostPort": 80,
                    "protocol": "tcp",
                    "appProtocol": "http"
                }
            ],
            "essential": true,
            "environment": [],
            "mountPoints": [],
            "volumesFrom": [],
            "workingDirectory": "/app"
        }
    ],
    "taskRoleArn": "arn:aws:iam::105065788176:role/ecsTaskExecutionRole",
    "executionRoleArn": "arn:aws:iam::105065788176:role/ecsTaskExecutionRole",
    "networkMode": "awsvpc",
    "requiresCompatibilities": [
        "EC2"
    ],
    "cpu": "2048",
    "memory": "3072",
    "runtimePlatform": {
        "cpuArchitecture": "X86_64",
        "operatingSystemFamily": "LINUX"
    }
}
4 Answers
1
Accepted Answer

Hello.

Does the private subnet's route table have a route to the NAT Gateway?
To run a task in a private subnet, we need to pull the container image from ECR, so we need a route to the ECS VPC endpoint or NAT Gateway.
https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/vpc-endpoints.html

EXPERT
answered 7 months ago
AWS EXPERT
reviewed 7 months ago
  • Thank you for your reply. Are you unable to launch the task successfully even if you launch it from the management console instead of from CloudFormation?

  • Looking at the task definition, the network mode is "awsvpc". In this case, you cannot use public subnets. Try not using public subnets. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking-awsvpc.html#task-networking-considerations

    When hosting tasks that use the awsvpc network mode on Amazon EC2 Linux instances, your task ENIs aren't given public IP addresses. To access the internet, tasks must be launched in a private subnet that's configured to use a NAT gateway. For more information, see NAT gateways in the Amazon VPC User Guide. Inbound network access must be from within a VPC that uses the private IP address or routed through a load balancer from within the VPC. Tasks that are launched within public subnets do not have access to the internet.

    Also, make sure that "enableDnsHostnames" and "enableDnsSupport" are enabled in your VPC. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support
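The checklist in this answer (a default route from the private subnet to a NAT gateway, or ECR interface endpoints plus an S3 gateway endpoint, and both VPC DNS attributes enabled) can be verified offline against the JSON the AWS CLI returns. The checker below is an added example, not code from the question or from AWS; the route tables, endpoints and DNS attributes in it are constructed samples, and merging the per-attribute `describe-vpc-attribute` results into one dict is an assumption of this example.

```python
# Offline checker for the answer's checklist: a private subnet must have a 0.0.0.0/0
# route to a NAT gateway (or ecr.api/ecr.dkr/s3 VPC endpoints) and VPC DNS enabled.
# Input shapes mirror `aws ec2 describe-route-tables` / `describe-vpc-endpoints` /
# `describe-vpc-attribute` JSON; all sample data below is constructed.

def has_nat_route(route_table: dict) -> bool:
    """Active default route that targets a NAT gateway. An internet-gateway
    route does not count: awsvpc task ENIs on EC2 get no public IP."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("State") == "active"
                and route.get("NatGatewayId", "").startswith("nat-")):
            return True
    return False

def has_ecr_endpoints(endpoints: list, region: str) -> bool:
    """ECR pulls over PrivateLink need ecr.api, ecr.dkr and an S3 gateway endpoint."""
    available = {e["ServiceName"] for e in endpoints if e.get("State") == "available"}
    required = {f"com.amazonaws.{region}.{svc}" for svc in ("ecr.api", "ecr.dkr", "s3")}
    return required <= available

def dns_enabled(vpc_attrs: dict) -> bool:
    """Both VPC DNS attributes must be true for ECR/endpoint hostnames to resolve."""
    return all(vpc_attrs.get(k, {}).get("Value") is True
               for k in ("EnableDnsSupport", "EnableDnsHostnames"))

def diagnose(route_table: dict, endpoints: list, region: str, vpc_attrs: dict) -> list:
    """Return findings; an empty list means the subnet can reach ECR and resolve names."""
    findings = []
    if not (has_nat_route(route_table) or has_ecr_endpoints(endpoints, region)):
        findings.append("no path to ECR: add a NAT gateway route or ecr.api/ecr.dkr/s3 endpoints")
    if not dns_enabled(vpc_attrs):
        findings.append("enableDnsSupport and enableDnsHostnames must both be true")
    return findings

# Constructed samples (not real resources) shaped like the CLI output.
PRIVATE_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]}
PUBLIC_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]}
ENDPOINTS = [{"ServiceName": f"com.amazonaws.us-west-1.{s}", "State": "available"}
             for s in ("ecr.api", "ecr.dkr", "s3")]
DNS_OK = {"EnableDnsSupport": {"Value": True}, "EnableDnsHostnames": {"Value": True}}

if __name__ == "__main__":
    print(diagnose(PRIVATE_RT, [], "us-west-1", DNS_OK) or "ok")   # private subnet + NAT
    print(diagnose(PUBLIC_RT, [], "us-west-1", DNS_OK) or "ok")    # public subnet + IGW only
```

Feed it the real output of `aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<subnet>` and `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<vpc>` for each subnet selected in the capacity provider.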

0

Yes, there are 2 routes available in the private subnets' route table. One is destination 0.0.0.0/0, which points to nat-<id>, and the other is an internal IP range pointing to local. The public subnets are connected to an internet gateway.
VPC Architecture

answered 7 months ago
0

I got it to work! Thanks so much for your help! I only selected the private subnets this time and I increased the instance size to t3.medium instead of t3.micro. I'm not sure what did the trick.

Now I'm attempting to set up an API Gateway to the instance.

answered 7 months ago
0

I have the same issue as described, and I used the same instance type, t3.medium, and placed my service in a private subnet instead of a public one, but it is still stuck in Provisioning status. Did you change anything else other than that?

Mahmoud
answered 7 days ago
