1 Answer
I think you need to allow the higher ephemeral ports on the inbound rules. The Fargate task is calling the Secrets Manager endpoint over TCP 443 but there is no incoming rule to allow the response.
You could also use a VPC interface endpoint for Secrets Manager so that these requests don't leave the subnet. See: Using an AWS Secrets Manager VPC endpoint.
And there was this other question asked within minutes of this one: https://repost.aws/questions/QUQTOI3m3KRsGLi0x9Yh1bLg/ecs-fargate-task-running-in-private-subnet-cant-pull-container-from-private-ecr-repository
Those sound like the key takeaways from the other forum post. Thank you.
I did do that like this but no difference as long as NACL inbound rule 300 is there. I wonder why.
If the endpoint is created without specifying a security group, the default SG is used. The default SG of the VPC allows inbound from others in the SG only. That could be blocking. If the endpoint is in another subnet the NACLs can block the traffic.
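To make the stateless-NACL point from the answer concrete, here is an added example (not from the original thread or from AWS) that models how a network ACL evaluates the two halves of one HTTPS call from a Fargate task to Secrets Manager. The rule tables, rule numbers and the client port 49152 are constructed for illustration; the deny-first table is a hypothetical ordering, not the thread's actual rule 300.

```python
from dataclasses import dataclass

# Network ACLs are stateless: the request and the response are evaluated
# separately, rules are checked in ascending number order, the first match
# wins, and the implicit '*' rule at the end denies anything unmatched.

@dataclass
class Rule:
    number: int
    action: str          # "allow" or "deny"
    port_from: int
    port_to: int
    protocol: str = "tcp"

def evaluate(rules, dst_port, protocol="tcp"):
    """Return 'allow' or 'deny' for a packet with destination port dst_port."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol in (protocol, "all") and r.port_from <= dst_port <= r.port_to:
            return r.action
    return "deny"  # implicit '*' rule

def secrets_manager_call_succeeds(inbound, outbound, client_port=49152):
    """Model one TLS connection task:client_port -> endpoint:443.

    Outbound NACL sees the request (destination port 443).
    Inbound NACL sees the response (destination port = client's ephemeral port).
    Both directions must be allowed or the handshake never completes.
    """
    request_ok = evaluate(outbound, 443) == "allow"
    response_ok = evaluate(inbound, client_port) == "allow"
    return request_ok and response_ok

# Constructed outbound table: HTTPS allowed (rule 100).
OUTBOUND = [Rule(100, "allow", 443, 443)]

# Constructed inbound table matching the symptom in the question: HTTPS is
# allowed, but nothing covers the ephemeral port the response comes back to.
INBOUND_BROKEN = [Rule(100, "allow", 443, 443)]

# The fix from the answer: allow the ephemeral range. AWS documents 1024-65535
# as the range that covers all client types (Linux defaults to 32768-60999).
INBOUND_FIXED = INBOUND_BROKEN + [Rule(200, "allow", 1024, 65535)]

# Hypothetical ordering pitfall: a lower-numbered deny wins over the later allow.
INBOUND_DENY_FIRST = INBOUND_BROKEN + [Rule(150, "deny", 1024, 65535),
                                       Rule(200, "allow", 1024, 65535)]

if __name__ == "__main__":
    print("broken    :", secrets_manager_call_succeeds(INBOUND_BROKEN, OUTBOUND))      # False
    print("fixed     :", secrets_manager_call_succeeds(INBOUND_FIXED, OUTBOUND))       # True
    print("deny first:", secrets_manager_call_succeeds(INBOUND_DENY_FIRST, OUTBOUND))  # False
```

Security groups, by contrast, are stateful and would let the response through automatically; the same request succeeds through a default security group as long as the endpoint's group allows the task's inbound 443, which is the separate problem raised in the last comment.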