Hello,
You've informed us that this container does not need internet ingress/egress anyway. Also, the error message is: RequestError: send request failed caused by: Post "https://api.ecr.us-east-1.amazonaws.com/": dial tcp 52.46.154.25:443: i/o timeout. Please check your task network configuration.
As per our docs:
Tasks using the Fargate launch type don't require the interface VPC endpoints for Amazon ECS, but you might need interface VPC endpoints for Amazon ECR, Secrets Manager, or Amazon CloudWatch Logs described in the following points.
Since you don't have internet connection from the provided subnet, it will fail to pull the image from ECR due to lack of connection to the ECR endpoint.
In order to overcome this error, you'll need to configure these endpoints:
- ECR and S3 Gateway Endpoint: Amazon ECS tasks hosted on Fargate using Linux platform version 1.4.0 or later require both the com.amazonaws.region.ecr.dkr and com.amazonaws.region.ecr.api Amazon ECR VPC endpoints as well as the Amazon S3 gateway endpoint to take advantage of this feature.
- CloudWatch Logs Endpoint: If your VPC doesn't have an internet gateway and your tasks use the awslogs log driver to send log information to CloudWatch Logs, you must create an interface VPC endpoint for CloudWatch Logs.
Another option is to configure a public subnet with a public IP address, or a private subnet using a NAT Gateway. Please check further information on this Best Practice Documentation.
This Knowledge Center article also describes all the steps that need to be followed to run an Amazon ECS task on Fargate in a private subnet.
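The endpoint set described in the answer above, written out as Terraform. This is an added example, not code from the answer or from AWS: it creates the ecr.api, ecr.dkr and logs interface endpoints plus the S3 gateway endpoint, and restricts the endpoint security group so that only the task's own security group can reach the endpoint ENIs on 443. The variable names (region, vpc_id, private_subnet_ids, private_route_table_ids, task_security_group_id) are assumptions; the task's security group must also allow egress to 443, which the default security group does.

```hcl
# Added example (not from the answer above): VPC endpoints that let a Fargate
# task in a private subnet pull from ECR and write to CloudWatch Logs without
# an internet gateway or NAT gateway. All variable names are assumptions.

variable "region"                  { type = string }
variable "vpc_id"                  { type = string }
variable "private_subnet_ids"      { type = list(string) }
variable "private_route_table_ids" { type = list(string) }
variable "task_security_group_id"  { type = string } # SG attached to the ECS task

# Only the task's security group may reach the endpoint ENIs, and only on HTTPS.
resource "aws_security_group" "vpc_endpoints" {
  name        = "ecs-vpc-endpoints"
  description = "HTTPS from ECS tasks to interface endpoints"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.task_security_group_id]
  }
}

locals {
  # ecr.api  : registry API (the host in the timeout error)
  # ecr.dkr  : image layer pulls
  # logs     : awslogs driver -> CloudWatch Logs
  interface_services = toset(["ecr.api", "ecr.dkr", "logs"])
}

resource "aws_vpc_endpoint" "interface" {
  for_each            = local.interface_services
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.value}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  # Private DNS makes api.ecr.<region>.amazonaws.com resolve to the endpoint ENI
  # instead of the public IP the task was timing out against.
  private_dns_enabled = true
}

# ECR stores image layers in S3, so the gateway endpoint is required as well.
# Gateway endpoints attach to route tables, not subnets.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}
```

With these in place the subnet needs no default route at all, which is the safer posture for a run-to-completion job: the task can reach exactly the AWS services it needs and nothing else, and a compromised container has no path to the internet. After applying, a failed pull should no longer show the i/o timeout in the task's stopped reason.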
Did you specify the iam role when you created the task definition?
Be sure to specify execution_role_arn in your Terraform resource.
You may also want to use an ECS service, which you can create with Terraform, rather than starting a task directly.
If you need access to ECR, SNS, S3, or logs, then you will need internet access or VPC endpoints to access these services.
I see you have public ip assigned, try and make sure the subnets defined when you start the task are public and route to an internet gateway and not on a subnet routing to a NAT gateway.
That may be your issue.
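A minimal execution role and task definition of the kind this answer is asking about, as an added example that is not the asker's Terraform or anything posted on this page. It shows the execution role (what the ECS agent uses to pull the image and write logs) kept separate from the task role (what the application itself would use), with the trust policy limited to ecs-tasks.amazonaws.com and only the AWS-managed AmazonECSTaskExecutionRolePolicy attached. The names batch-job, var.account_id and var.region are assumptions.

```hcl
# Added example (not the asker's code): execution role with a least-privilege
# trust policy, attached to a run-to-completion Fargate task definition.
# batch-job, var.account_id and var.region are assumed names.

variable "region"     { type = string }
variable "account_id" { type = string }

# Only the ECS tasks service may assume this role.
data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "task_execution" {
  name               = "batch-job-execution"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}

# AWS-managed policy: ECR pull (GetAuthorizationToken, BatchGetImage, ...) and
# CloudWatch Logs write. It grants nothing the application itself would use.
resource "aws_iam_role_policy_attachment" "task_execution" {
  role       = aws_iam_role.task_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

resource "aws_ecs_task_definition" "batch" {
  family                   = "batch-job"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  # Used by the ECS agent to pull the image and ship logs; required for ECR images.
  execution_role_arn = aws_iam_role.task_execution.arn
  # task_role_arn is deliberately omitted: add one only if the job calls AWS APIs,
  # scoped to exactly those actions, so image-pull rights never leak into the container.

  container_definitions = jsonencode([{
    name      = "job"
    image     = "${var.account_id}.dkr.ecr.${var.region}.amazonaws.com/batch-job:latest"
    essential = true
    logConfiguration = {
      logDriver = "awslogs"
      options = {
        "awslogs-group"         = "/ecs/batch-job"
        "awslogs-region"        = var.region
        "awslogs-stream-prefix" = "ecs"
      }
    }
  }])
}
```

When the task is started with aws ecs run-task, the awsvpcConfiguration must name subnets that actually route to an internet gateway (with assignPublicIp=ENABLED) or to the VPC endpoints from the earlier answer; the execution role alone does not provide a network path to ECR.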
Thanks for your comment. I just updated the original question with the Terraform definition of the task. In short: yes, the task references the execution role (you cannot define a task without one). I do not want a service because this task runs to completion; it is not a long-running container by design. And as I mentioned I am just using the default VPC that AWS creates, and the default security group which does allow egress to anything.
Thanks. Added a new answer