Can't run a basic ECS/Fargate task following AWS docs

0

I follow this ECS guide, but always get an error. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/getting-started-fargate.html

My region is: eu-central-1

  1. I deleted* and then created the default VPC using the console, following these steps: https://docs.aws.amazon.com/vpc/latest/userguide/delete-vpc.html#delete-vpc-console https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html#create-default-vpc

    * Before I deleted/created the default VPC, I also tried steps 2-4 with the already created default VPC, with the same result.

  2. I created an AWS Fargate (serverless) cluster using the console without the (optional) steps and namespace**: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/getting-started-fargate.html

    ** I also tried the option with namespace with the same result.

  3. I created a task definition according to Step 2*** in: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/getting-started-fargate.html

    *** I also tried to add ecsTaskExecutionRole to the task, but it didn't help.

  4. I deployed the task by clicking the Deploy button and selecting Run task. I chose the cluster I created in the 2nd step and clicked Create. Unfortunately, the task never runs and always returns these errors:

    There was an error while describing network interfaces. The networkInterface ID 'eni-042a245591c1f3e39' does not exist****

    **** This error probably occurs during de-provisioning and has nothing to do with the second error below. When the task had a Pending status, I checked if the networkInterface ID exists and it does.

    Task stopped at: 2023-09-27T10:41:38.641Z CannotPullContainerError: pull image manifest has been retried 5 time(s): failed to resolve ref public.ecr.aws/docker/library/httpd:latest: failed to do request: Head "https://public.ecr.aws/v2/docker/library/httpd/manifests/latest": dial tcp: lookup public.ecr.aws on 172.31.0.2:53: read udp 172.31.40.124:56444->172.31.0.2:53: i/o timeout

I also tried opening ports 80 and 443 in the VPC's security group for all inbound traffic, with no luck.

How can I make it work? Thank you.

2 Answers
1
Accepted Answer

I changed the region from eu-central-1 to us-east-1 following the same steps as I described above and it works. Probably there is some bug in AWS, hard to say if eu-central-1 can't access public.ecr.aws or if it's something different.

Mihi
answered 9 months ago
EXPERT
reviewed 11 days ago
1

Hello.

I'm getting a timeout error when pulling the container image.
If the subnet used by ECS is a private subnet, try adding a route to the NAT Gateway to the route table or setting up a VPC endpoint for ECR.
https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html

If you are using a public subnet, please check whether the subnet's public IP allocation is enabled.
https://docs.aws.amazon.com/vpc/latest/userguide/modify-subnets.html#subnet-public-ip

EXPERT
answered 9 months ago
EXPERT
reviewed 11 days ago
  • Hello. Unfortunately, creating a VPC endpoint for ECR or public NAT with a private subnet didn't help. All public subnets have "Enable auto-assign public IPv4 address" checked. I've already sent feedback to AWS that their guide is inaccurate or incomplete.

    If there's someone who could write me a step-by-step guide on how to make the below AWS guide work, that would be great: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/getting-started-fargate.html
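
The checks listed in the second answer (a NAT gateway route for a private subnet, public IP allocation for a public one), applied to the task address in the question's error, as an added Python example that is not part of the original thread. The subnet and route-table records are constructed samples shaped like EC2 `describe-subnets` / `describe-route-tables` output, with placeholder IDs and assumed CIDRs; only the error string comes from the question.

```python
import ipaddress
import re

# Constructed describe-subnets / describe-route-tables style data (IDs are placeholders).
LOCAL = {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"}
SUBNETS = [
    {"SubnetId": "subnet-a", "CidrBlock": "172.31.0.0/20", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-b", "CidrBlock": "172.31.16.0/20", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-c", "CidrBlock": "172.31.32.0/20", "MapPublicIpOnLaunch": True},
]
ROUTE_TABLES = [
    {"Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"Associations": [{"Main": False, "SubnetId": "subnet-a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    {"Associations": [{"Main": False, "SubnetId": "subnet-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
]
# Error text quoted from the question's stopped-task reason.
REASON = ("dial tcp: lookup public.ecr.aws on 172.31.0.2:53: "
          "read udp 172.31.40.124:56444->172.31.0.2:53: i/o timeout")

def parse_dns_timeout(reason):
    """Return (hostname, resolver_ip, task_ip) if the pull failed at DNS lookup, else None."""
    m = re.search(r"lookup (\S+) on ([\d.]+):53: read udp ([\d.]+):\d+->", reason)
    return m.groups() if m else None

def subnet_of(ip, subnets):
    """Find the subnet whose CIDR contains the task ENI address from the error."""
    addr = ipaddress.ip_address(ip)
    return next((s for s in subnets if addr in ipaddress.ip_network(s["CidrBlock"])), None)

def route_table_for(subnet_id, tables):
    """An explicit association wins; otherwise the VPC main route table applies."""
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    return next(t for t in tables if any(a.get("Main") for a in t["Associations"]))

def egress_path(subnet, tables):
    """Classify how a task in this subnet could reach public.ecr.aws."""
    default = [r for r in route_table_for(subnet["SubnetId"], tables)["Routes"]
               if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if any(r.get("NatGatewayId") for r in default):
        return "nat-gateway"
    if any(r.get("GatewayId", "").startswith("igw-") for r in default):
        # Public subnet: the answer's second check is the public IP allocation.
        return "internet-gateway" if subnet["MapPublicIpOnLaunch"] else "igw-but-no-public-ip"
    return "no-default-route"
```

In the constructed data, the subnet containing the task address falls back to the main route table, which has only the local route, so `egress_path` reports `no-default-route` for it.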
