Unable to Access Nginx Service via Public IP on AWS Fargate Task Despite Reachable Network


Description: I have deployed an Nginx service on AWS Fargate and assigned it a public IP. However, I'm unable to access the service via this IP address. I've verified the task’s security groups and network ACLs to ensure they allow inbound traffic on port 80, and the subnet associated with the task is a public subnet with a route to the internet gateway.


Task Definition: Includes an Nginx container using the image public.ecr.aws/nginx/nginx:stable-perl.
Networking: The task is in an awsvpc network mode and has been assigned a public IP.
Security Groups: Configured to allow all inbound traffic.
VPC Reachability Analyzer: Confirms the network path is reachable.
CloudWatch Logs: No errors are reported, and the Nginx service appears to start without issues.

Despite these configurations, when attempting to access the Nginx service via the public IP, there is no response. I've also run the VPC Reachability Analyzer, which shows the path is reachable, suggesting there are no issues with the security group, network ACL, route table, or subnet configurations.

Steps Taken:

Verified Nginx is listening on port 80 within the container.
Ensured the ECS task is in a RUNNING state.
Checked that the ECS execution role has the necessary permissions.
Confirmed there are no Load Balancers involved at this stage.

Task definition:

{
  "taskDefinitionArn": "arn:aws:ecs:[region]:[account key]:task-definition/my-nginx:3",
  "containerDefinitions": [
    {
      "name": "nginx",
      "image": "public.ecr.aws/nginx/nginx:stable-perl",
      "cpu": 1024,
      "memory": 2048,
      "portMappings": [
        {
          "name": "nginx-80-tcp",
          "containerPort": 80,
          "hostPort": 80,
          "protocol": "tcp",
          "appProtocol": "http"
        }
      ],
      "essential": true,
      "environment": [],
      "environmentFiles": [],
      "mountPoints": [],
      "volumesFrom": [],
      "ulimits": [],
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-create-group": "true",
          "awslogs-group": "/ecs/my-nginx",
          "awslogs-region": "[region]",
          "awslogs-stream-prefix": "ecs"
        },
        "secretOptions": []
      }
    }
  ],
  "family": "my-nginx",
  "executionRoleArn": "arn:aws:iam::[account key]:role/ecsTaskExecutionRole",
  "networkMode": "awsvpc",
  "revision": 3,
  "volumes": [],
  "status": "ACTIVE",
  "requiresAttributes": [
    { "name": "com.amazonaws.ecs.capability.logging-driver.awslogs" },
    { "name": "ecs.capability.execution-role-awslogs" },
    { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19" },
    { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18" },
    { "name": "ecs.capability.task-eni" },
    { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.29" }
  ],
  "placementConstraints": [],
  "compatibilities": [ "EC2", "FARGATE" ],
  "requiresCompatibilities": [ "FARGATE" ],
  "cpu": "1024",
  "memory": "2048",
  "runtimePlatform": {
    "cpuArchitecture": "X86_64",
    "operatingSystemFamily": "LINUX"
  },
  "registeredAt": "2023-11-19T13:24:50.423Z",
  "registeredBy": "arn:aws:iam::[account key]:root",
  "tags": []
}

Inbound rule:
Name / Security group rule ID / IP version / Type / Protocol / Port range / Destination / Description

  • sgr-09XXXXXXXX – All traffic All All sg-0068XXXXXXXXX / default –

Outbound rule:
Name / Security group rule ID / IP version / Type / Protocol / Port range / Destination / Description

  • sgr-05dc937XXXXXX IPv4 All traffic All All –

The log of the container:

timestamp,message
1700400342620,"/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
1700400342620,/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
1700400342623,/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
1700400342634,10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
1700400342641,10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
1700400342641,/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
1700400342643,/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
1700400342644,/docker-entrypoint.sh: Configuration complete; ready for start up
1700400342648,"2023/11/19 13:25:42 [notice] 1#1: using the ""epoll"" event method"
1700400342648,2023/11/19 13:25:42 [notice] 1#1: nginx/1.24.0
1700400342648,2023/11/19 13:25:42 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
1700400342648,2023/11/19 13:25:42 [notice] 1#1: OS: Linux 5.10.198-187.748.amzn2.x86_64
1700400342648,2023/11/19 13:25:42 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 65535:65535
1700400342648,2023/11/19 13:25:42 [notice] 1#1: start worker processes
1700400342648,2023/11/19 13:25:42 [notice] 1#1: start worker process 29
1700400342649,2023/11/19 13:25:42 [notice] 1#1: start worker process 30

I am seeking guidance on additional troubleshooting steps I could take or any configuration aspects I might have overlooked. Any insights from the community would be greatly appreciated.

1 Answer
Accepted Answer

Can you check again the security group rules? It looks like your security group allows inbound traffic only from another security group. To be able to reach the service by using the public IP you have to at least allow traffic from your public IP.

I would recommend that you place your services in a private subnet and use a load balancer in front of them.

answered 22 days ago
  • Thanks, I created a new group allowing all IPs, and then it works.
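
The distinction the accepted answer draws, as an added example that is not part of the original thread: it evaluates ingress rules in the shape of `aws ec2 describe-security-groups` output (`IpPermissions`) against a client IP, separating security-group sources from CIDR sources and flagging a `/0` source. The sample rule sets, the `sg-EXAMPLE` placeholder and the function names are constructed for illustration.

```python
import ipaddress

# Constructed samples in the IpPermissions shape; sg-EXAMPLE is a placeholder.
SELF_REFERENCING_SG = [{"IpProtocol": "-1", "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE"}]}]
CIDR_SCOPED_SG = [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                   "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]
WORLD_OPEN_SG = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                  "UserIdGroupPairs": []}]


def port_matches(perm, protocol, port):
    """True if the rule covers protocol/port; "-1" means all traffic."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != protocol:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def evaluate_ingress(permissions, client_ip, port=80, protocol="tcp"):
    """Return (allowed, findings) for a client IP arriving from the internet."""
    ip = ipaddress.ip_address(client_ip)
    allowed, findings = False, []
    for perm in permissions:
        if not port_matches(perm, protocol, port):
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            # A group reference admits only resources associated with that group.
            findings.append(
                f"source is security group {pair['GroupId']}: no internet client matches")
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            net = ipaddress.ip_network(cidr)
            if net.prefixlen == 0:
                findings.append(f"{cidr} exposes port {port} to every address")
            if ip.version == net.version and ip in net:
                allowed = True
    return allowed, findings
```
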
