When you set up your VPC Endpoints, have you enabled Private DNS? If not, you will need to enable this. It looks like you're using public DNS names instead of private DNS names.
https://repost.aws/knowledge-center/vpc-private-dns-name-endpoint-service
Also ensure your security group allows inbound access on port 443.
Maybe I missed something in your Terraform, but it looks like you create a security group for interface endpoints that allows access from other members of that group.
amazon-vpc.tf:
resource "aws_security_group" "interface_endpoints" {
  name        = "${var.environment}-interface-endpoints-sg"
  description = "Default security group for VPC Interface endpoints"
  vpc_id      = aws_vpc.vpc.id
  depends_on  = [aws_vpc.vpc]

  # Inbound only from members of this same security group
  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }

  # Outbound only to members of this same security group
  egress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }
}
But then in amazon-ecs.tf, when you define the network config for the Fargate task, you don't assign the interface_endpoints security group to it. I think this will block your access to the interface endpoints in your VPC.
network_configuration {
  subnets         = aws_subnet.private_subnet[*].id
  security_groups = [aws_security_group.fargate_alb_sg.id]
}
If you added the interface_endpoints group to your network config, would it help?
Not only that, there's no outbound allowed from ECS either.
Good catch; with Terraform there is no default egress rule to allow all. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
You need to have the S3 Gateway Endpoint deployed too, as S3 is where the ECR images are stored. Are you using Secrets Manager or SSM Parameter Store?
I do have the S3 Gateway endpoint deployed. No, I am not using SSM or Secrets Manager right now.
I didn't have Private DNS enabled on the VPC Interface Endpoints. I tried that but am still getting the same error unfortunately.
Please share your error, as it will be different now.
The error message has remained the same unfortunately.
Are you 100% sure Private DNS is enabled? It should be returning a private IP, not a public one.
Yes, I am positive Private DNS is running; I checked it a few times. There are no public IPs being displayed.
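The three points raised in the thread (the endpoint security group only trusting itself, no egress rule on the task security group, and Private DNS on the interface endpoints) expressed together as Terraform. This is an added example, not the poster's or any reply's configuration; it assumes the poster's aws_vpc.vpc, aws_subnet.private_subnet and var.environment, plus an existing S3 gateway endpoint named aws_vpc_endpoint.s3 and a data.aws_region.current source.

```hcl
# Added example (not from the thread). Assumed names: aws_vpc.vpc,
# aws_subnet.private_subnet, var.environment, aws_vpc_endpoint.s3 (gateway),
# data.aws_region.current.

# Task security group: Terraform adds no default egress rule, so the Fargate
# task needs explicit outbound 443 to the endpoint ENIs and to S3.
resource "aws_security_group" "fargate_task_sg" {
  name   = "${var.environment}-fargate-task-sg"
  vpc_id = aws_vpc.vpc.id

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.vpc.cidr_block] # interface endpoint ENIs live in the VPC
  }
  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [aws_vpc_endpoint.s3.prefix_list_id] # S3 via the gateway endpoint
  }
}

# Endpoint security group: admit 443 from the task security group instead of
# a self-only rule that no task ENI satisfies.
resource "aws_security_group" "interface_endpoints" {
  name   = "${var.environment}-interface-endpoints-sg"
  vpc_id = aws_vpc.vpc.id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.fargate_task_sg.id]
  }
}

# ECR interface endpoints with Private DNS enabled, so the public ECR
# hostnames resolve to the endpoints' private IPs inside the VPC.
resource "aws_vpc_endpoint" "ecr" {
  for_each            = toset(["ecr.api", "ecr.dkr"])
  vpc_id              = aws_vpc.vpc.id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private_subnet[*].id
  security_group_ids  = [aws_security_group.interface_endpoints.id]
  private_dns_enabled = true
}
```

The task's network_configuration then references aws_security_group.fargate_task_sg.id; a quick check that the fix took effect is that the ECR hostnames resolve to VPC-range addresses from inside the subnet.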