AWS Fargate and Tasks in a Private Subnet

0

Hi

I have an AN ECS cluster where I am trying to deploy my tasks to AWS Fargate in a private Subnet. I am trying to deploy a simple nodejs Hello World image but the task is showing the following error after a while.

Task stopped at: 2024-01-31T10:17:16.172Z
ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post "https://api.ecr.eu-west-1.amazonaws.com/": dial tcp 63.34.63.179:443: i/o timeout. Please check your task network configuration.

I have VPC Endpoints in place for ecr.dkr and ecr.api but I am still getting this error. I have gone through the steps in this link but to no avail as of yet. My terraform code can be viewed on github - any suggestions to resolve this error would be greatly appreciated.

3 Answers
1

When you setup your VPC Endpoints, have you enabled Private DNS? If not you will need this enabling. It looks like your using Public DNS Names instead of private DNS Names.

https://repost.aws/knowledge-center/vpc-private-dns-name-endpoint-service

Also ensure your security group allows access inbound on port 443

profile picture
EXPERT
answered 9 months ago
  • I didnt have Private DNS enabled on the VPC Interface Endpoints. I tried that but still getting the same error unfortunately.

  • Please share your error.. As it will be different now

  • The error message has remained the same unfortunately

  • Are you 100% Sure Private DNS Is enabled? It should be returning a private IP not a public.

  • Yes I am positive Private DNS is running, I checked it a few times. There is no public IPs being displayed

0

Maybe I missed something in your terraform but it looks like you create a sec.group for interface endpoints that allows access from other members of that group.

amazon-vpc.tf:

resource "aws_security_group" "interface_endpoints" {
  name        = "${var.environment}-interface-endpoints-sg"
  description = "Default security group for VPC Interace endpoints"
  vpc_id      = aws_vpc.vpc.id
  depends_on  = [aws_vpc.vpc]
  ingress {
    from_port = "0"
    to_port   = "0"
    protocol  = "-1"
    self      = true
  }

  egress {
    from_port = "0"
    to_port   = "0"
    protocol  = "-1"
    self      = "true"
  }
}

But then in amazon-ecs.tf when you define network config for fargate task don't assign interface_endpoints sec.group to it. I think this will block your access to interface endpoints in your VPC.

  network_configuration {
    subnets         = aws_subnet.private_subnet[*].id
    security_groups = [aws_security_group.fargate_alb_sg.id]
  }

If you would add interface_endpoints group to your network config would it help?

profile picture
EXPERT
answered 9 months ago
profile picture
EXPERT
reviewed 9 months ago
0

You need to have the S3 Gateway Endpoint deployed too as S3 is where the ECR images are stored. Are you using Secrets manager or SSM Parameter store?

profile picture
EXPERT
answered 9 months ago
  • I do have the S3 Gateway endpoint deployed. No I am not using SSM or Secrets Manager right now

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions