AWS Fargate and Tasks in a Private Subnet

0

Hi

I have an ECS cluster where I am trying to deploy my tasks to AWS Fargate in a private subnet. I am trying to deploy a simple Node.js Hello World image, but the task is showing the following error after a while.

Task stopped at: 2024-01-31T10:17:16.172Z
ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post "https://api.ecr.eu-west-1.amazonaws.com/": dial tcp 63.34.63.179:443: i/o timeout. Please check your task network configuration.

I have VPC Endpoints in place for ecr.dkr and ecr.api, but I am still getting this error. I have gone through the steps in this link but to no avail as of yet. My Terraform code can be viewed on GitHub; any suggestions to resolve this error would be greatly appreciated.

3 Answers
1

When you set up your VPC Endpoints, did you enable Private DNS? If not, you will need to enable it. It looks like you're using public DNS names instead of private DNS names.

https://repost.aws/knowledge-center/vpc-private-dns-name-endpoint-service

Also ensure your security group allows inbound access on port 443.

EXPERT
answered 3 months ago
  • I didn't have Private DNS enabled on the VPC Interface Endpoints. I tried that, but I'm still getting the same error unfortunately.

  • Please share your error, as it will be different now.

  • The error message has remained the same unfortunately.

  • Are you 100% sure Private DNS is enabled? It should be returning a private IP, not a public one.

  • Yes, I am positive Private DNS is running; I checked it a few times. There are no public IPs being displayed.

0

Maybe I missed something in your Terraform, but it looks like you create a security group for the interface endpoints that only allows access from other members of that same group.

amazon-vpc.tf:

resource "aws_security_group" "interface_endpoints" {
  name        = "${var.environment}-interface-endpoints-sg"
  description = "Default security group for VPC Interface endpoints"
  vpc_id      = aws_vpc.vpc.id
  depends_on  = [aws_vpc.vpc]

  # Only members of this same group may reach the endpoints
  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }

  egress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }
}

But then in amazon-ecs.tf, when you define the network config for the Fargate task, you don't assign the interface_endpoints security group to it. I think this will block your access to the interface endpoints in your VPC.

  network_configuration {
    subnets         = aws_subnet.private_subnet[*].id
    security_groups = [aws_security_group.fargate_alb_sg.id]
  }

If you added the interface_endpoints group to your network config, would it help?

EXPERT
Kallu
answered 3 months ago
EXPERT
reviewed 3 months ago
0

You need to have the S3 Gateway Endpoint deployed too, as S3 is where the ECR image layers are stored. Are you using Secrets Manager or SSM Parameter Store?

EXPERT
answered 3 months ago
  • I do have the S3 Gateway endpoint deployed. No, I am not using SSM or Secrets Manager right now.
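Pulling the three answers together (private DNS on the interface endpoints, an endpoint security group that admits the task's security group on 443 rather than only itself, and an S3 gateway endpoint on the private route table), here is an added Terraform example; it is not the asker's repository code. It assumes aws_vpc.vpc, aws_subnet.private_subnet and aws_route_table.private exist as in the asker's layout, plus var.environment and var.region; the task's network_configuration would reference aws_security_group.fargate_task.

```hcl
# Added example, not from the question's repo. Layout that lets a Fargate task in a
# private subnet pull from ECR with no internet path.

# Task SG: only egress is needed; the endpoints answer with private IPs once
# private DNS is on, so the VPC CIDR is enough as a destination.
resource "aws_security_group" "fargate_task" {
  name   = "${var.environment}-fargate-task-sg"
  vpc_id = aws_vpc.vpc.id

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.vpc.cidr_block]
  }
}

# Endpoint SG: admit 443 from the task SG (the original only allowed `self`).
resource "aws_security_group" "interface_endpoints" {
  name   = "${var.environment}-interface-endpoints-sg"
  vpc_id = aws_vpc.vpc.id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.fargate_task.id]
  }
}

# ecr.api (auth token, the call failing in the error) and ecr.dkr (image pull).
resource "aws_vpc_endpoint" "ecr" {
  for_each            = toset(["ecr.api", "ecr.dkr"])
  vpc_id              = aws_vpc.vpc.id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private_subnet[*].id
  security_group_ids  = [aws_security_group.interface_endpoints.id]
  private_dns_enabled = true # without this, api.ecr.<region> resolves to a public IP
}

# Image layers are served from S3, so the private route table needs a gateway endpoint.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.vpc.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}
```

A quick check from inside the VPC is that `api.ecr.<region>.amazonaws.com` resolves to an address within aws_vpc.vpc.cidr_block; the `dial tcp 63.34.63.179:443` in the error shows a public address, which is what a missing private DNS setting looks like.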
