1 回答
- 最新
- 投票最多
- 评论最多
2
Hello.
Since a public IP address is used to access ECR, try using a NAT Gateway or enabling public IP address attachment for the ECS task.
It should also be possible to set up a VPC endpoint using methods other than NAT Gateway.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/networking-outbound.html
You may find the following troubleshooting documents helpful.
https://repost.aws/knowledge-center/ecs-unable-to-pull-secrets
I'm quite confused, I've created another service that assigns public IP to the instances and everything works. Why the instance needs public IP? I thought that while the instance is being set up, the docker will ACCESS the ECR, so it needs connection to the ECR endpoint, but the ECR endpoint does not need access to the instance (via public IP). Can you please explain?
ECR will return a public IP address when resolving a name if you do not configure anything in VPC. Therefore, if communication using a public IP address is not possible, access to ECR will not be possible. In other words, it is necessary to give the ECS task a public IP address and access ECR via an Internet gateway or by using a NAT Gateway. By setting up a VPC endpoint, you can communicate using a private IP address.
As you can see from the error message you shared below, it's trying to access a public IP address and failing. This means that the settings for communication using a public IP address have not been configured.