Fargate: CannotPullContainer from ECR with private IP and NAT #1204
Fargate fails to pull ECR image with an error:
I have followed recommendations described here:
Security group outbound: ALL Traffic ALL ALL 0.0.0.0/0
As others have pointed out here #1128 (comment) and here #1128 (comment), just setting up NAT as described here #1128 (comment) is not sufficient. There really seems to be something wrong with the access. Same exact repository image starts successfully when deployed with a public IP.
Please let me know if you need more details to reproduce.
referenced this issue
Jan 22, 2018
I would attempt to debug this by creating an EC2 instance in the subnet and seeing if docker pull works. The EC2 instance should not have a public IP for testing purposes. Is your subnet private or public? I believe with Fargate you should have a private subnet and a public subnet and deploy the task to the private subnet, then using NAT+IGW for public internet access.
What does "in private range" mean? Is the subnet private or public? The recommended setup seems to be using a private subnet, a public subnet, a NAT Gateway and an Internet gateway. I got my setup working with that. I launched the task into the private subnet.
See AWS documentation:
@panuhorsmalahti thanks a lot for providing the relevant information. I did not realize before that one has to set up both private AND public subnets. Just assigning NAT to a private subnet is not enough. It is required to have another subnet in the same VPC which is forwarding its 0.0.0.0/0 to the IGW.
@dovidkopel there's not much to clarify there. https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
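
The routing requirement this thread arrives at (task subnet defaults to a NAT gateway, and the NAT gateway sits in a different subnet whose default route goes to the IGW) can be checked mechanically. The following is an added example, not part of the original posts: it assumes the inputs are the parsed `RouteTables` and `NatGateways` lists from `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` for a single VPC, and all ids and function names are constructed for illustration.

```python
# Added example: ids and sample data are constructed; function names are hypothetical.
DEFAULT = "0.0.0.0/0"

def default_route(subnet_id, route_tables):
    """Return the 0.0.0.0/0 route that applies to subnet_id, or None."""
    explicit = main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                explicit = table
            elif assoc.get("Main"):
                main = table
    table = explicit or main  # no explicit association -> VPC main route table
    routes = table.get("Routes", []) if table else []
    return next((r for r in routes if r.get("DestinationCidrBlock") == DEFAULT), None)

def check_private_task_egress(task_subnet, route_tables, nat_gateways):
    """Check task subnet -> NAT gateway -> (NAT's subnet) -> internet gateway."""
    route = default_route(task_subnet, route_tables)
    if route is None:
        return False, "task subnet has no default route"
    if (route.get("GatewayId") or "").startswith("igw-"):
        return False, "task subnet is public: without a public IP the IGW is unusable"
    nat = next((n for n in nat_gateways
                if n["NatGatewayId"] == route.get("NatGatewayId")), None)
    if nat is None or nat.get("State") != "available":
        return False, "default route does not point at an available NAT gateway"
    nat_route = default_route(nat["SubnetId"], route_tables)
    if nat_route is None or not (nat_route.get("GatewayId") or "").startswith("igw-"):
        return False, "NAT gateway's subnet does not route 0.0.0.0/0 to an IGW"
    return True, "ok"

# Constructed sample in the shape of describe-route-tables / describe-nat-gateways.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-private", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT, "NatGatewayId": "nat-example"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-public", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT, "GatewayId": "igw-example"}]},
]
NAT_IN_PUBLIC = [{"NatGatewayId": "nat-example", "SubnetId": "subnet-public", "State": "available"}]
NAT_IN_PRIVATE = [{"NatGatewayId": "nat-example", "SubnetId": "subnet-private", "State": "available"}]

if __name__ == "__main__":
    print(check_private_task_egress("subnet-private", ROUTE_TABLES, NAT_IN_PUBLIC))
    print(check_private_task_egress("subnet-private", ROUTE_TABLES, NAT_IN_PRIVATE))
```

`NAT_IN_PRIVATE` models the setup that failed in this thread: the NAT gateway is placed in the private subnet itself, so its own default route never reaches an IGW.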