
We have a Fargate service that should be exposed to the internet via a load balancer, and since for tests we had so far used the task's random public IP, we decided to disable the public IP, so that the task of the service is accessible via the load balancer only.

Disabling the Public IP though seems to make the container inside Fargate unable to download the env file from S3. The strange fact is that the image from ECR is pulled but the task fails when it tries to get the env file.

According to this: https://aws.amazon.com/premiumsupport/knowledge-center/ecs-task-environment-variables/

If your ECS task is in a public subnet, verify the following: Be sure that task has a public IP address enabled.

The service is in a public subnet, so according to this we should have the public IP.

Is there a reason for this, since the public subnet should in itself have access to the internet? And why does the ECR pull work anyway?

Thanks

1 Answer


You said you disabled the public IP. A container / server needs a public IP to reach S3 through the internet gateway.

If you want to access S3 without a public IP use an S3 VPC endpoint.

  • But shouldn't for the same reason the ECR pull not work? And isn't the public subnet a network with access to the internet (hence "public")?
    – Ncifra
    Commented Jun 22, 2022 at 8:19
  • From memory (I could be wrong on this point) the ECR container image pull is done by the ECS service that has access to ECR. Or maybe there's a VPC endpoint there. I haven't done containers for a while and remember something a bit like that. A resource without a public IP cannot access the internet, that's the way AWS works.
    – Tim
    Commented Jun 22, 2022 at 9:52
  • I did some checks and we do have indeed an Endpoint for S3 (but not for ECR) for this VPC. Most likely the ECR pull is done by the service, so the task is run after the image is pulled, but still I don't know why S3 doesn't work without the public IP.
    – Ncifra
    Commented Jun 22, 2022 at 14:11
  • Is your S3 endpoint a gateway or interface type? If it's gateway is it in the route table? S3 is generally a public service, and you can't get to the internet without a public IP - that's just the way AWS works.
    – Tim
    Commented Jun 22, 2022 at 18:58
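Added example, not part of the question or the answer: a Python check for the point Tim raises in the comments, run over constructed sample data in the shape of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-route-tables` output. It reports whether a task's subnet has a route to an available S3 gateway endpoint, or otherwise depends on a public IP plus an internet gateway route. All IDs and the region are placeholders.

```python
import json

# Constructed sample data shaped like the AWS CLI JSON output; IDs and region are placeholders.
VPC_ENDPOINTS = json.loads("""
{"VpcEndpoints": [
  {"VpcEndpointId": "vpce-0s3gateway", "VpcId": "vpc-0example",
   "ServiceName": "com.amazonaws.eu-west-1.s3", "VpcEndpointType": "Gateway",
   "State": "available", "RouteTableIds": ["rtb-0private"]}]}
""")
ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-0public", "VpcId": "vpc-0example",
   "Associations": [{"Main": false, "SubnetId": "subnet-0public"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
  {"RouteTableId": "rtb-0private", "VpcId": "vpc-0example",
   "Associations": [{"Main": true}, {"Main": false, "SubnetId": "subnet-0private"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationPrefixListId": "pl-0s3", "GatewayId": "vpce-0s3gateway"}]}]}
""")


def route_table_for_subnet(route_tables, subnet_id):
    """Return the route table explicitly associated with the subnet, else the VPC's main table."""
    main = None
    for rtb in route_tables["RouteTables"]:
        for assoc in rtb["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def diagnose_s3_path(endpoints, route_tables, subnet_id, has_public_ip):
    """Return how a task in subnet_id reaches S3: 'gateway-endpoint', 'igw' or 'none'."""
    rtb = route_table_for_subnet(route_tables, subnet_id)
    if rtb is None:
        return "none"
    # An S3 gateway endpoint only helps if a route in this table points at it.
    s3_gateways = {e["VpcEndpointId"] for e in endpoints["VpcEndpoints"]
                   if e["VpcId"] == rtb["VpcId"] and e["ServiceName"].endswith(".s3")
                   and e["VpcEndpointType"] == "Gateway" and e["State"] == "available"}
    if any(r.get("GatewayId") in s3_gateways for r in rtb["Routes"]):
        return "gateway-endpoint"
    # Without an endpoint, the task needs a default route to an IGW and its own public IP.
    has_igw = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                  and str(r.get("GatewayId", "")).startswith("igw-") for r in rtb["Routes"])
    return "igw" if has_igw and has_public_ip else "none"
```

The question's situation corresponds to `subnet-0public` with `has_public_ip=False`, which yields `'none'` even though the subnet is "public".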
