Created VPC Interface Endpoint for ECR with private subnet and SG with inbound and outbound port 443 publicly accessible.
For an AWS ECS Fargate task to pull an image privately, but I am still getting an "image cannot pull" error. What am I missing?
Is the ECS task running in the same subnet as the VPCE?
Which platform version are you using? 1.4.0? https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html
Have you created both the com.amazonaws.region.ecr.dkr and the com.amazonaws.region.ecr.api endpoints, and the S3 gateway endpoint?
Amazon ECS tasks hosted on Amazon EC2 instances require both Amazon ECR endpoints and the Amazon S3 gateway endpoint.
Amazon ECS tasks hosted on Fargate using platform version 1.4.0 or later require both Amazon ECR VPC endpoints and the Amazon S3 gateway endpoints.
Amazon ECS tasks hosted on Fargate that use platform version 1.3.0 or earlier only require the com.amazonaws.region.ecr.dkr Amazon ECR VPC endpoint and the Amazon S3 gateway endpoints.
I am using 1.4.0 and created the VPC endpoint ecr.api.
The SG of the VPC endpoint allows inbound/outbound 443 publicly.
The issue is that when my cluster SG's outbound port 443 is public, everything works, but I want to restrict it, and when I do I receive an error.
As the documentation says, you need all 3 endpoints: S3 gateway, ecr.dkr and ecr.api.
The SG attached to the VPCE should be inbound: 443 from the VPC CIDR, outbound: 443 to 0.0.0.0/0.
And what about the inbound and outbound SG rules of the Fargate cluster?
Outbound: 443 to the SG of the VPCE.
Inbound: based on your application and security requirements.
Stopped reason CannotPullContainerError: ref pull has been retried 5 time(s): failed to copy: httpReadSeeker: failed open: failed to do request: Get https://prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com/9286c6-384425088922-28bed518-d0c5-e2bd-6c3a-55…
Getting this error now.
OK, so now I enabled the S3 prefix for port 443 in the outbound rules of the cluster SG.
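The three states this thread passes through (only ecr.api created; all three endpoints but the task SG allowing 443 only to the VPCE SG; finally the S3 prefix list added) can be checked offline with a small audit of the private-pull path. The following is an added example, not code from the thread or from AWS; it models the endpoint and security-group rules the replies describe as plain Python data and flags what is missing. The region, VPC CIDR, security group ids and the S3 prefix list id are constructed placeholders, and the version rule mirrors the quoted documentation: platform version 1.4.0 and later needs ecr.api, ecr.dkr and the S3 gateway endpoint, while earlier versions need only ecr.dkr and S3. The last check exists because a gateway endpoint has no ENI: the layer download goes to S3's public address range, so a task SG rule that only references the VPCE security group does not cover it, which is exactly the S3 URL in the CannotPullContainerError above.

```python
from dataclasses import dataclass

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class SgRule:
    direction: str   # "inbound" or "outbound"
    port: int
    peer: str        # CIDR block, security group id ("sg-...") or prefix list id ("pl-...")


@dataclass(frozen=True)
class PullPathConfig:
    region: str
    platform_version: str      # Fargate platform version, e.g. "1.4.0"
    vpc_cidr: str
    endpoints: frozenset       # service names of the interface/gateway endpoints present
    vpce_sg_id: str            # SG attached to the ECR interface endpoints
    vpce_sg_rules: tuple
    task_sg_rules: tuple       # SG attached to the Fargate tasks
    s3_prefix_list_id: str     # AWS-managed prefix list for S3 in this region


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def required_endpoints(region, platform_version):
    """Endpoints needed for a private pull, per the ECR VPC endpoint docs quoted above."""
    needed = {f"com.amazonaws.{region}.ecr.dkr", f"com.amazonaws.{region}.s3"}
    if version_tuple(platform_version) >= (1, 4, 0):
        needed.add(f"com.amazonaws.{region}.ecr.api")
    return needed


def allows(rules, direction, port, peers):
    """True if some rule opens `port` in `direction` to one of `peers` or to 0.0.0.0/0."""
    return any(r.direction == direction and r.port == port and r.peer in (*peers, ANY)
               for r in rules)


def audit(cfg):
    """Return a list of findings; an empty list means the pull path is complete."""
    findings = []
    missing = required_endpoints(cfg.region, cfg.platform_version) - set(cfg.endpoints)
    findings.extend(f"missing endpoint {svc}" for svc in sorted(missing))
    if not allows(cfg.vpce_sg_rules, "inbound", 443, (cfg.vpc_cidr,)):
        findings.append("VPCE SG: no inbound 443 from VPC CIDR")
    if not allows(cfg.task_sg_rules, "outbound", 443, (cfg.vpce_sg_id,)):
        findings.append("task SG: no outbound 443 to VPCE SG")
    # Gateway endpoints route via the S3 prefix list, not via the VPCE security group.
    if not allows(cfg.task_sg_rules, "outbound", 443, (cfg.s3_prefix_list_id,)):
        findings.append("task SG: no outbound 443 to the S3 prefix list (layer download)")
    return findings


# Constructed placeholders for the examples below (not real resource ids).
REGION = "us-west-2"
VPC_CIDR = "10.0.0.0/16"
VPCE_SG = "sg-0vpceplaceholder"
S3_PREFIX_LIST = "pl-0s3placeholder"
VPCE_RULES = (SgRule("inbound", 443, VPC_CIDR), SgRule("outbound", 443, ANY))
ALL_ENDPOINTS = frozenset({f"com.amazonaws.{REGION}.ecr.api",
                           f"com.amazonaws.{REGION}.ecr.dkr",
                           f"com.amazonaws.{REGION}.s3"})

# State 1: only ecr.api exists and the task SG reaches only the VPCE SG.
INITIAL = PullPathConfig(REGION, "1.4.0", VPC_CIDR,
                         frozenset({f"com.amazonaws.{REGION}.ecr.api"}),
                         VPCE_SG, VPCE_RULES, (SgRule("outbound", 443, VPCE_SG),), S3_PREFIX_LIST)

# State 2: all three endpoints, but layer downloads from S3 are still blocked.
THREE_ENDPOINTS = PullPathConfig(REGION, "1.4.0", VPC_CIDR, ALL_ENDPOINTS,
                                 VPCE_SG, VPCE_RULES, (SgRule("outbound", 443, VPCE_SG),),
                                 S3_PREFIX_LIST)

# State 3: outbound 443 to the S3 prefix list added to the task SG.
FIXED = PullPathConfig(REGION, "1.4.0", VPC_CIDR, ALL_ENDPOINTS, VPCE_SG, VPCE_RULES,
                       (SgRule("outbound", 443, VPCE_SG), SgRule("outbound", 443, S3_PREFIX_LIST)),
                       S3_PREFIX_LIST)

if __name__ == "__main__":
    for name, cfg in (("initial", INITIAL), ("three endpoints", THREE_ENDPOINTS), ("fixed", FIXED)):
        print(name, "->", audit(cfg) or "OK")
```

Because `audit` works on the data model rather than on live AWS resources, it can be fed from `describe-vpc-endpoints` / `describe-security-groups` output or from a Terraform plan before anything is deployed; the same checks apply to a platform version below 1.4.0, where `required_endpoints` drops ecr.api.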