'Image cannot pull' error with Fargate

Created VPC Interface Endpoint for ECR with private subnet and SG with inbound and outbound port 443 publicly accessible.
For AWS ECS Fargate task to pull image privately, but still i am getting Image cannot pull error? :confused: What am I missing?

ECS task is running in the same Subnet as the VPCE?

Which platform version are you using? 1.4.0? https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html

Have you created both the com.amazonaws.region.ecr.dkr and the com.amazonaws.region.ecr.api and the S3 gateway endpoint?

Amazon ECS tasks hosted on Amazon EC2 instances require both Amazon ECR endpoints and the Amazon S3 gateway endpoint.
Amazon ECS tasks hosted on Fargate using platform version 1.4.0 or later require both Amazon ECR VPC endpoints and the Amazon S3 gateway endpoints.
Amazon ECS tasks hosted on Fargate that use platform version 1.3.0 or earlier only require the com.amazonaws.region.ecr.dkr Amazon ECR VPC endpoint and the Amazon S3 gateway endpoints.

I am using 1.4.0 and create VPC Endpoint ecr.api

SG of VPC EP inbound/outbound 443 is allowed publicly

Issue is that when SG of my cluster outbound port 443 is public everything works but I want to restrict it and when i do I receive error

As the documentation says, you need all 3 endpoints. S3 gateway, ecr.dkr and ecr.api
The SG attached to the VPCE should be inbound:443 from the VPC CIDR, outbound:443

And and what about inbound and outbound SG of fargate cluster

Outbound:443 to the SG of the VPCE
inbound - based on your application and security requirements

Stopped reason CannotPullContainerError: ref pull has been retried 5 time(s): failed to copy: httpReadSeeker: failed open: failed to do request: Get https://prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com/9286c6-384425088922-28bed518-d0c5-e2bd-6c3a-55

getting this error now

Ok so now I enabled s3 prefix for port 443 in outbound of SG cluster