
We have a Fargate service that should be exposed to the internet via a load balancer. Since for tests we had so far used the task's random public IP, we decided to disable the public IP, so that the service's task is accessible via the load balancer only.

Disabling the public IP, though, seems to make the container inside Fargate unable to download the env file from S3. The strange thing is that the image from ECR is pulled, but the task fails when it tries to get the env file.

According to this: https://aws.amazon.com/premiumsupport/knowledge-center/ecs-task-environment-variables/

If your ECS task is in a public subnet, verify the following: Be sure that task has a public IP address enabled.

The service is in a public subnet, so according to this we should have the public IP.

Is there a reason for this, since the public subnet should in itself have access to the internet? And why does the ECR pull work anyway?

Thanks

Ncifra

1 Answer


You said you disabled the public IP. A container / server needs a public IP to reach S3 through the internet gateway.

If you want to access S3 without a public IP use an S3 VPC endpoint.

Tim
  • But shouldn't the ECR pull fail for the same reason? And isn't a public subnet a network with access to the internet (hence "public")? – Ncifra Jun 22 '22 at 08:19
  • From memory (I could be wrong on this point), the ECR container image pull is done by the ECS service, which has access to ECR. Or maybe there's a VPC endpoint there. I haven't done containers for a while and remember something a bit like that. A resource without a public IP cannot access the internet; that's the way AWS works. – Tim Jun 22 '22 at 09:52
  • I did some checks and we do indeed have an endpoint for S3 (but not for ECR) in this VPC. Most likely the ECR pull is done by the service, so the task is run after the image is pulled, but I still don't know why S3 doesn't work without the public IP. – Ncifra Jun 22 '22 at 14:11
  • Is your S3 endpoint a gateway or interface type? If it's a gateway endpoint, is it in the route table? S3 is generally a public service, and you can't get to the internet without a public IP; that's just the way AWS works. – Tim Jun 22 '22 at 18:58
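The last comment boils down to three checks: does the VPC have an S3 endpoint, is it the gateway type, and is that gateway in the route table of the subnet the task actually runs in. The script below, an added example that is not part of the original question or answer, performs exactly those checks offline against the JSON shapes that `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints` return. The embedded route tables, endpoint, subnet IDs and region are constructed sample data, not output from the asker's account; the subnet-to-VPC mapping is assumed to have been filtered to one VPC before the data was captured.

```python
"""Offline check of the network path a Fargate task has to S3.

Walks the JSON returned by `aws ec2 describe-route-tables` and
`aws ec2 describe-vpc-endpoints` and reports whether a task in a given
subnet, with or without a public IP, has any route to S3.
All identifiers below are constructed sample data, not real account output.
"""
import json

REGION = "eu-west-1"
PUBLIC_SUBNET = "subnet-0aaa"   # "public": default route points at an IGW
PRIVATE_SUBNET = "subnet-0bbb"  # no explicit association -> uses the main table

# Constructed: one VPC, two route tables. The S3 gateway endpoint is attached
# only to the main (private) table, not to the public subnet's table.
ROUTE_TABLES = json.loads("""
{"RouteTables": [
 {"RouteTableId": "rtb-0pub", "VpcId": "vpc-0111",
  "Associations": [{"Main": false, "SubnetId": "subnet-0aaa", "RouteTableId": "rtb-0pub"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0222", "State": "active"}]},
 {"RouteTableId": "rtb-0priv", "VpcId": "vpc-0111",
  "Associations": [{"Main": true, "RouteTableId": "rtb-0priv"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationPrefixListId": "pl-0333", "GatewayId": "vpce-0444", "State": "active"}]}
]}""")

VPC_ENDPOINTS = json.loads("""
{"VpcEndpoints": [
 {"VpcEndpointId": "vpce-0444", "VpcEndpointType": "Gateway", "VpcId": "vpc-0111",
  "ServiceName": "com.amazonaws.eu-west-1.s3", "State": "available",
  "RouteTableIds": ["rtb-0priv"]}
]}""")


def route_table_for_subnet(route_tables, subnet_id):
    """Route table a subnet uses: its explicit association, else the main table.

    Assumes the input covers a single VPC, because describe-route-tables does
    not say which VPC an unassociated subnet belongs to.
    """
    main = None
    for rtb in route_tables["RouteTables"]:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def s3_gateway_endpoint_ids(endpoints, region):
    """IDs of available S3 gateway endpoints in the region.

    Interface endpoints are deliberately ignored: they are reached by DNS name
    and never appear as a route-table target, so this check cannot vouch for them.
    """
    service = f"com.amazonaws.{region}.s3"
    return {
        ep["VpcEndpointId"]
        for ep in endpoints["VpcEndpoints"]
        if ep.get("VpcEndpointType") == "Gateway"
        and ep.get("ServiceName") == service
        and ep.get("State") == "available"
    }


def diagnose(route_tables, endpoints, subnet_id, region, has_public_ip):
    """Classify how (or whether) a task in subnet_id can reach S3."""
    rtb = route_table_for_subnet(route_tables, subnet_id)
    if rtb is None:
        return {"route_table": None, "path": None, "reachable": False,
                "reason": "no route table found for subnet"}
    routes = [r for r in rtb.get("Routes", []) if r.get("State") == "active"]
    default = [r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    has_igw = any(r.get("GatewayId", "").startswith("igw-") for r in default)
    has_nat = any(r.get("NatGatewayId", "").startswith("nat-") for r in default)
    # A gateway endpoint appears as a route whose target is the vpce-id and
    # whose destination is the S3 prefix list.
    s3_vpce = s3_gateway_endpoint_ids(endpoints, region)
    has_s3_route = any(r.get("GatewayId") in s3_vpce for r in routes)

    result = {"route_table": rtb["RouteTableId"], "reachable": True}
    if has_s3_route:
        result.update(path="s3-gateway-endpoint",
                      reason="S3 prefix list is routed to the gateway endpoint")
    elif has_nat:
        result.update(path="nat-gateway", reason="default route via NAT; no public IP needed")
    elif has_igw and has_public_ip:
        result.update(path="internet-gateway",
                      reason="default route via IGW and the task has a public IP")
    elif has_igw:
        result.update(path=None, reachable=False,
                      reason="default route via IGW, but an IGW only forwards traffic for "
                             "ENIs with a public IP; attach the S3 gateway endpoint to "
                             "this route table or add a NAT gateway")
    else:
        result.update(path=None, reachable=False,
                      reason="no default route and no S3 endpoint route")
    return result


if __name__ == "__main__":
    for subnet, pub in [(PUBLIC_SUBNET, True), (PUBLIC_SUBNET, False), (PRIVATE_SUBNET, False)]:
        print(subnet, f"public_ip={pub}", diagnose(ROUTE_TABLES, VPC_ENDPOINTS, subnet, REGION, pub))
```

Run against the sample data, the "public" subnet reaches S3 only while the task keeps a public IP, which is the asker's symptom: the route to the internet gateway is still there, but the IGW has nothing to translate for an ENI with only a private address. The main table, which does carry the S3 prefix-list route, reaches S3 with no public IP at all. To use it on a real account, replace the two JSON literals with the output of the corresponding CLI calls for the VPC, and pass the subnet from the service's network configuration.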