3
votes

My VPC consists of 2 public and 2 private subnets, the private subnets having a NAT gateway to access the internet. My Docker instance is running in a private subnet; it receives external URLs (http://commondatastorage.googleapis.com/gtv-videos-bucket/sample/BigBuckBunny.mp4) as input, downloads the content/file and stores the files in S3.

I have an application load balancer set up in the public subnet that connects to the Fargate instance.

When I try to run it, the logs say NAME cannot be resolved commondatastorage.googleapis.com

I understand that Docker does not have an internet connection.

What am I doing wrong here and what needs to be corrected?

PS: While creating the Fargate service I DISABLED Auto Assign Public IP, as the instance should be in the private subnet.

1
Can you check the security group of the Fargate task and make sure your outbound rules are appropriate and not blocking anything? – bluescores

@bluescores no problem with security groups, currently allowing all traffic 0.0.0.0/0 – gurusai

ALB private subnet and container private subnet are both in the same AZ? – bluescores

@bluescores ALB expects two AZs and I added both public subnets to the ALB. I have not added any private subnet to the ALB. – gurusai

1 Answer

3
votes

You probably already checked the AWS page about "Task Networking in AWS Fargate".

The key to being able to reach the internet is a NAT, so if it's not working you should start there when checking for errors. You can see how important it is from the following description, taken from the page I linked:

In this configuration, the tasks can still communicate to other servers on the internet via the NAT gateway. They would appear to have the IP address of the NAT gateway to the recipient of the communication. If you run a Fargate task in a private subnet, you must add this NAT gateway. Otherwise, Fargate can’t make a network request to Amazon ECR to download the container image, or communicate with Amazon CloudWatch to store container metrics.

If the NAT for some reason is not working, another approach could be to ENABLE Auto Assign Public IP, but define a security group that blocks any attempt to connect to your tasks in the private VPC. In this way the task will be able to reach the DNS server required to resolve commondatastorage.googleapis.com.
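One way to check the route-table side of the NAT requirement described in the answer, added here as an example and not taken from the answer or from AWS: it walks the private subnet's default route to the NAT gateway and then checks that the NAT itself sits in a subnet whose default route goes to an internet gateway. It assumes input in the dict shape of the `aws ec2 describe-route-tables` and `describe-nat-gateways` CLI output; all subnet, route-table, NAT and IGW IDs below are constructed.

```python
"""Offline checker for the NAT path a Fargate task in a private subnet needs. Input follows the
JSON shape of `describe-route-tables` / `describe-nat-gateways`; every ID below is constructed."""

def route_table_for(subnet_id, route_tables):
    """Route table explicitly associated with the subnet, else the VPC's main table (or None)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def default_route(rt):
    """The active 0.0.0.0/0 route of a table, or None (blackhole routes are ignored)."""
    for r in rt.get("Routes", []) if rt else []:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State", "active") == "active":
            return r
    return None

def diagnose(task_subnet, route_tables, nat_gateways):
    """Return findings as strings; an empty list means the subnet has a usable NAT path out."""
    route = default_route(route_table_for(task_subnet, route_tables))
    if route is None:
        return [f"{task_subnet}: no active 0.0.0.0/0 route, so the task cannot reach DNS or the internet"]
    if str(route.get("GatewayId", "")).startswith("igw-"):
        return [f"{task_subnet}: default route targets an internet gateway, but a task with no public IP needs a NAT"]
    nat_id = route.get("NatGatewayId")
    if not nat_id:
        return [f"{task_subnet}: default route target {route} is not a NAT gateway"]
    nat = next((n for n in nat_gateways if n.get("NatGatewayId") == nat_id), None)
    if nat is None or nat.get("State") != "available":
        return [f"{nat_id}: NAT gateway missing or not in 'available' state"]
    # The NAT itself must be in a public subnet, i.e. one whose table sends 0.0.0.0/0 to an IGW.
    nat_route = default_route(route_table_for(nat["SubnetId"], route_tables))
    if not nat_route or not str(nat_route.get("GatewayId", "")).startswith("igw-"):
        return [f"{nat_id}: subnet {nat['SubnetId']} has no 0.0.0.0/0 -> igw route; NAT must live in a public subnet"]
    return []

# Constructed sample: a public subnet behind an IGW, and a private subnet with / without a NAT route.
RT_PUBLIC = {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub-a"}],
             "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}
RT_PRIVATE_OK = {"RouteTableId": "rtb-priv-ok", "Associations": [{"SubnetId": "subnet-priv-a"}],
                 "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]}
RT_PRIVATE_BAD = {"RouteTableId": "rtb-priv-bad", "Associations": [{"SubnetId": "subnet-priv-a"}],
                  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
NAT_GATEWAYS = [{"NatGatewayId": "nat-0example", "SubnetId": "subnet-pub-a", "State": "available"}]
```

Calling `diagnose("subnet-priv-a", [RT_PUBLIC, RT_PRIVATE_BAD], NAT_GATEWAYS)` reproduces the question's situation (a private subnet with no default route), while swapping in `RT_PRIVATE_OK` returns no findings.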