
ECS Service: can't pull Docker image from ECR registry without assigning a public IP to service tasks


I have the following CloudFormation stack, which defines an ECS Service:

```yaml
ApiService:
    Type: AWS::ECS::Service
    DependsOn:
      - LoadBalancerListener80
      - LoadBalancerListener443
    Properties:
      Cluster: !Ref EcsClusterArn
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 100
      DeploymentController:
        Type: ECS
      DesiredCount: 1
      HealthCheckGracePeriodSeconds: 10
      LaunchType: FARGATE
      LoadBalancers:
        - ContainerName: !Join ['-', ['container', !Ref AWS::StackName]]
          ContainerPort: !Ref Port
          TargetGroupArn: !Ref LoadBalancerTargetGroup
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED # <-- if disabled, pulling from ecr registry fails
          SecurityGroups:
            - !Ref ApiServiceContainerSecurityGroup
          Subnets: !Ref Subnets
      SchedulingStrategy: REPLICA
      ServiceName: !Ref AWS::StackName
      TaskDefinition: !Ref ApiServiceTaskDefinition
```

I've noticed that without enabling public IP auto-assign, service tasks are unable to pull the Docker image from the ECR registry. I don't understand why I need containers to have a public IP to pull images from the registry... the service security group allows all outbound traffic, the subnets can access the internet through an internet gateway and the IAM role allows pulling from ECR... so why the need for a public IP? I don't want my containers to have a public IP; they should be reachable only inside the VPC. Or have I misunderstood, and it's only the task that will receive a public IP (for whatever reason) while containers will still be private inside the VPC?


Solution

"the IAM role allows pulling from ECR"

The IAM role just gives it permission; it doesn't provide a network connection.

"the subnets can access the internet through an internet gateway"

I think you'll find that the Internet Gateway only provides Internet access to resources with a public IP assigned to them.

ECR is a service that exists outside your VPC, so you need one of the following for the network connection to ECR to be established:

1. Public IP.
2. NAT Gateway, with a route to the NAT Gateway in the subnet.
3. ECR Interface VPC Endpoint, with a route to the endpoint in the subnet.
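The third option above, written out as a CloudFormation fragment. This is an added example, not code from the question or the answer: it keeps `AssignPublicIp: DISABLED` and instead gives the private subnets a path to ECR through VPC endpoints. `EcsClusterArn`, `ApiServiceTaskDefinition`, `Subnets` and `ApiServiceContainerSecurityGroup` are the question's own names; `VpcId`, `PrivateRouteTableIds`, `EndpointSecurityGroup` and the `*Endpoint` resources are assumed and would need to match your template.

```yaml
# Added example, not code from the question or the answer above.
# Assumed names (not on the original page): VpcId, PrivateRouteTableIds,
# EndpointSecurityGroup and the *Endpoint resources. The remaining names
# (Subnets, EcsClusterArn, ApiServiceTaskDefinition,
# ApiServiceContainerSecurityGroup) are the question's own.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  Subnets:
    Type: List<AWS::EC2::Subnet::Id>   # private subnets the tasks run in
  PrivateRouteTableIds:
    Type: List<String>                 # route tables of those subnets (assumed)

Resources:
  # Endpoint ENIs accept HTTPS only from the task security group, so the
  # private path to ECR is scoped to the tasks that actually need it.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from ECS tasks to interface endpoints
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref ApiServiceContainerSecurityGroup

  # ecr.api: registry authentication (GetAuthorizationToken) and manifest metadata.
  EcrApiEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecr.api
      VpcId: !Ref VpcId
      SubnetIds: !Ref Subnets
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      PrivateDnsEnabled: true   # ECR hostnames resolve to the endpoint ENIs

  # ecr.dkr: the Docker registry traffic for the pull itself.
  EcrDkrEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecr.dkr
      VpcId: !Ref VpcId
      SubnetIds: !Ref Subnets
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      PrivateDnsEnabled: true

  # Image layers are downloaded from S3, so a gateway endpoint is needed too;
  # it is attached to the private subnets' route tables rather than to ENIs.
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      VpcId: !Ref VpcId
      RouteTableIds: !Ref PrivateRouteTableIds

  # Tasks using the awslogs log driver also need CloudWatch Logs reachable.
  LogsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.logs
      VpcId: !Ref VpcId
      SubnetIds: !Ref Subnets
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      PrivateDnsEnabled: true

  # The question's service with no public IP. LoadBalancers and the other
  # properties from the question are unchanged and omitted here; the
  # endpoints must exist before the first task tries to pull.
  ApiService:
    Type: AWS::ECS::Service
    DependsOn:
      - EcrApiEndpoint
      - EcrDkrEndpoint
      - S3Endpoint
      - LogsEndpoint
    Properties:
      Cluster: !Ref EcsClusterArn
      LaunchType: FARGATE
      DesiredCount: 1
      TaskDefinition: !Ref ApiServiceTaskDefinition
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED   # tasks stay private inside the VPC
          SecurityGroups:
            - !Ref ApiServiceContainerSecurityGroup
          Subnets: !Ref Subnets
```

`PrivateDnsEnabled: true` only works when the VPC has DNS support and DNS hostnames enabled; without it the ECR hostnames keep resolving to public addresses and the pull fails exactly as it did before. The endpoints are regional, so an image in a repository in another region is not reachable through them. Compared with the NAT Gateway option, this keeps the pull traffic inside the AWS network and lets an endpoint policy restrict which repositories the tasks may reach, which is also why the endpoint security group admits only the task security group on 443.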