Cannot get response from deployed AWS Fargate?

Okay, I've followed the docs on How to create Task Definition using AWS console. I also created a cluster before creating Task Definition. Task (i.e. the container) is running using provided image URI which is on ECR. I can see logs nicely on CloudWatch as well as in ECS itself.

When I go to:

Amazon Elastic Container Service -> Clusters -> AwsTutorialECSCluster -> Tasks -> myTaskId -> Configuration

I can see public IP. The application in question is simple Spring Boot app with default settings.

public class AwsTutorialApplication {

    public static void main(String[] args) {, args);

    public String helloAws(){
        return "Hello from AWS!";


I cannot get response when I try any of the following:


While creating Task definition I also added the Role with managed policy: AwsTutorialECS_FullAccess_Role

I will pass json Task definition:

"taskDefinitionArn": "arn:aws:ecs:eu-central-1:myAccount:task-definition/NewTaskDefinition:1",
        "containerDefinitions": [
                "name": "spring-boot-container",
                "image": "",
                "cpu": 0,
                "memory": 3072,
                "portMappings": [
                        "name": "spring-boot-container-8080-tcp",
                        "containerPort": 8080,
                        "hostPort": 8080,
                        "protocol": "tcp",
                        "appProtocol": "http"
                "essential": true,
                "environment": [],
                "environmentFiles": [],
                "mountPoints": [],
                "volumesFrom": [],
                "logConfiguration": {
                    "logDriver": "awslogs",
                    "options": {
                        "awslogs-create-group": "true",
                        "awslogs-group": "/ecs/NewTaskDefinition",
                        "awslogs-region": "eu-central-1",
                        "awslogs-stream-prefix": "ecs"
        "family": "NewTaskDefinition",
        "taskRoleArn": "arn:aws:iam::myAccount:role/AwsTutorialECS_FullAccess_Role",
        "executionRoleArn": "arn:aws:iam::myAccount:role/ecsTaskExecutionRole",
        "networkMode": "awsvpc",
        "revision": 1,
        "volumes": [],
        "status": "ACTIVE",
        "requiresAttributes": [
                "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
                "name": "ecs.capability.execution-role-awslogs"
                "name": "com.amazonaws.ecs.capability.ecr-auth"
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
                "name": "com.amazonaws.ecs.capability.task-iam-role"
                "name": "ecs.capability.execution-role-ecr-pull"
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
                "name": "ecs.capability.task-eni"
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.29"
        "placementConstraints": [],
        "compatibilities": [
        "requiresCompatibilities": [
        "cpu": "1024",
        "memory": "3072",
        "runtimePlatform": {
            "cpuArchitecture": "X86_64",
            "operatingSystemFamily": "LINUX"
        "registeredAt": "2023-03-21T18:20:52.034Z",
        "registeredBy": "arn:aws:iam::accountiD:user/myUserName",
        "tags": []

User has AdministratorAccess IAM role.

Why is this so complicated?!?

Update 1:

Based on the comments for security groups. I delete Task Definition, unregistered and stop Task. Recreated everything again. When I go to Deploy -> Run Task:

Still cannot hit an endpoint. Also, I disabled cors with @CrossOrigin and:

public class Config implements WebMvcConfigurer {

    public void addCorsMappings(CorsRegistry registry) {


  • You have HTTP port 80 open in the security group. You are selecting HTTP because you are using the HTTP protocol, but you aren't using the standard HTTP port (80), you are using port 8080 instead. So selecting HTTP which is just a shortcut for port 80 is not going to work for you. You have to add a TCP rule to your security group with port 8080 to allow the traffic to your service.

    Note that there is no reason to recreate everything just to get to that screen again. You can go into the EC2 section of the AWS console, find the security group there, and just add a new inbound rule for port 8080.