I've created a cluster, VPC, subnet and a Fargate service using the first run wizard of ECS on AWS console and uploaded the image on ECR and deployed successfully.
Now I need the service to access a remote database, so I need to add the IP to the firewall's whitelist. I allocated an Elastic IP, created a NAT Gateway and updated the route table following this tutorial.
I stopped the task and tried to run it again. But then I could not pull the image from ECR to run a new task, which failed with the following error message:
CannotPullContainerError: Error response from daemon: Get https://account-id.dkr.ecr.sa-east-1.amazonaws.com/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
My setup:
- VPC with CIDR 10.0.0.0/16 (automatically created on ECS wizard)
- Subnet with the following route table:

| Destination | Target |
|-------------|--------|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | nat-<nat-id> |

- NAT Gateway on the VPC and subnets that were created by the ECS wizard, with the Elastic IP I allocated.
Currently, I'm allowing all traffic in both inbound and outbound rules:
| Type | Protocol | Port range | Source | Description - optional |
|------|----------|------------|-----------|------------------------|
| All | All | All | 0.0.0.0/0 | - |
What am I missing? Is this the only way I can accomplish what I want? Is there a simpler way to achieve it? I found on Stack Overflow another way to associate an Elastic IP, by using an Application Load Balancer or Network Load Balancer. Is it a better approach?
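A NAT gateway only gives tasks a fixed egress IP if it is itself placed in a subnet whose default route goes to an internet gateway (`igw-*`); a NAT gateway sitting in the same subnet whose route table points `0.0.0.0/0` at that NAT gateway has no path out, and an ECR pull then times out exactly as above. The wide-open inbound security-group rule is unrelated to the pull, since pulling the image only needs outbound access. The following script is an added example (not the question author's code and not an AWS tool): it runs offline over dictionaries shaped like the JSON returned by `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` and reports routing inconsistencies. The two sample setups and every ID in them are constructed placeholders.

```python
"""Offline consistency check for the "Fargate task behind a NAT gateway" pattern.

Added example, not the question author's code. Input records mimic the shape of
`aws ec2 describe-route-tables` (RouteTables[]) and `aws ec2 describe-nat-gateways`
(NatGateways[]); all IDs below are constructed placeholders.
"""
from typing import Dict, List, Optional

RouteTable = Dict[str, object]
NatGateway = Dict[str, str]


def route_table_for_subnet(route_tables: List[RouteTable], subnet_id: str) -> Optional[RouteTable]:
    """Return the route table explicitly associated with subnet_id, or None
    (a subnet without an explicit association uses the VPC's main table)."""
    for rt in route_tables:
        for assoc in rt.get("Associations", []):  # type: ignore[union-attr]
            if assoc.get("SubnetId") == subnet_id:
                return rt
    return None


def default_route(rt: RouteTable) -> Optional[Dict[str, str]]:
    """Return the 0.0.0.0/0 route of a route table, if it has one."""
    for route in rt.get("Routes", []):  # type: ignore[union-attr]
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def diagnose(route_tables: List[RouteTable], nat_gateways: List[NatGateway],
             task_subnet_id: str) -> List[str]:
    """Return findings for the subnet the Fargate task runs in.

    An empty list means: the task subnet defaults to a NAT gateway, that NAT
    gateway is available, and it lives in a subnet whose default route is an
    internet gateway. Each finding is a plain string for the operator."""
    task_rt = route_table_for_subnet(route_tables, task_subnet_id)
    if task_rt is None:
        return [f"{task_subnet_id}: no explicit route table; inspect the VPC main table"]
    task_default = default_route(task_rt)
    if task_default is None:
        return [f"{task_subnet_id}: no 0.0.0.0/0 route, so the public ECR endpoint is unreachable"]
    nat_id = task_default.get("NatGatewayId")
    if not nat_id:
        return [f"{task_subnet_id}: 0.0.0.0/0 targets {task_default.get('GatewayId')}, not a NAT gateway"]
    nat = next((n for n in nat_gateways if n.get("NatGatewayId") == nat_id), None)
    if nat is None:
        return [f"{nat_id}: referenced by the route table but not found"]

    findings: List[str] = []
    if nat.get("State") != "available":
        findings.append(f"{nat_id}: state is {nat.get('State')!r}, not 'available'")
    nat_subnet = nat["SubnetId"]
    if nat_subnet == task_subnet_id:
        findings.append(f"{nat_id}: placed in the task subnet {task_subnet_id}; "
                        "its outbound traffic would route back to itself")
    nat_rt = route_table_for_subnet(route_tables, nat_subnet)
    nat_default = default_route(nat_rt) if nat_rt else None
    if nat_default is None or not str(nat_default.get("GatewayId", "")).startswith("igw-"):
        findings.append(f"{nat_subnet}: NAT gateway subnet has no 0.0.0.0/0 -> igw-* route, "
                        "so the NAT gateway itself cannot reach the internet")
    return findings


# Constructed sample 1: the single wizard-created subnet routes 0.0.0.0/0 to a NAT
# gateway that was placed in that very subnet; no internet gateway route exists.
BROKEN_ROUTE_TABLES: List[RouteTable] = [
    {"RouteTableId": "rtb-EXAMPLE1",
     "Associations": [{"SubnetId": "subnet-ecs-EXAMPLE"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
]
BROKEN_NAT_GATEWAYS: List[NatGateway] = [
    {"NatGatewayId": "nat-EXAMPLE", "SubnetId": "subnet-ecs-EXAMPLE", "State": "available"},
]

# Constructed sample 2: same task subnet, but the NAT gateway sits in a separate
# public subnet whose default route is an internet gateway.
FIXED_ROUTE_TABLES: List[RouteTable] = [
    BROKEN_ROUTE_TABLES[0],
    {"RouteTableId": "rtb-EXAMPLE2",
     "Associations": [{"SubnetId": "subnet-public-EXAMPLE"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
]
FIXED_NAT_GATEWAYS: List[NatGateway] = [
    {"NatGatewayId": "nat-EXAMPLE", "SubnetId": "subnet-public-EXAMPLE", "State": "available"},
]

if __name__ == "__main__":
    for label, rts, nats in (("broken", BROKEN_ROUTE_TABLES, BROKEN_NAT_GATEWAYS),
                             ("fixed", FIXED_ROUTE_TABLES, FIXED_NAT_GATEWAYS)):
        print(label, diagnose(rts, nats, "subnet-ecs-EXAMPLE") or ["routing looks consistent"])
```

To run it against a real account, replace the constructed lists with the `RouteTables` and `NatGateways` arrays from the two `aws ec2 describe-*` calls (filtered to the VPC in question) and pass the subnet ID the Fargate service launches into.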