
I'm trying to deploy containers to a private network Fargate cluster on AWS. I do have an Internet Gateway on my single VPC:

[screenshot: Internet Gateway]

And I do have a NAT Gateway for that particular subnet in the very same VPC where my cluster/services live:

[screenshot: NAT Gateway]

Routing seems OK for that Subnet as well:

[screenshot: Subnet route]

And the security group for the service do not block any incoming connection:

[screenshot: Security Groups]

[screenshot: Security Groups Inbound]

But my containers don't even start with the infamous exception:

CannotPullContainerError: Error response from daemon: Get https://registry-name/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

Why? Thanks.

Hasan Can Saral

1 Answer


You don't have the subnet configured to use the NAT gateway. Your routing table currently sends traffic directly to the IGW, which makes the subnet a public subnet, not a private subnet, which means anything in that subnet would need to have a public IP assigned to it. NAT Gateways existing in the same subnet as other resources don't magically give those resources Internet access, you have to configure your routing tables appropriately.

Your network needs to be configured like this:

Public Subnets:

  • IGW attached
  • NAT Gateway
  • Any other public resources that need to be accessible from the Internet, such as a public load balancer.

Private Subnets:

  • A route to the NAT Gateway in the public subnet. No route to the IGW.

Mark B
  • Thanks, can you be a bit more specific as to what I need to do? I'm a bit puzzled since I thought I only had private subnets. – Hasan Can Saral Oct 16 '20 at 13:15
  • You need to create 2 sets of subnets in your VPC, public and private. The public subnets are the ones with a direct route to the Internet, via the Internet Gateway. This is all you currently have. To use the Internet Gateway a resource needs a public IP assigned to it, and then it can access the Internet Directly, through the IGW, using its public IP. Then create some private subnets. A private subnet is a subnet that does NOT have an IGW attached to it. A private subnet uses a route to a NAT Gateway to provide outgoing Internet access to the resources inside it. – Mark B Oct 16 '20 at 13:19
  • I see. Then having an igw and not having a public IP address for the service on that subnet is doomed to be offline? – Hasan Can Saral Oct 16 '20 at 13:24
  • @HasanCanSaral yes exactly. In that scenario that resource only has access to resources in the VPC, and can never access anything outside of the VPC. – Mark B Oct 16 '20 at 13:25
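The public/private/isolated distinction the answer describes can be checked mechanically from a subnet's route table before a task is launched. The following is an added example, not code from the question or answer: it mirrors the route-entry shape returned by boto3's `describe_route_tables` but uses constructed sample IDs, and it models the Fargate `assignPublicIp` setting as a plain boolean.

```python
"""Classify subnets from their default route and flag the failure mode from
the question: a task with no public IP placed in a subnet whose 0.0.0.0/0
route points at an Internet Gateway instead of a NAT Gateway."""

# Constructed sample data in the shape of boto3 route entries; the IDs are
# placeholders, not real AWS resources.
SAMPLE_ROUTE_TABLES = {
    "subnet-public-example": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
    ],
    "subnet-private-example": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
    ],
    "subnet-isolated-example": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    ],
}


def classify_subnet(routes):
    """Return 'public', 'private' or 'isolated' based on the 0.0.0.0/0 route."""
    for route in routes:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"          # direct IGW route: needs a public IP
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private"         # egress via NAT Gateway, no public IP needed
    return "isolated"                # no default route at all


def can_reach_registry(routes, assign_public_ip):
    """True only for public subnet + public IP, or private subnet behind NAT."""
    kind = classify_subnet(routes)
    return kind == "private" or (kind == "public" and assign_public_ip)


def check_task_placement(subnet_id, assign_public_ip, tables=SAMPLE_ROUTE_TABLES):
    """Human-readable verdict for one task placement (hypothetical helper)."""
    routes = tables[subnet_id]
    kind = classify_subnet(routes)
    if can_reach_registry(routes, assign_public_ip):
        return f"{subnet_id}: {kind} subnet, image pull can succeed"
    if kind == "public":
        return (f"{subnet_id}: public subnet with assignPublicIp disabled; "
                "no path to the registry (the scenario in the question)")
    return f"{subnet_id}: isolated subnet, no default route"


if __name__ == "__main__":
    print(check_task_placement("subnet-public-example", False))
```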