AWS Batch Timeout connecting to ECR

Asked 16/6, 2022 at 12:7 Answered 7/2, 2023 at 3:12

I get the following error running an AWS batch job:

ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post https://api.ecr.us-east-1.amazonaws.com/: dial tcp 54.239.19.155:443: i/o timeout

I am using Fargate option for the AWS batch compute environment.

My VPC contains a subnet with 'auto assign public IPv4 address', an internet gateway, and a matching route table. I thought that this might be a problem in my VPC, so to verify that, I've launched a new EC2 instance in the VPC, and run in the EC2 instance curl to https://api.ecr.us-east-1.amazonaws.com. The curl can connect without any issues.

What could be the problem?

Farlee answered 16/6, 2022 at 12:7 Comment(3)

The VPC setting "auto assign public IPv4 address" only applies to EC2 instances I believe. For Fargate tasks in ECS or Batch you need to enable the assignPublicIp setting. docs.aws.amazon.com/batch/latest/userguide/fargate.html – Martica 16/6, 2022 at 13:27

I've changed the job definition as you have specified. This solved the issue. Thanks! – Farlee 16/6, 2022 at 18:8

Since it solved the issue for you, I reposted my command as an answer. – Martica 16/6, 2022 at 18:35

The VPC setting "auto assign public IPv4 address" only applies to EC2 instances I believe. For Fargate tasks in ECS or Batch you need to enable the assignPublicIp setting.

Martica answered 16/6, 2022 at 18:35 Comment(4)

This is incorrect. A fargate task in awsvpc mode creates an elastic network interface (ENI) that is identical to the ENI of any other service, such as RDS or EC2. If you click on a fargate task that has "auto assign public IPv4 address" disabled you will see it still gets a private IPv4 address. Assigning a public IP address exhausts the pool of available addresses, makes the task more expensive, slower to start, and directly reachable for all actors on the internet. – Card 18/10, 2023 at 21:8

@Card Nothing you say is in contrast to anything in my answer. My answer is specifically about the VPC wide setting for "auto assign public IPv4 address". That specific VPC level setting only applies to EC2 instances in the VPC. Fargate tasks have their own "Assign Public IP" setting which works the same as the EC2 setting, but you have to specify it at the Fargate task level, there is no VPC-wide setting that controls that for Fargate tasks. What you are saying about how Fargate IP addresses work is not in dispute, and I did not state otherwise in my answer. – Martica 18/10, 2023 at 21:11

@Card The question was specifically asking why the VPC setting of "auto assign public IPv4 address" was not affecting the Fargate tasks. The question was not asking if it was a good idea to assign public IP addresses to Fargate tasks. If you are implying that there are absolutely zero reasons to ever assign a public IP address to a Fargate task, then I would argue that you are incorrect. – Martica 18/10, 2023 at 21:15

You're right I misread the question and apologize. – Card 18/10, 2023 at 21:17

The best answer is right. "The VPC setting "auto assign public IPv4 address" only applies to EC2 instances I believe. For Fargate tasks in ECS or Batch, you need to enable the assignPublicIp setting."

Albeit please make sure the VPC is correct first before diving into roles, tasks and policy.

To configure VPC for Fargate correctly:

The first video is the one I followed since I didn't want a load balancer. Although, I turned on the auto-generated subtitles as it's in Spanish.

Laclair answered 7/2, 2023 at 3:12 Comment(0)

Recommended topics

Hot tags