【Posted】: 2019-06-08 00:21:27
【Question】:
I am trying to create the following architecture: a VPC with two subnets (one public, containing a NatGateway and an InternetGateway, the other private).
I start a Fargate service in the private subnet, but it fails with the following error:
CannotPullContainerError: API error (500): Get https://XYZ.dkr.ecr.us-east-1.amazonaws.com/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Here is my CloudFormation template (the service is deliberately commented out, and the ECR image URL is scrambled):
Resources:
  #Network resources: VPC
  WorkflowVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/16"
      EnableDnsSupport: false
      Tags:
        - Key: Project
          Value: Workflow
  #PublicSubnet
  WorkflowPublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: "10.0.0.0/24"
      VpcId:
        Ref: WorkflowVpc
  WorkflowInternetGateway:
    Type: AWS::EC2::InternetGateway
  WorkflowVCPGatewayAttachment:
    DependsOn:
      - WorkflowInternetGateway
      - WorkflowVpc
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId:
        Ref: WorkflowInternetGateway
      VpcId:
        Ref: WorkflowVpc
  WorkflowElasticIp:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  WorkflowPublicSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: WorkflowVpc
  PublicSubnetToRouteTable:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: WorkflowPublicSubnetRouteTable
      SubnetId:
        Ref: WorkflowPublicSubnet
  WorkflowInternetRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: WorkflowPublicSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: WorkflowInternetGateway
  WorkflowNat:
    DependsOn:
      - WorkflowVCPGatewayAttachment
      - WorkflowElasticIp
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId:
        Fn::GetAtt:
          - WorkflowElasticIp
          - AllocationId
      SubnetId:
        Ref: WorkflowPublicSubnet
  #Private subnet
  WorkflowPrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: "10.0.1.0/24"
      VpcId:
        Ref: WorkflowVpc
  WorkflowPrivateSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: WorkflowVpc
  PrivateSubnetToRouteTable:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: WorkflowPrivateSubnetRouteTable
      SubnetId:
        Ref: WorkflowPrivateSubnet
  WorkflowNatRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: WorkflowPrivateSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: WorkflowNat
  #Fargate:
  WorkflowFargateTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      RequiresCompatibilities:
        - "FARGATE"
      Cpu: "256"
      Memory: "0.5GB"
      ContainerDefinitions:
        - Name: WorkflowFargateContainer
          Image: "XYZ.dkr.ecr.us-east-1.amazonaws.com/workflow:latest"
      NetworkMode: awsvpc
      ExecutionRoleArn: "arn:aws:iam::XXX:role/ecsTaskExecutionRole"
  WorkflowCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: WorkflowServiceCluster
  # WorkflowService:
  #   DependsOn:
  #     - WorkflowNatRoute
  #   Type: AWS::ECS::Service
  #   Properties:
  #     Cluster:
  #       Ref: WorkflowCluster
  #     DesiredCount: 1
  #     TaskDefinition:
  #       Ref: WorkflowFargateTask
  #     NetworkConfiguration:
  #       AwsvpcConfiguration:
  #         AssignPublicIp: DISABLED
  #         Subnets:
  #           - Ref: WorkflowPrivateSubnet
  #     LaunchType: FARGATE
I also tried AssignPublicIp: ENABLED in the public subnet, which works fine, but that is not my goal.
So, my question is: is my template OK, and is this a Fargate/ECR problem?
Also, what is the best way to debug this behaviour? CloudWatch does not seem to have any logs about this error...
【Discussion】:
-
The template looks reasonable. Add an EC2 instance to the private subnet and see whether it can connect to the Internet.
-
Thank you, Steve. I thought about that, but since it cannot be reached from the Internet, I cannot ssh into that instance. Any idea how to test whether it can reach the Internet?
-
Update: used the bastion technique to connect to my private EC2 instance. yum update -y times out on host resolution, so I cannot reach the Internet. Will try to debug it now! Many thanks, @SteveE.!!!
-
I built a VPC with your stack, with EC2 instances in both subnets, and had no problem connecting to the Internet from either. However, the NAT does take a minute to become available. That could cause your FARGATE task to fail. I suggest having two CF stacks, one for the network and one for ECS. Make sure the NAT is available first.
Tags: amazon-ecs aws-fargate aws-vpc
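The comment above reports yum timing out on host resolution, and the template sets EnableDnsSupport: false on the VPC; CloudFormation defaults that property to true, and false turns off the Amazon-provided DNS resolver for the VPC, so the ECR registry hostname cannot be resolved from either subnet. The Python below is an added template lint, not code from the question or the commenters: it runs on a JSON form of the question's template embedded as constructed sample input, flags that setting, checks that every subnet's route table carries a 0.0.0.0/0 route, and produces a corrected copy.

```python
import json
# Constructed JSON form of the question's CloudFormation template, reduced to the
# network resources the checks below read (names and values follow the question).
TEMPLATE = json.loads("""{"Resources": {
 "WorkflowVpc": {"Type": "AWS::EC2::VPC",
   "Properties": {"CidrBlock": "10.0.0.0/16", "EnableDnsSupport": false}},
 "WorkflowPublicSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"CidrBlock": "10.0.0.0/24"}},
 "WorkflowPrivateSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"CidrBlock": "10.0.1.0/24"}},
 "PublicSubnetToRouteTable": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties":
   {"RouteTableId": {"Ref": "WorkflowPublicSubnetRouteTable"}, "SubnetId": {"Ref": "WorkflowPublicSubnet"}}},
 "PrivateSubnetToRouteTable": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties":
   {"RouteTableId": {"Ref": "WorkflowPrivateSubnetRouteTable"}, "SubnetId": {"Ref": "WorkflowPrivateSubnet"}}},
 "WorkflowInternetRoute": {"Type": "AWS::EC2::Route", "Properties": {"DestinationCidrBlock": "0.0.0.0/0",
   "RouteTableId": {"Ref": "WorkflowPublicSubnetRouteTable"}, "GatewayId": {"Ref": "WorkflowInternetGateway"}}},
 "WorkflowNatRoute": {"Type": "AWS::EC2::Route", "Properties": {"DestinationCidrBlock": "0.0.0.0/0",
   "RouteTableId": {"Ref": "WorkflowPrivateSubnetRouteTable"}, "NatGatewayId": {"Ref": "WorkflowNat"}}}}}""")

def _props(template, rtype):
    """Logical name -> Properties for every resource of one CloudFormation type."""
    return {n: r.get("Properties", {}) for n, r in template["Resources"].items() if r["Type"] == rtype}

def _ref(value):
    """Resolve a {"Ref": name} intrinsic to the logical name it points at."""
    return value["Ref"] if isinstance(value, dict) else value

def lint_egress(template):
    """Findings that would stop a task in a private subnet from pulling its image from ECR."""
    findings = []
    for vpc, p in _props(template, "AWS::EC2::VPC").items():
        if p.get("EnableDnsSupport") is False:  # the property defaults to true; false disables VPC DNS
            findings.append(f"{vpc}: EnableDnsSupport is false, the ECR hostname will not resolve")
    # subnet -> its route table, and the set of route tables that carry a default route
    rt_of = {_ref(p["SubnetId"]): _ref(p["RouteTableId"])
             for p in _props(template, "AWS::EC2::SubnetRouteTableAssociation").values()}
    egress = {_ref(p["RouteTableId"]) for p in _props(template, "AWS::EC2::Route").values()
              if p.get("DestinationCidrBlock") == "0.0.0.0/0"}
    for subnet in _props(template, "AWS::EC2::Subnet"):
        if rt_of.get(subnet) not in egress:
            findings.append(f"{subnet}: no 0.0.0.0/0 route, tasks here cannot reach ECR")
    return findings

def with_dns_support(template, enabled=True):
    """Copy of the template with EnableDnsSupport set on every VPC (the corrected setting)."""
    fixed = json.loads(json.dumps(template))  # deep copy; the input template is left untouched
    for r in fixed["Resources"].values():
        if r["Type"] == "AWS::EC2::VPC":
            r.setdefault("Properties", {})["EnableDnsSupport"] = enabled
    return fixed
```

Removing the NAT route from the corrected copy makes the private subnet show up as the second kind of finding, which is the check to run before blaming Fargate or ECR.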