I hit an issue while testing ECS Managed Instance, so here's a quick note for future reference.
ECS Exec Fails on a Task Container Running on ECS Managed Instance in a Public Subnet
If you deploy this setup in a public subnet with no additional network configuration and then run aws ecs execute-command against the task, you get the following error:
An error occurred (TargetNotConnectedException) when calling the ExecuteCommand operation: The execute command failed. TargetNotConnected: ecs:ecs-task_xxxxxxxxxxxxxxxx is not connected.
Network Considerations for ECS Managed Instance
The blog post linked below covers this in detail, but it appears that with ECS Managed Instance you cannot assign a public IP to a task using assignPublicIp=ENABLED. That matters because a route through an internet gateway only works for interfaces that have a public IP: a task in a public subnet without one has no path to the Systems Manager endpoints that the ECS Exec agent must reach over HTTPS, so the agent never connects and ExecuteCommand fails with TargetNotConnected.
https://zenn.dev/gsk9999/articles/0da047d2cc3b59
When Task Instances Are Placed in a Public Subnet
Here is what you can do:
- Create an interface VPC endpoint for Systems Manager Session Manager (com.amazonaws.<region>.ssmmessages), with private DNS enabled and a security group that allows inbound HTTPS (443) from the task's security group
I confirmed this works with my own testing. However, for production use, the per-hour cost of VPC Endpoints is something to keep in mind.
When Task Instances Are Placed in a Private Subnet
- The VPC endpoint approach above
- Or route traffic to the internet via NAT Gateway
I haven't tested this myself, but since the route is established at the network level in this case, it should work in theory.
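The checks in both subsections above can be scripted. The following is an added preflight helper, not code from this post or from AWS: given the JSON an operator would normally pull with aws ecs describe-tasks, aws ec2 describe-vpc-endpoints and aws ec2 describe-route-tables, it reports why execute-command is likely to end in TargetNotConnected. It treats the task as reachable when its VPC has an ssmmessages interface endpoint, or when its subnet's default route points at a NAT gateway; a default route through an internet gateway alone is flagged, because a Managed Instance task has no public IP to use it. The function names and the sample API responses (vpc-0a1b2c3d, subnet-pub1, subnet-priv1, the agent status values) are constructed for the example.

```python
"""Preflight for ECS Exec reachability (added example, not AWS tooling).

Load real API output in place of the constructed SAMPLE_* documents below.
"""
from __future__ import annotations

# Service the ECS Exec agent (ExecuteCommandAgent) must reach over HTTPS.
SSMMESSAGES = "com.amazonaws.{region}.ssmmessages"


def task_subnet(task: dict) -> str | None:
    """Subnet of the task's awsvpc ENI, from the describe-tasks attachment details."""
    for att in task.get("attachments", []):
        if att.get("type") == "ElasticNetworkInterface":
            for detail in att.get("details", []):
                if detail.get("name") == "subnetId":
                    return detail.get("value")
    return None


def exec_agent_status(task: dict) -> str:
    """lastStatus of the ExecuteCommandAgent managed agent, or MISSING."""
    for container in task.get("containers", []):
        for agent in container.get("managedAgents", []):
            if agent.get("name") == "ExecuteCommandAgent":
                return agent.get("lastStatus", "UNKNOWN")
    return "MISSING"


def subnet_route_table(route_tables: list[dict], subnet_id: str) -> dict | None:
    """Route table explicitly associated with subnet_id, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_table: dict | None) -> str:
    """'nat', 'igw' or 'none', depending on where 0.0.0.0/0 points."""
    for route in (route_table or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return "nat"
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
    return "none"


def has_ssmmessages_endpoint(endpoints: list[dict], region: str, vpc_id: str) -> bool:
    """True if an available ssmmessages interface endpoint with private DNS serves vpc_id."""
    wanted = SSMMESSAGES.format(region=region)
    return any(
        ep.get("ServiceName") == wanted
        and ep.get("VpcId") == vpc_id
        and ep.get("VpcEndpointType") == "Interface"
        and ep.get("State") == "available"
        and ep.get("PrivateDnsEnabled") is True
        for ep in endpoints
    )


def exec_preflight(task: dict, endpoints: list[dict], route_tables: list[dict],
                   region: str, vpc_id: str) -> list[str]:
    """Return a list of reasons ECS Exec would fail; an empty list means no finding."""
    findings = []
    if not task.get("enableExecuteCommand"):
        findings.append("task was not started with --enable-execute-command")
    status = exec_agent_status(task)
    if status != "RUNNING":
        findings.append(f"ExecuteCommandAgent is {status}, not RUNNING")
    subnet = task_subnet(task)
    if subnet is None:
        findings.append("task has no awsvpc ENI attachment; check the network mode")
        return findings
    if has_ssmmessages_endpoint(endpoints, region, vpc_id):
        return findings  # endpoint path exists regardless of subnet type
    target = default_route_target(subnet_route_table(route_tables, subnet))
    if target == "nat":
        return findings  # private subnet with NAT egress
    if target == "igw":
        findings.append(f"{subnet} is public (default route via IGW) but the task has no "
                        f"public IP, so the Exec agent cannot reach "
                        f"{SSMMESSAGES.format(region=region)}; add an interface endpoint")
    else:
        findings.append(f"{subnet} has neither internet egress nor an ssmmessages endpoint")
    return findings


# Constructed sample responses (shapes follow the AWS CLI JSON, values are made up).
SAMPLE_TASK = {
    "enableExecuteCommand": True,
    "attachments": [{"type": "ElasticNetworkInterface",
                     "details": [{"name": "subnetId", "value": "subnet-pub1"}]}],
    "containers": [{"managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]}],
}
PUBLIC_ROUTE_TABLES = [{"Associations": [{"SubnetId": "subnet-pub1"}],
                        "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]}]
NAT_ROUTE_TABLES = [{"Associations": [{"SubnetId": "subnet-pub1"}],
                     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]}]
SSMMESSAGES_ENDPOINT = {"ServiceName": "com.amazonaws.ap-northeast-1.ssmmessages",
                        "VpcId": "vpc-0a1b2c3d", "VpcEndpointType": "Interface",
                        "State": "available", "PrivateDnsEnabled": True}

if __name__ == "__main__":
    for label, eps, rts in (("public, no endpoint", [], PUBLIC_ROUTE_TABLES),
                            ("public + endpoint", [SSMMESSAGES_ENDPOINT], PUBLIC_ROUTE_TABLES),
                            ("private + NAT", [], NAT_ROUTE_TABLES)):
        print(label, exec_preflight(SAMPLE_TASK, eps, rts, "ap-northeast-1", "vpc-0a1b2c3d") or "ok")
```

The endpoint check is VPC-wide rather than per-subnet on purpose: with private DNS enabled, the ssmmessages hostname resolves to the endpoint ENIs from any subnet in the VPC, so the endpoint does not have to live in the task's subnet. The security group on the endpoint still has to admit port 443 from the task, which this script cannot see.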
Summary
When using ECS Managed Instance, pay close attention to networking: the task needs a path to the Systems Manager endpoints for ECS Exec to work, and a public subnet alone does not provide one.
This article doesn't go into detail on this, but the examples above assume awsvpc network mode. Depending on your use case, switching the ECS network mode to bridge may also be an option.
For production environments where NAT Gateway or VPC Endpoints are already in place, going with the approach described in the linked blog post is probably the better choice. Note that the linked blog post is written in Japanese.