The latest articles on DEV Community by Kosuke Ozawa (@kskozw03). https://dev.to/kskozw03 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3782183%2Ff65e65ce-3545-4dc5-a859-0c224be34a61.jpeg https://dev.to/kskozw03 en Kosuke Ozawa Fri, 08 May 2026 05:19:16 +0000 https://dev.to/aws-builders/why-ecs-exec-fails-on-ecs-managed-instance-and-how-to-fix-it-3khg https://dev.to/aws-builders/why-ecs-exec-fails-on-ecs-managed-instance-and-how-to-fix-it-3khg <p>I hit an issue while testing ECS Managed Instance, so here's a quick note for future reference.</p> <h2> ECS Exec Fails on a Task Container Running on ECS Managed Instance in a Public Subnet </h2> <p>If you deploy this setup in a public subnet without any special network configuration and run the Exec command, you'll get the following error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>An error occurred <span class="o">(</span>TargetNotConnectedException<span class="o">)</span> when calling the ExecuteCommand operation: The execute <span class="nb">command </span>failed. TargetNotConnected: ecs:ecs-task_xxxxxxxxxxxxxxxx is not connected. </code></pre> </div> <h2> Network Considerations for ECS Managed Instance </h2> <p>The blog post linked below covers this in detail, but it appears that with ECS Managed Instance, you cannot assign a public IP to a task using <code>assignPublicIp=ENABLE</code>.</p> <p><a href="https://zenn.dev/gsk9999/articles/0da047d2cc3b59" rel="noopener noreferrer">https://zenn.dev/gsk9999/articles/0da047d2cc3b59</a></p> <h2> When Task Instances Are Placed in a Public Subnet </h2> <p>Here is what you can do:</p> <ul> <li>Create a VPC Endpoint</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5rh3kwmzenvmbb2fiba8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5rh3kwmzenvmbb2fiba8.png" alt="Connect to Session Manager via VPC Endpoint" width="800" height="333"></a></p> <p>I confirmed this works with my own testing. However, for production use, the <strong>per-hour cost of VPC Endpoints</strong> is something to keep in mind.</p> <h2> When Task Instances Are Placed in a Private Subnet </h2> <ul> <li>The method above</li> <li>Or route traffic to the internet via NAT Gateway</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmc30svdu3dgrwxazl3ku.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmc30svdu3dgrwxazl3ku.png" alt="Connect to Session Manager via NAT Gateway" width="800" height="301"></a></p> <p>I haven't tested this myself, but since the route is established at the network level in this case, it should work in theory.</p> <h2> Summary </h2> <p>When using ECS Managed Instance, it's important to pay attention to networking.</p> <p>This article doesn't go into detail on this, but the examples above assume <code>awsvpc</code> mode. Depending on your use case, switching the ECS network mode to <code>bridge</code> may also be an option.</p> <p>For production environments where NAT Gateway or VPC Endpoints are already in place, going with the approach described in the linked blog post is probably the better choice. Note that the linked blog post is written in Japanese.</p> aws containers cloud networking