AWS Fargate Cluster unable to access Internet with NAT and Internet Gateways in place

Question

I'm trying to deploy containers to a private network Fargate cluster on AWS. I do have an Internet Gateway on my single VPC:

And I do have a NAT Gateway for that particular subnet in the very same VPC where my cluster/services live:

Routing seems OK for that Subnet as well:

And the security group for the service do not block any incoming connection:

But my containers don't even start with the infamous exception: CannotPullContainerError: Error response from daemon:Get https://registry-name/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) Why? Thanks.

Answer 1

You don't have the subnet configured to use the NAT gateway. Your routing table currently sends traffic directly to the IGW, which makes the subnet a public subnet, not a private subnet, which means anything in that subnet would need to have a public IP assigned to it. NAT Gateways existing in the same subnet as other resources don't magically give those resources Internet access, you have to configure your routing tables appropriately.

Your network needs to be configured like this:

Public Subnets:

• IGW attached
• NAT Gateway
• Any other public resources that need to be accessible from the Internet, such as a public load balancer.

Private Subnets:

• A route to the NAT Gateway in the public subnet. No route to the IGW.