Tags: amazon-web-services, terraform, terraform-aws-modules

Private subnets cannot access internet via NAT gateway


I have an Elastic Beanstalk app on the Docker platform that's in private subnets, and I need the EC2 instances in those private subnets to be able to access the internet so they can download Docker images.

EB is not able to download public Docker images:

2023/05/26 20:49:51.618533 [INFO] Pulling valhalla ... 
Pulling valhalla ... error

ERROR: for valhalla  manifest for gisops/valhalla:latest not found: manifest unknown: manifest unknown
manifest for gisops/valhalla:latest not found: manifest unknown: manifest unknown

2023/05/26 20:49:51.618555 [WARN] failed to execute command: docker-compose pull, retrying...
2023/05/26 20:49:51.618565 [INFO] Running command /bin/sh -c docker-compose pull
2023/05/26 20:49:54.895191 [INFO] Pulling valhalla ... 
Pulling valhalla ... error

ERROR: for valhalla  manifest for gisops/valhalla:latest not found: manifest unknown: manifest unknown
manifest for gisops/valhalla:latest not found: manifest unknown: manifest unknown

2023/05/26 20:49:54.895227 [ERROR] An error occurred during execution of command [app-deploy] - [Docker Specific Build Application]. Stop running the command. Error: failed to pull docker images: Command /bin/sh -c docker-compose pull failed with error exit status 1. Stderr:Pulling valhalla ... 
Pulling valhalla ... error

ERROR: for valhalla  manifest for gisops/valhalla:latest not found: manifest unknown: manifest unknown
manifest for gisops/valhalla:latest not found: manifest unknown: manifest unknown

Terraform setup

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = var.main_vpc_name
  cidr = var.main_vpc_prefix

  azs                 = var.availability_zones
  private_subnets     = var.private_subnets
  public_subnets      = var.public_subnets
  database_subnets    = var.database_subnets
  elasticache_subnets = var.elasticache_subnets
  redshift_subnets    = var.redshift_subnets

  # One NAT gateway per AZ; the module then gives each private subnet's route
  # table a 0.0.0.0/0 route to the NAT gateway in its own AZ.
  enable_nat_gateway     = true
  single_nat_gateway     = false
  one_nat_gateway_per_az = true


  enable_vpn_gateway   = false
  enable_dns_support   = true
  enable_dns_hostnames = true

  create_database_subnet_group       = true
  create_database_subnet_route_table = true
  # Adds a 0.0.0.0/0 route to the internet gateway in the database subnets'
  # route table, i.e. makes the database subnets publicly routable; that is
  # rarely what a database tier needs.
  create_database_internet_gateway_route = true
}

EB configuration

resource "aws_elastic_beanstalk_environment" "eb_env" {
  ....

  setting {
    namespace = "aws:ec2:vpc"
    name      = "VPCId"
    value     = module.vpc.vpc_id
    resource  = ""
  }

  setting {
    namespace = "aws:ec2:vpc"
    name      = "Subnets"
    value     = join(",", sort(module.vpc.private_subnets))
    resource  = ""
  }

  setting {
    namespace = "aws:ec2:vpc"
    name      = "ELBSubnets"
    value     = join(",", sort(module.vpc.public_subnets))
    resource  = ""
  }

  setting {
    namespace = "aws:ec2:vpc"
    name      = "ELBScheme"
    value     = "internal"
    resource  = ""
  }


  setting {
    namespace = "aws:ec2:vpc"
    name      = "AssociatePublicIpAddress"
    value     = "false"
    resource  = ""
  }

  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name      = "SecurityGroups"
    value     = join(",", sort([module.webtraffic-sg.security_group_id]))
    resource  = ""
  }
} 

Security group

module "webtraffic-sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 4.0"

  name        = "webtraffic-sg"
  description = "Security group for EC2 instance"
  vpc_id      = module.vpc.vpc_id

  ingress_cidr_blocks = ["0.0.0.0/0"]
  ingress_rules       = ["http-80-tcp", "https-443-tcp"]
  egress_rules        = ["all-all"]

  tags = {
    Name = "${var.project_name}-sg-webtraffic"
  }

}

Route table

(screenshot of the private subnet route table, not reproduced here)


Solution

  • As far as I can tell, there is no latest tag for that Docker image. You might want to try pinning it to a version number, e.g., gisops/valhalla:3.3.0. There is also a note that they were moving away from Docker Hub and that GitHub packages are used.
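The answer's point generalises: "manifest unknown" is a reply from the registry, so the pull did leave the private subnet through the NAT gateway and the image reference itself is what is wrong; only dial, DNS or route errors would indicate missing egress. The script below is an added example, not code from the question or the answer, that classifies docker-compose pull failures from an eb-engine.log along those lines and flags unpinned (":latest" or tag-less) references. The regexes and the verdict wording are mine; the sample logs are constructed (the first mirrors the question's error lines, the second follows the wording the Docker client uses when it cannot reach a registry, with a TEST-NET-1 address instead of a real IP).

```python
"""Classify docker-compose pull failures from an Elastic Beanstalk eb-engine.log.

Added example; not code from the question or the answer. The signal it uses:
"manifest unknown" is an answer FROM the registry, so the pull went out through
the NAT gateway and the image reference is wrong. Only dial/DNS/route errors
indicate that the private subnet has no egress path. All sample lines are
constructed.
"""
import re
from dataclasses import dataclass

# Constructed: mirrors the error lines from the question's log (including the retry).
QUESTION_LOG = """\
2023/05/26 20:49:51.618533 [INFO] Pulling valhalla ...
Pulling valhalla ... error
ERROR: for valhalla  manifest for gisops/valhalla:latest not found: manifest unknown: manifest unknown
2023/05/26 20:49:51.618555 [WARN] failed to execute command: docker-compose pull, retrying...
ERROR: for valhalla  manifest for gisops/valhalla:latest not found: manifest unknown: manifest unknown
"""

# Constructed: typical Docker client errors when there is no route to the registry
# (192.0.2.10 is a TEST-NET-1 documentation address, not a real registry IP).
NO_EGRESS_LOG = """\
2023/05/26 21:02:10.000000 [INFO] Pulling web ...
ERROR: for web  Get "https://registry-1.docker.io/v2/": dial tcp 192.0.2.10:443: i/o timeout
ERROR: for api  Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io on 10.0.0.2:53: no such host
"""

NETWORK, AUTH, MANIFEST, UNKNOWN = "network", "auth", "manifest", "unknown"

# Ordered from "registry never reached" to "registry reached and answered".
_PATTERNS = [
    (NETWORK, re.compile(
        r"dial tcp.*(i/o timeout|no route to host|network is unreachable|connection refused)"
        r"|no such host|TLS handshake timeout|Temporary failure in name resolution")),
    (AUTH, re.compile(r"pull access denied|unauthorized:|authentication required")),
    (MANIFEST, re.compile(r"manifest for (?P<ref>\S+) not found: manifest unknown")),
]
_ERROR_LINE = re.compile(r"^ERROR: for (?P<service>\S+)\s+(?P<msg>.*)$")


@dataclass(frozen=True)
class PullError:
    service: str
    kind: str
    image_ref: str = ""


def is_pinned(ref: str) -> bool:
    """True if the reference carries a digest or an explicit non-'latest' tag."""
    if "@sha256:" in ref:
        return True
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:   # no tag at all, or the ':' belonged to a host:port
        return False            # -> implicit :latest
    return tag != "latest"


def classify_line(line: str):
    """Return a PullError for a docker-compose 'ERROR: for <service> ...' line, else None."""
    m = _ERROR_LINE.match(line.strip())
    if not m:
        return None
    service, msg = m.group("service"), m.group("msg")
    for kind, pat in _PATTERNS:
        hit = pat.search(msg)
        if hit:
            ref = hit.group("ref") if kind == MANIFEST else ""
            return PullError(service, kind, ref)
    return PullError(service, UNKNOWN)


def diagnose(log_text: str) -> dict:
    """Summarise a log: de-duplicated errors plus a verdict on whether egress works."""
    errors = []
    for err in map(classify_line, log_text.splitlines()):
        if err and err not in errors:   # eb-engine retries repeat the same line
            errors.append(err)
    kinds = {e.kind for e in errors}
    if NETWORK in kinds:
        verdict = ("no egress: the registry was never reached; check the private "
                   "subnets' 0.0.0.0/0 route to the NAT gateway and SG/NACL egress")
    elif kinds and kinds <= {MANIFEST, AUTH}:
        verdict = ("egress works: the registry answered; fix the image reference "
                   "(tag or repository) or the pull credentials")
    elif not errors:
        verdict = "no docker-compose pull errors found"
    else:
        verdict = "unclassified pull error; inspect the lines manually"
    unpinned = sorted({e.image_ref for e in errors if e.image_ref and not is_pinned(e.image_ref)})
    return {"errors": errors, "unpinned_refs": unpinned, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("question log", QUESTION_LOG), ("no-egress log", NO_EGRESS_LOG)):
        result = diagnose(log)
        print(f"{name}: {result['verdict']}")
        for err in result["errors"]:
            print(f"  {err.service}: {err.kind} {err.image_ref}".rstrip())
        if result["unpinned_refs"]:
            print("  unpinned references:", ", ".join(result["unpinned_refs"]))
```

Run against the question's log it reports that egress works and that gisops/valhalla:latest is unpinned, which is exactly the answer's diagnosis; a genuinely broken NAT route produces the dial/DNS lines of the second sample instead, and only then is the route table worth looking at.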