Cannot reach container in ECS Fargate cluster that looks properly configured

I have an ECS Fargate cluster that I configured after reading instructions in another StackOverFlow post. I have several containers that I’ve pushed into ECR repositories and can successfully launch the containers. But going to http://PUBLIC-IP-ADDRESS does not access the service exposed by the container.

In my most recent test I simply used the httpd container from Docker Hub because it is simple and provides a default web page. Still no luck.

The VPC has two subnets – public and private – and was constructed per the instructions in the above-linked post. I am attaching the containers — as an ECS Service — to the public subnet and also configuring the Service to make it a public IP address.

Public subnet (CIDR has this route table: local igw-0ad0671cc2924857e

Network ACL inbound rules

  * ALL Traffic ALL ALL DENY

Network ACL outbound rules

  * ALL Traffic ALL ALL DENY

(These are the default rules)

The private subnet (CIDR has the same configuration but the route table instead connects to a NAT gateway. The NAT gateway is homed on the public net.

The only thing I did differently from the VPC configuration instructions is the security group. When creating the services, I configure the service with the default security group that came with the VPC. This security group allows all traffic both inbound and outbound.

For the Task Definition – I created an httpd T.D. using the awsvpc network mode (it’s a Fargate ECS), 1/2 GB memory, 0.25 vCPU, exposing port 80 on the container,

For the Service, I attached it to the VPC, gave it the name httpd, attached it to the public subnet, and said to use a public IP address.

The Service and the contained Task launch correctly, and the Task shows a public IP address. Accessing that IP address results in a long wait and eventually the web browser gives up. (times out)


I was not aware of the need to have a load balancer. I have attempted to add a load balancer. But it made no difference.

To add the load balancer required adding more public subnets configured as above. The Application Load Balancer is attached to the VPC and to the public subnets. It is listening to HTTP (port 80).

I then re-created the service for the httpd container. During creation of the service, I did my best to configure it for the load balancer and then the service description gives this summary:

Target Group Name   Container Name  Container Port
ecs-ecs-go-httpd             httpd              80

Source: StackOverflow