Sometimes when creating a service in your ECS cluster you may encounter this error showing inside a task: Status reason CannotPullContainerError: Error response from daemon: Get DOCKERIMAGEURI: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

The reason behind this error is that your task running in the service cannot pull the Docker image due to wrong network configuration. You need to allow your service to be able to access the internet.

If you’re deploying in a public subnet try checking if the following are true:

  • Choose ENALBED for auto-assign public IP address
  • Make sure your public subnet has a default route of 0.0.0.0/0 routing traffic to an internet gateway

If you’re deploying in a private subnet check the following:

  • Your private subnet has a default route of 0.0.0.0/0 routing traffic to a NAT GATEWAY

NAT gateway and internet gateway are the key difference. In public subnets use the internet gateway. In private subnets you need to use a NAT gateway. Using an internet gateway will not work.

You can learn how to create a NAT gateway and more about ECS on our Amazon ECS Fundamentals online training course: https://www.releaseworksacademy.com/courses/amazon-ecs-fundamentals