How can I resolve the “CannotPullContainerError: Error response from daemon:Get https://registry-name/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)” error in Amazon ECS?

Last updated: 2019-12-24

I launch a task in Amazon Elastic Container Service (Amazon ECS). Then, I receive the following error: "CannotPullContainerError: Error response from daemon:Get https://registry-name/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)."

How can I resolve this error?

Short Description

You can receive this error when a task fails to pull an image because your network isn't configured correctly or has an intermittent connection.

The following resolution includes steps for resolving the error caused by a network that isn't configured correctly.

Resolution

Choose a solution based on your launch type: Amazon Elastic Compute Cloud (Amazon EC2) or AWS Fargate.

Amazon EC2 launch type

  • If your container instance is in a private subnet, confirm that your subnet has a route to an internet gateway or network address translation (NAT) gateway in a route table.
    Note: Instead of an internet gateway or NAT gateway, you can use AWS PrivateLink or an HTTP proxy.
  • If your container instance is in a public subnet, confirm that your instance has a public IP address. You can edit the subnet's public IPv4 address behavior to assign public IPs to container instances on launch.
  • If you're using an Amazon-provided DNS in your Amazon Virtual Private Cloud (Amazon VPC), confirm that the security group attached to your instance has outbound access allowed for HTTPS (443).
  • If you're using a custom DNS, confirm that you have outbound access allowed for DNS (UDP and TCP) on port 53 and HTTPS access on port 443.

Fargate launch type

  • Confirm that the subnet used to run a task has a route to an internet gateway or NAT gateway in a route table.
    Note: Instead of an internet gateway or NAT gateway, you can use AWS PrivateLink.
  • If you're launching a task in a public subnet, choose ENABLED for Auto-assign public IP when you launch the task. This allows your task to have outbound network access to pull an image.
  • If you're using an Amazon-provided DNS in your Amazon VPC, confirm that the security group attached to the instance has outbound access allowed for HTTPS (443).
  • If you're using a custom DNS, confirm that you have outbound access allowed for DNS (UDP and TCP) on port 53 and HTTPS access on port 443.
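
The route and security group checks in both lists can be run offline against saved output of `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`. The following is an added example, not part of the original article; the function names and the sample data are constructed for illustration, and the check assumes you are not using AWS PrivateLink or a proxy.

```python
# Added example: evaluates one security group and one route table (in the JSON
# shape returned by the EC2 Describe* APIs) against the checklist above.

def egress_allows(sg, proto, port):
    """True if an egress rule covers proto/port (destination CIDRs not evaluated)."""
    for rule in sg.get("IpPermissionsEgress", []):
        p = rule.get("IpProtocol")
        if p == "-1":  # "-1" means all protocols and all ports
            return True
        if p == proto and rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1):
            return True
    return False

def default_route_target(route_table):
    """Return the igw-/nat- target of an active 0.0.0.0/0 route, else None."""
    for r in route_table.get("Routes", []):
        # A "blackhole" route points at a gateway that no longer exists.
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State") != "active":
            continue
        target = r.get("NatGatewayId") or r.get("GatewayId") or ""
        if target.startswith(("igw-", "nat-")):
            return target
    return None

def pull_blockers(sg, route_table, custom_dns=False):
    """List the checklist items that fail for this subnet and security group."""
    problems = []
    if default_route_target(route_table) is None:
        problems.append("no active default route to an internet or NAT gateway")
    if not egress_allows(sg, "tcp", 443):
        problems.append("no outbound HTTPS (tcp/443)")
    if custom_dns:  # custom DNS needs port 53 over both UDP and TCP
        for proto in ("udp", "tcp"):
            if not egress_allows(sg, proto, 53):
                problems.append(f"no outbound DNS ({proto}/53)")
    return problems

# Constructed sample input: HTTPS and UDP DNS allowed, NAT gateway deleted.
SAMPLE_SG = {"GroupId": "sg-EXAMPLE", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53},
]}
SAMPLE_RT = {"RouteTableId": "rtb-EXAMPLE", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "blackhole"},
]}

if __name__ == "__main__":
    print(pull_blockers(SAMPLE_SG, SAMPLE_RT, custom_dns=True))
```

An empty list means the route and egress rules satisfy the checklist; it does not confirm that a public IP address is assigned, which you still need to verify for public subnets.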
