How can I resolve the “CannotPullContainerError: Error response from daemon:Get https://registry-name/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)” error in Amazon ECS?

Last updated: 2020-06-10

I launch a task in Amazon Elastic Container Service (Amazon ECS). Then, I receive the following error: "CannotPullContainerError: Error response from daemon:Get https://registry-name/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)."

How can I resolve this error?

Short Description

You can receive this error when a task fails to pull an image due to an incorrectly configured network or an intermittent connection.

The following resolution includes steps for resolving the error caused by an incorrectly configured network.

Resolution

Choose a solution based on your launch type: Amazon Elastic Compute Cloud (Amazon EC2) or AWS Fargate.

Amazon EC2 launch type

  • If your container instance is in a private subnet, confirm that your subnet has a network address translation (NAT) gateway in a route table.
    Note: Instead of a NAT gateway, you can use AWS PrivateLink or an HTTP proxy. To avoid errors, be sure to correctly configure AWS PrivateLink or the HTTP proxy.
  • If your container instance is in a public subnet, confirm that your instance has a public IP address. You can edit the subnet's public IPv4 address behavior to assign public IPs to container instances on launch.
  • If you're using an Amazon-provided DNS in your Amazon Virtual Private Cloud (Amazon VPC), confirm that the security group attached to your instance has outbound access allowed for HTTPS (port 443).
  • If you're using a custom DNS, confirm that you’re allowing outbound access for DNS (UDP and TCP) on port 53 and HTTPS on port 443.
  • Verify that your network access control (network ACL) rules aren't blocking traffic to the registry.

Fargate launch type

  • Confirm that the subnet used to run a task has a route to an internet gateway or NAT gateway in a route table.
    Note: Instead of an internet gateway or NAT gateway, you can use AWS PrivateLink. To avoid errors, be sure to correctly configure AWS PrivateLink or an HTTP proxy.
  • If you're launching tasks in a public subnet, choose ENABLED for Auto-assign public IP when you launch a task in the Amazon EC2 console. This allows your task to have outbound network access to pull an image.
  • If you're using an Amazon-provided DNS in your Amazon VPC, confirm that the security group attached to the instance has outbound access allowed for HTTPS (port 443).
  • If you're using a custom DNS, confirm that outbound access is allowed for DNS (UDP and TCP) on port 53 and HTTPS access on port 443.
  • Verify that your network ACL rules aren't blocking traffic to the registry.
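
The route table and security group items in both checklists can be checked offline against JSON exported with `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`. The following is an added example, not part of the original article: the function names are hypothetical, the sample data is constructed, and it does not evaluate network ACLs, AWS PrivateLink endpoints, or proxies.

```python
# Constructed sample data shaped like `aws ec2 describe-route-tables` and
# `aws ec2 describe-security-groups` output; every ID here is a placeholder.
PRIVATE_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}
NAT_RT = {"Routes": PRIVATE_RT["Routes"] + [
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]}
SG_HTTPS_ONLY = {"IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_ALL_EGRESS = {"IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}


def default_route_target(route_table):
    """Return the gateway ID behind an active 0.0.0.0/0 route, or None."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("State") == "active"):
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None


def egress_allows(security_group, protocol, port):
    """True if an egress rule covers protocol/port (destination CIDR not evaluated)."""
    for rule in security_group.get("IpPermissionsEgress", []):
        if rule["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
            return True
        if (rule["IpProtocol"] == protocol
                and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
            return True
    return False


def pull_blockers(route_table, security_group, custom_dns=False):
    """List the checklist items that would stop an image pull."""
    findings = []
    target = default_route_target(route_table)
    if target is None or not target.startswith(("igw-", "nat-")):
        findings.append("no default route to an internet or NAT gateway")
    needed = [("tcp", 443)] + ([("udp", 53), ("tcp", 53)] if custom_dns else [])
    for proto, port in needed:
        if not egress_allows(security_group, proto, port):
            findings.append(f"security group blocks outbound {proto}/{port}")
    return findings


if __name__ == "__main__":
    print(pull_blockers(PRIVATE_RT, SG_HTTPS_ONLY, custom_dns=True))
```

A route whose State is "blackhole" (for example, a deleted NAT gateway) is treated as no route at all.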
