AWS Certified Solutions Architect – Professional — Question 284
A solutions architect is migrating an existing workload to AWS Fargate. The task can only run in a private subnet within the VPC where there is no direct connectivity from outside the system to the application. When the Fargate task is launched, the task fails with the following error:
CannotPullContainerError: API error (500): Get https://111122223333.dkr.ecr.us-east-1.amazonaws.com/v2/: net/http: request canceled while waiting for connection
How should the solutions architect correct this error?
Answer options
- A. Ensure the task is set to ENABLED for the auto-assign public IP setting when launching the task.
- B. Ensure the task is set to DISABLED for the auto-assign public IP setting when launching the task. Configure a NAT gateway in the public subnet in the VPC to route requests to the internet.
- C. Ensure the task is set to DISABLED for the auto-assign public IP setting when launching the task. Configure a NAT gateway in the private subnet in the VPC to route requests to the internet.
- D. Ensure the network mode is set to bridge in the Fargate task definition.
Correct answer: B
Explanation
The CannotPullContainerError occurs because the Fargate task in the private subnet lacks internet connectivity to pull the container image from the Amazon ECR registry. To resolve this, a NAT gateway must be deployed in a public subnet to route outbound traffic from the private subnet to the internet, while keeping the task's auto-assign public IP set to DISABLED. Placing a NAT gateway in a private subnet (Option C) is incorrect because a NAT gateway requires a public subnet with a route to an internet gateway to function.
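The routing rule behind the correct answer can be checked mechanically before a task is launched. The script below is an added illustration, not part of the original question or of any AWS tooling: it models a VPC as subnets with route tables and NAT gateway placements (constructed sample data, not AWS API output), then applies the rules the explanation relies on: a task with auto-assign public IP DISABLED can only leave the VPC through a NAT gateway, and that NAT gateway must itself sit in a subnet whose default route points at an internet gateway. Scenarios for options A, B and C are built inline so the failure modes can be compared; the identifiers (subnet-, nat-, igw- prefixes) are placeholders.

```python
"""Validate whether a Fargate task in a given subnet has an outbound path to
pull images from ECR. Constructed model for illustration, not AWS API data."""
from dataclasses import dataclass


@dataclass
class Subnet:
    subnet_id: str
    routes: dict  # destination CIDR -> target ("local", "igw-...", "nat-...")


@dataclass
class Vpc:
    subnets: dict       # subnet_id -> Subnet
    nat_gateways: dict  # nat_id -> subnet_id the NAT gateway is deployed in


def is_public_subnet(vpc: Vpc, subnet_id: str) -> bool:
    """A subnet is public when its default route goes to an internet gateway."""
    target = vpc.subnets[subnet_id].routes.get("0.0.0.0/0", "")
    return target.startswith("igw-")


def outbound_path(vpc: Vpc, subnet_id: str, assign_public_ip: bool):
    """Return (ok, reason) describing how a task ENI in `subnet_id` reaches the
    internet. `ok` is False in every case that produces CannotPullContainerError."""
    target = vpc.subnets[subnet_id].routes.get("0.0.0.0/0")
    if target is None:
        return False, "no default route: traffic to ECR is dropped"
    if target.startswith("igw-"):
        # An IGW only forwards traffic from ENIs that own a public IP.
        if assign_public_ip:
            return True, "direct via internet gateway with a public IP"
        return False, "default route to IGW but task has only a private IP"
    if target.startswith("nat-"):
        nat_subnet = vpc.nat_gateways.get(target)
        if nat_subnet is None:
            return False, f"route targets unknown NAT gateway {target}"
        if not is_public_subnet(vpc, nat_subnet):
            # Option C: a NAT gateway needs an IGW route of its own to work.
            return False, f"NAT gateway {target} is in private subnet {nat_subnet}"
        return True, f"via NAT gateway {target} in public subnet {nat_subnet}"
    return False, f"unsupported default route target {target}"


def build_vpc(nat_subnet: str) -> Vpc:
    """Constructed VPC: one public subnet with an IGW route, one private subnet
    whose default route points at a NAT gateway placed in `nat_subnet`."""
    return Vpc(
        subnets={
            "subnet-public": Subnet("subnet-public",
                                    {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-example"}),
            "subnet-private": Subnet("subnet-private",
                                     {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-example"}),
        },
        nat_gateways={"nat-example": nat_subnet},
    )


def option_a():
    """Public IP enabled, but the private subnet has no IGW route: still fails."""
    vpc = Vpc(subnets={"subnet-private": Subnet("subnet-private", {"10.0.0.0/16": "local"})},
              nat_gateways={})
    return outbound_path(vpc, "subnet-private", assign_public_ip=True)


def option_b():
    """Public IP disabled, NAT gateway in the public subnet: succeeds."""
    return outbound_path(build_vpc("subnet-public"), "subnet-private", assign_public_ip=False)


def option_c():
    """Public IP disabled, NAT gateway placed in the private subnet: fails."""
    return outbound_path(build_vpc("subnet-private"), "subnet-private", assign_public_ip=False)


if __name__ == "__main__":
    for name, result in (("A", option_a()), ("B", option_b()), ("C", option_c())):
        ok, reason = result
        print(f"Option {name}: {'image pull possible' if ok else 'CannotPullContainerError'} ({reason})")
```

The model deliberately checks the NAT gateway's own subnet rather than just the presence of a `nat-` route, which is the distinction between options B and C; a route table that points at a NAT gateway looks correct on its own, and only the gateway's placement reveals the misconfiguration.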