
AWS ECS Fargate Task is not working properly from Cloudformation Stack

I have a working "model" of my ECS Fargate launch type task that I created using the AWS Console. I need, however, to create a Cloudformation YAML file and deploy it.

The problem I'm having is that when I deploy the stack, the cluster and service are created, the task is also created and is showing as "RUNNING" in the console. It's just a simple NGINX container with my own content in it. But the deployed version is never responding on its public IP. If I STOP it and then start another task in the console, it works fine. I'm at a loss as to why the deployed version doesn't work and the manually started one does.

Nothing is showing in the Cloudwatch logs, nothing in Cloudtrail. Any suggestions are appreciated. Here is my Cloudformation YAML file:

AWSTemplateFormatVersion: 2010-09-09
Description: ECS NGINX FARGATE

Resources:
  ECSCluster:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ClusterName: 'jwh20-ecs-cluster'

  NginxService:
    Type: 'AWS::ECS::Service'
    Properties:
      Cluster: !Ref ECSCluster
      LaunchType: FARGATE
      TaskDefinition: !Ref NginxTask
      DesiredCount: 1
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          Subnets:
            - 'subnet-XXXXXXXXXXXX'

  NginxTask:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      Cpu: 512
      Memory: 1024
      Family: jwh-nginx
      ContainerDefinitions:
        - Name: jwh20-container
          Image: 'XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/jwh20'
          Name: jwh20-nginx-cont
          PortMappings:
            -
              ContainerPort: 80
              HostPort: 80
              Protocol: 'tcp'
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: '/ecs/jwh-nginx-cf'
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: 'ecs'
      ExecutionRoleArn: 'arn:aws:iam::XXXXXXXXXXXX:role/ecsTaskExecutionRole'
      TaskRoleArn: 'arn:aws:iam::XXXXXXXXXXXX:role/ecsTaskExecutionRole'
      NetworkMode: awsvpc
      RequiresCompatibilities: 
        - 'FARGATE'

If you can see the Task come to RUNNING state, that means the image from ECR was pulled successfully, meaning successful outbound connections. However, if you are not able to get any response back from the task by hitting PUBLIC_IP:80, that usually suggests a Security Group or NACL related issue. I'm assuming you are getting a request timeout. If not, do share the output of the below:

curl -v http://<PUBLIC_IP_OF_THE_TASK>


On observing the template,

There is no security group specified in the NetworkConfiguration

      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          Subnets:
            - 'subnet-XXXXXXXXXXXX'

AWS::ECS::Service AwsVpcConfiguration - If you do not specify a security group, the default security group for the VPC is used.

The default security group may not have the port 80 open. You can have a look at that.

Secondly, this one may be a typo: I see the Name property being specified twice,

    ContainerDefinitions:
        - Name: jwh20-container
          Image: 'XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/jwh20'
          Name: jwh20-nginx-cont
          PortMappings:
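
As an added example (not part of the original question or answer), this is one way to give the service an explicit security group instead of falling back to the VPC default. The resource name NginxSecurityGroup and the VpcId placeholder are assumptions; the other values are taken from the template in the question.

```yaml
Resources:
  # Hypothetical resource name. Creates a dedicated group for the task
  # instead of relying on the VPC's default security group.
  NginxSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: 'Inbound HTTP to the NGINX Fargate task'
      # Placeholder: must be the VPC that contains the subnet below.
      VpcId: 'vpc-XXXXXXXXXXXX'
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          # Open to any source; narrow this CIDR to known client
          # ranges if the site is not meant to be public.
          CidrIp: 0.0.0.0/0
      # No SecurityGroupEgress is listed, so the default allow-all
      # egress rule applies and the ECR image pull keeps working.

  NginxService:
    Type: 'AWS::ECS::Service'
    Properties:
      Cluster: !Ref ECSCluster
      LaunchType: FARGATE
      TaskDefinition: !Ref NginxTask
      DesiredCount: 1
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          # Explicit group, so the VPC default is no longer used.
          SecurityGroups:
            - !GetAtt NginxSecurityGroup.GroupId
          Subnets:
            - 'subnet-XXXXXXXXXXXX'
```

If the task still times out with this in place, the subnet's network ACL and route table are the next things to check.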
