Introduction

ECS tasks that use awsvpc network mode need an elastic network interface before the container can start. When that ENI cannot be created or attached, the task remains in PENDING and may later stop with networking or resource initialization errors. The real issue is usually outside the container image itself: subnet IP exhaustion, EC2 ENI density limits, or broken VPC placement settings.

Symptoms

  • ECS tasks stay in PENDING for several minutes and then stop
  • Service events mention unable to attach ENI or a resource initialization failure
  • Fargate tasks never reach RUNNING even though the task definition is valid
  • EC2-backed services fail only on some container instances or in one Availability Zone

Common Causes

  • The selected subnet has too few available private IP addresses
  • EC2 launch type tasks hit ENI or IP density limits on the underlying instance type
  • The service uses subnets or security groups that do not match the cluster's intended VPC layout
  • Existing tasks or orphaned ENIs already consumed the available networking capacity

Step-by-Step Fix

  1. 1.Read the exact task and service failure reason
  2. 2.Start with the service events and the stopped task details so you know whether the failure is subnet capacity, instance density, or something else in the awsvpc path.

```bash aws ecs describe-services \ --cluster my-cluster \ --services my-service \ --query "services[0].events[0:10].[createdAt,message]"

aws ecs describe-tasks \ --cluster my-cluster \ --tasks <task-id> \ --query "tasks[0].[lastStatus,stopCode,stoppedReason,attachments]" ```

  1. 1.Check subnet IP capacity in every subnet assigned to the service
  2. 2.Fargate needs a free private IP for every task ENI. A single exhausted subnet in the placement list can cause repeated pending failures.
bash
aws ec2 describe-subnets \
  --subnet-ids subnet-aaa subnet-bbb subnet-ccc \
  --query "Subnets[*].[SubnetId,AvailabilityZone,AvailableIpAddressCount]"
  1. 1.Inspect ENI density if the service runs on ECS with EC2 instances
  2. 2.EC2-backed tasks can fail even when the subnet has free IPs if the container instance type cannot attach more ENIs or secondary addresses.

```bash aws ecs list-container-instances --cluster my-cluster

aws ecs describe-container-instances \ --cluster my-cluster \ --container-instances <container-instance-arn> \ --query "containerInstances[*].[ec2InstanceId,remainingResources]" ```

  1. 1.Validate the service networking configuration before redeploying
  2. 2.Make sure the service references the intended subnets and security groups, then force a fresh deployment after fixing capacity or placement.

```bash aws ecs describe-services \ --cluster my-cluster \ --services my-service \ --query "services[0].networkConfiguration.awsvpcConfiguration"

aws ecs update-service \ --cluster my-cluster \ --service my-service \ --force-new-deployment ```

Prevention

  • Keep Fargate services spread across multiple subnets with healthy private IP headroom
  • Match ECS EC2 instance types to the ENI density your task count actually requires
  • Alert on low subnet IP availability before deployments start failing
  • Review awsvpc subnet selection whenever new services or autoscaling rules are introduced
  • `