It sounds like the security groups aren’t being passed to ECS because of where that JSON is placed in the pool’s base job template. For ECS push work pools in Prefect 3.x, the security groups must be set under the RunTask API kwargs, i.e. under

variables.run_task_kwargs.networkConfiguration

. If you put just

{"awsvpcConfiguration": {...}}

at the root (or under the wrong key), Prefect won’t pass it through and ECS will launch the task without your SGs (falling back to the VPC’s default behavior). Try updating your pool’s base job template so it includes this structure exactly (note the exact camelCase key names expected by ECS/Boto3):

{
  "variables": {
    "run_task_kwargs": {
      "networkConfiguration": {
        "awsvpcConfiguration": {
          "subnets": [
            "subnet-3asdasdads"
          ],
          "securityGroups": [
            "sg-asdasd"
          ],
          "assignPublicIp": "ENABLED"
        }
      }
    }
  }
}

Tips: - Key names are case-sensitive:

networkConfiguration

,

awsvpcConfiguration

,

subnets

,

securityGroups

,

assignPublicIp

. - Put this under the work pool’s Base job template (Edit pool → Base job template). If you’ve customized the template a lot, you can “Reset to default” then add just the

run_task_kwargs

block above. - After saving, run another flow and check the ECS task’s ENI details in the console; you should see your SG attached there. If it still doesn’t attach SGs: - Confirm you’re editing the pool’s Base job template (not just passing runtime parameters elsewhere). - Make sure your task definition uses

awsvpc

network mode (required for Fargate). - Update to the latest

prefect-aws

worker version in your worker environment. - Enable debug logs on the worker to confirm what it’s sending to ECS; you should see a log line with the

run_task_kwargs

used. Docs for reference: Prefect AWS ECS guide If you’d like, paste your pool’s current Base job template here (sanitized) and I’ll pinpoint exactly where to place the config.