Security group egress rule to only permit ECR requests

When using ECR to store container images for use with ECS, the EC2 instance (or Fargate service) must have a security group that permits access (over the public internet) to the account-specific repository URI.

Many organisations have strict IP whitelisting rules, which generally don't permit enabling outbound port 443 for all IPs.

There's no VPC endpoint interface/gateway available for ECR, and presumably like most AWS services, its IP address is elastic and could change at any point.

So how can you add an egress rule to a security group that permits outbound access over port 443 to an ECR URI, without opening it up to all IP addresses?



Solution 1:[1]

You can use AWS PrivateLink to achieve this; see Amazon ECR interface VPC endpoints (AWS PrivateLink).
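As an added illustration (not part of the original answer), here is what the PrivateLink approach looks like in Terraform: interface endpoints for `ecr.api` and `ecr.dkr`, the S3 gateway endpoint ECR needs for layer blobs, and a task security group whose only egress targets are the endpoint security group and the S3 prefix list rather than any public IP range. The region, VPC, subnet and route table ids are placeholder assumptions.

```hcl
# Added example (not from the original post). Region, VPC, subnet and route table ids are placeholders.
variable "region"          { default = "eu-west-1" }
variable "vpc_id"          { default = "vpc-PLACEHOLDER" }
variable "subnet_ids"      { default = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"] }
variable "route_table_ids" { default = ["rtb-PLACEHOLDER"] }
# Security group attached to the endpoint network interfaces.
resource "aws_security_group" "ecr_endpoints" {
  vpc_id = var.vpc_id
}
# Image layers are served from S3, so a gateway endpoint is required too.
resource "aws_vpc_endpoint" "s3" {
  vpc_id          = var.vpc_id
  service_name    = "com.amazonaws.${var.region}.s3"
  route_table_ids = var.route_table_ids
}
# ECS instance / task security group: no 0.0.0.0/0 egress anywhere.
resource "aws_security_group" "ecs_tasks" {
  vpc_id = var.vpc_id
  egress { # ECR API and registry, reachable only through the endpoint ENIs
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.ecr_endpoints.id]
  }
  egress { # S3 gateway endpoint, via its AWS-managed prefix list
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [aws_vpc_endpoint.s3.prefix_list_id]
  }
}
# Endpoint ENIs accept 443 only from the task group (a separate rule resource avoids a cycle).
resource "aws_security_group_rule" "endpoints_in_from_tasks" {
  type                     = "ingress"
  security_group_id        = aws_security_group.ecr_endpoints.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ecs_tasks.id
}
# ecr.api (auth token, metadata) and ecr.dkr (image pulls) interface endpoints.
resource "aws_vpc_endpoint" "ecr" {
  for_each            = toset(["ecr.api", "ecr.dkr"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.ecr_endpoints.id]
  private_dns_enabled = true # repo URI *.dkr.ecr.<region>.amazonaws.com resolves to the ENIs
}
```

With private DNS enabled the existing account-specific repository URI keeps resolving, now to addresses inside the VPC, so the task definition needs no change. Fargate tasks that ship logs to CloudWatch will additionally need a `logs` interface endpoint, since the task group above has no public egress at all.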

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: ArVID220u