I am finding it so difficult to confirm whether it is possible to use the docker commands, like docker login, pointing at a VPC endpoint instead of the typical <aws_account_id>.dkr.ecr..amazonaws.com URI.
Can anyone help me clarify whether it is possible to use the VPC endpoint, or whether it must be a communication done through the public domain name?
Thanks on behalf!
When you add an endpoint, and if your VPC has DNS enabled, the typical/public amazonaws.com service name will actually resolve to the ECR gateway private IP from your VPC. If you want to avoid routing through the public internet you will probably also need other endpoints like ECS, but yes, it can work.
When using an Interface type VPC endpoint...
You can use Route 53 to configure split-horizon DNS, where you use the same domain name for both a public website and an endpoint service powered by AWS PrivateLink. DNS requests for the public hostname from the consumer VPC resolve to the private IP addresses of the endpoint network interfaces, but requests from outside the VPC continue to resolve to the public endpoints.
(Taken from PrivateLink AWS docs)
Updated following comment:
The DNS name <aws_account_id>.dkr.ecr.amazonaws.com will resolve to a private IP in your VPC (i.e. the endpoint), but only from inside your VPC. DNS lookups over the internet will resolve that same name to the public IPs. This is split-horizon DNS.
You can test it by:
Refer to the docs, as there are prerequisites for this to work, but there are no separate public/private DNS hostnames, just public/private IPs.
Updated following comment:
So, if I wanted to, would I be able to launch the docker login command against the VPC endpoint? That was my question. I know how the URI works, but not at all what the docker login command argument is referencing, or whether it is used as an identifier for getting the account id.
"I would be able to launch the docker login command against the vpc endpoint" - then use the VPC with the endpoint. You're passing the docker executable a DNS name ....amazonaws.com, and the docker exe will use the operating system DNS resolver to convert that DNS name into an IP. Inside your VPC with the endpoint, that name will resolve to the endpoint IP.
"...identifier for getting the account id" - That URL is your private container registry. The docker login docs describe the web service and local files involved. The registry is (very basically) a web service with a file store behind it for your images. You need to use the AWS API to fetch the credentials to authenticate before you can pull from/push to your registry.
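An added example (not from the answer above, nor AWS or Docker code) that checks the split-horizon behaviour the answer describes before logging in: it resolves the registry name with the OS resolver, verifies the result is a private (RFC 1918) address, and only then runs the login. The account id 123456789012 and region us-east-1 are placeholders; it assumes a Linux host with getent, AWS CLI v2 and docker on the PATH.

```shell
#!/bin/sh
# Added example, not from the answer above: verify the split-horizon DNS
# behaviour before logging in. Placeholders: account id 123456789012 and
# region us-east-1. Assumes a Linux host (getent), AWS CLI v2 and docker.

# Return 0 if the IPv4 address in $1 is RFC 1918 private (10/8, 172.16/12, 192.168/16).
is_private_ip() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      second=$(printf '%s' "$1" | cut -d. -f2)
      [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] && return 0
      ;;
  esac
  return 1
}

# Extract the region from a <account>.dkr.ecr.<region>.amazonaws.com registry name.
region_from_registry() {
  r="${1#*.dkr.ecr.}"
  printf '%s\n' "${r%.amazonaws.com}"
}

# Resolve with the OS resolver (the same one docker uses) and print the first A record.
resolve_first_ipv4() {
  getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# Inside a VPC with the ecr.dkr interface endpoint and private DNS enabled,
# the public name resolves to the endpoint ENI; elsewhere it resolves publicly.
check_registry_dns() {
  ip=$(resolve_first_ipv4 "$1")
  if [ -z "$ip" ]; then
    echo "could not resolve $1" >&2; return 2
  fi
  if is_private_ip "$ip"; then
    echo "$1 -> $ip (private: endpoint in effect, traffic stays in the VPC)"; return 0
  fi
  echo "$1 -> $ip (public: this resolver is not using the endpoint)" >&2; return 1
}
main() {
  registry="${1:-123456789012.dkr.ecr.us-east-1.amazonaws.com}"   # placeholder
  check_registry_dns "$registry" || exit 1
  # The token comes from the ECR API (ecr.api endpoint, separate from ecr.dkr);
  # the registry name only decides where docker sends the authenticated requests.
  aws ecr get-login-password --region "$(region_from_registry "$registry")" \
    | docker login --username AWS --password-stdin "$registry"
}
if [ "$#" -gt 0 ]; then main "$@"; fi  # run only when given a registry argument
```

Pulling image layers also goes to S3, so a gateway endpoint for S3 is needed as well if the VPC has no internet route.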