Amazon Extends AWS PrivateLink Support For ECR and ECS Services

Recently, Amazon announced AWS PrivateLink support for Elastic Container Service (ECS) and Elastic Container Registry (ECR). This enables you to create endpoints for ECS and ECR that appear as elastic network interfaces with a private IP address within your VPC.

Amazon has announced its AWS PrivateLink support for its Elastic Container Service (ECS) and Elastic Container Registry (ECR). With AWS PrivateLink support, customers will be able to create endpoints for ECS and ECR that appear as elastic network interfaces with a private IP address within their VPC - Virtual Private Cloud.
 
According to the company, AWS PrivateLink is a networking technology designed to provide access to AWS services in a highly scalable and available way while keeping all the network traffic within the AWS network. Before this technology, Amazon EC2 instances had to route traffic via the public internet to download Docker images stored in ECR or to communicate with the ECS control plane.
 
With PrivateLink support, EC2 instances can privately obtain these images from Amazon ECR from both private and public subnets. The instances can also communicate with the ECS control plane via AWS PrivateLink endpoints, eliminating the need for an internet gateway or NAT gateway. Moreover, because the traffic never traverses the internet, exposure to threats such as distributed denial-of-service and brute-force attacks is also minimized.
 
[Figure: AWS PrivateLink Support for Its ECR and ECS Services. Source: Amazon]
 
The networking architecture with AWS PrivateLink is considerably simpler. "It enables enhanced security by allowing you to deny your private EC2 instances access to anything other than these AWS services. That’s assuming that you want to block all other outbound internet access for those instances," wrote the company.
 
To implement this network architecture, you will need to create some AWS PrivateLink resources:
  • AWS PrivateLink endpoints for ECR - allowing instances in your VPC to communicate with ECR to download image manifests.
  • Gateway VPC endpoint for Amazon S3 - allowing instances to download the image layers from the underlying private Amazon S3 buckets that host them.
  • AWS PrivateLink endpoints for ECS - allowing instances to communicate with the telemetry and agent services in the ECS control plane.
To learn more, you can visit the official announcement here.
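As an added example (not code from Amazon's announcement), the following Python sketch plans the endpoint set listed above and reports which endpoints are still missing before you deny the instances all other outbound internet access. The com.amazonaws.<region>.<service> endpoint names, the security group allowing inbound TCP 443 from the VPC, and the boto3 call in apply() are assumptions of this example.

```python
# Plan and audit the VPC endpoints that let ECS instances reach ECR and the ECS
# control plane over AWS PrivateLink with no internet or NAT gateway.
# Assumptions: standard com.amazonaws.<region>.<service> endpoint names, and a
# security group (sg_id) that allows inbound TCP 443 from the VPC CIDR.

# Interface endpoints: elastic network interfaces with private IPs in your subnets.
INTERFACE_SERVICES = (
    "ecr.api",        # ECR API: auth tokens and image manifests
    "ecr.dkr",        # Docker registry API used by `docker pull`
    "ecs-agent",      # ECS agent <-> control plane
    "ecs-telemetry",  # ECS agent metrics
    "ecs",            # ECS API calls made from inside the VPC (optional for pulls)
)
# Gateway endpoint: image layers are served from S3, so pulls need a route to S3 too.
GATEWAY_SERVICES = ("s3",)

def service_name(region, svc):
    return f"com.amazonaws.{region}.{svc}"

def plan_endpoints(region, vpc_id, subnet_ids, sg_id, route_table_ids):
    """Return the create_vpc_endpoint parameter sets needed for private image pulls."""
    plans = []
    for svc in INTERFACE_SERVICES:
        plans.append({
            "VpcId": vpc_id,
            "ServiceName": service_name(region, svc),
            "VpcEndpointType": "Interface",
            "SubnetIds": list(subnet_ids),
            "SecurityGroupIds": [sg_id],
            # Private DNS makes the public hostnames resolve to the endpoint ENIs,
            # so neither the docker client nor the ECS agent needs reconfiguring.
            "PrivateDnsEnabled": True,
        })
    for svc in GATEWAY_SERVICES:
        plans.append({
            "VpcId": vpc_id,
            "ServiceName": service_name(region, svc),
            "VpcEndpointType": "Gateway",
            "RouteTableIds": list(route_table_ids),
        })
    return plans

def missing_endpoints(region, existing_service_names):
    """Services still lacking an endpoint; create these before removing NAT/internet egress."""
    required = {service_name(region, s) for s in INTERFACE_SERVICES + GATEWAY_SERVICES}
    return sorted(required - set(existing_service_names))

def apply(plans, region):
    """Create the planned endpoints with boto3 (needs AWS credentials; assumed API)."""
    import boto3  # imported here so planning and auditing run offline
    ec2 = boto3.client("ec2", region_name=region)
    return [ec2.create_vpc_endpoint(**p)["VpcEndpoint"]["VpcEndpointId"] for p in plans]
```

Feed missing_endpoints() the ServiceName values from describe_vpc_endpoints for the VPC; an empty result means image pulls and agent traffic no longer depend on an internet or NAT gateway.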