7

When using ECR to store container images for use with ECS, the EC2 instance (or Fargate service) must have a security group that permits access (over the public internet) to the account-specific repository URI.

Many organisations have strict IP whitelisting rules, which generally don't permit enabling outbound port 443 for all IPs.

There's no VPC endpoint interface/gateway available for ECR, and presumably like most AWS services, its IP address is elastic and could change at any point.

So how can you add an egress rule to a security group that permits outbound access over port 443 to an ECR URI, without opening it up to all IP addresses?

Adam

3 Answers

2

Although the IP address of the endpoint could change, it would only change to another IP address in a fairly large CIDR block. Amazon publish all of their IP address ranges in a .json file obtainable here:

https://aws.amazon.com/blogs/aws/aws-ip-ranges-json/

You could narrow it down to the IP address range for the EC2 and AMAZON services in the region which you deploy to, albeit the range is fairly large.

d1ll1nger
  • Thank you! I'm going to write a lambda that will periodically update the SG on the fly based on those ranges. Not perfect, but it's better than completely opening up the port. – Adam Nov 09 '18 at 08:56
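The comment above describes a Lambda that refreshes the security group from the published ranges. The core of that job, as an added example that is not code from the answer or from AWS (the JSON below is a constructed, abbreviated stand-in with the same schema as ip-ranges.json; the region, the AMAZON/EC2 service filter and the list of existing rules are assumptions):

```python
import ipaddress
import json

# Constructed, abbreviated stand-in for the real ip-ranges.json. Same schema,
# made-up prefixes (documentation ranges), so the logic runs offline.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2018-11-09-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
})


def wanted_cidrs(ip_ranges_json, region, services=("AMAZON", "EC2")):
    """Return the sorted, de-overlapped IPv4 CIDRs for the given region and services."""
    data = json.loads(ip_ranges_json)
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["region"] == region and p["service"] in services
    ]
    # The AMAZON entries are a superset that also covers the EC2 ranges, so
    # collapse overlapping prefixes: fewer rules, and security groups have a
    # per-group rule quota that a raw list can exceed.
    return sorted(str(n) for n in ipaddress.collapse_addresses(nets))


def egress_diff(current_cidrs, desired_cidrs):
    """Return (to_add, to_revoke) for the 443/tcp egress rules of one security group."""
    current, desired = set(current_cidrs), set(desired_cidrs)
    return sorted(desired - current), sorted(current - desired)


# In the Lambda (assumed wiring, not shown): fetch
# https://ip-ranges.amazonaws.com/ip-ranges.json, read the group's current
# 443/tcp egress CIDRs, then pass the two lists from egress_diff() to
# boto3's authorize_security_group_egress / revoke_security_group_egress.
```

Checking the `syncToken` against the last run before touching the group avoids rewriting rules when the file has not changed.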
1

You can use AWS PrivateLink to achieve this; see Amazon ECR interface VPC endpoints (AWS PrivateLink).

ArVID220u
-5

Open DNS (UDP) 53 for 0.0.0.0/0 and HTTPS 443 for 0.0.0.0/0

Vadim Kovrizhkin
  • Thank you, but that would open all traffic on ports 53 and 443, which is against our security policy. – Adam Mar 11 '19 at 23:10
  • I would suggest following the "least privilege" principle, e.g. don't open your component worldwide; open it to the known components only. – Arthur Gurov Apr 08 '20 at 17:08