aws / containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
https://aws.amazon.com/about-aws/whats-new/containers/

[ECR] [request]: PrivateLink - Integration with Amazon S3 *interface* endpoint #1691

Open mayk0gan opened 2 years ago

mayk0gan commented 2 years ago

Community Note

Tell us about your request
As known, ECR also requires connectivity to S3 for pulling the docker images. If one creates a repository in us-east-1, for example, AWS will save the corresponding images in some bucket in the same region (us-east-1 in this example). The case becomes trickier when it comes to using ECR's PrivateLink endpoint (specifically, in cross-region orchestration).

AWS posted a while ago this article, which somewhat appears as not found in the last few weeks. However, following this guide we can create cross-regional orchestrations which involve many AWS services - even communicating with an S3 bucket in another region using an S3 VPC Interface endpoint (and not a gateway).

The problem is that ECR works solely with the S3 VPC Gateway endpoint and not the interface endpoint, which doesn't allow cross-region communication (using VPC peering / transit gateways). So my request is as follows: integrate the ECR endpoint with an optional S3 VPC endpoint (instead of, or in addition to, the VPC gateway), which would allow the case from above (and many more) - as it wouldn't be bound to only intra-regional communication (as in most available services).

Which service(s) is this request for?
ECR, PrivateLink, S3 Interface Endpoint

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Described above. We run in every AWS region, and need to pull various docker containers (potentially 100+) on a daily basis. Without the requested integration, it would make us replicate all of our docker containers (thousands) across all regions - which is costly, harder to maintain and, personally, I believe that it's really unneeded - as it makes the AWS ECR endpoint much less powerful than what it could be. This would allow us to maintain a single registry in a single region, and pull images from multiple regions - which would simplify it as described above.

Are you currently working around this issue?
I tried to find a workaround, but still didn't find one.

rpadovani commented 2 years ago

I subscribe to this. The S3 gateway forces us to open our network ACLs to countless public IP addresses (and then to update them, since they change and there is no native way to keep the ACLs up to date).

With an interface, I can have very strict network ACLs to be sure our traffic doesn't leave the VPC.
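
The ACL-maintenance problem described in the comment above can at least be detected automatically. This added example (not from the thread, and not AWS code) reads a document in the schema of the published ip-ranges.json, extracts the S3 prefixes for one region and diffs them against the CIDRs a network ACL currently allows toward the S3 gateway endpoint. The ip-ranges excerpt and the NACL entries are constructed samples using RFC 5737 documentation ranges; fetching the real file from https://ip-ranges.amazonaws.com/ip-ranges.json is left to the caller.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json;
# the prefixes are RFC 5737 documentation ranges, not real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/26", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2"},
        {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
})

# Constructed: egress CIDRs the NACL currently allows toward S3. One published us-east-1
# range is missing, and one us-west-2 range is allowed although it is not needed here.
CURRENT_NACL_CIDRS = ["192.0.2.0/25", "198.51.100.0/24", "203.0.113.128/25"]


def s3_cidrs_for_region(ip_ranges_json: str, region: str) -> set[str]:
    """S3 IPv4 prefixes AWS publishes for `region`, normalised through ipaddress."""
    doc = json.loads(ip_ranges_json)
    cidrs = set()
    for entry in doc["prefixes"]:
        # The same prefix also appears under the umbrella "AMAZON" service; keep S3 only.
        if entry["service"] == "S3" and entry["region"] == region:
            # strict=True rejects prefixes with host bits set instead of silently widening them.
            cidrs.add(str(ipaddress.ip_network(entry["ip_prefix"], strict=True)))
    return cidrs


def nacl_drift(ip_ranges_json: str, region: str, allowed: list[str]) -> dict[str, list[str]]:
    """Diff published S3 ranges against the NACL: 'missing' ranges would block pulls
    through the gateway endpoint, 'stale' ranges permit egress AWS no longer lists for S3."""
    published = s3_cidrs_for_region(ip_ranges_json, region)
    current = {str(ipaddress.ip_network(c, strict=True)) for c in allowed}
    return {
        "missing": sorted(published - current, key=ipaddress.ip_network),
        "stale": sorted(current - published, key=ipaddress.ip_network),
    }


if __name__ == "__main__":
    print(nacl_drift(SAMPLE_IP_RANGES, "us-east-1", CURRENT_NACL_CIDRS))
```

Run against the real file on a schedule and alert on a non-empty result; the "missing" list is what breaks image pulls, the "stale" list is the over-permissive egress rpadovani wants to avoid.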

hachemguetif commented 4 months ago

The S3 interface endpoint supports private DNS with AWS PrivateLink [1].

[1] https://aws.amazon.com/blogs/storage/introducing-private-dns-support-for-amazon-s3-with-aws-privatelink/