In a recent blog post, Amazon announced AWS PrivateLink support for its Elastic Container Service (ECS) and Elastic Container Registry (ECR). With AWS PrivateLink support, customers can create endpoints for ECS and ECR that appear as elastic network interfaces with a private IP address within their Virtual Private Cloud (VPC).
AWS PrivateLink is a networking technology intended to provide access to AWS services in a highly scalable and available way while keeping all network traffic within the AWS network. Without it, Amazon EC2 instances have to route traffic via the public internet to download Docker images stored in ECR or to communicate with the ECS control plane.
With PrivateLink support, Amazon EC2 instances in both private and public subnets can obtain these images from Amazon ECR privately. The instances can also communicate with the ECS control plane via AWS PrivateLink endpoints, removing the need for an internet gateway or NAT gateway. Finally, because the traffic never traverses the internet, exposure to threats such as distributed denial-of-service and brute-force attacks is minimized.
In the blog post, Nathan Peck, developer for container services at AWS, stated that the networking architecture with AWS PrivateLink becomes considerably more straightforward. Furthermore, he wrote:
> It enables enhanced security by allowing you to deny your private EC2 instances access to anything other than these AWS services. That’s assuming that you want to block all other outbound internet access for those instances.
To implement this network architecture, customers will need to create several AWS PrivateLink resources:
- AWS PrivateLink endpoints for ECR - allowing instances in your VPC to communicate with ECR to download image manifests.
- Gateway VPC endpoint for Amazon S3 - allowing instances to download the image layers from the underlying private Amazon S3 buckets that host them.
- AWS PrivateLink endpoints for ECS - allowing instances to communicate with the telemetry and agent services in the ECS control plane.
Source: https://aws.amazon.com/blogs/compute/setting-up-aws-privatelink-for-amazon-ecs-and-amazon-ecr/
Typically, an AWS PrivateLink interface endpoint for ECR is created through the endpoint creation wizard in the VPC console. ECR itself requires two interface endpoints:
- com.amazonaws.region.ecr.api
- com.amazonaws.region.ecr.dkr
As explained in the blog post, a user creates each of these endpoints through a series of steps:
- Selecting AWS Services and an endpoint
- Specifying the VPC and subnets to which the AWS PrivateLink interface should be added
- Enabling a Private DNS Name, which is required for the endpoint
- Defining a security group for the interface itself
- Creating the endpoint
Source: https://aws.amazon.com/blogs/compute/setting-up-aws-privatelink-for-amazon-ecs-and-amazon-ecr/
Next, in addition to the ECR endpoints, users also need to create a gateway VPC endpoint for S3, where ECR stores the Docker image layers. Users can add the S3 gateway endpoint by selecting "com.amazonaws.region.s3" in the list of AWS services and choosing the VPC that hosts the ECS cluster. Lastly, users create the AWS PrivateLink endpoints for ECS by creating three interface endpoints in the same way as for ECR. These endpoints are:
- com.amazonaws.region.ecs-agent
- com.amazonaws.region.ecs-telemetry
- com.amazonaws.region.ecs
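The same set of resources expressed as infrastructure-as-code, as an added Terraform example that is not part of the AWS blog post: the five interface endpoints (two for ECR, three for ECS) with private DNS enabled and a security group that only admits HTTPS from inside the VPC, plus the S3 gateway endpoint. The variable names, the default region and the assumption that the endpoints attach to existing private subnets and route tables are the example's own.

```hcl
# Added example, not from the AWS blog post. Inputs are assumed to be supplied
# by the caller (existing VPC, its CIDR, private subnets and their route tables).
variable "vpc_id"             { type = string }
variable "vpc_cidr"           { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "route_table_ids"    { type = list(string) }
variable "region" {
  type    = string
  default = "us-east-1" # assumption; the article writes the service names with a generic "region"
}

locals {
  # The five interface endpoints the article lists: two for ECR, three for ECS.
  interface_services = toset(["ecr.api", "ecr.dkr", "ecs-agent", "ecs-telemetry", "ecs"])
}

# Security group for the endpoint network interfaces themselves: the ECS
# instances only need to reach them over HTTPS, so nothing else is admitted.
resource "aws_security_group" "privatelink_endpoints" {
  name        = "privatelink-ecs-ecr"
  description = "HTTPS from inside the VPC to the ECS/ECR endpoint ENIs"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

# One interface endpoint per service, placed in the private subnets.
resource "aws_vpc_endpoint" "interface" {
  for_each            = local.interface_services
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.privatelink_endpoints.id]
  private_dns_enabled = true # required: the regular ECR/ECS hostnames must resolve to the endpoint ENIs
}

# Gateway endpoint for S3, where ECR stores the image layers. Gateway endpoints
# are attached to route tables rather than subnets.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.route_table_ids
}
```

With these in place the ECS instances' own security group can drop its outbound internet rules, which is the lock-down Nathan Peck describes above.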
With these AWS PrivateLink resources, all container orchestration traffic stays inside the VPC, and the instances in the ECS cluster can communicate directly with the ECS control plane. Furthermore, the instances can download Docker images directly without making any connections outside the VPC through an internet gateway or NAT gateway. According to a Reddit post answering a question about Amazon ECR and PrivateLink, the latter also saves costs:
> 6-7TB through a NAT Gateway would be ~32.85/mo for connecting hours, plus $270 for data transfer ($0.045/GB processed, assuming ECR in the same region). PrivateLink would be 1/4 that. $7.30/mo for connecting hours and $60-70 for 6-7TB processed.
For more pricing details on AWS PrivateLink, see the pricing page.