New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ECR PrivateLink Support #1

Closed
abby-fuller opened this Issue Nov 28, 2018 · 20 comments

Comments

10 participants
@abby-fuller
Copy link
Contributor

abby-fuller commented Nov 28, 2018

Provide customers with private endpoint access to their Amazon ECR repositories.

@abby-fuller abby-fuller created this issue from a note in containers-roadmap (We're Working On It) Nov 28, 2018

@abby-fuller abby-fuller added the ECR label Nov 28, 2018

@abby-fuller abby-fuller changed the title Provide customers with private endpoint access to their Amazon ECR repositories. ECR PrivateLink Nov 28, 2018

@abby-fuller abby-fuller moved this from We're Working On It to Coming Soon in containers-roadmap Nov 28, 2018

@coultn

This comment has been minimized.

Copy link

coultn commented Dec 5, 2018

This should address or least mitigate the need for https://github.com/aws/amazon-ecs-agent/issues/1447.

@pauncejones pauncejones changed the title ECR PrivateLink ECR PrivateLink Support Dec 5, 2018

@copumpkin

This comment has been minimized.

Copy link

copumpkin commented Dec 11, 2018

As well as adding an enthusiastic vote for this, I'd like to vote for endpoint policies on the PrivateLink when it comes 😄 same with #20 and #22 of course

@jtoberon

This comment has been minimized.

Copy link

jtoberon commented Jan 25, 2019

As well as adding an enthusiastic vote for this, I'd like to vote for endpoint policies on the PrivateLink when it comes 😄 same with #20 and #22 of course

We decided to break out this feature in order to ship PrivateLink sooner: #132

@abby-fuller abby-fuller moved this from Coming Soon to Just Shipped in containers-roadmap Jan 25, 2019

@abby-fuller

This comment has been minimized.

Copy link
Contributor Author

abby-fuller commented Jan 25, 2019

shipped 1/25!

@jtoberon

This comment has been minimized.

Copy link

jtoberon commented Jan 26, 2019

We're reopening this because we need to clarify a few details: You need to upgrade to the latest ECS agent, 1.25.1. If you rely on the ECR credentials helper, you need to upgrade, too. Fargate support is not available yet, but will be available soon.

@jtoberon jtoberon reopened this Jan 26, 2019

@jtoberon jtoberon moved this from Just Shipped to Coming Soon in containers-roadmap Jan 26, 2019

@copumpkin

This comment has been minimized.

Copy link

copumpkin commented Jan 27, 2019

@jtoberon what goes wrong if you use it with Fargate? I just saw a blog post on the AWS blog about using them all together, so I'm a bit confused now.

@jtoberon

This comment has been minimized.

Copy link

jtoberon commented Jan 28, 2019

@copumpkin the blog refers to ECS in EC2 mode. Apologies for the confusion. Currently, if you use Fargate with ECR PrivateLink, then pulls will fail. When Fargate works for all Platform Versions, then we will close this issue.

@copumpkin

This comment has been minimized.

Copy link

copumpkin commented Jan 28, 2019

@angusfz

This comment has been minimized.

Copy link

angusfz commented Jan 28, 2019

Just try to use Fargate with ECR Privatelink but task start fail with error CannotPullContainerError: inactivity time exceeded timeout

@jtoberon

This comment has been minimized.

Copy link

jtoberon commented Jan 28, 2019

@angusfz

Just try to use Fargate with ECR Privatelink but task start fail with error CannotPullContainerError: inactivity time exceeded timeout

@angusfz Please see the information provided above: "Currently, if you use Fargate with ECR PrivateLink, then pulls will fail. When Fargate works for all Platform Versions, then we will close this issue."

@jtoberon

This comment has been minimized.

Copy link

jtoberon commented Feb 5, 2019

Yes, this is fully solved now.

@jtoberon jtoberon closed this Feb 5, 2019

@jtoberon jtoberon moved this from Coming Soon to Just Shipped in containers-roadmap Feb 5, 2019

@RyPeck

This comment has been minimized.

Copy link

RyPeck commented Feb 6, 2019

ECR FAQs should be updated to reflect this great new feature.

Q: Can I access Amazon ECR inside a VPC?
To use Amazon ECR within a VPC, your instances must be able to communicate with the Internet. You can do this with Amazon VPC NAT Gateway.
https://aws.amazon.com/ecr/faqs/

@jtoberon

This comment has been minimized.

Copy link

jtoberon commented Feb 6, 2019

ECR FAQs should be updated to reflect this great new feature.

Q: Can I access Amazon ECR inside a VPC?
To use Amazon ECR within a VPC, your instances must be able to communicate with the Internet. You can do this with Amazon VPC NAT Gateway.
https://aws.amazon.com/ecr/faqs/

Nice catch. Thank you!

@angusfz

This comment has been minimized.

Copy link

angusfz commented Feb 11, 2019

Yes, this is fully solved now.

@jtoberon Does this mean Fargate can work with PrivateLink ?

@jtoberon

This comment has been minimized.

Copy link

jtoberon commented Feb 11, 2019

Yes.

@ronkorving

This comment has been minimized.

Copy link

ronkorving commented Feb 12, 2019

@jtoberon
So why does https://aws.amazon.com/about-aws/whats-new/2019/01/aws-fargate--amazon-ecs--and-amazon-ecr-now-have-support-for-aws/ mention that @gilinachum linked to say AWS Fargate support for PrivateLink will be available soon.? I'm confused :)

@Sodki

This comment has been minimized.

Copy link

Sodki commented Feb 12, 2019

@ronkorving At the time it was going to come soon, but now it's here.

@ronkorving

This comment has been minimized.

Copy link

ronkorving commented Feb 12, 2019

Awesome, thanks! :) That was very soon then :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment