Security group egress rule to only permit ECR requests

Question

When using ECR to store container images for use with ECS, the EC2 instance (or Fargate service) must have a security group that permits access (over the public internet) to the account-specific repository URI.

Many organisations have strict IP whitelisting rules, which generally doesn't permit enabling outbound port 443 for all IPs.

There's no VPC endpoint interface/gateway available for ECR, and presumably like most AWS services, its IP address is elastic and could change at any point.

So how an you add an egress rule to a security group that permits outbound access over port 443 to an ECR URI, without opening it up to all IP addresses?

Answer 1

Although the IP address of the endpoint could change, it would only change to another IP address in a fairly large CIDR block. Amazon publish all of their IP address ranges in a .json file obtainable here:

https://aws.amazon.com/blogs/aws/aws-ip-ranges-json/

You could narrow it down to the IP address range for the EC2 and AMAZON services in the region which you deploy to. Albeit the range is fairly large.