Security group egress rule to only permit ECR requests

When using ECR to store container images for use with ECS, the EC2 instance (or Fargate service) must have a security group that permits access (over the public internet) to the account-specific repository URI.

Many organisations have strict IP whitelisting rules, which generally don't permit enabling outbound port 443 for all IPs.

There's no VPC endpoint interface/gateway available for ECR, and presumably like most AWS services, its IP address is elastic and could change at any point.

So how can you add an egress rule to a security group that permits outbound access over port 443 to an ECR URI, without opening it up to all IP addresses?

Adam Avatar asked Nov 27 '22 00:11


1 Answer

Although the IP address of the endpoint could change, it would only change to another IP address in a fairly large CIDR block. Amazon publish all of their IP address ranges in a .json file obtainable here:

https://aws.amazon.com/blogs/aws/aws-ip-ranges-json/

You could narrow it down to the IP address range for the EC2 and AMAZON services in the region which you deploy to. Albeit the range is fairly large.

d1ll1nger Avatar answered Dec 06 '22 04:12

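An added example, not part of the answer above, of narrowing the published ranges the way the answer describes: it filters ip-ranges.json by region and by the AMAZON and EC2 service tags, collapses overlapping blocks so the rule stays small, and shapes the result as a TCP/443 egress rule. The download URL and the boto3-style IpPermissions layout are assumptions; the embedded JSON is a constructed sample in the file's shape, not real AWS data.

```python
import ipaddress
import json
from urllib.request import urlopen

# Assumed location of the published file (the blog post in the answer links to it).
IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the shape of ip-ranges.json; the prefixes are documentation
# ranges (RFC 5737), not real AWS addresses.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2022-11-27-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [],
})


def load_published_ranges(url=IP_RANGES_URL):
    """Fetch the live file. Re-run whenever its syncToken changes: the ranges move."""
    with urlopen(url) as resp:  # network call; only used when you want live data
        return resp.read().decode("utf-8")


def egress_cidrs(ip_ranges_json, region, services=("AMAZON", "EC2")):
    """IPv4 CIDRs published for the given services in one region, overlaps collapsed.

    ECR endpoints are not tagged separately in the file, which is why the answer
    falls back to the (large) AMAZON and EC2 ranges of the deployment region.
    """
    data = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"]
            if p["region"] == region and p["service"] in services]
    # collapse_addresses merges nested/adjacent blocks (e.g. a /25 inside a /24),
    # which keeps the security group rule count down; the result is sorted.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def egress_rule(ip_ranges_json, region, port=443):
    """Shape the CIDRs as one IpPermissions entry (boto3 authorize_security_group_egress)."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": f"AWS {region} AMAZON/EC2 ranges"}
                     for c in egress_cidrs(ip_ranges_json, region)],
    }
```

Note that the collapsed list is still far wider than ECR alone, so review the rule count against the security group limits of your account before applying it.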