Security group egress rule to only permit ECR requests











When using ECR to store container images for use with ECS, the EC2 instance (or Fargate service) must have a security group that permits access (over the public internet) to the account-specific repository URI.



Many organisations have strict IP whitelisting rules, which generally don't permit enabling outbound port 443 for all IPs.



There's no VPC endpoint interface/gateway available for ECR, and presumably like most AWS services, its IP address is elastic and could change at any point.



So how can you add an egress rule to a security group that permits outbound access over port 443 to an ECR URI, without opening it up to all IP addresses?










      amazon-web-services amazon-ec2 amazon-ecs amazon-vpc amazon-ecr






      edited Nov 7 at 14:31

























      asked Nov 7 at 13:53









      Adam

          1 Answer
          accepted










          Although the IP address of the endpoint could change, it would only change to another IP address in a fairly large CIDR block. Amazon publish all of their IP address ranges in a .json file obtainable here:



          https://aws.amazon.com/blogs/aws/aws-ip-ranges-json/



You could narrow it down to the IP address range for the EC2 and AMAZON services in the region which you deploy to, albeit the range is fairly large.






          • Thank you! I'm going to write a lambda that will periodically update the SG on the fly based on those ranges. Not perfect, but it's better than completely opening up the port.
            – Adam
            Nov 9 at 8:56
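The periodic-update approach Adam describes, as an added example that is not code from the question or the answer: it parses a constructed sample in the shape of AWS's ip-ranges.json, keeps only the AMAZON and EC2 prefixes for one region as the answer suggests, collapses overlapping prefixes, diffs the result against the security group's current CIDRs, and builds the `IpPermissions` payload that boto3's `authorize_security_group_egress` / `revoke_security_group_egress` accept. The boto3 call itself is left out so the block runs offline, and the 60-rule per-group quota is an assumption to check against your account's limits.

```python
import json
import ipaddress

# Constructed sample in the shape of AWS ip-ranges.json (not real AWS data).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0", "createDate": "2018-11-07-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
})

# Assumed default quota for rules per security group; verify in your account.
MAX_RULES_PER_GROUP = 60


def egress_cidrs(ip_ranges_json, region, services=("AMAZON", "EC2")):
    """Return the collapsed, sorted IPv4 CIDRs published for region/services."""
    data = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"]
            if p["region"] == region and p["service"] in services]
    # EC2 prefixes sit inside AMAZON prefixes; collapsing removes the duplicates
    # so each rule slot in the security group is spent on a distinct range.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def plan_changes(current_cidrs, desired_cidrs):
    """Split into CIDRs to authorize and CIDRs to revoke so only desired remain."""
    current, desired = set(current_cidrs), set(desired_cidrs)
    return sorted(desired - current), sorted(current - desired)


def https_permission(cidrs, description):
    """Build one IpPermissions entry (TCP/443) for the EC2 egress API calls."""
    if len(cidrs) > MAX_RULES_PER_GROUP:
        raise ValueError(f"{len(cidrs)} CIDRs exceed the {MAX_RULES_PER_GROUP}-rule quota")
    return {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": c, "Description": description} for c in cidrs]}


if __name__ == "__main__":
    desired = egress_cidrs(SAMPLE_IP_RANGES, "eu-west-1")
    add, drop = plan_changes(["192.0.2.0/24"], desired)
    print("authorize:", https_permission(add, "ECR egress from ip-ranges.json"))
    print("revoke:", https_permission(drop, "stale range"))
```

In a Lambda the `current_cidrs` input would come from `describe_security_groups` and the two payloads would be passed to `authorize_security_group_egress` and `revoke_security_group_egress` respectively; the function keeps the security group rule set equal to the published ranges rather than only appending to it.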










