Security group egress rule to only permit ECR requests
When using ECR to store container images for use with ECS, the EC2 instance (or Fargate service) must have a security group that permits access (over the public internet) to the account-specific repository URI.
Many organisations have strict IP whitelisting rules, which generally don't permit enabling outbound port 443 for all IPs.
There's no VPC endpoint interface/gateway available for ECR, and presumably, like most AWS services, its IP address is elastic and could change at any point.
So how can you add an egress rule to a security group that permits outbound access over port 443 to an ECR URI, without opening it up to all IP addresses?
amazon-web-services amazon-ec2 amazon-ecs amazon-vpc amazon-ecr
edited Nov 7 at 14:31
asked Nov 7 at 13:53
Adam
1 Answer
accepted
Although the IP address of the endpoint could change, it would only change to another IP address in a fairly large CIDR block. Amazon publishes all of their IP address ranges in a .json file obtainable here:
https://aws.amazon.com/blogs/aws/aws-ip-ranges-json/
You could narrow it down to the IP address range for the EC2 and AMAZON services in the region which you deploy to, albeit the range is fairly large.
answered Nov 7 at 14:53
d1ll1nger
Thank you! I'm going to write a lambda that will periodically update the SG on the fly based on those ranges. Not perfect, but it's better than completely opening up the port.
– Adam
Nov 9 at 8:56
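As an added example (not the answerer's code and not the asker's Lambda), the following shows the mechanics such a periodic updater needs: filtering the published ranges file by region and service, collapsing overlapping prefixes so fewer rules are needed, diffing against what the security group currently allows, and flagging when the result would exceed the per-group rule quota. The ranges file layout matches the real ip-ranges.json, but the prefixes below are a constructed sample, and the 60-rule limit is the default quota, which may differ in a given account.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (the real file has thousands of entries; these prefixes are made up for the demo).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2018-11-07-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.94.0.0/22", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.94.0.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "54.240.192.0/22", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "3.5.140.0/22", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "52.119.0.0/20", "region": "eu-west-1", "service": "S3"},
    ],
})

def select_prefixes(ip_ranges_json, region, services=("AMAZON", "EC2")):
    """Return collapsed IPv4 CIDRs for the given region and services.

    Overlapping entries (EC2 ranges are usually a subset of AMAZON) are merged,
    which keeps the number of security-group rules down.
    """
    doc = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"]
            if p["region"] == region and p["service"] in services]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def plan_egress_update(current_cidrs, desired_cidrs, max_rules=60):
    """Diff the SG's current 443/tcp egress CIDRs against the desired set.

    Returns (to_authorize, to_revoke). max_rules mirrors the default per-SG
    rule quota (assumed 60); exceeding it is caught before any API call.
    """
    current, desired = set(current_cidrs), set(desired_cidrs)
    if len(desired) > max_rules:
        raise ValueError(f"{len(desired)} rules exceed SG limit of {max_rules}")
    return sorted(desired - current), sorted(current - desired)

def ip_permissions(cidrs, description="ECR via AWS published ranges"):
    """Shape accepted by boto3 authorize/revoke_security_group_egress."""
    return [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": c, "Description": description} for c in cidrs]}]

if __name__ == "__main__":
    desired = select_prefixes(SAMPLE_IP_RANGES, "eu-west-1")
    add, drop = plan_egress_update(["0.0.0.0/0"], desired)  # replace the open rule
    print("authorize:", ip_permissions(add))
    print("revoke:", ip_permissions(drop))
```

In a scheduled run you would fetch the live file, compare its syncToken with the last one applied, and only call the EC2 API when the plan is non-empty.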