ECR Private endpoint doesn't speed up image pull


I tried to set up a VPC endpoint for ECR, to speed up my deployments on ECS. I have 3 endpoints:

  • com.amazonaws.us-east-2.s3 (Gateway)
  • com.amazonaws.us-east-2.ecr.dkr (Interface)
  • com.amazonaws.us-east-2.ecr.api (Interface)

When I pull my images from an EC2 instance in this VPC, here are the pull timers:

  • Time of the docker pull without private endpoint: real 2m15.751s
  • Time of the docker pull with the endpoints: real 2m12.833s

Isn't the private endpoint supposed to speed up the docker image pull from my private ECR?

A dig to the ECR registry shows that it indeed points to the internal network:

$ dig XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.13.1 <<>> XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2478
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. IN A

;; ANSWER SECTION:
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.34.215
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.41.209
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.38.246

;; Query time: 2 msec
;; SERVER: 10.24.0.2#53(10.24.0.2)
;; WHEN: Wed Aug 23 10:06:09 UTC 2023
;; MSG SIZE  rcvd: 121

The S3 endpoint policy is the following:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": [
				"arn:aws:s3:::prod-us-east-2-starport-layer-bucket/*",
				"arn:aws:s3:::amazonlinux.us-east-2.amazonaws.com/*",
				"arn:aws:s3:::amazonlinux-2-repos-us-east-2/*",
				"arn:aws:s3:::amazonlinux-2-repos-us-east-2.s3.dualstack/*"
			]
		},
		{
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "*"
		}
	]
}

Is there a reason why the download speed from ECR didn't change? Am I missing something?
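As an added check that is not part of the question or the answer: the S3 endpoint policy above contains a second statement that allows `s3:GetObject` on `Resource: "*"`, which makes the first, bucket-scoped statement (the ECR layer bucket and the Amazon Linux repos) redundant and lets anything in the VPC read any S3 bucket through the endpoint. The small linter below, written for this page and fed the policy from the question, flags Allow statements with a wildcard resource and lists the narrower statements they subsume; `hardened_policy()` is the same policy with that statement dropped.

```python
from fnmatch import fnmatchcase

# The S3 gateway-endpoint policy posted in the question, as a Python literal.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": ["arn:aws:s3:::prod-us-east-2-starport-layer-bucket/*",
                      "arn:aws:s3:::amazonlinux.us-east-2.amazonaws.com/*",
                      "arn:aws:s3:::amazonlinux-2-repos-us-east-2/*",
                      "arn:aws:s3:::amazonlinux-2-repos-us-east-2.s3.dualstack/*"]},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "*"},
    ],
}


def _as_list(value):
    # IAM allows a string or a list for Action and Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def _covers(patterns, actions):
    # True when every action is matched by some action pattern (e.g. "s3:*").
    return all(any(fnmatchcase(a, p) for p in patterns) for a in actions)


def wildcard_resource_findings(policy):
    """Return one finding per Allow statement whose Resource is "*", with the
    indexes of the narrower Allow statements whose actions it also grants."""
    stmts = policy["Statement"]
    findings = []
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        actions = _as_list(stmt.get("Action", []))
        subsumed = [j for j, other in enumerate(stmts)
                    if j != i and other.get("Effect") == "Allow"
                    and "*" not in _as_list(other.get("Resource", []))
                    and _covers(actions, _as_list(other.get("Action", [])))]
        findings.append({"statement": i, "actions": sorted(actions), "subsumes": subsumed})
    return findings


def hardened_policy(policy):
    """Drop every Allow statement that uses Resource "*"; the scoped statements remain."""
    keep = [s for s in policy["Statement"]
            if not (s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", [])))]
    return {"Version": policy["Version"], "Statement": keep}


if __name__ == "__main__":
    for f in wildcard_resource_findings(POLICY):
        print(f"Statement {f['statement']} allows {f['actions']} on every bucket "
              f"and makes statement(s) {f['subsumes']} redundant.")
    print("After hardening:", wildcard_resource_findings(hardened_policy(POLICY)))
```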

1 Answer

Accepted answer

Using a VPC endpoint to pull your images from ECR is a security measure and can be a cost improvement, depending on your usage, but it is not a performance boost. The traffic/your images are no longer traversing the public Internet and instead go through the AWS backbone network, which better protects your data from malicious actors. On top, this saves e.g. data processing charges on your NAT Gateway. The latency improvement here is negligible for a 2min+ image pull. You can learn more in this blog about VPC endpoints.

AWS
answered 9 months ago
AWS
EXPERT
verified 9 months ago
  • Someone said to me that after enabling VPC endpoints, his pod's startup time on EKS got divided by 3. But I guess there's some misunderstanding here then! Thanks for your insight!

  • Hi, the times are very similar because the download via the private endpoint probably follows a very similar path to the public endpoint: just a few segments less. But on a large download like an image, the global duration and processing at the endpoints hide the slight improvement.
