api.ecr.eu-west-2.amazonaws.com resolves to external IP instead of interface endpoint

0

We have set up multiple endpoints, all the same way, within our organisation, but api.ecr.eu-west-2.amazonaws.com seems to resolve to the external IP rather than the interface endpoint. An example of the different responses can be seen below; is there a reason for this, or a fix?

$ nslookup rds.eu-west-2.amazonaws.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   rds.eu-west-2.amazonaws.com
Address: 172.16.1.60
Name:   rds.eu-west-2.amazonaws.com
Address: 172.16.2.132
Name:   rds.eu-west-2.amazonaws.com
Address: 172.16.3.168

$ nslookup api.ecr.eu-west-2.amazonaws.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
api.ecr.eu-west-2.amazonaws.com canonical name = ecr.eu-west-2.amazonaws.com.
Name:   ecr.eu-west-2.amazonaws.com
Address: 52.94.53.88
1 answer
0

Might be worth checking which ECR endpoint type you used, as there are two options when creating an endpoint for ECR:

com.amazonaws.region.ecr.dkr: This endpoint is used for the Docker Registry APIs. Docker client commands such as push and pull use this endpoint.

com.amazonaws.region.ecr.api: This endpoint is used for calls to the Amazon ECR API. API actions such as DescribeImages and CreateRepository go to this endpoint.

I've tested and confirmed that an nslookup with com.amazonaws.region.ecr.api returns the interface endpoint.

AWS
Tom-B
answered 1 year ago
  • Hi Tom,

    Thanks for the reply. We have both of the endpoints deployed, but the error message we got was that it was unable to retrieve the ECR registry auth. This was caused by "https://api.ecr.eu-west-2.amazonaws.com/": dial tcp 52.94.53.88:443: i/o timeout, which is because we're blocking external access, so we're trying to get it through the endpoint.

  • Alex, Are you using a custom dhcp option set in this VPC?

  • No we are just using the default DHCP set

  • Please check that your VPC DNS settings are set to: DNS hostnames: Enabled, DNS resolution: Enabled.

    I was able to recreate your issue with DNS hostnames disabled, though it did take a while after enabling the setting for it to start using the local IPs.

  • Hi Tom,

    Thanks for reaching out again. I've checked in all the VPCs and both the DNS settings were enabled.

    The setup is that the endpoints are created in a network account and the hosted zones for them are then associated with the other accounts. It seems strange that all the other endpoints are fine and just the ECR one is causing issues.

    Thanks Alex
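As an added example, not code from the original thread or from AWS, the following Python script parses nslookup output of the shape shown in the question and flags any name whose answers are not private (RFC 1918) addresses, or that has been CNAMEd to the public regional name, which is exactly the symptom reported for api.ecr.eu-west-2.amazonaws.com. It also lists the two private DNS names the ECR endpoint pair discussed in the answer (ecr.api and ecr.dkr) should answer for, so you can check both rather than just one. The sample output is constructed from the thread, and the function names are my own; pipe real `nslookup` output into it on a host inside the VPC.

```python
import ipaddress
import sys

# Constructed sample, modelled on the nslookup output in the question above
# (not captured from a real VPC). The first query resolves to interface-endpoint
# IPs; the second is CNAMEd to the public regional name and resolves to a public IP.
SAMPLE_NSLOOKUP = """\
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   rds.eu-west-2.amazonaws.com
Address: 172.16.1.60
Name:   rds.eu-west-2.amazonaws.com
Address: 172.16.2.132
Name:   rds.eu-west-2.amazonaws.com
Address: 172.16.3.168

Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
api.ecr.eu-west-2.amazonaws.com canonical name = ecr.eu-west-2.amazonaws.com.
Name:   ecr.eu-west-2.amazonaws.com
Address: 52.94.53.88
"""


def ecr_private_dns_names(region):
    """Private DNS names the two ECR interface endpoints should answer for."""
    return {
        "com.amazonaws.%s.ecr.api" % region: "api.ecr.%s.amazonaws.com" % region,
        "com.amazonaws.%s.ecr.dkr" % region: "*.dkr.ecr.%s.amazonaws.com" % region,
    }


def parse_nslookup(text):
    """Map each queried name to {"cname": target or None, "addresses": [...]}.

    Handles multiple concatenated nslookup runs, the 'Server:/Address:' header
    lines (which describe the resolver, not an answer) and CNAME chains, so that
    addresses are attributed to the name that was actually queried.
    """
    results = {}
    alias = {}      # CNAME target -> name the user queried
    current = None  # record the next 'Address:' line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            current = None  # new query header; its Address: line is the resolver
            continue
        if " canonical name = " in line:
            queried, target = line.split(" canonical name = ", 1)
            target = target.rstrip(".")
            alias[target] = queried
            results.setdefault(queried, {"cname": target, "addresses": []})
            continue
        if line.startswith("Name:"):
            name = line.split(None, 1)[1].rstrip(".")
            queried = alias.get(name, name)
            current = results.setdefault(queried, {"cname": None, "addresses": []})
            continue
        if line.startswith("Address:") and current is not None:
            addr = line.split(None, 1)[1].split("#", 1)[0]  # drop "#port" if present
            current["addresses"].append(addr)
    return results


def classify(results):
    """Per queried name: is every answer an RFC 1918 / private address?"""
    report = {}
    for queried, info in results.items():
        addrs = [ipaddress.ip_address(a) for a in info["addresses"]]
        public = [str(a) for a in addrs if not a.is_private]
        report[queried] = {
            "cname": info["cname"],
            "addresses": [str(a) for a in addrs],
            "public_addresses": public,
            "private": bool(addrs) and not public,
        }
    return report


def explain(report):
    """Human-readable verdict lines, one per queried name."""
    lines = []
    for name, r in sorted(report.items()):
        if r["private"]:
            lines.append("OK   %s -> %s (interface endpoint)" % (name, ", ".join(r["addresses"])))
        else:
            why = ("CNAME to public name %s; " % r["cname"]) if r["cname"] else ""
            lines.append("FAIL %s -> %s (%sprivate DNS not in effect for this name)"
                         % (name, ", ".join(r["public_addresses"]), why))
    return lines


if __name__ == "__main__":
    text = SAMPLE_NSLOOKUP if sys.stdin.isatty() else sys.stdin.read()
    for svc, dns_name in ecr_private_dns_names("eu-west-2").items():
        print("expect %s to serve %s" % (svc, dns_name))
    for line in explain(classify(parse_nslookup(text))):
        print(line)
```

A FAIL line with a CNAME to the regional public name means the query never reached the private hosted zone for that endpoint, so the next things to check are the private hosted zone association for that specific zone in the consuming account and the endpoint's Private DNS setting, rather than the VPC-level DNS attributes that already passed for the other services.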
