
Single Interface VPC Endpoint for S3 (Route 53 zone s3.$region.amazonaws.com) + ECR: that's impossible?

0

I would like to use a VPC endpoint by default in a specific VPC for the S3 service. However, on workloads that use ECR, images cannot be pulled because apparently it is not possible to communicate with an internal AWS bucket that stores ECR images.

I found this issue here: https://github.com/aws/containers-roadmap/issues/1691

Possible architecture impacted: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-access-to-vpc-private-endpoints.html

  • The question isn’t clear at this time

  • Updated, providing more info.

3 Answers
0

It’s still not fully clear. You can have a VPC endpoint for ECR and an S3 gateway endpoint. This means you can pull images without an issue. The link you provided was for a different issue, I think.

Or are you looking for a central VPC for all endpoints? If so, create routes using the S3 prefix list and route all traffic to this central VPC.

Does that answer the question? I can add more if needed.

EXPERT
answered 3 years ago
0

Using a single Interface VPC Endpoint for both Amazon S3 and Amazon Elastic Container Registry (ECR) is not possible due to differences in how these services handle private connectivity. Amazon S3 only supports Gateway VPC Endpoints, which route traffic through the VPC route table, whereas ECR requires Interface VPC Endpoints, which use Elastic Network Interfaces (ENIs) inside a private subnet. This means that s3.$region.amazonaws.com cannot be resolved through an Interface VPC Endpoint, making direct private connectivity to S3 via an Interface Endpoint impossible.

For correct private access, you need to set up:

  • A Gateway VPC Endpoint for S3 (com.amazonaws.$region.s3), with the VPC route table configured to send S3 traffic through it.

  • Interface VPC Endpoints for ECR, including:

    • api.ecr.$region.amazonaws.com (for ECR API calls)

    • dkr.ecr.$region.amazonaws.com (for Docker image pulls)

This setup allows your private resources to securely access S3 and ECR without needing an internet gateway or NAT Gateway. If you try to use a single Interface Endpoint for both services, it will fail because S3 does not support this connectivity model. Proper configuration of VPC Endpoints ensures a secure, cost-effective solution.

answered 8 months ago
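The layout described in the answer above (an S3 gateway endpoint on the private route tables plus ecr.api and ecr.dkr interface endpoints with private DNS), as an added Terraform example; it is not code from the answer's author or from AWS. The variable names, the security group and the example-app-bucket name are assumptions. The endpoint policy is the part worth checking when pulls fail the way the question describes: ECR serves image layers from an AWS-owned S3 bucket, whose name (prod-$region-starport-layer-bucket) is published in the Amazon ECR documentation, so an S3 endpoint policy that is locked down to your own buckets must also permit reads from that bucket or the dkr pull breaks at the layer-download step.

```hcl
variable "region"                  { type = string }
variable "vpc_id"                  { type = string }
variable "vpc_cidr"                { type = string }
variable "private_subnet_ids"      { type = list(string) }
variable "private_route_table_ids" { type = list(string) }

# Security group for the interface endpoint ENIs: HTTPS from inside the VPC only.
# (Assumed name; adjust to your own naming scheme.)
resource "aws_security_group" "endpoints" {
  name   = "vpc-endpoints"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

# Endpoint policy for the S3 gateway endpoint. An endpoint policy limits which
# buckets are reachable *through this endpoint*; IAM and bucket policies still
# apply on top of it. Statement 1 is the ECR requirement: the layer bucket name
# comes from the Amazon ECR documentation. Statement 2 is a placeholder for your
# own buckets (example-app-bucket is a constructed name).
data "aws_iam_policy_document" "s3_endpoint" {
  statement {
    sid       = "AllowEcrLayerBucket"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::prod-${var.region}-starport-layer-bucket/*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }

  statement {
    sid     = "AllowOwnBuckets"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::example-app-bucket",
      "arn:aws:s3:::example-app-bucket/*",
    ]

    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

# Gateway endpoint for S3 (com.amazonaws.$region.s3), attached to the private
# route tables so S3-destined traffic never needs a NAT or internet gateway.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
  policy            = data.aws_iam_policy_document.s3_endpoint.json
}

# Interface endpoints for ECR: ecr.api (registry API calls) and ecr.dkr (image
# pulls). private_dns_enabled makes api.ecr.$region.amazonaws.com and
# dkr.ecr.$region.amazonaws.com resolve to the endpoint ENIs inside the VPC.
locals {
  ecr_services = toset(["ecr.api", "ecr.dkr"])
}

resource "aws_vpc_endpoint" "ecr" {
  for_each            = local.ecr_services
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}
```

If image pulls still fail after this is applied, the first things to confirm are that the private route tables carry the S3 prefix-list route added by the gateway endpoint, that the ecr.dkr endpoint's security group accepts 443 from the subnets the container hosts live in, and that any S3 endpoint policy you already had does not omit the layer bucket.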
0

To use Amazon S3 Static Website Hosting for redirecting requests, create an S3 bucket with the same name as your domain (e.g., example.com). In the S3 Console, go to Properties → Static Website Hosting, select Redirect requests, and enter the target URL (e.g., https://new-site.com). If needed, configure a bucket policy to allow public read access. This method is useful for domain migrations or URL redirections without a web server. After setup, test by visiting the bucket's endpoint URL, and requests should redirect to the specified destination seamlessly.

answered 8 months ago
