Can Managed Compute Enviroments make use of PrivateLink ECS and ECR

Question

In the documentation for Manged Compute Environments(  ) it says:  
  
"Managed compute environments launch Amazon ECS container instances into the VPC and subnets that you specify when you create the compute environment. Amazon ECS container instances need external network access to communicate with the Amazon ECS service endpoint. If your container instances do not have public IP addresses (because the subnets you've chosen do not provide them by default), then they must use network address translation (NAT) to provide this access. For more information, see NAT Gateways in the Amazon VPC User Guide. For help creating a VPC, see Tutorial: Creating a VPC with Public and Private Subnets for Your Compute Environments."  
  
Is it possible to launch managed compute resources into a private subnet and use PrivateLink for Amazon ECS, and Amazon ECR as shown in:  
  
https://aws.amazon.com/blogs/compute/setting-up-aws-privatelink-for-amazon-ecs-and-amazon-ecr/  
  
If so does this eliminate the need for a public IP or NAT instance for Managed Compute resources placed in a private subnet?  
  
TIA

AWS-User-0016272 · Answer

Hello,  
  
AWS Batch uses ECS in the backend for orchestration and ECS supports private links. Hence, Batch can also be used with VPC private links and Batch will not require either IGW or NAT.  
  
Below are the list of private links that needs to be created:  
For ECS:  
com.amazonaws.region.ecs-agent  
com.amazonaws.region.ecs-telemetry  
com.amazonaws.region.ecs  
  
For ECR:  
com.amazonaws.region.ecr.dkr  
com.amazonaws.region.ecr.api  
com.amazonaws.region.s3 (S3 gateway endpoint)  
  
CloudWatch  
Additionally if you are using awslogs driver with EC2 or Fargate Launch Type, you have to add CloudWatch endpoint as below:  
com.amazonaws.region.logs

Can Managed Compute Enviroments make use of PrivateLink ECS and ECR

Relevant content