
ipv6-only instance cannot access ECR registry


I tried to deploy a cluster service where the VPC and subnets are all dual stack, auto-assignment of IPv6 on creation is on, and assignment of IPv4 is also still on.

If I change the network configuration of the cluster service to disable public on launch, I receive a public IPv6. In another experiment, this allowed my instance to go outside through the internet gateway, because routing and NACLs allow IPv4 and IPv6 traffic in and out.

But in this specific case, my new instances are not created. I see this:

ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post "https://api.ecr.eu-south-1.amazonaws.com/": dial tcp [64:<redacted>::fa1:88ec]:443: i/o timeout. Please check your task network configuration.

I have an egress route:

  PublicRouteTableIgwRouteIpv6:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationIpv6CidrBlock: ::/0
      GatewayId: !Ref InternetGateway

and also:

  PublicNaclEntryInboundIpv6:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNacl
      Ipv6CidrBlock: ::/0
      RuleNumber: 101
      Protocol: -1
      RuleAction: allow
      Egress: false

  PublicNaclEntryOutboundIpv6:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNacl
      Ipv6CidrBlock: ::/0
      RuleNumber: 101
      Protocol: -1
      RuleAction: allow
      Egress: true

2 Answers

ECR doesn't seem to support IPv6 yet, as many other AWS services don't. The current list of services that do support IPv6 is here: https://docs.aws.amazon.com/vpc/latest/userguide/aws-ipv6-support.html

However, since your instances still have private IPv4 addresses, I think you could fix the issue by creating a VPC endpoint for ECR in your VPC. Also ensure that your instances are using the normal Route 53 Resolver for DNS resolution, or if not, you'll have to configure your DNS resolver to resolve the public DNS names for ECR to the private IP addresses of the VPC endpoint.

There are more details about using VPC endpoints for ECR in this documentation article: https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html

EXPERT
answered 6 months ago
  • Can you explain this? "Also ensure that your instances are using the normal Route 53 Resolver for DNS resolution, or if not, you'll have to configure your DNS resolver to resolve the public DNS names for ECR to the private IP addresses of the VPC endpoint."

  • In the last link there is this information: "Amazon ECS tasks hosted on Fargate don't require the Amazon ECS interface VPC endpoints." Please explain.


DNS resolution is important in this case, because by default, when you deploy a VPC interface endpoint for an AWS service, such as ECR, the built-in DNS resolver in your VPC (called Route 53 Resolver) will automatically resolve the public names of the corresponding AWS service, such as ecr.eu-south-1.amazonaws.com, to the IP addresses of the VPC endpoints in your VPC for the same service.

If you used any DNS resolver outside your VPC, the name ecr.eu-south-1.amazonaws.com, for example, would resolve to the IPv4 IP address on the public internet, which your systems with internet access only over IPv6 can't reach. That's why it's convenient to use AWS's built-in resolver, which automatically integrates with the DNS names registered to the VPC endpoint services.

VPCs use Route 53 Resolver by default, so unless you've configured your systems to use an external DNS service, you are very likely using Route 53 Resolver. You can confirm simply by deploying the VPC endpoint for ECR in your VPC and testing to see if your issue is fixed.

I agree you shouldn't need an endpoint for ECS but for ECR.

EXPERT
answered 6 months ago
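As an added example (not part of the question or either answer), here is a CloudFormation fragment in the same style as the question's template that creates the two ECR interface endpoints with private DNS enabled, so that the Route 53 Resolver returns the endpoints' private IPv4 addresses for api.ecr.eu-south-1.amazonaws.com instead of the public address the task could not reach, plus the S3 gateway endpoint that ECR image layers are downloaded from. PublicRouteTable is the question's own resource; Vpc, PublicSubnet and the security group are assumed names.

```yaml
  # Assumption: Vpc is an AWS::EC2::VPC with EnableDnsSupport and
  # EnableDnsHostnames set to true (required for private DNS on endpoints).
  EcrEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from inside the VPC to the ECR interface endpoints
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !GetAtt Vpc.CidrBlock   # instances keep private IPv4, so IPv4 suffices

  # Serves api.ecr.<region>.amazonaws.com (the host in the question's error).
  EcrApiEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecr.api
      PrivateDnsEnabled: true             # lets Route 53 Resolver answer with private IPs
      SubnetIds:
        - !Ref PublicSubnet                 # assumed subnet name
      SecurityGroupIds:
        - !Ref EcrEndpointSecurityGroup

  # Serves the Docker registry host <account>.dkr.ecr.<region>.amazonaws.com.
  EcrDkrEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecr.dkr
      PrivateDnsEnabled: true
      SubnetIds:
        - !Ref PublicSubnet
      SecurityGroupIds:
        - !Ref EcrEndpointSecurityGroup

  # Image layers are fetched from S3, so a gateway endpoint on the task's
  # route table is needed as well; it adds a prefix-list route automatically.
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      RouteTableIds:
        - !Ref PublicRouteTable
```

After deployment, resolving api.ecr.eu-south-1.amazonaws.com from an instance in the VPC should return addresses inside the VPC CIDR; a public address means the instance is not using the Route 53 Resolver or private DNS is not enabled.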
