ECR Private endpoint doesn't speed up image pull

0

I tried to set up a VPC endpoint for ECR, to speed up my deployments on ECS. I have 3 endpoints:

  • com.amazonaws.us-east-2.s3 (Gateway)
  • com.amazonaws.us-east-2.ecr.dkr (Interface)
  • com.amazonaws.us-east-2.ecr.api (Interface)

When I pull my images from an EC2 instance in this VPC, here are the pull timers:

  • Time of the docker pull without private endpoint: real 2m15.751s
  • Time of the docker pull with the endpoints: real 2m12.833s

Isn't the private endpoint supposed to speed up the docker image pull from my private ECR?

A dig to the ECR registry shows that it indeed points to the internal network:

$ dig XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.13.1 <<>> XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2478
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. IN A

;; ANSWER SECTION:
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.34.215
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.41.209
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.38.246

;; Query time: 2 msec
;; SERVER: 10.24.0.2#53(10.24.0.2)
;; WHEN: Wed Aug 23 10:06:09 UTC 2023
;; MSG SIZE  rcvd: 121

The S3 endpoint policy is the following:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": [
				"arn:aws:s3:::prod-us-east-2-starport-layer-bucket/*",
				"arn:aws:s3:::amazonlinux.us-east-2.amazonaws.com/*",
				"arn:aws:s3:::amazonlinux-2-repos-us-east-2/*",
				"arn:aws:s3:::amazonlinux-2-repos-us-east-2.s3.dualstack/*"
			]
		},
		{
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "*"
		}
	]
}

Is there a reason why the download speed from ECR didn't change? Am I missing something?

1 Answer
2
Accepted Answer

Using a VPC endpoint to pull your images from ECR is a security measure and can be a cost improvement, depending on your usage, but it is not a performance boost. The traffic/your images are no longer traversing the public Internet and instead go through the AWS backbone network, which better protects your data from malicious actors. On top of that, this saves, for example, data processing charges on your NAT Gateway. The latency improvement here is negligible for a 2 min+ image pull. You can learn more in this blog about VPC endpoints.

AWS
answered 8 months ago
AWS EXPERT
reviewed 8 months ago
  • Someone told me that after enabling VPC endpoints, his pod's startup time on EKS got divided by 3. But I guess there's some misunderstanding here then! Thanks for your insight!

  • Hi, the times are very similar because the download via the private endpoint probably follows a very similar path to the public endpoint: just a few segments less. But on a large download like an image, the overall duration and the processing at the endpoints hide the slight improvement.
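Since the benefit of the endpoints is that pull traffic stays inside the VPC rather than speed, the useful check is the one the question already started with dig: confirm that every address the registry hostname resolves to lies inside the VPC. The script below is an added example, not code from the question or the answer; it parses the ANSWER section shown above and assumes a VPC CIDR of 10.24.0.0/16 (inferred from the 10.24.x.x answers and the 10.24.0.2 resolver, so treat it as a placeholder for your own CIDR).

```python
import ipaddress

# Constructed sample: the ANSWER section of the dig output from the question,
# registry id replaced by the same XXXXXXXX placeholder the question uses.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.34.215
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.41.209
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.38.246

;; Query time: 2 msec
"""

# Assumed VPC CIDR (placeholder inferred from the 10.24.x.x addresses above).
ASSUMED_VPC_CIDR = "10.24.0.0/16"


def parse_a_records(dig_output):
    """Return the IPv4 addresses listed in the ANSWER section of `dig` output."""
    addrs = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line:          # blank line ends the ANSWER section
            break
        fields = line.split()  # name ttl class type rdata
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "A":
            addrs.append(ipaddress.ip_address(fields[4]))
    return addrs


def classify_resolution(dig_output, vpc_cidr):
    """Classify where a docker pull to this registry hostname will be routed.

    'private' -> every answer is inside the VPC: the interface endpoint's
                 private DNS is in effect and traffic never leaves the VPC
    'public'  -> no answer is inside the VPC: pulls go out via NAT/IGW
    'mixed'   -> some of each: check private DNS settings on the endpoint
    'none'    -> no A records found in the output
    """
    net = ipaddress.ip_network(vpc_cidr)
    addrs = parse_a_records(dig_output)
    if not addrs:
        return "none"
    inside = [addr in net for addr in addrs]
    if all(inside):
        return "private"
    if not any(inside):
        return "public"
    return "mixed"
```

Feed it the output of `dig <registry>.dkr.ecr.<region>.amazonaws.com` from the instance; the same check applies to the `api.ecr` hostname, while the S3 gateway endpoint is route-table based and does not change DNS answers.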
