Accessing public Container Registries for downloading images to EKS


Hi experts,

I am a newbie to AWS, so please excuse me if my questions are simple/dumb...

I have successfully deployed my app to EKS in a scenario where there was public access to public container registries. Now I need to do the same for a private only VPC where there is no possibility to create an IGW for the VPC and no public IP addresses allowed.

What is allowed is to use ECR as the container registry and the site also has a forward proxy for Internet access.

The question is whether the forward proxy is of any help for downloading images that run in pods and are hosted on public registries down to the EKS cluster pods (an example is the Ingress Controller hosted on or must I make a copy of the images on ECR and modify the pod images to download from ECR, as the proxy is of no help in this case?

And another related question: assuming the same scenario with no direct Internet access from EKS, pods will still be able to access AWS ECR as the container registry if I configure the appropriate VPC endpoint to ECR, right?


3 Answers

I think it is better to configure your EKS nodes to use the forward proxy for outbound internet traffic. This usually involves setting environment variables or modifying the Docker daemon configuration on the nodes. Ensure that the nodes can reach the internet through the forward proxy. You might want to try running curl or wget commands on the nodes to verify. If your Ingress Controller images are hosted on public registries, make sure that the nodes can pull these images through the forward proxy.

If your EKS cluster has no direct internet access, but you want to use private images stored in AWS ECR, you have a couple of options: Create a VPC endpoint for Amazon ECR in your VPC. This allows your EKS cluster to access ECR without going over the internet. Ensure that your nodes are configured to use this VPC endpoint. Alternatively, if you prefer not to set up the VPC endpoint, you can copy the images from public registries to your private ECR. This way, you have control over the image locations, and your nodes only need to access ECR.

Hope it clarifies, and if it does I would appreciate the answer being accepted so that the community can benefit from the clarity, thanks ;)

answered a month ago

Hi @Debolek!

Thank you for replying so quickly. I have some follow-up questions based on your reply:

  1. My EKS cluster is made up of a managed node pool using launch templates and an autoscaler. How can I add, in this scenario, a reference via environment variables to the forward proxy for the nodes? Any example or pointer to some doc will be highly appreciated.

  2. If not using the forward proxy but rather trying to make a copy of the Docker images from the public registries they are currently in to the account's private registry in ECR: is there any example script that you can provide which achieves this copy of images to ECR?


answered a month ago
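The "copy the images from public registries to your private ECR" option from the first answer, and the script asked for in follow-up question 2, as an added example that is not from this thread or from AWS. It assumes a placeholder account id, region and ECR namespace (ECR_ACCOUNT, ECR_REGION, ECR_PREFIX), and that the host running it has Docker and the AWS CLI, with the Docker daemon already pointed at the forward proxy if the host itself has no direct Internet access.

```shell
#!/usr/bin/env bash
# Added example: mirror public images into a private ECR registry so that
# EKS nodes reachable only via the ECR interface endpoint + S3 gateway
# endpoint can pull them. Assumed values: ECR_ACCOUNT, ECR_REGION, ECR_PREFIX.
set -eu

ECR_ACCOUNT="${ECR_ACCOUNT:-123456789012}"   # placeholder account id
ECR_REGION="${ECR_REGION:-eu-west-1}"        # assumed region
ECR_PREFIX="${ECR_PREFIX:-mirror}"           # assumed ECR namespace for mirrored images
ECR_HOST="${ECR_ACCOUNT}.dkr.ecr.${ECR_REGION}.amazonaws.com"

# Map a public image reference to its destination in ECR, e.g.
#   nginx:1.25         -> $ECR_HOST/mirror/library/nginx:1.25
#   image@sha256:<hex> -> tag "sha256-<hex>" (a digest cannot be used as a tag)
ecr_target() {
  local src="$1" first path name tag
  first="${src%%/*}"
  if [ "$first" = "$src" ]; then
    path="library/$src"                        # Docker Hub official image
  else
    case "$first" in
      *.*|*:*|localhost) path="${src#*/}" ;;   # explicit registry host: drop it
      *)                 path="$src" ;;        # Docker Hub user/org image
    esac
  fi
  case "$path" in
    *@*) name="${path%%@*}"; tag="$(printf '%s' "${path#*@}" | tr ':' '-')" ;;
    *:*) name="${path%%:*}"; tag="${path##*:}" ;;
    *)   name="$path";       tag="latest" ;;
  esac
  printf '%s/%s/%s:%s\n' "$ECR_HOST" "$ECR_PREFIX" "$name" "$tag"
}

# Pull (through the daemon's proxy settings, if any), retag and push one
# image; creates the ECR repository first if it does not exist yet.
mirror_image() {
  local src="$1" dst repo
  dst="$(ecr_target "$src")"
  repo="${dst#*/}"; repo="${repo%:*}"          # repository name without host/tag
  aws ecr describe-repositories --region "$ECR_REGION" --repository-names "$repo" >/dev/null 2>&1 ||
    aws ecr create-repository --region "$ECR_REGION" --repository-name "$repo" \
      --image-scanning-configuration scanOnPush=true >/dev/null
  docker pull "$src" && docker tag "$src" "$dst" && docker push "$dst"
  echo "mirrored $src -> $dst"
}

# Usage: ./mirror-to-ecr.sh --mirror nginx:1.25 registry.k8s.io/ingress-nginx/controller:v1.9.4
if [ "${1:-}" = "--mirror" ]; then
  shift
  aws ecr get-login-password --region "$ECR_REGION" |
    docker login --username AWS --password-stdin "$ECR_HOST"
  for img in "$@"; do mirror_image "$img"; done
fi
```

After mirroring, change the image references in the pod specs (for example the Ingress Controller Deployment) to the printed ECR paths; the nodes then only need the ECR and S3 endpoints, and no proxy, to pull.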

Hello MIA Analytics and Debolek, I just wanted to add a reminder that when using VPC Endpoints with Amazon ECR, you need both the interface endpoint for ECR (for the manifests) and the S3 gateway endpoint (for the image layers).

Here is some documentation on that. If you're going with the VPC Endpoint method, I hope this helps.

AWS
answered a month ago
