ECR Private endpoint doesn't speed up image pull

0

I tried to set up a VPC endpoint for ECR, to speed up my deployments on ECS. I have 3 endpoints:

  • com.amazonaws.us-east-2.s3 (Gateway)
  • com.amazonaws.us-east-2.ecr.dkr (Interface)
  • com.amazonaws.us-east-2.ecr.api (Interface)

When I pull my images from an EC2 instance in this VPC, here are the pull timers:

  • Time of the docker pull without private endpoint: real 2m15.751s
  • Time of the docker pull with the endpoints: real 2m12.833s

Isn't the private endpoint supposed to speed up the docker image pull from my private ECR?

A dig to the ECR registry shows that it indeed points to the internal network:

$ dig XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.13.1 <<>> XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2478
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. IN A

;; ANSWER SECTION:
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.34.215
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.41.209
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.38.246

;; Query time: 2 msec
;; SERVER: 10.24.0.2#53(10.24.0.2)
;; WHEN: Wed Aug 23 10:06:09 UTC 2023
;; MSG SIZE  rcvd: 121

The S3 endpoint policy is the following:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": [
				"arn:aws:s3:::prod-us-east-2-starport-layer-bucket/*",
				"arn:aws:s3:::amazonlinux.us-east-2.amazonaws.com/*",
				"arn:aws:s3:::amazonlinux-2-repos-us-east-2/*",
				"arn:aws:s3:::amazonlinux-2-repos-us-east-2.s3.dualstack/*"
			]
		},
		{
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "*"
		}
	]
}

Is there a reason why the download speed from ECR didn't change? Am I missing something?

Asked 9 months ago, viewed 1218 times
1 answer
2
Accepted answer
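Two things worth checking from the question's own evidence: whether the dkr hostname really resolves inside the VPC (private DNS for the interface endpoint in effect), and whether the S3 gateway endpoint policy grants s3:GetObject on the ECR layer bucket that the policy itself names. The script below is an added example, not part of the question or the answer; it embeds the dig answer section and the endpoint policy from the question as constructed samples, and assumes a VPC CIDR of 10.24.0.0/16 (the question never states the CIDR; it is inferred only for illustration from the 10.24.x.x addresses). It also flags statements whose Resource is a bare "*", since the second statement in the posted policy makes the first one redundant and grants GetObject on every bucket reachable through the endpoint.

```python
import fnmatch
import ipaddress
import json
import re

# Constructed sample: the ANSWER SECTION of the dig output from the question.
DIG_OUTPUT = """\
;; ANSWER SECTION:
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.34.215
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.41.209
XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com. 60 IN A 10.24.38.246

;; Query time: 2 msec
"""

# Matches one A record line of dig output: "<name>. <ttl> IN A <ipv4>"
A_RECORD = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$", re.M)


def parse_a_records(dig_text):
    """Return the IPv4 addresses listed as A records in dig output."""
    return [ipaddress.ip_address(ip) for _, ip in A_RECORD.findall(dig_text)]


def resolves_inside_vpc(dig_text, vpc_cidr):
    """True only when every A record falls inside vpc_cidr, i.e. the registry
    name is being answered by the interface endpoint's private DNS rather than
    by public ECR addresses. An empty answer also counts as a failure."""
    net = ipaddress.ip_network(vpc_cidr)
    addrs = parse_a_records(dig_text)
    return bool(addrs) and all(a in net for a in addrs)


# Constructed sample: the S3 gateway endpoint policy posted in the question.
S3_ENDPOINT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::prod-us-east-2-starport-layer-bucket/*",
        "arn:aws:s3:::amazonlinux.us-east-2.amazonaws.com/*",
        "arn:aws:s3:::amazonlinux-2-repos-us-east-2/*",
        "arn:aws:s3:::amazonlinux-2-repos-us-east-2.s3.dualstack/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "*"
    }
  ]
}
""")

# Bucket ARN taken from the policy in the question (ECR stores layers here).
ECR_LAYER_BUCKET_ARN = "arn:aws:s3:::prod-us-east-2-starport-layer-bucket"


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_allows_get_object(stmt, bucket_arn):
    """True if this Allow statement grants s3:GetObject on objects in bucket_arn."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(a in ("s3:GetObject", "s3:*", "*") for a in _as_list(stmt.get("Action", []))):
        return False
    sample_object = bucket_arn + "/sample-layer"  # representative object ARN
    return any(fnmatch.fnmatchcase(sample_object, res)
               for res in _as_list(stmt.get("Resource", [])))


def policy_allows_ecr_layers(policy, bucket_arn):
    """True if any statement lets the endpoint fetch ECR layer objects."""
    return any(statement_allows_get_object(s, bucket_arn) for s in policy["Statement"])


def wildcard_resource_statements(policy):
    """Indexes of statements whose Resource is a bare '*' (over-broad grants)."""
    return [i for i, s in enumerate(policy["Statement"])
            if "*" in _as_list(s.get("Resource", []))]


if __name__ == "__main__":
    print("dkr name resolves inside VPC:", resolves_inside_vpc(DIG_OUTPUT, "10.24.0.0/16"))
    print("policy allows ECR layer pulls:", policy_allows_ecr_layers(S3_ENDPOINT_POLICY, ECR_LAYER_BUCKET_ARN))
    print("statements with Resource '*':", wildcard_resource_statements(S3_ENDPOINT_POLICY))
```

On a real instance the dig text would come from `dig XXXXXXXX.dkr.ecr.us-east-2.amazonaws.com` and the CIDR from the VPC's configuration; both checks passing confirms the private path is in use, which, as the answer below explains, is the security and cost benefit of the endpoints rather than a pull-time improvement.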

Using a VPC endpoint to pull your images from ECR is a security measure and can be a cost improvement, depending on your usage, but it is not a performance boost. The traffic/your images are no longer traversing the public Internet and instead go through the AWS backbone network, which better protects your data from malicious actors. On top of that, this saves e.g. data processing charges on your NAT Gateway. The latency improvement here is negligible for a 2min+ image pull. You can learn more in this blog about VPC endpoints.

AWS
Answered 9 months ago
AWS Expert
Reviewed 9 months ago
  • Someone said to me that after enabling VPC endpoints, his pod's startup time on EKS got divided by 3. But I guess there's some misunderstanding here then! Thanks for your insight!

  • Hi, the times are very similar because the download via the private endpoint probably follows a very similar path to the public endpoint: just a few segments fewer. But on a large download like an image, the global duration and processing at the endpoints hide the slight improvement.
