Security group egress rule to only permit ECR requests
When using ECR to store container images for use with ECS, the EC2 instance (or Fargate service) must have a security group that permits access (over the public internet) to the account-specific repository URI.
Many organisations have strict IP whitelisting rules, which generally don't permit enabling outbound port 443 for all IPs.
There's no VPC endpoint interface/gateway available for ECR, and presumably, like most AWS services, its IP address is elastic and could change at any point.
So how can you add an egress rule to a security group that permits outbound access over port 443 to an ECR URI, without opening it up to all IP addresses?
Although the IP address of the endpoint could change, it would only change to another IP address in a fairly large CIDR block. Amazon publish all of their IP address ranges in a .json file obtainable here:
https://aws.amazon.com/blogs/aws/aws-ip-ranges-json/
You could narrow it down to the IP address range for the EC2 and AMAZON services in the region which you deploy to. Albeit the range is fairly large.
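An added example (not code from the answer above) of turning the published ranges into egress rules: it filters an ip-ranges.json document to the AMAZON and EC2 prefixes of one region and builds the IpPermissions payload for `aws ec2 authorize-security-group-egress`. The document is a constructed sample in the real file's shape, and the 60-rule check reflects the default per-direction security group quota, which the full regional range will usually exceed.

```python
"""Build port-443 egress rules for one region from an ip-ranges.json document."""
import json
import ipaddress

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (the real file has thousands of prefixes; these values are illustrative only).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.94.0.0/22", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.94.0.0/22", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "54.240.0.0/18", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.95.0.0/16", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "54.239.0.0/17", "region": "eu-west-1", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [],
})

# Default AWS quota for inbound or outbound rules per security group (adjustable via Service Quotas).
SG_RULE_QUOTA = 60


def select_prefixes(doc: str, region: str, services=("AMAZON", "EC2")) -> list[str]:
    """Return the deduplicated IPv4 CIDRs for the given region and services, sorted numerically."""
    prefixes = {
        p["ip_prefix"]
        for p in json.loads(doc)["prefixes"]
        if p["region"] == region and p["service"] in services
    }
    return sorted(prefixes, key=lambda c: ipaddress.ip_network(c))


def egress_permissions(cidrs: list[str], port: int = 443) -> list[dict]:
    """Build the --ip-permissions payload; one CidrIp entry is one security group rule."""
    if len(cidrs) > SG_RULE_QUOTA:
        raise ValueError(f"{len(cidrs)} CIDRs exceed the {SG_RULE_QUOTA}-rule security group quota")
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": "AWS API egress (ECR)"} for c in cidrs],
    }]


if __name__ == "__main__":
    cidrs = select_prefixes(SAMPLE_IP_RANGES, "eu-west-1")
    print(json.dumps(egress_permissions(cidrs), indent=2))
```

Against the real file, fetch it with `curl https://ip-ranges.amazonaws.com/ip-ranges.json` and re-run whenever its syncToken changes, since the ranges are updated over time.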
You can use AWS PrivateLink to achieve this; see Amazon ECR interface VPC endpoints (AWS PrivateLink).
Open DNS (UDP) 53 for 0.0.0.0/0
Open HTTPS 443 for 0.0.0.0/0