AWS: Connecting a Private VPC Subnet to ECR, CloudWatch and S3 with VPC Endpoints (AWS PrivateLink)

tanut aran
Published in CODEMONDAY
3 min read · Apr 18, 2021


Why do we need this?

When deploying containers with ECS, the tasks need to reach ECR, CloudWatch and other services.

Only the instance itself is inside the VPC.

ECR (with S3 as its underlying storage) and ECS itself live outside the VPC. All of them are managed by AWS, so reaching them requires outbound traffic.

The alternatives to creating a VPC Endpoint are:

  1. Make everything public (you don’t want this)
  2. Use a NAT Gateway

With NAT, the outbound traffic flows as in the diagram below, drawn by AWS.

Source image: https://aws.amazon.com/blogs/compute/setting-up-aws-privatelink-for-amazon-ecs-and-amazon-ecr/

But this seems less efficient. All the services should be on the same LAN, and that is what VPC Endpoints give us.

Three types of Endpoint

  1. Interface VPC Endpoint
    All services
  2. Gateway VPC Endpoint
    Only for S3 and DynamoDB
  3. Load balancer VPC Endpoint

For AWS services, types 1 and 2 are the ones used.

Note: AWS PrivateLink is the commercial name of the VPC Endpoint connection service.

Creating VPC Endpoint

First, go to the VPC console → Endpoints (NOT Endpoint Services) → Create Endpoint.

Step 1: Services

On this page choose AWS services, and search through the list.

Warning: Some services need more than one endpoint. For example, ECR needs:

  1. com.amazonaws.region.ecr.api
  2. com.amazonaws.region.ecr.dkr
  3. Another S3 Gateway endpoint, because ECR uses S3 under the hood

Step 2: Subnet

Point the endpoint at your private subnet.

Step 3: DNS

It is important to enable private DNS here.

This makes AWS inject the list of hostnames that will go through this endpoint.

Step 4: Firewall

Don’t forget to open the firewall (security group).

Then we have finished creating it.
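The same four steps as code, added here as an example and not part of the original post: a Terraform configuration that creates the two ECR interface endpoints, a CloudWatch Logs interface endpoint and the S3 gateway endpoint for a private subnet, with private DNS enabled and a security group that only admits HTTPS from inside the VPC. The hashicorp/aws provider is assumed; the region, VPC ID, CIDR, subnet IDs and route table IDs are placeholders to replace with your own.

```hcl
# Added example, not from the original post. Every value in this locals
# block is a placeholder for your own environment.
locals {
  region                  = "ap-southeast-1"                                      # placeholder
  vpc_id                  = "vpc-0123456789abcdef0"                               # placeholder
  vpc_cidr                = "10.0.0.0/16"                                         # placeholder
  private_subnet_ids      = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"] # placeholder
  private_route_table_ids = ["rtb-0123456789abcdef0"]                             # placeholder

  # Interface endpoints a private ECS task needs to pull images and ship logs.
  # ECR needs two (api + dkr), as the warning in Step 1 says; "logs" is CloudWatch Logs.
  interface_services = ["ecr.api", "ecr.dkr", "logs"]
}

# Step 4 ("Firewall"): the ENIs created by each interface endpoint carry this
# security group. Only HTTPS originating inside the VPC is allowed in; the
# endpoint ENIs never need to initiate traffic, so no egress rule is declared.
resource "aws_security_group" "vpc_endpoints" {
  name        = "vpc-endpoints"
  description = "Allow HTTPS from the VPC to interface endpoints"
  vpc_id      = local.vpc_id

  ingress {
    description = "HTTPS from inside the VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.vpc_cidr]
  }
}

# Steps 1-3: one interface endpoint per service, placed in the private subnets,
# with private DNS so the normal public hostname (for example
# api.ecr.<region>.amazonaws.com) resolves to the endpoint ENIs inside the VPC.
resource "aws_vpc_endpoint" "interface" {
  for_each = toset(local.interface_services)

  vpc_id              = local.vpc_id
  service_name        = "com.amazonaws.${local.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = local.private_subnet_ids
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true

  tags = { Name = "vpce-${each.key}" }
}

# ECR stores image layers in S3, so the gateway endpoint is the third piece.
# A gateway endpoint is reached through a route-table entry rather than an ENI,
# which is why it takes route_table_ids instead of subnet_ids and security groups.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = local.vpc_id
  service_name      = "com.amazonaws.${local.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = local.private_route_table_ids

  tags = { Name = "vpce-s3" }
}
```

Two checks after `terraform apply`. First, private DNS only works when the VPC has both DNS resolution and DNS hostnames enabled; if `dig api.ecr.<region>.amazonaws.com` from an instance in the subnet still returns public addresses instead of addresses inside the VPC CIDR, that is the first thing to verify. Second, the gateway endpoint shows up as a prefix-list route in the private route tables, not as an ENI, so it will not appear where you look for the interface endpoints. For container instances using the EC2 launch type, the agent additionally needs the `ecs`, `ecs-agent` and `ecs-telemetry` interface endpoints, which can be appended to `interface_services`. Both resource types accept a `policy` attribute; for least privilege, the S3 gateway endpoint can be restricted to the ECR layer bucket AWS documents for the region (`arn:aws:s3:::prod-<region>-starport-layer-bucket/*`) when the tasks need no other buckets.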

Resolving Mechanism through the ENI

At this point, you might wonder whether it needs an IP in the route table.

No, it resolves through an ENI (Elastic Network Interface).

An ENI works just like another Wi-Fi card, LAN cable or VPN on your machine: it is another ‘interface’.

The interface looks at the injected DNS list, and if the requested host is in that list, the traffic is sent through the VPC Endpoint.

Otherwise, it falls back to the route table or other network settings.

Bonus: How to debug if needed

When things don’t go the way you expect, one inefficient but easy way to debug is to create an EC2 instance in that subnet.

From there you can try ping, netcat, telnet, or dig against the DNS names.

Hope this helps!
