
CI/CD Without Internet: ECR Pull Through Cache for Private Builds

Discover how AWS ECR Pull Through Cache allows you to securely access container images in isolated networks without direct internet connectivity.

Dr Salek Ali 15 January 2025

The Challenge: Accessing Images in Isolated Networks

Imagine your CI/CD runners or ECS tasks running in private subnets, a common setup in high-security or regulated environments. These instances:

  • Have no internet gateway
  • Cannot reach external registries such as Docker Hub or Quay, and cannot reach ECR either unless VPC endpoints exist
  • Run into the pull rate limits of public registries whenever many builds fetch the same base image
  • Should not depend on a NAT gateway solely to retrieve images

Yet, your pipelines need base images such as node:18-alpine, python:3.12-slim, or ubuntu:22.04. This creates a conflict between maintaining strict security and ensuring efficient pipeline operations.

The Solution: AWS ECR Pull Through Cache

ECR Pull Through Cache lets your private ECR registry act as a mirror of upstream registries, both public and private, including Docker Hub, Quay, and even other ECR registries. A runner in a private VPC pulls from an ECR URI; on a cache miss, ECR itself fetches the image from the upstream and stores it in a repository it creates under the rule's prefix. The outbound connection is made by the ECR service, not by anything inside your VPC, so the VPC needs no route to the internet.

Key Benefits:

  • 🔒 Enhanced Security: Runners need no internet route; ECR fetches from the upstream on your behalf.
  • 🔑 Fewer Upstream Rate-Limit Hits: Each image is fetched from the upstream once and served from the cache afterwards (ECR re-checks the upstream for a newer version of a cached tag at most once every 24 hours).
  • 🚀 Improved Performance: Frequently used images are served from ECR in the same region as your workloads.
  • 💸 Cost Efficiency: Reduce or eliminate NAT gateway data-processing charges for image pulls.
  • 🛡️ Centralized Control: Cached images land in your own repositories, where ECR scanning, lifecycle policies, repository policies, and CloudTrail apply.

How It Works

  1. Create a Pull Through Cache Rule: Define a rule in ECR that specifies the upstream registry (e.g., Docker Hub, Quay, or another ECR registry) and a namespace prefix under which cached repositories are created.
  2. Configure Authentication: For upstreams that require credentials (Docker Hub among them), store them in AWS Secrets Manager in a secret whose name starts with ecr-pullthroughcache/ and reference that secret from the rule.
  3. Pull Images Using the ECR URI: Replace the upstream registry with your ECR registry and the rule's prefix. Docker Hub official images carry an implicit library/ namespace that must be written out:
     docker pull <account-id>.dkr.ecr.<region>.amazonaws.com/<namespace>/library/node:18-alpine

On the first pull, ECR creates the cached repository, fetches the image from the upstream, and stores it; the pulling principal therefore needs ecr:CreateRepository and ecr:BatchImportUpstreamImage in addition to the usual pull permissions. Subsequent pulls are served from your ECR registry, and ECR checks the upstream for a newer version of the tag at most once every 24 hours.
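The steps above amount to rewriting an upstream image reference into a cache URI, and the library/ detail is where pulls most often fail. The following script, added here as an example and not taken from the original post, does that rewrite for Docker Hub, Quay, registry.k8s.io and ECR Public; the rule prefixes, the account ID and the region are assumed placeholders, and the pull_via_cache wrapper simply calls docker pull on the result. Tags and @sha256 digests are passed through unchanged, and a registry without a cache rule is refused rather than silently pulled from the internet.

```shell
#!/bin/sh
# Added example, not code from the original post: translate an upstream image
# reference into the URI a private-subnet runner pulls from the ECR pull through
# cache. The rule prefixes and ECR_REGISTRY below are assumptions.

ECR_REGISTRY="123456789012.dkr.ecr.us-east-1.amazonaws.com"  # placeholder account/region

# Map an upstream registry host to the ecr_repository_prefix of its cache rule.
rule_prefix() {
    case "$1" in
        docker.io)       echo dockerhub ;;
        quay.io)         echo quay ;;
        registry.k8s.io) echo k8s ;;
        public.ecr.aws)  echo ecr-public ;;
        *) return 1 ;;    # no rule: refuse instead of falling back to the internet
    esac
}

# ptc_ref <upstream-ref>: print the pull through cache URI, or fail if no rule matches.
ptc_ref() {
    ref=$1
    # Separate the digest or tag from the path. A ":" after the last "/" is a
    # tag; a ":" before it would belong to a registry port.
    case "$ref" in
        *@*) suffix="@${ref#*@}"; path=${ref%%@*} ;;
        *)   suffix=""; path=$ref ;;
    esac
    if [ -z "$suffix" ]; then
        case "${path##*/}" in
            *:*) suffix=":${path##*:}"; path=${path%:*} ;;
            *)   suffix=":latest" ;;   # docker's implicit default tag
        esac
    fi
    # Docker's rule: the first segment is a registry host only if it contains
    # "." or ":" or is "localhost"; otherwise the image lives on Docker Hub.
    first=${path%%/*}
    case "$first" in
        *.*|*:*|localhost) host=$first; path=${path#*/} ;;
        *)                 host=docker.io ;;
    esac
    if [ "$host" = index.docker.io ]; then host=docker.io; fi
    if [ "$host" = docker.io ]; then
        case "$path" in
            */*) ;;
            *)   path="library/$path" ;;   # official image: write out the hidden namespace
        esac
    fi
    prefix=$(rule_prefix "$host") || {
        echo "ptc_ref: no pull through cache rule for $host" >&2
        return 1
    }
    printf '%s/%s/%s%s\n' "$ECR_REGISTRY" "$prefix" "$path" "$suffix"
}

# pull_via_cache <upstream-ref>: pull through the cache, then keep the upstream
# name as a local alias so Dockerfiles and scripts need not change.
pull_via_cache() {
    cached=$(ptc_ref "$1") || return 1
    docker pull "$cached" && docker tag "$cached" "$1"
}

if [ "$#" -gt 0 ]; then
    pull_via_cache "$1"
fi
```

Run it as `sh pull.sh node:18-alpine` after `aws ecr get-login-password | docker login` against your ECR registry; the function can also be sourced into a buildspec or CI script. The refusal path is deliberate: a missing rule should fail the build, not quietly route the pull through a NAT gateway.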

Accessing ECR in Private VPCs

To let isolated subnets reach ECR, create VPC endpoints for the following:

  • com.amazonaws.<region>.ecr.api (interface endpoint; ECR API calls such as GetAuthorizationToken)
  • com.amazonaws.<region>.ecr.dkr (interface endpoint; the Docker registry API used by docker pull and push)
  • com.amazonaws.<region>.s3 (gateway endpoint; image layers are downloaded from S3)

Enable private DNS on the two interface endpoints so that the normal ECR hostnames resolve to the endpoint network interfaces inside the VPC, and allow HTTPS (port 443) from the subnets in the endpoints' security group. CodeBuild projects attached to a VPC typically also need a CloudWatch Logs endpoint (com.amazonaws.<region>.logs), and ECS tasks that read secrets need Secrets Manager or SSM endpoints. With these in place, EC2, ECS, and CodeBuild in private subnets can talk to ECR without any internet path.
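When a pull hangs or times out from a private subnet, the usual cause is that private DNS is not in effect and the ECR hostnames still resolve to public addresses. The script below is an added example, not part of the original post: is_private_ip classifies an IPv4 address as RFC 1918 or not, and check_ecr_private_dns resolves the two ECR hostnames for an assumed account ID and region and reports which ones resolve outside the VPC. The S3 gateway endpoint cannot be verified this way because it works through route tables rather than DNS; check the subnet's route table for the prefix list instead. If your VPC uses non-RFC 1918 space (100.64.0.0/10, for example), extend the case statement with your own CIDR.

```shell
#!/bin/sh
# Added example, not from the original post: verify that ECR hostnames resolve
# into the VPC (interface endpoint with private DNS) rather than to public IPs.

# is_private_ip <ipv4>: exit 0 if the address is in RFC 1918 space, else 1.
# Malformed input (non-numeric, wrong octet count, octet > 255) is rejected.
is_private_ip() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    case "$1.$2" in
        10.*)    return 0 ;;                                  # 10.0.0.0/8
        192.168) return 0 ;;                                  # 192.168.0.0/16
        172.*)   [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;  # 172.16.0.0/12
    esac
    return 1
}

# check_ecr_private_dns <account-id> <region>: resolve the ECR API and registry
# hostnames and flag any answer that is not a VPC-private address.
# Uses getent (glibc); run it from inside the private subnet you are checking.
check_ecr_private_dns() {
    acct=$1; region=$2; rc=0
    for host in "api.ecr.$region.amazonaws.com" "$acct.dkr.ecr.$region.amazonaws.com"; do
        ips=$(getent ahostsv4 "$host" | awk '{print $1}' | sort -u)
        if [ -z "$ips" ]; then
            echo "FAIL $host does not resolve"; rc=1; continue
        fi
        for ip in $ips; do
            if is_private_ip "$ip"; then
                echo "ok   $host -> $ip (VPC endpoint)"
            else
                echo "FAIL $host -> $ip (public address; private DNS not in effect)"; rc=1
            fi
        done
    done
    return $rc
}

# Usage: sh check-ecr-dns.sh 123456789012 us-east-1   (placeholder values)
if [ "$#" -eq 2 ]; then
    check_ecr_private_dns "$1" "$2"
fi
```

A non-zero exit from check_ecr_private_dns is a good gate to run before the first docker pull in a pipeline: it turns a silent fallback through a NAT gateway, or a long connect timeout, into an immediate and explicit failure.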

Example: CodeBuild in a Private Subnet

With the pull through cache and VPC endpoints configured, and the project attached to the private subnets with privileged mode enabled for Docker, your buildspec.yml might look like this (the build role needs ecr:GetAuthorizationToken plus the pull-through and push permissions):

version: 0.2
phases:
  pre_build:
    commands:
      - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com
  build:
    commands:
      - docker pull <account-id>.dkr.ecr.<region>.amazonaws.com/<namespace>/library/python:3.12-slim
      - docker build -t myapp .
      - docker tag myapp <your-private-ecr>
      - docker push <your-private-ecr>

Every network call here (the login, the pull, the layer downloads, and the push) stays on the VPC endpoints, so the build runs unchanged in an isolated subnet.

Bonus: Creating a Pull Through Cache Rule in Terraform

resource "aws_ecr_pull_through_cache_rule" "dockerhub" {
  # Images are then pulled as <account-id>.dkr.ecr.<region>.amazonaws.com/dockerhub/library/<name>:<tag>
  ecr_repository_prefix = "dockerhub"
  upstream_registry_url = "https://registry-1.docker.io"
  # The secret name must start with ecr-pullthroughcache/; its value is JSON with
  # "username" and "accessToken" keys (a Docker Hub access token, not the password).
  credential_arn        = "arn:aws:secretsmanager:us-east-1:123456789:secret:ecr-pullthroughcache/dockerhub"
}

Conclusion

For teams operating in secure, isolated AWS environments, ECR Pull Through Cache is a robust way to obtain the container images they need without opening an internet path. By caching images from public and private upstreams inside your own ECR registry, reachable over VPC endpoints, you get faster builds, lower NAT costs, and your own scanning, lifecycle, and access policies applied to every base image your pipelines consume.