How to Pull Images from ECR to Private EC2 Without Internet


Instead of using a NAT gateway to connect to the internet, you can set up VPC endpoints to directly and securely pull container images from Amazon ECR (Elastic Container Registry) to your EC2 instances within your VPC (Virtual Private Cloud).
This way, your image transfers are:
More secure: Traffic stays within your VPC’s network and doesn’t go out to the public internet.
Faster: No need for the extra hop through a NAT gateway.
Simpler: No need to manage a NAT gateway.
Requirements
VPC (Virtual Private Cloud): VPC is a virtual network dedicated to your AWS account. It enables you to launch AWS resources (like EC2 instances) into a virtual network that you define. It provides control over the virtual networking environment, including IP address ranges, subnets, routing tables, and security settings.
Follow this link to create a VPC:
ECR (Amazon Elastic Container Registry): ECR is a fully managed Docker container registry service provided by AWS. It allows users to store, manage, and deploy Docker container images. It’s integrated with other AWS services, facilitating seamless deployment of containerized applications.
EC2 (Elastic Compute Cloud): EC2 is a web service that provides resizable compute capacity in the cloud. It allows users to rent virtual servers (known as instances) and run applications on them, offering scalability and flexibility based on computing needs.
Follow the link below to configure OpenVPN and the private Docker instance:
OpenVPN+Docker
VPC Endpoints: VPC endpoints are entities that enable direct connectivity between an AWS VPC and AWS services without requiring internet gateways, NAT devices, VPN connections, or AWS Direct Connect. They allow secure communication between resources within the VPC and AWS services like S3, DynamoDB, or ECR without going through the public internet.
Steps To Follow
To set up a VPC, open the “AWS Console”, navigate to VPC, and select “Create VPC and more”.
For a more detailed step-by-step VPC creation guide, follow the link below:
Now go to “EC2” instances and launch the OpenVPN and private Docker instances.
When we create the VPC this way, a NAT gateway is present, so the private instance can still download packages from the internet. We use it to update the instance and install Docker, the AWS CLI, unzip, etc.

```bash
# Update system
sudo apt update -y && sudo apt upgrade -y

# Install unzip (needed to extract the AWS CLI archive)
sudo apt install -y unzip

# Install Docker
sudo apt install -y docker.io
sudo systemctl enable docker --now
sudo usermod -aG docker $USER   # optional: run docker without sudo

# Install AWS CLI v2
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws --version                   # verify installation
```
Follow this official link to install Docker:
docker_installation
As we saw in the VPC section, a NAT gateway is present at this point.
- If you do not have an ECR repository yet, create one first.
- Now that we have an ECR repository, we want to pull an image from it; follow the commands to pull the Docker image.
- When we try to log in to the ECR repository, we get the message “AWS CLI command not found”, so we install the AWS CLI.
- We install the unzip package to unzip the AWS CLI package.
- We check that the AWS CLI is installed and verify its version.
- Now we check internet connectivity from the private instance using the ping command.
- Now we delete the NAT gateway, which breaks internet connectivity for the private instance.
- When we ping 8.8.8.8 again, we get no response. We can no longer install or update packages from the internet.
- We configure the access key and secret access key along with the region.
Make sure these keys are never exposed anywhere; remove them before publishing the blog.
- Now it’s time to create the endpoints. A VPC Endpoint allows you to privately connect your VPC to AWS services without using the public internet. This improves security by keeping traffic within the AWS network. There are two types: Interface Endpoints (powered by AWS PrivateLink, reached through elastic network interfaces in your subnets) and Gateway Endpoints (only for S3 and DynamoDB).
- Create an endpoint for the ECR service by following the steps below.
- Select the VPC and the subnet where the private instance lives.
- Attach the private Docker security group, then click create endpoint.
- Now follow the same process to create two more endpoints.
- After the endpoint setup, we still cannot log in to the ECR repository. What’s the issue now?
Let’s figure out the issue. We go to the private Docker instance’s security group and add a new inbound rule: open port 443 and set the source to that same private Docker security group.
Why it’s self-referencing (same security group as source)
Because the endpoint network interfaces were attached with the same SG as the private instance, an inbound rule on port 443 whose source is that SG is what allows the HTTPS traffic between your private instance and the VPC Endpoint ENIs.
Without this, the TLS handshake to ECR fails because port 443 on the endpoint side would be blocked.
In short
The inbound 443 rule is needed so your private instance can:
Communicate securely with the ECR VPC Endpoint over HTTPS.
Pull Docker images without needing a NAT Gateway or Internet Gateway.
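The endpoint and security-group requirements above can be verified offline from the output of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups`. The check below is an added example, not code from the post; it assumes the three endpoints a private ECR pull needs are ecr.api, ecr.dkr and the S3 gateway (the post only says “two more endpoints”), and the sample data is constructed, with a hypothetical `sg-private` group and `vpc-0123` VPC.

```python
"""Offline check for the private ECR pull setup the post describes; input shapes
mimic `aws ec2 describe-vpc-endpoints` / `describe-security-groups` output."""

# ECR pulls need ecr.api (auth/API), ecr.dkr (registry) and the S3 gateway
# endpoint (image layers are served from S3). This list is an assumption
# added here; the post only says "two more endpoints".
REQUIRED_SERVICES = {"ecr.api": "Interface", "ecr.dkr": "Interface", "s3": "Gateway"}


def find_missing_endpoints(endpoints, vpc_id, region):
    """Return required services that have no endpoint of the right type in vpc_id."""
    present = {(ep["ServiceName"], ep["VpcEndpointType"])
               for ep in endpoints if ep["VpcId"] == vpc_id}
    return sorted(svc for svc, kind in REQUIRED_SERVICES.items()
                  if (f"com.amazonaws.{region}.{svc}", kind) not in present)


def has_self_referencing_https_rule(sg):
    """True if sg allows inbound TCP 443 from its own group id (the post's fix)."""
    for perm in sg.get("IpPermissions", []):
        all_traffic = perm.get("IpProtocol") == "-1"
        tcp_443 = (perm.get("IpProtocol") == "tcp"
                   and perm.get("FromPort", -1) <= 443 <= perm.get("ToPort", -1))
        sources = {p.get("GroupId") for p in perm.get("UserIdGroupPairs", [])}
        if (all_traffic or tcp_443) and sg["GroupId"] in sources:
            return True
    return False


# Constructed sample: the ecr.dkr endpoint was forgotten and the private
# instance's security group still only allows SSH from inside the VPC.
SAMPLE_ENDPOINTS = [
    {"VpcId": "vpc-0123", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ecr.api"},
    {"VpcId": "vpc-0123", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3"},
]
SSH_RULE = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}
HTTPS_SELF_RULE = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                   "UserIdGroupPairs": [{"GroupId": "sg-private"}]}
BROKEN_SG = {"GroupId": "sg-private", "IpPermissions": [SSH_RULE]}
FIXED_SG = {"GroupId": "sg-private", "IpPermissions": [SSH_RULE, HTTPS_SELF_RULE]}

if __name__ == "__main__":
    print("missing endpoints:", find_missing_endpoints(SAMPLE_ENDPOINTS, "vpc-0123", "us-east-1"))
    print("443 self-rule, broken SG:", has_self_referencing_https_rule(BROKEN_SG))
    print("443 self-rule, fixed SG:", has_self_referencing_https_rule(FIXED_SG))
```

Feed it the real JSON from the two CLI calls and an empty `missing endpoints` list plus `True` for the self-rule means the setup matches the post’s working state.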
- Now you can log in to your ECR repository.
- We can now easily pull the private ECR Docker images.
Conclusion:
In this blog, we set up a private instance with Docker, the AWS CLI and unzip, and configured access keys. After removing the NAT Gateway, the instance lost internet access, so we created VPC Endpoints to enable pulling images from a private ECR repository. Initially, the ECR login failed, but by updating the private instance’s security group to allow HTTPS (port 443) traffic from the same security group, the authentication succeeded. Finally, we were able to log in to ECR and successfully pull images without exposing the instance to the public internet.
This approach ensures a fully private, secure, and cost-efficient setup where your workloads can still interact with ECR even without direct internet access.
Follow for more such content:
LinkedIn: linkedin.com/in/dushyant-kumar-dk
Blog: dashboard-blog-link