AWS ECR Cross Account/Region Replication

Kavyesh Shah
2 min read · Nov 25, 2023

Dealing with multiple AWS cloud accounts or Regions for dev/stage/prod and don’t want to build & push container images multiple times? You’ve come to the right place.

Use Cases Covered:

  • Multiple AWS Accounts
  • Multi-region application deployments
  • Disaster Recovery Planning

This article assumes you have sufficient IAM permissions to set up replication of container registry images.

Let’s Configure Source Account First

From UI:

From CLI:

Here’s the replication rule that needs to be configured on the source account, where images are pushed first.

CRR Rule JSON

  • Destinations — the other AWS account or Region to replicate to.
  • RepositoryFilters — limits replication to specific repositories instead of everything. You specify the prefix of the repository name.

aws ecr put-replication-configuration \
--replication-configuration file://ecr-crr.json \
--region us-east-1

After running the command, its output is shown on screen. (P.S.: if you have existing rules, this command overrides them, so run it with care.)

One more example that configures different rules in different accounts

Multi Account Replication with Different Prefix

Now it’s time to configure the destination account.

On the destination account, configure the policy below to allow replication between the two accounts.

From UI:

From CLI:

Create the file below with the policy defined as per your requirements.

Apply with the below command:

aws ecr put-registry-policy \
--policy-text file://ecr-crr-dest-permissions.json \
--region us-east-1

Whoa! Your replication is configured successfully. Please note that it does not replicate existing images; it only replicates images created after the rule is configured.

Important Things to Consider:

  • Replication is not transitive. If replication is configured from Account A to Account B, and replication of the same image is configured from Account B to Account C, the image will not be replicated to Account C. You have to configure replication from Account A to Account C.
  • A replication configuration may contain up to 10 rules, with up to 25 unique destinations across all rules and 100 filters per rule.
  • For cross-account replication to occur, the destination account must configure a registry permissions policy that allows it.
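
The two files the commands above load (ecr-crr.json on the source account, ecr-crr-dest-permissions.json on the destination account), generated and checked against the limits listed above. This is an added example, not code from the original post: the account IDs and the prod/ prefix are constructed placeholders, the function names are hypothetical, and scoping the policy's Resource to the same prefix is a tightening chosen here.

```python
import json

# Limits quoted under "Important Things to Consider".
MAX_RULES, MAX_DESTINATIONS, MAX_FILTERS = 10, 25, 100

def replication_config(rules):
    """rules: list of (destinations, prefixes); destination = (account_id, region)."""
    out = []
    for dests, prefixes in rules:
        rule = {"destinations": [{"region": r, "registryId": a} for a, r in dests]}
        if prefixes:  # omitting the key means every repository is replicated
            rule["repositoryFilters"] = [
                {"filter": p, "filterType": "PREFIX_MATCH"} for p in prefixes]
        out.append(rule)
    return {"rules": out}

def lint_replication(config):
    """Return the problems found in a replication configuration."""
    rules, problems = config.get("rules", []), []
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules, limit is {MAX_RULES}")
    # Assumption: a "unique destination" is a distinct (account, region) pair.
    unique = {(d["registryId"], d["region"]) for r in rules for d in r["destinations"]}
    if len(unique) > MAX_DESTINATIONS:
        problems.append(f"{len(unique)} unique destinations, limit is {MAX_DESTINATIONS}")
    for i, rule in enumerate(rules):
        filters = rule.get("repositoryFilters", [])
        if not filters:
            problems.append(f"rule {i}: no repositoryFilters, every repository is replicated")
        elif len(filters) > MAX_FILTERS:
            problems.append(f"rule {i}: {len(filters)} filters, limit is {MAX_FILTERS}")
    return problems

def destination_policy(source_account, dest_account, region, prefix=""):
    """Registry policy for the destination account: one source account, one prefix."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowReplicationFromSource",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
        "Action": ["ecr:CreateRepository", "ecr:ReplicateImage"],
        "Resource": f"arn:aws:ecr:{region}:{dest_account}:repository/{prefix}*"}]}

if __name__ == "__main__":
    SRC, DST = "111111111111", "222222222222"  # constructed placeholder account IDs
    cfg = replication_config([([(DST, "us-east-1")], ["prod/"])])
    problems = lint_replication(cfg)
    if problems:
        raise SystemExit("\n".join(problems))
    for name, doc in (("ecr-crr.json", cfg), ("ecr-crr-dest-permissions.json",
                      destination_policy(SRC, DST, "us-east-1", "prod/"))):
        with open(name, "w") as fh:
            json.dump(doc, fh, indent=2)
```

Running it writes both files into the current directory, ready for the two aws ecr commands shown earlier.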
