ECR Public: a brief introduction

Hallblazzar
Hallblazzar :Developer Journal
3 min read · Dec 3, 2020

Recently, AWS released an interesting service called AWS ECR Public. It is a public container image registry that allows developers to pull images without rate limits (under some conditions, which we'll talk about later). Obviously, this service is a countermeasure against the inconvenience that the Docker Hub rate limit brings. For instance, most users who run containers on AWS ECS or AWS EKS usually pull images from Docker Hub instead of hosting a copy on AWS ECR under their own account. As their deployment/release frequency rises, so does the probability of hitting the rate limit. To solve the issue, other than hosting images on AWS ECR, they could only rely on workarounds (like this). Besides, for a cloud service provider, even though many users are affected by this issue, implementing vendor-specific solutions to handle problems caused by third-party tools/software is not a beneficial decision for AWS. Providing a public registry seems to be a simple, clean and straightforward approach.

Recently, I have also helped many users with questions about ECR Public (it's really a popular service). Therefore, to give people more insight into the current status of this service, I summarize the questions I've frequently been asked in this article:

1. Is logging in to ECR Public required?

Roughly speaking, no. You can simply run “docker pull” to pull any container image hosted on ECR Public from any host you prefer, from EC2 instances to your own laptop. Even if you don't have an AWS account, you can still pull images from it. But there are still some restrictions:

- For anonymous pulls: the total bandwidth is 500GB per month. Exceeding the limit will get you blocked.
- For AWS users: you can log in with your AWS account via the “aws ecr-public” command, which gives you up to 5TB of free bandwidth. Exceeding the limit will incur ECR Public data transfer fees.

2. Is there any way to keep me from being charged?

Basically, for workloads running on the AWS cloud, image pull traffic isn't charged. But please note that it still depends on your network design. ECR Public itself doesn't charge for image pull traffic that goes through an Internet Gateway, but the network path the traffic takes may.

For instance, if you pull container images on an EC2 instance that has a public IP address and is placed in a public subnet, it's totally free. By contrast, if you do the same thing on an EC2 instance placed in a private subnet that uses a NAT Gateway to forward requests, you'll still be charged NAT Gateway data transfer costs.

Moreover, you don't have to log in to ECR Public on the AWS cloud. So you don't have to do anything for workloads running on ECS container instances and EKS worker nodes.
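To see which of your subnets fall into the "free" or the "NAT Gateway" case above, you can classify them by their default route. The following is an added example, not code from the original article: the sample data is constructed in the shape of `aws ec2 describe-route-tables` output, the function names are hypothetical, and it assumes all route tables belong to a single VPC.

```python
# Added example: classify subnets by the default route their image pulls take.
# SAMPLE is constructed data shaped like `aws ec2 describe-route-tables` output.
import json

SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-public",
   "Associations": [{"SubnetId": "subnet-pub", "Main": false}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
  {"RouteTableId": "rtb-private",
   "Associations": [{"SubnetId": "subnet-priv", "Main": false}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
  {"RouteTableId": "rtb-main",
   "Associations": [{"Main": true}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
]}
""")

def egress_kind(route_table):
    """Return 'igw', 'nat', 'other' or 'none' for the table's IPv4 default route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return "nat"
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        return "other"  # e.g. transit gateway or appliance: inspect manually
    return "none"

def classify_subnets(doc, subnet_ids):
    """Map each subnet to its egress kind; unassociated subnets use the main table."""
    explicit, main_kind = {}, "none"
    for table in doc["RouteTables"]:
        kind = egress_kind(table)
        for assoc in table.get("Associations", []):
            if assoc.get("Main"):
                main_kind = kind
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = kind
    return {s: explicit.get(s, main_kind) for s in subnet_ids}

if __name__ == "__main__":
    notes = {"igw": "no NAT Gateway cost (instance needs a public IP)",
             "nat": "NAT Gateway data transfer costs apply to pulls"}
    subnets = ["subnet-pub", "subnet-priv", "subnet-orphan"]
    for subnet, kind in classify_subnets(SAMPLE, subnets).items():
        print(f"{subnet}: {kind}: {notes.get(kind, 'no IGW/NAT default route found')}")
```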

3. Could I pull images from ECR Public privately?

Presently, ECR Public doesn't support AWS PrivateLink yet (unlike AWS ECR).

From the pricing policy, you can see that AWS gives considerable benefits to its users. I believe it could also give people an incentive to move their workloads to the AWS cloud. It's not only a favorable service for developers but also a great business decision for a cloud provider.

Hope this article is helpful for you. You could send me a message if you’re interested in the service or if you have any ideas. 😎 For more information about AWS ECR Public, you could also refer to the following links:


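A developer driven by curiosity, specializing in networking, software/system architecture and DevOps, currently working to enter the world of Data Science. Enjoying the beauty of code and architecture with my whole life, and dreaming of still passionately playing with code at 80. Github: https://github.com/HallBlazzar Mail: hallblazzar@gmail.com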