Amazon Elastic Container Registry (ECR)
AWS Elastic Container Registry (ECR) is a container image registry that is fully managed by AWS. A container image registry stores container images, such as Docker images, and controls who may push and pull them. Images pushed to AWS ECR repositories can be pulled by AWS services like AWS Elastic Container Service (ECS) or AWS Elastic Kubernetes Service (EKS), or by any authenticated Docker client. AWS ECR is highly available and scales image storage elastically.
What is AWS ECR ?
A common problem developers used to have is that code written on a laptop ran against that laptop's operating system and particular versions of languages and tools. When the same code was deployed to production, it could break because of a different operating system, architecture, or language version. Containers and images solve this by packaging the runtime environment together with the code, so developers can focus on the application. To support the growing use of images as the unit of deployment, AWS built AWS Elastic Container Registry.
AWS Elastic Container Registry (ECR) is a fully managed container image registry offered by Amazon, enabling developers to share container images and deploy them in containerized environments like AWS Elastic Container Service (ECS) or AWS Elastic Kubernetes Service (EKS). AWS ECR has a number of security features built in and lets you keep your images private or share them publicly.
To understand AWS ECR completely we need to understand the following key terminologies first :
- Container :
A container packages an application together with the libraries, dependencies, and configuration it needs to run. Unlike a virtual machine, a container does not carry its own kernel: containers are isolated processes that share the host's kernel, which is why they start quickly and are portable across hosts running the same kind of kernel. It also means the kernel's isolation primitives (namespaces, cgroups, capabilities, seccomp) are the container's security boundary, not a hypervisor.
- Image :
If a container is what runs, an image is what you "save": a read-only, layered filesystem snapshot plus metadata (entrypoint, environment, exposed ports) from which containers are started. Because an image is immutable and addressed by the digest of its content, it can be shared easily and verified after transfer.
- Docker :
Docker is one tool for building images and running them as containers, on your laptop or in a production environment. The same image runs unchanged across environments, so the application code does not need to be adapted per environment.
Components of AWS ECR
AWS ECR is made up of the following components :
- Registry :
Each AWS Account gets one private AWS ECR registry per AWS Region, in which you create one or more repositories. The registry URL is derived from your AWS Account ID and the Region, in the format https://<aws_account_id>.dkr.ecr.<region>.amazonaws.com.
- Repository :
An AWS ECR Repository is where you push and pull images. Both Docker images and Open Container Initiative (OCI) images are supported.
- Image :
An image is the fundamental object stored in AWS ECR. Images live in repositories and can be pulled over the internet by any Docker client that is authorized to do so (anonymously, for public repositories) or by AWS services like AWS ECS or AWS EKS.
- Authorization Token :
An authorization token is required to authenticate a Docker client to a private registry before it can push or pull. The token is obtained with your IAM credentials (aws ecr get-login-password or aws ecr get-authorization-token) and is valid for 12 hours. The token only proves who you are; what you may push or pull is decided by IAM policies and repository policies.
- Repository Policy :
Repository policies are resource-based IAM policies attached to a repository. They control which principals, including other AWS accounts, may perform which actions on that repository and the images inside it.
How Does AWS ECR Work ?
AWS ECR is primarily used as an image repository. Let's understand how to use AWS ECR :
- Users develop applications on their workstation or an AWS EC2 Instance.
- Once the application is ready, they write a Dockerfile that describes how the image for this application is built.
- Then they obtain an authorization token with their AWS credentials (for example, aws ecr get-login-password piped into docker login) so that the Docker CLI on their workstation or AWS EC2 Instance can authenticate to the AWS ECR registry.
- Using the docker push command, they push the application's image, tagged with the full repository URI, to AWS ECR.
- AWS ECR stores the image layers in AWS S3, encrypted at rest, and the image becomes available for pulling.
- AWS ECS or EKS can now pull the new image and deploy it for customers.
Features of AWS ECR
AWS ECR comes with a lot of features. Let's look at a few key features :
- High Availability and Durability :
AWS ECR stores container images and artifacts in AWS Simple Storage Service (S3), which is designed for 99.999999999% (eleven nines) data durability, so your image layers are protected against loss from hardware or facility failures. Durability is not the same as availability, though: a regional outage still makes that registry unreachable, which is why AWS ECR can automatically replicate your repositories to other AWS Regions for applications deployed across two or more regions.
- Docker and OCI Support :
AWS ECR has Docker and Open Container Initiative (OCI) support out of the box. This allows you to use the Docker CLI commands to interact with AWS ECR. AWS ECR lets you store both Docker container images and OCI artifacts in your AWS ECR Repositories.
- Cross-Region and Cross-Account Sharing :
With AWS ECR, you can set up replication rules which copy images pushed to certain repositories to other Regions in the same AWS Account or to entirely different AWS Accounts. Replication is configured at the registry level and applies only to images pushed after the rule is created; existing images are not copied. You can also enable public access to your repositories.
- Lifecycle Policy :
Lifecycle policies automate clean-up of a repository. Each rule selects images by tag status (untagged, tagged with given prefixes, or any) and expires them either once they are older than a number of days since they were pushed, or once more than a set number of them exist (oldest first). Rules run in priority order and an image is expired by at most one rule. Expired images are deleted, so make sure the rules never select tags that production still references.
- Image Scanning :
AWS ECR repositories can be configured to scan each image on push for known vulnerabilities in operating-system packages (basic scanning); enhanced scanning through Amazon Inspector also covers language packages and rescans continuously as new vulnerabilities are published. This lets you address vulnerabilities before deploying to your customer base. Scan results are advisory: ECR does not refuse to serve a vulnerable image, so a deployment pipeline has to read the findings and make the decision.
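Because ECR only reports findings, the gate has to live in the pipeline. The following is an added example, not AWS code or anything from the original page: it takes a scan result in the shape returned by `aws ecr describe-image-scan-findings` and decides whether the image may be deployed. The sample scan document is constructed and its finding names are placeholders, not real vulnerability identifiers; the severity threshold and the risk-acceptance list are assumptions you would set per environment.

```python
"""Fail a deployment pipeline when an ECR image scan reports serious findings.

Added example, not AWS code. SAMPLE_SCAN is constructed in the shape returned
by `aws ecr describe-image-scan-findings` (imageScanStatus,
imageScanFindings.findingSeverityCounts, imageScanFindings.findings); the
finding names are placeholders, not real vulnerability identifiers.
"""
from __future__ import annotations

# ECR basic-scan severities; UNDEFINED (unrated) is handled separately and fails closed.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

SAMPLE_SCAN = {  # constructed, not real scanner output
    "repositoryName": "myapp",
    "imageId": {"imageDigest": "sha256:" + "0" * 64, "imageTag": "1.0.0"},
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 1, "MEDIUM": 2, "UNDEFINED": 1},
        "findings": [
            {"name": "EXAMPLE-FINDING-1", "severity": "CRITICAL",
             "attributes": [{"key": "package_name", "value": "libexample"},
                            {"key": "package_version", "value": "1.0-1"}]},
            {"name": "EXAMPLE-FINDING-2", "severity": "HIGH", "attributes": []},
            {"name": "EXAMPLE-FINDING-3", "severity": "MEDIUM", "attributes": []},
            {"name": "EXAMPLE-FINDING-4", "severity": "MEDIUM", "attributes": []},
            {"name": "EXAMPLE-FINDING-5", "severity": "UNDEFINED", "attributes": []},
        ],
    },
}


def _attr(finding: dict, key: str) -> str:
    """Look up one key in a finding's attributes list; '?' when the scanner omitted it."""
    return next((a["value"] for a in finding.get("attributes", []) if a.get("key") == key), "?")


def scan_verdict(scan: dict, fail_on: str = "HIGH",
                 accepted: frozenset[str] = frozenset()) -> tuple[bool, list[str]]:
    """Return (deployable, reasons) for one scan result.

    Fails closed: a scan that is not COMPLETE blocks the deploy, and a finding
    whose severity is UNDEFINED is treated as blocking, because "the scanner
    could not rate it" is not evidence that it is harmless. Findings whose
    name is in `accepted` (a reviewed risk acceptance) are skipped.
    """
    status = scan.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return False, [f"scan status is {status!r}, not COMPLETE"]
    threshold = SEVERITY_RANK[fail_on]
    reasons = []
    for finding in scan.get("imageScanFindings", {}).get("findings", []):
        if finding["name"] in accepted:
            continue
        severity = finding.get("severity", "UNDEFINED")
        rank = SEVERITY_RANK.get(severity)
        if rank is None or rank >= threshold:
            reasons.append(f"{finding['name']} [{severity}] in "
                           f"{_attr(finding, 'package_name')} {_attr(finding, 'package_version')}")
    return not reasons, reasons


if __name__ == "__main__":
    ok, why = scan_verdict(SAMPLE_SCAN)
    print("deploy" if ok else "blocked:\n  " + "\n  ".join(why))
```

In a real pipeline the input comes from `aws ecr describe-image-scan-findings --repository-name myapp --image-id imageTag=1.0.0`, and the gate should run after the scan status is COMPLETE (scan-on-push is asynchronous, so poll or use the EventBridge scan event). Deploy by digest, not by tag, so the image you scanned is the image you run.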
AWS ECR Security
AWS ECR comes with a few security features to enable you to secure your repositories and images.
- Identity and Access Management :
AWS IAM controls who can do what in AWS ECR. Identity-based policies on users and roles grant ECR actions, and resource-based repository policies attached to a repository grant or restrict access for specific principals, including other AWS accounts. Together they let you ensure that only the intended identities can pull from a private repository, and that fewer still can push or change its policy. In practice, give workloads pull-only permissions and keep push and policy-management rights with your build system.
- Data Protection :
AWS ECR images are encrypted at rest. By default, image layers are stored in AWS S3 with server-side encryption (SSE-S3, AES-256). You can instead choose a key in AWS Key Management Service (AWS KMS), either an AWS managed key or a customer managed key, which lets you audit key use in CloudTrail and control access through the key policy. The encryption setting is fixed when the repository is created and cannot be changed afterwards, and the key policy must permit Amazon ECR to use the key on your behalf.
- AWS PrivateLink :
To keep traffic between your Virtual Private Cloud (VPC) and AWS ECR off the public internet, create VPC endpoints for ECR. VPC endpoints are powered by AWS PrivateLink and keep the traffic on the Amazon network, so workloads in private subnets (an EKS node group, for example) can push and pull without a NAT gateway or internet gateway. ECR needs two interface endpoints, com.amazonaws.<region>.ecr.api (the ECR API) and com.amazonaws.<region>.ecr.dkr (the Docker registry API), plus a gateway endpoint for S3, because image layers are downloaded from S3. Endpoint policies can further restrict which repositories the VPC is allowed to reach.
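The repository policy and IAM bullets above are where most ECR exposure comes from: a policy with a wildcard principal turns a private repository into a public one. The following added example (not AWS code, not from the original page) builds a least-privilege cross-account pull policy and lints a policy document for the mistakes a reviewer looks for. The trusted account ID is a placeholder, and the set of actions classed as write and admin is my own grouping.

```python
"""Least-privilege cross-account pull policy for a private ECR repository, with a linter.

Added example, not AWS code. The trusted account ID is a placeholder. Only the
three actions a Docker client needs to pull are granted; push and
policy-management actions are deliberately left out. ecr:GetAuthorizationToken
is not resource-scoped, so it must be granted by an IAM identity policy in the
pulling account, not here.
"""
from __future__ import annotations

import json
import re

PULL_ACTIONS = ("ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer")
WRITE_ACTIONS = ("ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                 "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage")
ADMIN_ACTIONS = ("ecr:SetRepositoryPolicy", "ecr:DeleteRepositoryPolicy",
                 "ecr:DeleteRepository", "ecr:PutImageTagMutability", "ecr:PutLifecyclePolicy")
ACCOUNT_RE = re.compile(r"^\d{12}$")


def cross_account_pull_policy(trusted_accounts: list[str]) -> dict:
    """Repository policy letting the listed accounts pull, and nothing else."""
    for acct in trusted_accounts:
        if not ACCOUNT_RE.match(acct):
            raise ValueError(f"account id must be 12 digits, got {acct!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowPullFromTrustedAccounts",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in trusted_accounts]},
            "Action": list(PULL_ACTIONS),
        }],
    }


# Constructed anti-pattern: anyone on the internet gets every ECR action.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Oops", "Effect": "Allow", "Principal": "*", "Action": "ecr:*"}],
}


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_repository_policy(policy: dict) -> list[str]:
    """Return human-readable problems for Allow statements that are public or over-privileged."""
    problems = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        # Principal may be the string "*" or a map such as {"AWS": [...]}; only the AWS key matters here.
        aws_principals = _as_list(principal if isinstance(principal, str) else (principal or {}).get("AWS"))
        actions = _as_list(stmt.get("Action"))
        public = "*" in aws_principals and not stmt.get("Condition")
        wildcard = any(a in ("*", "ecr:*") for a in actions)
        admin = wildcard or any(a in ADMIN_ACTIONS for a in actions)
        write = wildcard or any(a in WRITE_ACTIONS for a in actions)
        if public:
            problems.append(f"{sid}: Principal '*' without a Condition makes the repository readable by anyone")
        if wildcard:
            problems.append(f"{sid}: wildcard Action grants every ECR operation, not just pull")
        elif admin:
            problems.append(f"{sid}: grants policy/admin actions, so a grantee could rewrite this policy")
        if public and write:
            problems.append(f"{sid}: anonymous principals could push or delete images")
    return problems


def policy_text(policy: dict) -> str:
    """JSON for: aws ecr set-repository-policy --repository-name myapp --policy-text file://policy.json"""
    return json.dumps(policy, indent=2)
```

Run the linter over `aws ecr get-repository-policy --repository-name myapp --query policyText --output text` (the result is a JSON string you `json.loads`) as part of the same review that looks at S3 bucket policies; the failure modes are identical. The pulling account still needs an identity policy with ecr:GetAuthorizationToken and the same three pull actions on the repository ARN, because cross-account access requires both sides to allow it.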
AWS ECR Use Cases
AWS ECR can be used in a variety of ways, such as :
- Image Repository :
The most common use case of AWS ECR is using it as an image repository for your containerized application. AWS ECR images are stored in AWS S3, which ensures the high availability of your images and AWS ECR integrates easily with Docker.
- Image Management :
AWS ECR has a lot of powerful image management tools. You can define replication policies to automatically replicate images to other AWS Regions or AWS Accounts, use lifecycle policies to automatically delete old images, and use IAM to define granular access rules.
- Container Orchestrator Integration :
AWS ECR integrates easily with Amazon's offering of container orchestrator services - AWS Elastic Container Service (ECS) and AWS Elastic Kubernetes Service (EKS). These services can pull images from AWS ECR and can be used for automated production deployment of applications.
- Public Container Image Gallery :
AWS ECR also allows you to make repositories public. You can share your container images on the internet through the Amazon ECR Public Gallery at little or no cost, without maintaining a registry or worrying about its availability.
Getting Started with AWS ECR
You can get started with AWS ECR using the AWS Console or the AWS CLI. Let's take a look at the steps for creating a new AWS ECR Repository and pushing a Docker image to it. You will need:
- An AWS Account
- Docker CLI installed on your system
- Docker image that you want to push to AWS ECR
Create an Image Repository
- Go to the AWS Console. Search for "ECR", and then select "Elastic Container Registry".
- Choose Get Started.
- For Visibility Settings, choose Private.
- For Repository name, provide a name for the repository.
- For this walkthrough, leave Tag immutability, Image scan settings, and Encryption settings at their defaults (disabled). For a production repository, enable tag immutability, so that an existing tag such as latest cannot be silently overwritten by a different image, and scan on push. Note that the encryption setting cannot be changed after the repository is created.
- Choose Create repository. The repository is created immediately.
Build, Tag, and Push a Docker Image
- Go to the AWS Console. Search for "ECR", and then select "Elastic Container Registry".
- Select the AWS ECR Repository you created earlier.
- Click the View push commands button to view the steps to push an image to your new repository.
- On your system, run the commands one by one: log in to the registry, build the image, tag it with the full repository URI (<aws_account_id>.dkr.ecr.<region>.amazonaws.com/<repository>:<tag>), and push it.
- When the push completes, the image is listed in the repository together with its digest. Pull by digest rather than by tag when you want a guarantee that you run exactly the bytes you pushed.
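The workflow described under "How Does AWS ECR Work ?" and the console push commands above, as an added example that is not part of the original page or AWS's own tooling. It wraps the AWS CLI and Docker CLI from Python so that the registry URL is validated before use, the 12-hour authorization token is checked for expiry, and the password is handed to docker login on stdin rather than on the command line. It assumes the AWS CLI v2 and Docker are installed and that the caller's IAM identity may call ecr:GetAuthorizationToken and push to the repository; the account ID, region, repository name, and tag are placeholders.

```python
"""Build, tag, and push a Docker image to a private ECR repository.

Added example, not AWS or project code. It assumes the AWS CLI v2 and the
Docker CLI are installed and that the caller's IAM identity may call
ecr:GetAuthorizationToken and push to the repository. The account ID,
region, repository and tag used in main() are placeholders.
"""
from __future__ import annotations

import base64
import datetime as dt
import json
import re
import subprocess

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")
# Repository names: lowercase letters and digits with single . _ - separators, optionally namespaced with '/'.
REPO_RE = re.compile(r"^(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*$")


def registry_url(account_id: str, region: str) -> str:
    """Return the private registry hostname: <account>.dkr.ecr.<region>.amazonaws.com."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account id must be exactly 12 digits, got {account_id!r}")
    if not REGION_RE.match(region):
        raise ValueError(f"unexpected region format {region!r}")
    return f"{account_id}.dkr.ecr.{region}.amazonaws.com"


def image_uri(account_id: str, region: str, repository: str, tag: str = "latest") -> str:
    """Return the fully qualified image reference used by docker tag and docker push."""
    if not REPO_RE.match(repository):
        raise ValueError(f"invalid repository name {repository!r}")
    return f"{registry_url(account_id, region)}/{repository}:{tag}"


def parse_authorization_token(auth_data: dict, now: dt.datetime | None = None) -> str:
    """Extract the Docker password from one get-authorization-token entry.

    authorizationToken is base64("AWS:<password>") and is valid for 12 hours
    (expiresAt). Refuse an expired token instead of letting docker login fail
    with an unhelpful 401 later.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    expires = auth_data["expiresAt"]
    if isinstance(expires, (int, float)):          # CLI v1 prints epoch seconds
        expires = dt.datetime.fromtimestamp(expires, dt.timezone.utc)
    else:                                           # CLI v2 prints ISO 8601
        expires = dt.datetime.fromisoformat(str(expires).replace("Z", "+00:00"))
    if expires <= now:
        raise RuntimeError("authorization token already expired; request a new one")
    user, _, password = base64.b64decode(auth_data["authorizationToken"]).decode().partition(":")
    if user != "AWS" or not password:
        raise ValueError("malformed ECR authorization token")
    return password


def sample_auth_data(password: str, hours_from_now: float) -> dict:
    """Constructed get-authorization-token entry for offline testing (not real CLI output)."""
    return {
        "authorizationToken": base64.b64encode(f"AWS:{password}".encode()).decode(),
        "expiresAt": (dt.datetime.now(dt.timezone.utc) + dt.timedelta(hours=hours_from_now)).isoformat(),
        "proxyEndpoint": "https://123456789012.dkr.ecr.us-west-2.amazonaws.com",
    }


def push_commands(local_image: str, uri: str) -> list[list[str]]:
    """The docker commands the ECR console shows under 'View push commands'."""
    return [
        ["docker", "build", "-t", local_image, "."],
        ["docker", "tag", local_image, uri],
        ["docker", "push", uri],
    ]


def main(account_id="123456789012", region="us-west-2", repository="myapp", tag="1.0.0"):
    # 1. Fetch a token for this registry (calls AWS; needs credentials in the environment).
    out = subprocess.run(
        ["aws", "ecr", "get-authorization-token", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    password = parse_authorization_token(json.loads(out)["authorizationData"][0])
    registry = registry_url(account_id, region)
    # 2. Log in with the password on stdin so it never shows up in `ps` output or shell history.
    subprocess.run(
        ["docker", "login", "--username", "AWS", "--password-stdin", registry],
        input=password, text=True, check=True,
    )
    # 3. Build, tag with the full repository URI, and push.
    for cmd in push_commands(repository, image_uri(account_id, region, repository, tag)):
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main()
```

The same three docker commands are what the console prints; the added value is the checks around them. If you only need the password, `aws ecr get-login-password --region us-west-2` prints it directly, and `docker login` caches the 12-hour credential in the Docker config file, so treat that file as a secret on shared build hosts.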
You can also drive AWS ECR entirely from the AWS CLI; the key commands are listed in the next section and documented in the AWS CLI command reference for ecr.
List of Available Commands
AWS provides a few commands that can be run using the AWS CLI to interact with AWS ECR.
Here are a few key commands :
- create-repository :
Create a new repository in the private registry of the current Region. Tag mutability, scan-on-push, and the encryption setting are chosen here.
- describe-images :
Return metadata for one or more images in a repository: digest, tags, size, push time, and (when scanning is enabled) the scan findings summary.
- get-authorization-token :
Fetch a base64-encoded authorization token, valid for 12 hours, that a Docker client can use to log in and push or pull. The simpler get-login-password command prints only the password, ready to pipe into docker login --password-stdin.
- list-images :
List the image IDs (digests and tags) of all images in a repository.
- tag-resource :
Attach AWS resource tags (key/value metadata used for cost allocation and IAM conditions) to a repository. This is unrelated to image tags, which are set with docker tag or put-image.
Benefits of AWS ECR
Using AWS ECR as your image repository has a lot of benefits :
- Completely Managed :
AWS manages all the different infrastructure requirements of AWS ECR, and scales as your number of images scales. AWS provides high availability and strong data durability out of the box.
- Automated Image Lifecycle :
AWS ECR offers many tools to manage the lifecycle, from replication to deletion. These policies can be defined per repository and can be tested before being applied.
- Docker Support Built-In :
Docker images are the most widely used container image format, and AWS ECR supports them out of the box with no extra configuration.
- Streamlined Deployment Workflow :
With the help of AWS ECR and container orchestrator services like AWS ECS or AWS EKS, you can build a robust deployment workflow, which can support automated deployment and failure recovery.
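The lifecycle policy feature described above, and the note here that such policies can be tested before they are applied, as an added example that is not AWS code or part of the original page. It shows a two-rule policy in the JSON shape ECR accepts and a small local simulator of what the policy would expire, so a reviewer can reason about a rule before it deletes anything. The simulator follows the documented evaluation rules but is not ECR's implementation; the authoritative dry run is `aws ecr start-lifecycle-policy-preview`. The image list, the digests, and the fixed clock are constructed.

```python
"""Lifecycle policy for an ECR repository and a local dry run of what it would expire.

Added example, not AWS code. The policy removes untagged images 14 days after
they were pushed and keeps only the 10 newest 'release-' images. The
simulator follows the documented evaluation rules (rules run in priority
order, an image is expired by at most one rule, an image selected by a
higher-priority rule is not expired by a lower one, imageCountMoreThan keeps
the newest N, sinceImagePushed compares the push time); the authoritative dry
run is `aws ecr start-lifecycle-policy-preview`. SAMPLE_IMAGES and NOW are
constructed.
"""
from __future__ import annotations

import datetime as dt
import json

LIFECYCLE_POLICY = {
    "rules": [
        {
            "rulePriority": 1,
            "description": "Expire untagged images older than 14 days",
            "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                          "countUnit": "days", "countNumber": 14},
            "action": {"type": "expire"},
        },
        {
            "rulePriority": 2,
            "description": "Keep only the 10 newest release images",
            "selection": {"tagStatus": "tagged", "tagPrefixList": ["release-"],
                          "countType": "imageCountMoreThan", "countNumber": 10},
            "action": {"type": "expire"},
        },
    ]
}

NOW = dt.datetime(2024, 1, 31, tzinfo=dt.timezone.utc)  # constructed fixed clock


def _image(name: str, tags: list[str], age_days: int) -> dict:
    """Constructed describe-images style record; the digest is a label, not a real hash."""
    return {"imageDigest": f"sha256:{name}", "imageTags": tags,
            "imagePushedAt": NOW - dt.timedelta(days=age_days)}


SAMPLE_IMAGES = (
    [_image("u-old", [], 20), _image("u-new", [], 3), _image("dev", ["dev-abc"], 100)]
    + [_image(f"release-{i}", [f"release-1.0.{i}"], i) for i in range(1, 13)]
)


def _selected(selection: dict, image: dict) -> bool:
    """Does the rule's tag selection apply to this image?"""
    tags = image.get("imageTags") or []
    status = selection["tagStatus"]
    if status == "untagged":
        return not tags
    if status == "tagged":
        prefixes = selection.get("tagPrefixList", [])
        # With a prefix list, every listed prefix must be matched by some tag on the image.
        return bool(tags) and all(any(t.startswith(p) for t in tags) for p in prefixes)
    return True  # "any"


def images_to_expire(policy: dict, images: list[dict], now: dt.datetime) -> list[str]:
    """Return the digests the policy would expire, in rule-priority order."""
    expired: list[str] = []
    claimed: set[str] = set()  # images already selected by a higher-priority rule
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        matched = sorted((i for i in images if _selected(sel, i)),
                         key=lambda i: i["imagePushedAt"], reverse=True)  # newest first
        if sel["countType"] == "sinceImagePushed":
            cutoff = now - dt.timedelta(days=sel["countNumber"])
            hits = [i for i in matched if i["imagePushedAt"] < cutoff]
        elif sel["countType"] == "imageCountMoreThan":
            hits = matched[sel["countNumber"]:]
        else:
            raise ValueError(f"unknown countType {sel['countType']!r}")
        expired.extend(i["imageDigest"] for i in hits if i["imageDigest"] not in claimed)
        claimed.update(i["imageDigest"] for i in matched)
    return expired


def policy_text(policy: dict = LIFECYCLE_POLICY) -> str:
    """JSON for: aws ecr put-lifecycle-policy --repository-name myapp --lifecycle-policy-text file://lifecycle.json"""
    return json.dumps(policy, indent=2)
```

On the constructed data the policy expires the 20-day-old untagged image and the two oldest release images, and leaves the dev-tagged image alone because no rule selects it. Before applying a policy for real, run `aws ecr start-lifecycle-policy-preview` followed by `aws ecr get-lifecycle-policy-preview` and compare its list with what you expected; a rule that selects the tag your production task definitions reference will delete it just as readily as an old one.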
AWS ECR Pricing
There are no upfront charges for using AWS ECR - you pay for only the amount of data you store in your public or private ECR repositories.
As part of the AWS Free Tier, you get 500 MB per month of storage for your private repositories for one year.
There is no charge for data transfer in (uploading a new image), but for data transfer out (pulling an image) there is a charge based on the data transferred.
- Storage Costs : $0.10 per GB
- Data Transfer In : $0.00 per GB
- Data Transfer Out * (private repositories) : Starts at $0.09 per GB for the first ~10 TB, reduces to as low as $0.05 per GB
- Data Transfer Out * (public repositories) : Without using an AWS Account, you can transfer 500 GB per month at no cost. When using an AWS Account, the first 5 TB is $0.00 per GB and $0.09 per GB afterward to non-AWS Regions. Any amount of data transferred to AWS Regions is $0.00 per GB.
* : Rates are provided for us-west-2, might vary per region
Summary
- AWS ECR is a fully managed container image repository service offered by AWS.
- AWS ECR is made up of different components - registry, repository, image, authorization token, and repository policy.
- AWS ECR has a lot of features such as - high availability and durability, Docker and OCI support, cross-Region and cross-Account sharing, lifecycle policy, and image scanning.
- AWS ECR is suitable for a variety of use cases - image repository, image management, container orchestrator integration, and public container image gallery.
- There are a lot of benefits of using AWS ECR - completely managed by AWS, automated image lifecycle, built-in Docker support, and streamlined deployment workflow.
- AWS ECR has no upfront or per-request charges. You only pay for the data you store and the data you transfer out (for example, when pulling images from outside AWS).