Overview
This guide provides a step-by-step approach to configuring a private Amazon Elastic Container Registry (ECR) with pull-through caching from Elastio’s public ECR. This setup significantly reduces network costs and enhances security by eliminating the need for public internet access when pulling the latest ransomware models.
By deploying a private ECR within your VPC, you ensure that all container image retrievals occur without requiring NAT gateway traversal, optimizing costs and removing external network dependencies. When an Elastio image is requested, the system first checks the private ECR; if the image is not the latest, it automatically retrieves the image with the newest model updates from Elastio’s public ECR and stores it for future use, providing seamless, cost-efficient, and secure access to required container images.
A private ECR must be created in every AWS region where the Elastio Cloud Connector is deployed to ensure availability and performance.
Prerequisites
- AWS account with permissions to create and manage ECR repositories
- AWS CLI installed and configured (optional)
- IAM permissions to create and configure ECR repositories
Step 1: Configure Pull-Through Cache Rule
Reference (AWS documentation): Creating a pull through cache rule in Amazon ECR
- In the Amazon ECR console, navigate to the newly created private repository.
- Click on the Pull through cache settings tab.
- Click Create rule.
- Under the Upstream registry, select Public.
- Enter the upstream registry ID for Elastio's public ECR.
- Click Save rule.
Using the AWS CLI:
aws ecr put-pull-through-cache-rule --ecr-repository-prefix ecr-public --upstream-registry-url public.ecr.aws/elastio
Step 2: Validate the Configuration
After setting up the private ECR, test it by pulling an image:
docker pull <aws-account-id>.dkr.ecr.<region>.amazonaws.com/ecr-public:<tag>
If the image is not found in the private ECR, it should automatically be pulled from the public ECR and cached.
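The validation in Step 2 can be scripted so that the rule, the registry login, the pull and the cached copy are each checked in turn. This is an added example, not Elastio's own tooling; the function names are hypothetical, and the repository path `ecr-public` and the image reference form are assumptions taken from the commands on this page.

```shell
#!/usr/bin/env bash
# Added example: validate the pull-through cache configured in Step 1.
# Assumes the AWS CLI and Docker are installed and credentials are configured.

# Registry hostname of the private ECR for an account and region.
registry_host() {
  local account="$1" region="$2"
  # AWS account IDs are exactly 12 digits; reject anything else early.
  case "$account" in
    *[!0-9]*|"") echo "invalid account id: $account" >&2; return 1 ;;
  esac
  [ "${#account}" -eq 12 ] || { echo "invalid account id: $account" >&2; return 1; }
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$account" "$region"
}

# Image reference in the form used in Step 2: <registry>/<repo>:<tag>.
private_image_ref() {
  local host
  host="$(registry_host "$1" "$2")" || return 1
  printf '%s/%s:%s\n' "$host" "${3:-ecr-public}" "$4"
}

validate_cache() {
  local account="$1" region="$2" repo="$3" tag="$4" host ref
  host="$(registry_host "$account" "$region")" || return 1
  ref="$(private_image_ref "$account" "$region" "$repo" "$tag")" || return 1
  # 1. The rule from Step 1 must exist in this region.
  aws ecr describe-pull-through-cache-rules --region "$region" \
    --ecr-repository-prefixes "${repo%%/*}" --output table || return 1
  # 2. Authenticate Docker to the private registry, not the public one.
  aws ecr get-login-password --region "$region" |
    docker login --username AWS --password-stdin "$host" || return 1
  # 3. Pull through the private registry; a first pull populates the cache.
  docker pull "$ref" || return 1
  # 4. Confirm the image is now stored in the private repository.
  aws ecr describe-images --region "$region" --repository-name "$repo" \
    --image-ids imageTag="$tag" --query 'imageDetails[].imageDigest' --output text
}

# Runs only when called with four arguments: account region repo tag
if [ "$#" -eq 4 ]; then validate_cache "$@"; fi
```

Run it once per region where the Elastio Cloud Connector is deployed; a digest printed by the last step shows the image is held in the private ECR.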
Step 3: Configure Elastio Cloud Connector to Use Private ECR
Once the private ECR is configured, update the Elastio Cloud Connector deployment to use the private ECR repository.
Modify CloudFormation Stack Parameter
- Open the AWS CloudFormation console.
- Navigate to the stack where the Elastio Cloud Connector is deployed.
- Click Update.
- Select Use current template and click Next.
- Locate the parameter that specifies the container image repository (e.g., ecr-public).
- Update the value to reference the private ECR repository you created:
{{account_id}}.dkr.ecr.{{region}}.amazonaws.com/ecr-public
- Click Next, review the changes, and click Update stack.
After the update, the Elastio Cloud Connector will pull container images from the private ECR repository, ensuring optimal performance and cost savings.
Important Networking Note
- The initial image pull requires internet access to fetch the image from the public ECR.
- Subsequent pulls will be served from the private ECR, reducing NAT gateway data transfer costs.
This setup ensures a seamless experience while optimizing AWS network expenses for containerized deployments of Elastio Cloud Connector.