Amazon ECR Pull Through Cache (PTC)

What is ECR Pull Through Cache?

Normally, to use an external image in the private environmet, we have to manually download the image and push it to ECR. With Pull Through Cache, we can simply pull the image using our ECR URL. AWS ECR automatically fetches the images from the upstream registry, caches it in our private registry and keeps it up to date with latest version.

What are the public registries are supported?

No Auth registries like AWS Public ECR, Kubernetes, Quay.
Auth registries like Docker Hub, Azure ACR, GHCR, Gitlab SaaS, Chainguard.
Even Cross Account AWS ECR also but it require IAM authemtication.

How does It Works?

Create a Rule to define which upstream registry we want to sync for an example let's say Docker Hub.
Let's pull an image with our private URL of ECR. <aws_account_id>.dkr.ecr.<region>.amazonaws.com/docker-hub/library/nginx:latest
Rest automatic caching by AWS ECR, ECR will create repository for us and stores the image and it will check for updates in every 24 hours for latest updates.

Why It's Good Feature?

Obvisouly performance, once the images cached into the ECR we can directly pull it from the ECR privatly no need to travel over the internet.
Security is key as image is in the ECR we can utilize the ECR buit in security tools to scan the images and also we can apply our own lifecycle policy.
Reliability, as if upstream refistry goes down still our image is still available, which all Kubernetes engineers have feeled this issue when Docker has remove so many images from it's regiestry and it has created a huge chaos.

What's Bingo here?

ECR Pull through the cache eliminates the manual download, re-tag and push workflow and it will give the convenience the public registries with the security and speed of AWS private network ad environment.

References

Visit me:

DE

Source

This article was originally published by DEV Community and written by Harsh Viradia.

Read original article on DEV Community

Back to Discover