Configuring ECR Replication

Replicating container images between AWS ECR (Elastic Container Registry) accounts provides significant advantages, including disaster recovery and easier multi-account management. Amazon ECR supports both cross-Region and cross-account replication, and a single rule can do both at once. This guide explains the step-by-step procedure for configuring ECR replication between accounts.

Pre-requisites

  1. AWS CLI installed and configured with credentials for both accounts.
  2. IAM permissions: in the source account, ecr:PutReplicationConfiguration (plus iam:CreateServiceLinkedRole the first time, so ECR can create its service-linked role); in the destination account, ecr:PutRegistryPolicy.
  3. The 12-digit account IDs of the source and destination accounts.
  4. Source repositories in ECR. Destination repositories are created automatically if the destination registry policy grants ecr:CreateRepository; otherwise create them in advance with the same names as the source repositories.

Considerations Before Proceeding

  • Only images pushed to a repository after the replication rule is configured are replicated; existing images are not copied retroactively.
  • The first time replication is configured, ECR creates a service-linked role (AWSServiceRoleForECRReplication) in the source account; no role needs to be created by hand.
  • For cross-account replication, a registry permission policy must be configured in the destination account to allow the source account to replicate into it.
  • Changing permission policies while replication is in progress may cause in-flight replications to fail.
  • The number of unique destinations (Region plus account) for a private registry is limited to 25 across all rules.

Steps

Step 1: Enable Replication at the Source Account

Replication is a registry-level setting of the source account's private registry, not a per-repository setting. The rule itself is created in Step 3; grant the destination-side permission in Step 2 first, because replication attempts made before the destination grants permission fail.

Step 2: Configure Registry Permissions Policy in the Destination Account

In the destination AWS account, grant the source account permission to replicate into your registry. This is a registry permission policy (registry-wide), not a repository policy.

  1. Open the Amazon ECR console in the destination account and Region.
  2. Navigate to “Registry permissions” under the private registry settings and create a new permissions policy. Replace SOURCE_ACCOUNT_ID, DEST_REGION and DEST_ACCOUNT_ID with your own values.
JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountReplication",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SOURCE_ACCOUNT_ID:root"
      },
      "Action": [
        "ecr:CreateRepository",
        "ecr:ReplicateImage"
      ],
      "Resource": [
        "arn:aws:ecr:DEST_REGION:DEST_ACCOUNT_ID:repository/*"
      ]
    }
  ]
}

ecr:ReplicateImage is what actually allows the copy; ecr:CreateRepository lets ECR create a destination repository that does not exist yet. If you pre-create the destination repositories, drop ecr:CreateRepository, and if you filter replication by prefix in Step 3, narrow Resource to that prefix (for example repository/prod/*) so the source account cannot write into unrelated repositories.

Step 3: Configure ECR Replication in Source Account

Go back to the source account to configure the ECR replication rule. The rule lives in the source registry of the Region you push to, so select that Region first.

  1. Open the ECR Console.
  2. Navigate to “Replication” under the private registry settings.
  3. Create a new replication rule with the following settings:
    • Destination Region: the Region to replicate into (it can be the same Region as the source for cross-account-only replication).
    • Destination Account: the 12-digit ID of the destination account (use your own account ID for cross-Region-only replication).

You can also filter which repositories to replicate by adding a repository filter with a name prefix (for example prod/); without a filter, every repository in the registry is replicated.

The same rule can be created with the CLI, run against the source Region, where replication-configuration.json contains the rule's destinations and repository filters:

Bash
aws ecr put-replication-configuration --region us-west-2 --replication-configuration file://replication-configuration.json
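The two documents from Step 2 and Step 3 can be generated and validated in code. The script below is an added example, not part of the original article or of any AWS tooling: it builds the destination registry policy (scoped to a repository prefix, with ecr:CreateRepository optional), builds the replication configuration that put-replication-configuration expects, enforces the 25-destination limit, and only calls AWS (via boto3) when run with --apply. The account IDs, Regions, the prod/ prefix and the "dest" profile name are constructed placeholders.

```python
"""
Generate the two documents ECR cross-account replication needs:
  1. the registry permission policy (applied in the DESTINATION account)
  2. the replication configuration (applied in the SOURCE account)
Pure functions build and validate the JSON; apply_with_boto3() sends them to
AWS and is only invoked when the script is run with --apply.
"""
import json
import sys

# Constructed example values (assumptions); replace with your own.
SOURCE_ACCOUNT = "111111111111"
DEST_ACCOUNT = "222222222222"
SOURCE_REGION = "us-west-2"
DEST_REGION = "us-east-1"
PREFIX = "prod/"          # only repositories named prod/... are replicated

MAX_DESTINATIONS = 25     # ECR limit on unique destinations across all rules


def destination_registry_policy(source_account, dest_account, dest_region,
                                prefix="", allow_create=True):
    """Registry permission policy for the destination account.

    Resource is narrowed to repositories under `prefix` so the source account
    cannot write into unrelated repositories. ecr:CreateRepository is granted
    only when allow_create is True; omit it when destination repositories are
    pre-created (least privilege).
    """
    actions = ["ecr:ReplicateImage"]
    if allow_create:
        actions.insert(0, "ecr:CreateRepository")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountReplication",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
            "Action": actions,
            "Resource": [f"arn:aws:ecr:{dest_region}:{dest_account}:repository/{prefix}*"],
        }],
    }


def replication_configuration(rules):
    """Build the document for put-replication-configuration and validate it.

    `rules` is a list of (destinations, prefixes) tuples: destinations is a
    list of (region, account_id), prefixes a list of repository-name prefixes
    (an empty list means replicate every repository).
    """
    out_rules = []
    unique = set()
    for destinations, prefixes in rules:
        if not destinations:
            raise ValueError("a rule needs at least one destination")
        for region, account in destinations:
            if not (account.isdigit() and len(account) == 12):
                raise ValueError(f"bad account id {account!r}")
            unique.add((region, account))
        rule = {"destinations": [{"region": r, "registryId": a} for r, a in destinations]}
        if prefixes:
            rule["repositoryFilters"] = [
                {"filter": p, "filterType": "PREFIX_MATCH"} for p in prefixes
            ]
        out_rules.append(rule)
    if len(unique) > MAX_DESTINATIONS:
        raise ValueError(f"{len(unique)} unique destinations exceed the ECR limit of {MAX_DESTINATIONS}")
    return {"rules": out_rules}


def apply_with_boto3(registry_policy, replication_config):
    """Apply both documents. Needs credentials for BOTH accounts; here the
    destination is reached through a named profile 'dest' (an assumption,
    adjust to your credential setup)."""
    import boto3  # imported here so the pure functions run without boto3
    dest = boto3.Session(profile_name="dest", region_name=DEST_REGION).client("ecr")
    dest.put_registry_policy(policyText=json.dumps(registry_policy))
    src = boto3.client("ecr", region_name=SOURCE_REGION)
    src.put_replication_configuration(replicationConfiguration=replication_config)
    # Read the configuration back from the source registry to confirm it took.
    return src.describe_registry()["replicationConfiguration"]


if __name__ == "__main__":
    policy = destination_registry_policy(SOURCE_ACCOUNT, DEST_ACCOUNT, DEST_REGION, PREFIX)
    config = replication_configuration([([(DEST_REGION, DEST_ACCOUNT)], [PREFIX])])
    print(json.dumps(policy, indent=2))
    print(json.dumps(config, indent=2))   # save as replication-configuration.json
    if "--apply" in sys.argv:
        print(apply_with_boto3(policy, config))
```

The printed replication configuration is exactly the file the put-replication-configuration command on this page reads; the printed policy is what goes into the destination registry permissions in Step 2. Keep the prefix in the policy's Resource identical to the rule's PREFIX_MATCH filter so the grant is no wider than the replication it serves.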

Step 4: Test Replication

After setting up the replication, authenticate Docker to the source registry and push a new image to the source repository; only pushes made after the rule was created are replicated.

Bash
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin <source_account_id>.dkr.ecr.us-west-2.amazonaws.com
docker push <source_repo_url>:<tag>

Check the image's replication status from the source account (select the image in the ECR console, or use the describe-image-replication-status CLI command), then confirm the image is listed in the destination account's repository with the same digest. Successful replication usually completes in under 30 minutes; a FAILED status with an access error usually means the destination registry policy from Step 2 is missing or too narrow.
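To verify replication from a script rather than the console, the following added example (not from the original article) reads the response of the ecr:DescribeImageReplicationStatus API, the same JSON that `aws ecr describe-image-replication-status` prints, and polls until every expected destination reports COMPLETE, failing fast on a FAILED status and giving up after the 30-minute bound. The repository name, tag, account ID and the sample responses are constructed; fetch_status_boto3() is the only part that talks to AWS.

```python
"""
Verify that a pushed image reached every replication destination.

The pure functions take the response of ecr:DescribeImageReplicationStatus
(same shape as `aws ecr describe-image-replication-status` output) so they can
be exercised offline; fetch_status_boto3() performs the real call with boto3.
"""
import time

COMPLETE, IN_PROGRESS, FAILED = "COMPLETE", "IN_PROGRESS", "FAILED"


def summarize(response, expected):
    """Return (done, pending, failed) for the destinations in `expected`,
    a set of (region, account_id) tuples taken from the replication rule.

    A destination missing from replicationStatuses has not started yet and
    counts as pending; FAILED carries the failureCode ECR reported.
    """
    seen = {(s["region"], s["registryId"]): s
            for s in response.get("replicationStatuses", [])}
    done, pending, failed = set(), set(), {}
    for dest in expected:
        st = seen.get(dest)
        if st is None or st["status"] == IN_PROGRESS:
            pending.add(dest)
        elif st["status"] == COMPLETE:
            done.add(dest)
        else:
            failed[dest] = st.get("failureCode", "unknown")
    return done, pending, failed


def wait_for_replication(fetch, expected, timeout=1800, interval=30, sleep=time.sleep):
    """Poll `fetch()` until every expected destination is COMPLETE.

    Returns the set of completed destinations; raises on any FAILED status or
    once `timeout` seconds (30 min default, ECR's usual upper bound) have
    passed. `fetch` and `sleep` are injectable so the logic runs without AWS.
    """
    waited = 0
    while True:
        done, pending, failed = summarize(fetch(), expected)
        if failed:
            raise RuntimeError(f"replication failed: {failed}")
        if not pending:
            return done
        if waited >= timeout:
            raise TimeoutError(f"still pending after {timeout}s: {pending}")
        sleep(interval)
        waited += interval


def fetch_status_boto3(repository, tag, region):
    """Real call against the SOURCE registry (assumes default credentials)."""
    import boto3  # imported here so the rest of the file runs without boto3
    ecr = boto3.client("ecr", region_name=region)
    return ecr.describe_image_replication_status(
        repositoryName=repository, imageId={"imageTag": tag})


# Constructed sample responses: the first poll shows one destination still
# copying and the other not started; the second poll shows both complete.
SAMPLE_RESPONSES = [
    {"repositoryName": "prod/api", "imageId": {"imageTag": "v1.2.3"},
     "replicationStatuses": [
         {"region": "us-east-1", "registryId": "222222222222", "status": IN_PROGRESS}]},
    {"repositoryName": "prod/api", "imageId": {"imageTag": "v1.2.3"},
     "replicationStatuses": [
         {"region": "us-east-1", "registryId": "222222222222", "status": COMPLETE},
         {"region": "eu-west-1", "registryId": "222222222222", "status": COMPLETE}]},
]
EXPECTED = {("us-east-1", "222222222222"), ("eu-west-1", "222222222222")}


def demo():
    """Drive wait_for_replication() over the sample responses without sleeping."""
    polls = iter(SAMPLE_RESPONSES)
    return wait_for_replication(lambda: next(polls), EXPECTED,
                                interval=1, sleep=lambda _: None)


if __name__ == "__main__":
    print(demo())
```

For a real check, pass `lambda: fetch_status_boto3("prod/api", "v1.2.3", "us-west-2")` as fetch and the rule's destinations as expected. If a destination never appears in replicationStatuses, check first that the repository name matches the rule's prefix filter before suspecting permissions; an AccessDenied-style failureCode points at the destination registry policy from Step 2.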

Post-Configuration Actions

  • Replication only adds images; deleting an image in the source does not delete its copy. Remove unnecessary replicated images and repositories in the destination manually or with a lifecycle policy there.
  • Repository settings such as tag immutability, image scanning, lifecycle policies and repository permission policies are not replicated and must be configured separately in the destination account.

Conclusion

By following these steps, you should be able to successfully set up ECR replication between different AWS accounts. This process ensures a more resilient and streamlined Docker image management across your AWS environment.

Richard Bailey

Richard Bailey, a seasoned tech enthusiast, combines a passion for innovation with a knack for simplifying complex concepts. With over a decade in the industry, he's pioneered transformative solutions, blending creativity with technical prowess. An avid writer, Richard's articles resonate with readers, offering insightful perspectives that bridge the gap between technology and everyday life. His commitment to excellence and tireless pursuit of knowledge continues to inspire and shape the tech landscape.
