Can I use AWS ECR from within a private subnet

Question

I have a private subnet inside a VPC, that cannot route to the internet. I'm trying to access amazon ECR, but getting a timeout. My guess is that ECR requires internet connection, however I cannot find any documentation that says that.

Does ECR require internet connection? Is there a way to use it from within a private subnet?

Answer 1

Update 2020

Interface VPC Endpoints are now supported for ECR; meaning now we can configure an endpoint from our private subnet to ECR without a NAT Gateway and still be able to pull images from it.

Documentation: Amazon ECS interface VPC endpoints (AWS PrivateLink)

Answer 2

An VPC endpoint for ECR is not available, but requested as the first issue on AWS' container roadmap (created 2018-11-28), implemented as a PrivateLink. It's in state "Coming soon".

It will cost minimum around 22$/month (PrivateLink costs for 3 availability zones in us-east, without traffic costs), if they don't state it otherwise.

Answer 3

A private subnet is truly private and only in/out traffic that you specify will be allowed. S3 has VPC Endpoints that allow you to connect to S3 (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html) without routing through the public internet. VPC endpoint functionality for AWS ECR has been requested (https://forums.aws.amazon.com/thread.jspa?threadID=222124) but to the best of my knowledge it is not yet currently available.