Amazon ECR Container Images Across Accounts or Regions

Want to implement Amazon Elastic Container Registry (ECR) replication in your DevOps setup but don't know where to start? Folks, you are on the right path.

We are doing this to safeguard our production resources in the ap-south-1 (Mumbai) region from disasters and connectivity issues, so distributing resources across other AWS regions is critical. Our microservices-based applications rely on Docker images, including custom ones that are crucial for disaster recovery. Amazon ECR offers a secure, efficient way to store and manage those images and to share them across private or public environments.

So you may wonder how to replicate the same images from one registry to another AWS account (cross-account) or to other regions within the same account (cross-region).

Prerequisites:

  1. Two AWS accounts with admin access to Amazon ECR and programmatic access to it (to pull/push images).
  2. Login/Sign up: https://aws.amazon.com/console/

Note: the 1st AWS account is the Source account and the 2nd AWS account is the Destination account.

The architecture

Enough theory, let's take action:

Log in to the 1st AWS account (Source) and select your region; I have chosen ap-south-1 (Mumbai).

We have to create a replication rule. The Source account enables the replication rule as follows:

Action 1: Go to Amazon Elastic Container Registry

Action 2: Select Private registry in the left pane, then select Replication.

Action 3: Click Add rule; the wizard has 4 steps.

Action 4: In Step 1, choose the destination type. There are two:

i) Cross-region replication: turn on the first toggle if you need ECR replication across regions within the same account.

Click Next for Step 2, where you select the destination region name(s). You can specify multiple regions.

Click Next for Step 3. Here you can add a filter based on your organization's repository naming convention. The filter is optional; leave it blank and every repository will replicate to the other regions. Click Next, then review and submit the rule.

So far, we have set up cross-region replication.

ii) Cross-account replication: turn on the second toggle if you need ECR replication across different accounts. Click Next.

In Step 2 (Cross-account replication), enter the destination account number and the region.

Click Next and, as in the cross-region steps above, optionally add a filter. Then review and submit.

Here we go: we have created the replication rule in the Source account.

iii) Cross-account and cross-region replication: enable both toggles to replicate to multiple regions in the destination account. The steps are the same as in i) and ii).

Action 5: Then we have to add registry permissions in the Destination account so the source registry may replicate its repositories' images into it, as below,

where:

1. The principal is the source account root (arn:aws:iam::<source_account>:root).

2. The action is "ecr:*", which AWS suggests as the best practice; it permits every ECR action, from creating a repository to replicating images.

3. The ECR resource is given as the source account's repositories, e.g. "arn:aws:ecr:ap-south-1:<source_account>:repository/*", so all repositories can replicate into this destination account. See the permission below:
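The same setup as code, an added example rather than the post's own: the replication configuration applied in the source account (cross-region when registryId is your own account ID, cross-account otherwise, with an optional prefix filter) and the registry policy applied in the destination account, checked against the limits quoted in the summary. It assumes two configured boto3 sessions and uses placeholder account IDs; it also offers the least-privilege alternative to ecr:* that AWS documents for replication (ecr:CreateRepository and ecr:ReplicateImage), and scopes Resource to the destination registry's repositories as AWS's documented example does.

```python
"""Added example, not the post's own code: build the replication configuration (source
account) and the destination registry policy the post sets up in the console, check them
against the limits the post quotes, and push them with boto3. IDs are placeholders."""
import json

MAX_RULES, MAX_DESTINATIONS, MAX_FILTERS_PER_RULE = 10, 25, 100  # limits quoted in the post


def build_replication_config(destinations, prefix_filters=()):
    """One rule replicating to every (region, account) pair; no filters means every
    repository replicates, as in the post. PREFIX_MATCH is the filter type ECR supports."""
    rule = {"destinations": [{"region": r, "registryId": a} for r, a in destinations]}
    if prefix_filters:
        rule["repositoryFilters"] = [{"filter": p, "filterType": "PREFIX_MATCH"} for p in prefix_filters]
    return {"rules": [rule]}


def validate_replication_config(config):
    """Return the limit violations found (empty list means the config is acceptable)."""
    rules, problems = config["rules"], []
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceeds {MAX_RULES}")
    unique = {(d["region"], d["registryId"]) for r in rules for d in r["destinations"]}
    if len(unique) > MAX_DESTINATIONS:
        problems.append(f"{len(unique)} unique destinations exceeds {MAX_DESTINATIONS}")
    for i, r in enumerate(rules):
        if len(r.get("repositoryFilters", [])) > MAX_FILTERS_PER_RULE:
            problems.append(f"rule {i} has more than {MAX_FILTERS_PER_RULE} filters")
    return problems


def build_destination_registry_policy(source_account, dest_account, dest_region,
                                      least_privilege=True):
    """Registry policy attached in the DESTINATION account. The post grants ecr:*;
    least_privilege=True narrows it to the two actions replication needs. The Resource
    is the destination registry's repositories, as in AWS's documented example."""
    actions = ["ecr:CreateRepository", "ecr:ReplicateImage"] if least_privilege else ["ecr:*"]
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowReplicationFromSourceRegistry",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
        "Action": actions,
        "Resource": f"arn:aws:ecr:{dest_region}:{dest_account}:repository/*"}]}


def apply(config, policy, source_session, dest_session):
    """Push config to the source registry and policy to the destination registry.
    Takes two boto3 Session objects (assumed to be configured; not run here)."""
    source_session.client("ecr").put_replication_configuration(replicationConfiguration=config)
    dest_session.client("ecr").put_registry_policy(policyText=json.dumps(policy))
```

Run `validate_replication_config` before `apply`; an empty list means the configuration is within the quoted limits.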

So let's see the magic now. I have created a repository named replication-testing in the source account and will push one sample image with the latest tag.

Screenshots:
  1. Source account: ECR repository replication-testing created manually.
  2. Destination account: no ECR repository named replication-testing yet.
  3. The ECR repository replication-testing holds the image with the latest tag.
  4. The ECR repository replication-testing in the destination account has synced the image from the source account.

Folks, here you can see the newly pushed image in the destination account and the specified region.

Summarizing it:

  1. This is the best practice and strategy for disaster recovery plans: once everything is set, all ECR repos will also be in the destination account.
  2. We don't have to create any private ECR repository in the destination account; it is created automatically once the replication rule and permission are applied.
  3. AWS still does not replicate images that already existed before the rule was created; only newly pushed images are replicated.
  4. Image manifests are replicated along with the images within the repos.
  5. Deleting an image from the source or destination repository deletes it only from that repository; the copy in the other repository is unaffected.
  6. A replication configuration may contain up to 10 rules, with up to 25 unique destinations across all rules and 100 filters per rule.
  7. Cost: prices vary by region, and you pay only for the storage of the replicated images. A lifecycle policy can delete older tagged images.

Example: for a 1 GB image in the ap-south-1 (Mumbai) region, the price would be
  1 GB per month x 0.10 USD = 0.10 USD

That’s all from this blog, keep learning!!


Blog Pundits: Prakash Jha and Sandeep Rawat


Author: Roshan Chandekar
