I recently posted about Connecting to a private ECR repository using VPC Endpoints, which is a really useful approach when you want to keep your traffic to ECR within your VPC and not have it go out over the public internet.

However, sometimes you want to pull an ECR image which is itself on the public internet. Doing this in an environment which doesn’t have any internet access poses a slight issue!

Never fear: AWS have thought of this and have introduced “pull through caches”. These provide a means by which it is possible to access certain allowlisted public ECR registries from a private ECR configuration. Here’s how to set it up, using a Terraform based example:

Create a pull through cache rule

Add a pull through cache rule to your private ECR registry to instruct it to create a cache for the desired public ECR registry.

In this example I’m targeting AWS’ public ECR Gallery.

It is also necessary to assign a “prefix” to the cache rule; this prefix becomes the first path component of every repository that is cached through the rule.

Once created, this rule will ensure that any privately requested ECR images which match the upstream registry URL will be pulled into the cache and made available for use within your VPC.

resource "aws_ecr_pull_through_cache_rule" "public_ecr_aws" {
  # Prefix under which cached repositories appear in the private registry
  ecr_repository_prefix = "ecr-public"
  # Upstream public registry that this rule is allowed to pull from
  upstream_registry_url = "public.ecr.aws"
}

How do I reference images?

In order to pull an image through the cache the image URL needs to be in the following form:

"<aws-account-number>.dkr.ecr.<region>.amazonaws.com/<ecr-repository-prefix>/<repository-name>/<image-name>:<image-version>"

Here’s a worked example, which specifies the aws-for-fluent-bit image from the aws-observability repository of AWS’ own ECR Public Gallery:

"${data.aws_caller_identity.current_user.account_id}.dkr.ecr.${var.region}.amazonaws.com/${aws_ecr_pull_through_cache_rule.public_ecr_aws.ecr_repository_prefix}/aws-observability/aws-for-fluent-bit:2.31.12"
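To show the rewrite rule concretely, here is an added Python helper (not from the original post) that maps a public ECR reference onto the cached form above, refusing registries that have no cache rule and unpinned references. The cache rule table, account id and region are constructed placeholders.

```python
"""Rewrite public ECR image references onto a private pull-through cache."""
import re
from dataclasses import dataclass
from typing import Optional

# One entry per aws_ecr_pull_through_cache_rule:
# upstream_registry_url -> ecr_repository_prefix (mirrors the rule on this page)
CACHE_RULES = {"public.ecr.aws": "ecr-public"}

ACCOUNT_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")
# <registry>/<path>[:<tag>][@<digest>]; the registry is everything before the first '/'
REF_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<path>[^:@]+)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


@dataclass(frozen=True)
class CachedRef:
    registry: str          # <account>.dkr.ecr.<region>.amazonaws.com
    repository: str        # <ecr-repository-prefix>/<upstream path>
    tag: Optional[str]
    digest: Optional[str]

    def __str__(self) -> str:
        ref = f"{self.registry}/{self.repository}"
        if self.tag:
            ref += f":{self.tag}"
        if self.digest:
            ref += f"@{self.digest}"
        return ref


def to_cached_ref(public_ref: str, account_id: str, region: str, rules=CACHE_RULES) -> CachedRef:
    """Translate a public reference into the private cached reference, or raise ValueError."""
    if not ACCOUNT_RE.match(account_id):
        raise ValueError(f"account id must be 12 digits, got {account_id!r}")
    if not REGION_RE.match(region):
        raise ValueError(f"unrecognised region format: {region!r}")
    m = REF_RE.match(public_ref)
    if not m:
        raise ValueError(f"cannot parse image reference: {public_ref!r}")
    prefix = rules.get(m["registry"])
    if prefix is None:
        # Only upstream registries with a cache rule are reachable from the private VPC
        raise ValueError(f"no pull through cache rule for registry {m['registry']!r}")
    if not (m["tag"] or m["digest"]):
        raise ValueError("reference must be pinned with a tag or digest")
    return CachedRef(registry=f"{account_id}.dkr.ecr.{region}.amazonaws.com",
                     repository=f"{prefix}/{m['path']}", tag=m["tag"], digest=m["digest"])
```

Running the page's example through it: `to_cached_ref("public.ecr.aws/aws-observability/aws-for-fluent-bit:2.31.12", "123456789012", "eu-west-2")` yields the same URL form shown above.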

Further reading

Let me know in the comments below if this helps you get your configuration working.

Until next time!

Edd