DEV Community

Learn2Skills for AWS Community Builders


Amazon ECR Private image replication

You can configure your Amazon ECR private registry to support the replication of your repositories. Amazon ECR supports both cross-Region and cross-account replication.

The following should be considered when using private image replication.
• Only repository content pushed to a repository after replication is configured is replicated. Any preexisting content in a repository isn't replicated. Once replication is configured for a repository, Amazon ECR keeps the destination and source synchronized.
• The first time you configure your private registry for replication, Amazon ECR creates a service-linked IAM role on your behalf. The service-linked IAM role grants the Amazon ECR replication service the permission it needs to create repositories and replicate images in your registry.
• For cross-account replication to occur, the private registry destination must grant permission to allow the source registry to replicate its images.
• If the permission policy for a private registry is changed to remove a permission, any in-progress replications previously granted may complete.
• A Region must be enabled for an account prior to any replication actions occurring within or to that Region.
• Cross-Region replication is not supported between AWS partitions. For example, a repository in us-west-2 can't be replicated to cn-north-1.
• The replication configuration for a private registry may contain up to 25 unique destinations across all rules, with a maximum of 10 rules total. Each rule may contain up to 100 filters.
• The replication configuration supports filtering which repositories in a private registry are replicated by specifying a repository prefix.
• A replication action only occurs once per image push. For example, if you configured cross-Region replication from us-west-2 to us-east-1 and from us-east-1 to us-east-2, an image pushed to us-west-2 replicates only to us-east-1; it doesn't replicate again to us-east-2. This behavior applies to both cross-Region and cross-account replication.
• The majority of images replicate in less than 30 minutes, but in rare cases the replication might take longer.
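
The cross-account point above means the destination registry's permissions policy decides who may replicate into it. The following added example (not part of the original post or of AWS's own code) audits such a policy for over-broad grants. It assumes the standard registry policy shape with the `ecr:CreateRepository` and `ecr:ReplicateImage` actions, ignores `Condition` blocks, and uses constructed placeholder account IDs and Sids.

```python
import json

# Actions a destination registry policy needs to grant for replication.
REPLICATION_ACTIONS = {"ecr:CreateRepository", "ecr:ReplicateImage"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_registry_policy(policy, trusted_sources):
    """Return findings for Allow statements that permit replication."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        actions = set(as_list(stmt.get("Action", [])))
        grants = actions & (REPLICATION_ACTIONS | {"*", "ecr:*"})
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for arn in arns:
            # A principal is an ARN such as arn:aws:iam::<account>:root or a bare account ID.
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account == "*":
                findings.append(f"{sid}: any AWS account may replicate into this registry")
            elif account not in trusted_sources:
                findings.append(f"{sid}: unexpected source account {account}")
        extra = sorted(actions - REPLICATION_ACTIONS)
        if extra:
            findings.append(f"{sid}: grants more than replication needs: {extra}")
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: Resource is not scoped to specific repositories")
    return findings

# Constructed sample policy; account IDs and Sids are placeholders.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReplicationFromBuild", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": ["ecr:CreateRepository", "ecr:ReplicateImage"],
   "Resource": "arn:aws:ecr:us-east-1:444455556666:repository/prod/*"},
  {"Sid": "TooBroad", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": "ecr:*", "Resource": "*"}
]}
""")

if __name__ == "__main__":
    for finding in audit_registry_policy(SAMPLE_POLICY, {"111122223333"}):
        print(finding)
```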

Configuring private image replication
Replication settings are configured separately for each Region. Use the following steps to configure replication for your private registry.

  1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories
  2. From the navigation bar, choose the Region to configure your registry replication settings for.
  3. In the navigation pane, choose Private registry.
  4. On the Private registry page, in the Replication section, choose Edit.
  5. On the Replication page, choose Add replication rule.
  6. On the Destination types page, choose whether to enable cross-Region replication, cross-account replication, or both and then choose Next.
  7. If cross-Region replication is enabled, then for Configure destination regions, choose one or more Destination regions and then choose Next.
  8. If cross-account replication is enabled, then for Cross-account replication, choose the cross-account replication setting for the registry. For Destination account, enter the account ID for the destination account and one or more Destination regions to replicate to. Choose Destination account + to configure additional accounts as replication destinations.
  9. (Optional) On the Add filters page, specify one or more filters for the replication rule and then choose Add. Repeat this step for each filter you want to associate with the replication action. Filters are specified as repository name prefixes. If no filters are specified, all images are replicated. Choose Next once all filters have been added.
  10. On the Review and submit page, review the replication rule configuration and then choose Submit rule.

To configure registry replication settings (AWS CLI)

  1. Create a JSON file containing the replication rules to define for your registry. A replication configuration may contain up to 10 rules, with up to 25 unique destinations across all rules and 100 filters per rule. To configure cross-Region replication within your own account, you specify your own account ID. For more examples,

     {
       "rules": [{
         "destinations": [{
           "region": "destination_region",
           "registryId": "destination_accountId"
         }],
         "repositoryFilters": [{
           "filter": "repository_prefix_name",
           "filterType": "PREFIX_MATCH"
         }]
       }]
     }

  2. Create a replication configuration for your registry.

     aws ecr put-replication-configuration \
     --replication-configuration file://replication-settings.json \
     --region us-west-2

  3. Confirm your registry settings.

     aws ecr describe-registry \
     --region us-west-2
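
Before submitting the JSON file from step 1, it can be checked against the limits and constraints listed earlier on this page. The following is an added example, not part of the original post: the function names, the prefix-based partition mapping (which covers only the aws, aws-cn and aws-us-gov partitions) and the sample account IDs are assumptions made for illustration.

```python
import json

# Limits stated on this page.
MAX_RULES, MAX_DESTINATIONS, MAX_FILTERS = 10, 25, 100

def partition(region):
    """Map a Region name to its partition by prefix (assumption, see lead-in)."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"

def lint_replication_config(config, source_account, source_region):
    """Return findings for a replication configuration before it is applied."""
    findings = []
    rules = config.get("rules", [])
    if len(rules) > MAX_RULES:
        findings.append(f"ERROR: {len(rules)} rules exceed the limit of {MAX_RULES}")
    destinations = set()
    for i, rule in enumerate(rules):
        filters = rule.get("repositoryFilters", [])
        if len(filters) > MAX_FILTERS:
            findings.append(f"ERROR: rule {i} has {len(filters)} filters, limit is {MAX_FILTERS}")
        if not filters:
            findings.append(f"WARN: rule {i} has no filters, so all repositories are replicated")
        for dest in rule.get("destinations", []):
            region, account = dest["region"], dest["registryId"]
            destinations.add((account, region))
            if partition(region) != partition(source_region):
                findings.append(f"ERROR: rule {i} crosses partitions: {source_region} -> {region}")
            if account != source_account:
                findings.append(f"INFO: rule {i} replicates to account {account}, "
                                "whose registry policy must allow it")
    if len(destinations) > MAX_DESTINATIONS:
        findings.append(f"ERROR: {len(destinations)} unique destinations, limit is {MAX_DESTINATIONS}")
    return findings

# Constructed sample configuration; account IDs are placeholders.
SAMPLE_CONFIG = json.loads("""
{"rules": [
  {"destinations": [{"region": "us-east-1", "registryId": "111122223333"}],
   "repositoryFilters": [{"filter": "prod", "filterType": "PREFIX_MATCH"}]},
  {"destinations": [{"region": "cn-north-1", "registryId": "444455556666"}]}
]}
""")

if __name__ == "__main__":
    for finding in lint_replication_config(SAMPLE_CONFIG, "111122223333", "us-west-2"):
        print(finding)
```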

Viewing replication status
The replication status of an individual container image can be viewed by querying using either the image tag or image digest.

Checking replication status (AWS Management Console)

  1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
  2. From the navigation bar, choose the Region that is the source of your replicated registry.
  3. In the navigation pane, choose Repositories.
  4. On the Repositories page, choose the repository to check the replication status of.
  5. On the repository details page, choose the Image tag to check the replication status of.
  6. For Image replication status, verify the replication status. You can view the replication status based on the image tag or image digest.

Checking replication status (AWS CLI)

The replication status of the contents of a repository can be viewed based on the image tag using the following command.

aws ecr describe-image-replication-status \
--repository-name repository_name \
--image-id imageTag=image_tag \
--region us-west-2

The replication status of the contents of a repository can be viewed based on the image digest using the following command.

aws ecr describe-image-replication-status \
--repository-name repository_name \
--image-id imageDigest=image_digest \
--region us-west-2

