I use aws ecr get-login-password to get a login password and then pull a Docker image from a private ECR repository on an EC2 instance in the public subnet. This public subnet already has an internet gateway attached.
I already had a gateway endpoint for S3, so I created an interface endpoint for ECR (com.amazonaws.ap-southeast-1.ecr.dkr) following the official document, with its subnet set to the private subnet and private DNS enabled:
https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#test-interface-endpoint-aws
After that, the public EC2 can get the password with aws ecr get-login-password, but docker login fails; the private EC2 cannot get the password with aws ecr get-login-password.
The EC2 instances allow all outbound traffic and have no NACL settings. Their IAM role combines AmazonEC2ContainerRegistryReadOnly with the S3 access permission shown below.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::prod-ap-southeast-1-starport-layer-bucket/*"
        }
    ]
}
On the private EC2, aws ecr get-login-password --region ap-southeast-1 gives this error message:
Connect timeout on endpoint URL: "https://api.ecr.ap-southeast-1.amazonaws.com/"
Using dig, api.ecr.ap-southeast-1.amazonaws.com resolves to an IP successfully. I did not change any setting after creating the interface endpoint. I don't know which step is wrong; please give me some suggestions. Thank you very much.
Update
I have a VPC with 1 public subnet and 1 private subnet, each with its own route table; the public subnet route table has a route to the internet gateway, and the private subnet route table has the S3 endpoint.
Security groups
private subnet EC2
  inbound: source sg-ALB, HTTP 80; source sg-public-EC2, SSH 22
  outbound: All traffic
public subnet EC2
  inbound: source All IPv4, SSH 22
  outbound: All traffic
Public EC2 error message:
Error response from daemon: Get "https://xxx.dkr.ecr.ap-southeast-1.amazonaws.com/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Update 2
I have a private hosted zone in Route 53 in this VPC; not sure whether that could be a problem or not.
Your endpoint is using https, which means you have to allow port 443 in your security groups.