Create VPC Endpoints

Create ecr.dkr Interface Endpoint

1. Go to the AWS VPC console.

2. In the left sidebar,

  • Choose Endpoints.
  • Click Create endpoint.


3. In the Endpoint settings section,

  • For Name tag, enter ecr-dkr-endpoint.
  • For Service category, select AWS services.


4. In the Services section,

  • Filter by the value ecr.dkr.
  • Choose com.amazonaws.us-east-1.ecr.dkr. This is the Docker registry endpoint that docker pull and docker push talk to; the ECR control-plane API is a separate endpoint (ecr.api), created in the next section.


5. In the VPC section, select the VPC named fcj.


6. In the Subnets section,

  • Select us-east-1a for Availability Zone and subnet-id / fcj-private-02 for Subnet ID.
  • Select us-east-1b for Availability Zone and subnet-id / fcj-private-05 for Subnet ID.


7. In the Security groups section, select the fcj-vpc-endpoint security group. Check that it allows inbound TCP 443 from the security group (or subnet CIDRs) of the ECS tasks; if it does not, the endpoint is created but every pull through it times out.


8. In the Policy section,

  • Select Custom.
  • Paste the following policy, replacing <YOUR-AWS-ACCOUNT-ID> with your 12-digit account ID.
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "PreventDelete",
			"Effect": "Deny",
			"Principal": "*",
			"Action": "ecr:DeleteRepository",
			"Resource": "arn:aws:ecr:us-east-1:<YOUR-AWS-ACCOUNT-ID>:repository/awsome-books"
		},
		{
			"Sid": "AllowPull",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskExecutionRole"
			},
			"Action": [
				"ecr:BatchGetImage",
				"ecr:GetDownloadUrlForLayer"
			],
			"Resource": "arn:aws:ecr:us-east-1:<YOUR-AWS-ACCOUNT-ID>:repository/awsome-books"
		},
		{
			"Sid": "GetAuthorizationToken",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskExecutionRole"
			},
			"Action": [
				"ecr:GetAuthorizationToken"
			],
			"Resource": "*"
		}
	]
}

An endpoint policy only governs requests that pass through this endpoint, and it is evaluated together with the caller's IAM policy: both must allow the call. ecr:GetAuthorizationToken does not support resource-level permissions, so its Resource has to stay "*". Any principal other than ecsTaskExecutionRole (an EC2 instance running docker pull, for example) is denied through this endpoint until it is added to the AllowPull statement. DeleteRepository is an ECR API call served by the ecr.api endpoint, so the PreventDelete statement has no effect on ecr.dkr; it is kept so that the two ECR endpoint policies stay identical.


9. Scroll down to the bottom. Click Create endpoint, then wait until the endpoint's Status shows Available before moving on.


Create ecr.api Interface Endpoint

1. Go to the AWS VPC console.

2. In the left sidebar,

  • Choose Endpoints.
  • Click Create endpoint.


3. In the Endpoint settings section,

  • For Name tag, enter ecr-api-endpoint.
  • For Service category, select AWS services.


4. In the Services section,

  • Filter by the value ecr.api.
  • Choose com.amazonaws.us-east-1.ecr.api. This endpoint serves the ECR API calls (GetAuthorizationToken among them); the image layers themselves are fetched through ecr.dkr and S3, so a pull from a private subnet needs all three endpoints.


5. In the VPC section, select the VPC named fcj.


6. In the Subnets section,

  • Select us-east-1a for Availability Zone and subnet-id / fcj-private-02 for Subnet ID.
  • Select us-east-1b for Availability Zone and subnet-id / fcj-private-05 for Subnet ID.


7. In the Security groups section, select fcj-vpc-endpoint security group.


8. In the Policy section,

  • Select Custom.
  • Paste the same policy as for the ecr.dkr endpoint, replacing <YOUR-AWS-ACCOUNT-ID> with your 12-digit account ID.
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "PreventDelete",
			"Effect": "Deny",
			"Principal": "*",
			"Action": "ecr:DeleteRepository",
			"Resource": "arn:aws:ecr:us-east-1:<YOUR-AWS-ACCOUNT-ID>:repository/awsome-books"
		},
		{
			"Sid": "AllowPull",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskExecutionRole"
			},
			"Action": [
				"ecr:BatchGetImage",
				"ecr:GetDownloadUrlForLayer"
			],
			"Resource": "arn:aws:ecr:us-east-1:<YOUR-AWS-ACCOUNT-ID>:repository/awsome-books"
		},
		{
			"Sid": "GetAuthorizationToken",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskExecutionRole"
			},
			"Action": [
				"ecr:GetAuthorizationToken"
			],
			"Resource": "*"
		}
	]
}

On this endpoint the PreventDelete statement is the one that matters: DeleteRepository is an ECR API call, and an explicit Deny in the endpoint policy blocks it for every principal in the VPC, regardless of what their IAM policies allow.


9. Scroll down to the bottom. Click Create endpoint.


Create s3 Gateway Endpoint

1. Go to the AWS VPC console.

2. In the left sidebar,

  • Choose Endpoints.
  • Click Create endpoint.


3. In the Endpoint settings section,

  • For Name tag, enter s3-endpoint.
  • For Service category, select AWS services.


4. In the Services section,

  • Filter by Type and choose Gateway.
  • Choose com.amazonaws.us-east-1.s3.


5. In the VPC section, select the VPC named fcj.


6. In the Route tables section, choose the main route table. A gateway endpoint is reachable only from subnets associated with the route tables selected here (the console adds a route to the S3 prefix list in each of them), so confirm that fcj-private-02 and fcj-private-05 are associated with the main route table, or select their route table instead.


7. In the Policy section,

  • Select Custom.
  • Paste the following policy.
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Access-to-specific-bucket-only",
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::prod-us-east-1-starport-layer-bucket/*"
		}
	]
}

ECR stores image layers in a regional S3 bucket, prod-us-east-1-starport-layer-bucket for us-east-1, and ecr:GetDownloadUrlForLayer hands the Docker client a pre-signed S3 URL for them. That download is therefore not signed by your task's role, which is why this statement needs Principal "*". The policy allows nothing else: any other S3 access from the private subnets goes through this endpoint and is denied until you add a statement for that bucket.


8. Scroll down to the bottom. Click Create endpoint.


Create secretsmanager Interface Endpoint

1. Go to the AWS VPC console.

2. In the left sidebar,

  • Choose Endpoints.
  • Click Create endpoint.


3. In the Endpoint settings section,

  • For Name tag, enter secretsmanager-endpoint.
  • For Service category, select AWS services.


4. In the Services section,

  • Filter by the value secretsmanager.
  • Choose com.amazonaws.us-east-1.secretsmanager.


5. In the VPC section, select the VPC named fcj.


6. In the Subnets section,

  • Select us-east-1a for Availability Zone and subnet-id / fcj-private-02 for Subnet ID.
  • Select us-east-1b for Availability Zone and subnet-id / fcj-private-05 for Subnet ID.


7. In the Security groups section, select fcj-vpc-endpoint security group.


8. In the Policy section,

  • Select Custom.
  • Paste the following policy, replacing <YOUR-AWS-ACCOUNT-ID> with your 12-digit account ID.
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskRole"
			},
			"Action": [
				"secretsmanager:GetSecretValue",
				"secretsmanager:DescribeSecret"
			],
			"Resource": "arn:aws:secretsmanager:us-east-1:<YOUR-AWS-ACCOUNT-ID>:secret:*"
		}
	]
}

The principal here is the task role (ecsTaskRole), which covers secrets the application reads at runtime with the SDK. If secrets are instead injected through the secrets / valueFrom fields of the task definition, the ECS agent fetches them with the task execution role (ecsTaskExecutionRole), so that role must be added to the Principal as well or the container will not start. secret:* is broader than it needs to be; narrow Resource to the ARNs, or the name prefix, of the secrets this application owns.


9. Scroll down to the bottom. Click Create endpoint.
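The four endpoints above, expressed as code so the policies can be linted before anything is created. This is an added example for this page, not workshop code. It assumes boto3 and AWS credentials only when run with --apply; the account, VPC, subnet, security-group and route-table ids in the main block are placeholders, and the secret-name prefix awsome-books/* is an assumption about how the application's secrets are named. The lint flags the mistakes that most often turn an endpoint policy into "full access": a missing Version, wildcard actions, Resource "*" on actions that accept ARNs, and an anonymous principal allowed to write.

```python
"""Build, lint and (optionally) create the four VPC endpoints from this page."""
import json
import sys

REGION = "us-east-1"                                   # region used throughout this page
LAYER_BUCKET = f"prod-{REGION}-starport-layer-bucket"  # S3 bucket holding ECR image layers
RESOURCE_STAR_OK = {"ecr:GetAuthorizationToken"}       # actions with no resource-level support
READ_VERBS = ("Get", "List", "Describe", "BatchGet")   # operation prefixes treated as read-only

def ecr_pull_policy(account_id, repo, exec_role="ecsTaskExecutionRole"):
    """Policy for ecr.api and ecr.dkr: the execution role may pull one repo; nobody may delete it."""
    repo_arn = f"arn:aws:ecr:{REGION}:{account_id}:repository/{repo}"
    role = {"AWS": f"arn:aws:iam::{account_id}:role/{exec_role}"}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "PreventDelete", "Effect": "Deny", "Principal": "*",
         "Action": "ecr:DeleteRepository", "Resource": repo_arn},
        {"Sid": "AllowPull", "Effect": "Allow", "Principal": role,
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"], "Resource": repo_arn},
        {"Sid": "GetAuthorizationToken", "Effect": "Allow", "Principal": role,
         "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
    ]}

def s3_layer_policy():
    """Gateway endpoint policy: only reads of ECR's layer bucket may cross the endpoint."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Access-to-specific-bucket-only", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{LAYER_BUCKET}/*"}]}

def secretsmanager_policy(account_id, role="ecsTaskRole", secret_prefix="*"):
    """Endpoint policy for secretsmanager, scoped to one role and a secret-name prefix."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadSecrets", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role}"},
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
         "Resource": f"arn:aws:secretsmanager:{REGION}:{account_id}:secret:{secret_prefix}"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_endpoint_policy(policy):
    """Return least-privilege findings for an endpoint policy; an empty list means it passes."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("missing Version: defaults to 2008-10-17, which disables policy variables")
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue                                   # Deny statements only narrow access
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard Action opens the whole service through the endpoint")
        if "*" in resources and not set(actions) <= RESOURCE_STAR_OK:
            findings.append(f"{sid}: Resource '*' on actions that accept resource ARNs")
        writes = [a for a in actions if not a.split(":", 1)[-1].startswith(READ_VERBS)]
        if st.get("Principal") == "*" and writes:
            findings.append(f"{sid}: anonymous Principal may perform {writes}")
    return findings

def _tags(name):
    return [{"ResourceType": "vpc-endpoint", "Tags": [{"Key": "Name", "Value": name}]}]

def interface_endpoint_request(name, service, vpc_id, subnet_ids, sg_ids, policy):
    """Keyword arguments for boto3 ec2.create_vpc_endpoint: interface endpoint with private DNS."""
    return {"VpcEndpointType": "Interface", "VpcId": vpc_id,
            "ServiceName": f"com.amazonaws.{REGION}.{service}",
            "SubnetIds": list(subnet_ids), "SecurityGroupIds": list(sg_ids),
            "PrivateDnsEnabled": True, "PolicyDocument": json.dumps(policy),
            "TagSpecifications": _tags(name)}

def gateway_endpoint_request(name, service, vpc_id, route_table_ids, policy):
    """Keyword arguments for boto3 ec2.create_vpc_endpoint: gateway endpoint on the given route tables."""
    return {"VpcEndpointType": "Gateway", "VpcId": vpc_id,
            "ServiceName": f"com.amazonaws.{REGION}.{service}",
            "RouteTableIds": list(route_table_ids), "PolicyDocument": json.dumps(policy),
            "TagSpecifications": _tags(name)}

if __name__ == "__main__":
    # Placeholder ids (assumptions): substitute the fcj VPC, its private subnets,
    # the fcj-vpc-endpoint security group and the private subnets' route table.
    account, vpc = "123456789012", "vpc-0123456789abcdef0"
    subnets, sgs, rtbs = ["subnet-0a0a0a0a", "subnet-0b0b0b0b"], ["sg-0c0c0c0c"], ["rtb-0d0d0d0d"]
    ecr = ecr_pull_policy(account, "awsome-books")
    requests = [
        interface_endpoint_request("ecr-dkr-endpoint", "ecr.dkr", vpc, subnets, sgs, ecr),
        interface_endpoint_request("ecr-api-endpoint", "ecr.api", vpc, subnets, sgs, ecr),
        gateway_endpoint_request("s3-endpoint", "s3", vpc, rtbs, s3_layer_policy()),
        interface_endpoint_request("secretsmanager-endpoint", "secretsmanager", vpc, subnets, sgs,
                                   secretsmanager_policy(account, secret_prefix="awsome-books/*")),
    ]
    for req in requests:                               # lint before anything touches AWS
        problems = lint_endpoint_policy(json.loads(req["PolicyDocument"]))
        print(req["ServiceName"], "OK" if not problems else problems)
    if "--apply" in sys.argv:                          # create only when explicitly asked
        import boto3                                   # assumption: boto3 installed, credentials set
        ec2 = boto3.client("ec2", region_name=REGION)
        for req in requests:
            print(ec2.create_vpc_endpoint(**req)["VpcEndpoint"]["VpcEndpointId"])
```

Run it without arguments to see the lint verdict for each policy; the console's default "Full access" policy (Principal "*", Action "*", Resource "*") produces three findings, while the four policies on this page produce none. Keeping the request dictionaries separate from the boto3 call is deliberate: they can be reviewed, diffed or unit-tested without credentials.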


Create CloudWatch Logs Interface Endpoint

CloudWatch Logs is essential for debugging AWS services in many situations. For example, without logging enabled it can take hours or even days to work out why an ECS task failed to run. Tasks in the private subnets have no route to the internet, so for the awslogs log driver to deliver their logs they need an interface endpoint for com.amazonaws.us-east-1.logs, created the same way as the ecr.api endpoint above.