Lets say I have an EKS cluster, an EC2 instance and my local machine, I can pull images from my private ECR without any issues. But when I pull a generic image like nginx, it will come from Docker Hub straight to me. Would it be possible to redirect this pull to enter my ECR first (so that it gets scanned for vulnerabilities, and maybe even for caching purposes perhaps) and then from my ECR to where I pulled from?

If this is not possible, what would be a good alternative?

AWS container team person here. Can you clarify one thing? Would you be ok to point your manifests to ECR (acting as a hub/cache for external registries) or do you want to keep your manifests pointing to DockerHub but somewhat transparently go through ECR for caching? I am asking because we are working on the former scenario.

You can subscribe here to see the progress and leave comments.

It is not possible to redirect your request to pull generic image to ECR and then to Docker Hub.

I understand your concern to pull images from Docker Hub directly. So what you can do what we have done in our projects is:

1. pull generic image from Docker Hub for one time
2. Using that image, build your own image with any customisations you may require or not.
3. Publish the newly created image to your ECR repo.
4. Going forward use your only ECR repo to pull that image.

In this way, you will have full control on the image you have. Also, it would be more secure to pull it from your ECR repo rather then again and again using Docker Hub. Also, you can do any customisation you want.

You can utilize ECR pull through cache rules for this.

https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache.html