diff --git a/main.tf b/main.tf
index 48ccf584a..fbda01b86 100644
--- a/main.tf
+++ b/main.tf
@@ -367,6 +367,46 @@ resource "aws_vpc_endpoint_route_table_association" "public_s3" {
 route_table_id = "${aws_route_table.public.id}"
 }
+##########################
+# VPC Endpoint for ECR API
+##########################
+data "aws_vpc_endpoint_service" "ecr_api" {
+ count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}"
+
+ service = "ecr.api"
+}
+
+resource "aws_vpc_endpoint" "ecr_api" {
+ count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}"
+
+ vpc_endpoint_type = "Interface"
+ vpc_id = "${local.vpc_id}"
+ security_group_ids = ["${var.ecr_api_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ service_name = "${data.aws_vpc_endpoint_service.ecr_api.service_name}"
+ private_dns_enabled = "${var.ecr_api_endpoint_private_dns_enabled}"
+}
+
+##########################
+# VPC Endpoint for ECR DKR
+##########################
+data "aws_vpc_endpoint_service" "ecr_dkr" {
+ count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}"
+
+ service = "ecr.dkr"
+}
+
+resource "aws_vpc_endpoint" "ecr_dkr" {
+ count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}"
+
+ vpc_endpoint_type = "Interface"
+ vpc_id = "${local.vpc_id}"
+ security_group_ids = ["${var.ecr_dkr_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ service_name = "${data.aws_vpc_endpoint_service.ecr_dkr.service_name}"
+ private_dns_enabled = "${var.ecr_dkr_endpoint_private_dns_enabled}"
+}
+
 ############################
 # VPC Endpoint for DynamoDB
 ############################
diff --git a/variables.tf b/variables.tf
index cff021398..9430fefa3 100644
--- a/variables.tf
+++ b/variables.tf
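Review bot: Both new `aws_vpc_endpoint` resources pass `security_group_ids = ["${var.ecr_api_endpoint_security_group_ids}"]` (and the `ecr_dkr` equivalent) whose default in variables.tf is `[]`; for an Interface endpoint the AWS provider documents that an empty security-group list makes it attach the VPC's default security group, so a caller who only flips `enable_ecr_api_endpoint` gets whatever that default group permits rather than a deliberately scoped rule. That fallback is not visible from this hunk and deserves a comment on each `security_group_ids` line, e.g. `# empty list => VPC default security group is attached; prefer a group that allows only 443 from the subnets that pull images`, and the same caveat belongs in the matching variable descriptions in the variables.tf hunk. Separately, ECR image pulls also fetch layers from S3, so these endpoints only keep pull traffic private when `enable_s3_endpoint` is set as well; a comment noting that dependency above the `# VPC Endpoint for ECR API` banner would prevent a silent fallback to the NAT path.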
@@ -178,6 +178,46 @@ variable "enable_s3_endpoint" {
 default = false
 }
+variable "enable_ecr_api_endpoint" {
+ description = "Should be true if you want to provision an ecr api endpoint to the VPC"
+ default = false
+}
+
+variable "ecr_api_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "ecr_api_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint"
+ default = false
+}
+
+variable "ecr_api_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for ECR API endpoint"
+ default = []
+}
+
+variable "enable_ecr_dkr_endpoint" {
+ description = "Should be true if you want to provision an ecr dkr endpoint to the VPC"
+ default = false
+}
+
+variable "ecr_dkr_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "ecr_dkr_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint"
+ default = false
+}
+
+variable "ecr_dkr_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for ECR DKR endpoint"
+ default = []
+}
+
 variable "enable_ssm_endpoint" {
 description = "Should be true if you want to provision an SSM endpoint to the VPC"
 default = false
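Review bot: The descriptions of `ecr_api_endpoint_private_dns_enabled` and `ecr_dkr_endpoint_private_dns_enabled` explain the mechanism (a private hosted zone) but not the consequence of the `false` default: without private DNS the standard ECR hostnames keep resolving to public addresses, so the ECR client and Docker do not use the endpoint unless the caller overrides the hostname, and enabling `enable_ecr_*_endpoint` alone changes nothing about where pull traffic goes. I would extend each description with a sentence such as `Leave false only if you resolve the endpoint DNS names yourself; otherwise pulls keep using the public ECR hostnames.` The `*_security_group_ids` descriptions should likewise say what an empty list does, since the default `[]` results in the VPC default security group being attached rather than no access. Minor: the `enable_ecr_*_endpoint` and `*_subnet_ids` descriptions write "ecr api"/"ecr dkr" in lowercase while the sibling variables use "ECR API"/"ECR DKR".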