diff --git a/network/infrastructure/construct.py b/network/infrastructure/construct.py
index bfd87db8..21d0ceb2 100644
--- a/network/infrastructure/construct.py
+++ b/network/infrastructure/construct.py
@@ -67,6 +67,9 @@ def __init__(
                 "cloudwatch-logs": aws_ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS,
                 "s3": aws_ec2.GatewayVpcEndpointAwsService.S3,
                 "dynamodb": aws_ec2.GatewayVpcEndpointAwsService.DYNAMODB,
+                "ecr": aws_ec2.InterfaceVpcEndpointAwsService.ECR,
+                "ecr-docker": aws_ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,
+                "sts": aws_ec2.InterfaceVpcEndpointAwsService.STS,
             }
 
             for id, service in vpc_endpoints.items():
diff --git a/standalone_base_infrastructure/network_construct.py b/standalone_base_infrastructure/network_construct.py
index d8785d4a..3911c5e3 100644
--- a/standalone_base_infrastructure/network_construct.py
+++ b/standalone_base_infrastructure/network_construct.py
@@ -42,6 +42,9 @@ def __init__(
             "cloudwatch-logs": aws_ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS,
             "s3": aws_ec2.GatewayVpcEndpointAwsService.S3,
             "dynamodb": aws_ec2.GatewayVpcEndpointAwsService.DYNAMODB,
+            "ecr": aws_ec2.InterfaceVpcEndpointAwsService.ECR,  # allows airflow to pull task images
+            "ecr-docker": aws_ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,  # allows airflow to pull task images
+            "sts": aws_ec2.InterfaceVpcEndpointAwsService.STS,  # allows airflow tasks to assume access roles
         }
 
         for id, service in vpc_endpoints.items():