Introduction to Amazon ECS and AWS Fargate

© 2020, Amazon Web Services, Inc. or its Affiliates. Introduction to Amazon ECS and AWS Fargate Containers Immersion Day: Module 3


Page 1: Introduction to Amazon ECS and AWS Fargate


Introduction to Amazon ECS and AWS Fargate
Containers Immersion Day: Module 3

Page 2: Introduction to Amazon ECS and AWS Fargate


AWS container services landscape

Management (deployment, scheduling, scaling and management of containerized applications):
• Amazon Elastic Container Service
• Amazon Elastic Kubernetes Service

Hosting (where the containers run):
• Amazon EC2
• AWS Fargate

Image registry (container image repository):
• Amazon Elastic Container Registry

Page 3: Introduction to Amazon ECS and AWS Fargate


Amazon Elastic Container Service

Page 4: Introduction to Amazon ECS and AWS Fargate


ECS: scheduling and orchestration

[Diagram: the ECS control plane is made up of a cluster manager and a placement engine]

Page 5: Introduction to Amazon ECS and AWS Fargate


Page 6: Introduction to Amazon ECS and AWS Fargate
Page 7: Introduction to Amazon ECS and AWS Fargate


Amazon ECS constructs

Cluster
• Resource grouping and isolation
• IAM permissions boundary

Page 8: Introduction to Amazon ECS and AWS Fargate


Amazon ECS constructs


Container Instance

Page 9: Introduction to Amazon ECS and AWS Fargate


Amazon ECS constructs


Task
• Running instance of a task definition
• One or more containers

Task definition
• Template (JSON) used by Amazon ECS to launch tasks
• Parallels to docker run parameters
• Defines requirements:
  • CPU/Memory
  • Container image(s)
  • Logging
  • IAM role
  • Etc.

Page 10: Introduction to Amazon ECS and AWS Fargate


Amazon ECS constructs


Service
• Maintains desired # of running tasks
• Replaces unhealthy tasks
• ELB integration


Page 11: Introduction to Amazon ECS and AWS Fargate


Task definition

{
  "containerDefinitions": [
    {
      "memory": 128,
      "portMappings": [
        {
          "hostPort": 80,
          "containerPort": 80,
          "protocol": "tcp"
        }
      ],
      "essential": true,
      "name": "nginx-container",
      "image": "nginx",
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "ecs-log-streaming",
          "awslogs-region": "us-west-2",
          "awslogs-stream-prefix": "fargate-task-1"
        }
      },
      "cpu": 0
    }
  ],
  "networkMode": "awsvpc",
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "memory": "2048",
  "cpu": "1024",
  "requiresCompatibilities": ["FARGATE"],
  "family": "example_task_1"
}

Page 12: Introduction to Amazon ECS and AWS Fargate


Deploying on ECS: Tasks vs Services

On-Demand Workloads
• ECS task scheduler
• Run once or at intervals
• Batch jobs
• RunTask API
• StartTask (custom)

Long-Running Apps
• ECS service scheduler
• Health management
• Scale-up and scale-down
• AZ aware
• Grouped containers

Page 13: Introduction to Amazon ECS and AWS Fargate


Task placement

• Cluster constraints: Satisfy CPU, memory, and networking requirements
• Custom constraints: Filter for location, instance-type, AMI, or other custom attribute constraints
• Placement strategies: Identify instances that meet spread or binpack placement strategy
• Apply filter: Select final container instances for placement
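The four placement stages above, as an added example that is not part of the deck: a small Python model that applies the cluster constraints, a custom attribute constraint and a binpack or spread strategy over a constructed set of container instances. The record fields, instance ids and the simplified binpack/spread rules are this example's own assumptions.

```python
# Added example (not from the deck): the four placement stages applied to a
# constructed set of container instances. Record fields, ids and the
# simplified binpack/spread rules are assumptions of this example.

# Remaining CPU units / memory (MiB) per instance, its attributes, and how
# many tasks already run on it.
INSTANCES = [
    {"id": "i-aaa", "az": "us-west-2a", "type": "c5.large", "cpu": 1024, "mem": 3072, "tasks": 1},
    {"id": "i-bbb", "az": "us-west-2a", "type": "c5.large", "cpu": 2048, "mem": 1024, "tasks": 0},
    {"id": "i-ccc", "az": "us-west-2b", "type": "m5.large", "cpu": 2048, "mem": 6144, "tasks": 2},
    {"id": "i-ddd", "az": "us-west-2b", "type": "c5.large", "cpu": 2048, "mem": 2048, "tasks": 0},
]

def place_task(instances, cpu, mem, constraints, strategy):
    """Return the id of the instance chosen for a task, or None if nothing fits.

    constraints: attribute -> required value (the custom-constraint filter)
    strategy:    "binpack" (least memory left after placement) or
                 "spread" (instance in the AZ currently running the fewest tasks)
    """
    # 1. Cluster constraints: enough CPU and memory left.
    fits = [i for i in instances if i["cpu"] >= cpu and i["mem"] >= mem]
    # 2. Custom constraints: location, instance type, or other attributes.
    matched = [i for i in fits if all(i.get(k) == v for k, v in constraints.items())]
    if not matched:
        return None
    # 3. Placement strategy ranks the candidates ...
    if strategy == "binpack":
        ranked = sorted(matched, key=lambda i: i["mem"] - mem)
    elif strategy == "spread":
        per_az = {}
        for i in instances:
            per_az[i["az"]] = per_az.get(i["az"], 0) + i["tasks"]
        ranked = sorted(matched, key=lambda i: (per_az[i["az"]], i["tasks"]))
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    # 4. ... and the filter selects the final container instance.
    return ranked[0]["id"]
```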

Page 14: Introduction to Amazon ECS and AWS Fargate


AWS Fargate

Page 15: Introduction to Amazon ECS and AWS Fargate


Without Fargate, you end up managing more than just containers

[Diagram: an EC2 instance running the ECS Agent, the container runtime and the OS]

Page 16: Introduction to Amazon ECS and AWS Fargate


- Patching and Upgrading OS, agents, etc.

- Scaling the instance fleet for optimal utilization

Page 17: Introduction to Amazon ECS and AWS Fargate


Amazon Elastic Container Service

Page 18: Introduction to Amazon ECS and AWS Fargate


AWS Fargate: run serverless containers

Amazon Elastic Container Service

Page 19: Introduction to Amazon ECS and AWS Fargate

AWS Fargate platform versions

AWS Fargate platform version 1.4.0

Amazon Elastic Container Service

Page 20: Introduction to Amazon ECS and AWS Fargate


AWS Fargate for your containerized applications

Managed by AWS: No EC2 instances to provision, scale or manage

Elastic: Scale up & down seamlessly. Pay only for what you use

Integrated: With the AWS ecosystem: VPC Networking, Elastic Load Balancing, IAM Permissions, CloudWatch and more

Page 21: Introduction to Amazon ECS and AWS Fargate


Fully managed container environment with AWS ECS + Fargate

Bring existing code: No changes required of existing code, works with existing workflows and microservices built on Amazon ECS

Production ready: ISO, PCI, HIPAA, SOC compliant. Launch ten or tens of thousands of containers in seconds in 9 global regions (+7 in 2018)

Powerful integrations: Native AWS integrations for networking, security, CICD, monitoring, and tracing

Fargate runs tens of millions of containers for AWS customers every week

Page 22: Introduction to Amazon ECS and AWS Fargate


Fargate launch type: Compute

50 different CPU/memory configurations per task to choose from

CPU              Memory
256 (.25 vCPU)   512 MB, 1 GB, 2 GB
512 (.5 vCPU)    1 GB, 2 GB, 3 GB, 4 GB
1,024 (1 vCPU)   2 GB, 3 GB, 4 GB, 5 GB, 6 GB, 7 GB, 8 GB
2,048 (2 vCPU)   4 GB–16 GB (in 1 GB increments)
4,096 (4 vCPU)   8 GB–30 GB (in 1 GB increments)
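Added example (not from the deck): the table above encoded as data, with a check that a Fargate task definition, such as the one on the Task definition slide, requests one of the supported combinations. Memory is in MiB, as the task definition expresses it; the sample task definition is the deck's, trimmed to the fields the check reads.

```python
# Added example (not AWS code): the slide's Fargate CPU/memory table as data,
# plus a check that a task definition asks for a supported combination.
# Memory is in MiB, the unit the task definition uses.
GB = 1024

# CPU units -> allowed task memory values (MiB), row by row from the table.
FARGATE_SIZES = {
    256: [512, 1 * GB, 2 * GB],
    512: [1 * GB, 2 * GB, 3 * GB, 4 * GB],
    1024: [n * GB for n in range(2, 9)],     # 2 GB .. 8 GB
    2048: [n * GB for n in range(4, 17)],    # 4 GB .. 16 GB in 1 GB steps
    4096: [n * GB for n in range(8, 31)],    # 8 GB .. 30 GB in 1 GB steps
}

def valid_fargate_size(cpu, memory):
    """True if (CPU units, memory MiB) is one of the supported combinations."""
    return int(memory) in FARGATE_SIZES.get(int(cpu), [])

def count_sizes():
    """Number of supported combinations; the slide says 50."""
    return sum(len(v) for v in FARGATE_SIZES.values())

def check_task_definition(td):
    """Return a list of sizing problems for a task definition dict (empty = fine)."""
    problems = []
    if "FARGATE" not in td.get("requiresCompatibilities", []):
        return problems  # the table only constrains Fargate tasks
    cpu, mem = td.get("cpu"), td.get("memory")
    if cpu is None or mem is None:
        problems.append("Fargate tasks must set task-level cpu and memory")
    elif not valid_fargate_size(cpu, mem):
        problems.append(f"unsupported Fargate size: cpu={cpu} memory={mem}")
    # Container-level reservations cannot add up to more than the task has.
    reserved = sum(int(c.get("memory", 0)) for c in td.get("containerDefinitions", []))
    if mem is not None and reserved > int(mem):
        problems.append(f"container memory {reserved} exceeds task memory {mem}")
    return problems

# The deck's task definition, trimmed to the fields this check reads.
EXAMPLE_TD = {
    "requiresCompatibilities": ["FARGATE"],
    "cpu": "1024", "memory": "2048",
    "containerDefinitions": [{"name": "nginx-container", "memory": 128}],
}
```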

Page 23: Introduction to Amazon ECS and AWS Fargate


Auto Scaling

Page 24: Introduction to Amazon ECS and AWS Fargate


Amazon ECS cluster autoscaling

[Diagram: an ECS cluster running ECS tasks on EC2 instances that belong to an EC2 Auto Scaling Group]

Capacity provider
• Used to determine infrastructure needed to run tasks.

Capacity provider strategy
• Gives you control over how your tasks use one or more capacity providers

Default capacity provider strategy
• Determines the capacity provider strategy used if no other capacity provider or launch type is specified.

Page 25: Introduction to Amazon ECS and AWS Fargate


Amazon ECS capacity providers

[Diagram: the ECS cluster's tasks are placed through an ECS capacity provider that is backed by the EC2 Auto Scaling Group of EC2 instances]

Page 26: Introduction to Amazon ECS and AWS Fargate

Three types of scaling policies

[Diagram: an Amazon CloudWatch alarm triggers Application Auto Scaling, which adjusts the ECS service in the cluster]

• Target Tracking: Scale based on a target value for a specific metric
• Step Scaling: Scale based on a set of scaling adjustments, or steps, that vary based on the size of the alarm breach
• Scheduled Scaling: Scale based on the date and time

Page 27: Introduction to Amazon ECS and AWS Fargate


Networking

Page 28: Introduction to Amazon ECS and AWS Fargate


ECS and Fargate networking modes

Mode     EC2   Fargate
Bridge   YES   NO
Host     YES   NO
awsvpc   YES   YES

Page 29: Introduction to Amazon ECS and AWS Fargate


Networking modes: Bridge

[Diagram: EC2 instance / container instance in a VPC, with one security group on the instance. Container 1 (172.16.32.2:80) and Container 2 (172.16.32.3:80) sit on the Docker bridge network 172.16.32.0/24 behind the host's eth0; a host process (SSH) listens on 192.168.1.11:22.]

Page 30: Introduction to Amazon ECS and AWS Fargate


Networking modes: Host

[Diagram: EC2 instance / container instance in a VPC, with one security group on the instance. Container 1 binds directly to the host's eth0 at 192.168.1.11:80, alongside the host process (SSH) on 192.168.1.11:22.]

Page 31: Introduction to Amazon ECS and AWS Fargate


Networking modes: awsvpc

[Diagram: each task gets its own ENI and security group in the VPC. Left: a task in a public subnet reached by a client from the Internet. Right: a task in a private subnet reaching the Internet through a NAT gateway in a public subnet.]

Page 32: Introduction to Amazon ECS and AWS Fargate


Storage

Page 33: Introduction to Amazon ECS and AWS Fargate


Layer storage - ephemeral

[Diagram: Container 1 and Container 2 each have their own writable layer on top of the image layers; label: 10 GB per task]

• Container images are composed of layers - topmost layer is the writable layer to capture file changes made by the running container
• 20 GB layer storage available per task across all containers, including image layers
• Writes are not visible across containers
• Ephemeral storage is not available after the task stops

Page 34: Introduction to Amazon ECS and AWS Fargate


EFS storage

[Diagram: EFS file system fs-1324abcd NFS-mounted into Container 1 and Container 2 at /usr/share/nginx/html]

• Need persistence beyond the task lifecycle?
• Fargate platform version 1.4 supports mounting EFS file systems to containers in your task.
• Configure via NFS mounts in task definition
• Can mount at different container paths

Page 35: Introduction to Amazon ECS and AWS Fargate


Security

Page 36: Introduction to Amazon ECS and AWS Fargate


Working together

https://aws.amazon.com/compliance/shared-responsibility-model/

Security in the Cloud is a Shared Responsibility

Security IN the Cloud (managed by customers):
• Customer Data
• Platform & Application Management
• Operating System, Network & Firewall Configuration
• Client Side Data Encryption & Data Integrity Authentication
• Server Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption / Integrity / Identity)
• Optional – Opaque Data: 0s and 1s (In Transit and At Rest)
• Customer IAM

Security OF the Cloud (managed by AWS):
• Foundation Services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS Endpoints
• AWS IAM

Page 37: Introduction to Amazon ECS and AWS Fargate

Shared responsibility model: Amazon ECS for EC2

Managed by AWS:
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Foundation Services: Compute, Storage, Databases, Networking, AWS Endpoints, AWS IAM
• ECS Control Plane

Managed by customer:
• Network configuration: VPC, route tables, security groups, NACLs
• Host / container instance: configuration, patching, hardening, monitoring
• ECS Agent
• Task / container: patching, hardening, monitoring
• Application
• Data: network traffic protection, server-side encryption, client-side encryption
• Customer IAM

Page 38: Introduction to Amazon ECS and AWS Fargate

Security: IAM Roles for Tasks

[Diagram: one EC2 instance / container instance with a single IAM role shared by the Dogs container and the Cats container, so each container can reach the other's bucket as well as its own: an undesired permission]

Page 39: Introduction to Amazon ECS and AWS Fargate

Security: IAM Roles for Tasks

[Diagram: on the same EC2 instance / container instance, the Dogs container and the Cats container each run with their own IAM role, so each reaches only its own bucket]

Page 40: Introduction to Amazon ECS and AWS Fargate

Shared responsibility model: Amazon ECS for AWS Fargate

Managed by AWS:
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Foundation Services: Compute, Storage, Databases, Networking, AWS Endpoints, AWS IAM
• ECS Control Plane
• Host / container instance: configuration, patching, hardening, monitoring
• ECS Agent

Managed by customer:
• Network configuration: VPC, route tables, security groups, NACLs
• Task / container: patching, hardening, monitoring
• Application
• Data: network traffic protection, server-side encryption, client-side encryption
• Customer IAM

Page 41: Introduction to Amazon ECS and AWS Fargate


Security: Benefits of Fargate

We do more, you do less.

• Patching (OS, Docker, ECS Agent, etc.)
• Task isolation (via Clusters)
• No --privileged mode for containers
• Requires awsvpc network mode so there is an ENI and SG per Task
• ECS Exec required for runtime access (ssh or interactive commands)
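Added example (not AWS code): a lint pass over a task definition for the Fargate properties this slide, the IAM Roles for Tasks slides and the EFS storage slide describe: awsvpc networking with one ENI and security group per task, no privileged containers, a task role of its own rather than a shared or reused role, and transit encryption on EFS volumes. Field names are the real ECS task definition keys; the task role name and the sample values are constructed.

```python
# Added example (not AWS code): lint a task definition for the Fargate
# properties described on this deck. Keys are the real ECS task definition
# keys; the role name and sample values are constructed.

def lint_fargate_task(td):
    """Return findings (strings) for a task definition dict; empty means clean."""
    findings = []
    fargate = "FARGATE" in td.get("requiresCompatibilities", [])
    awsvpc = td.get("networkMode") == "awsvpc"
    if fargate and not awsvpc:
        findings.append("Fargate requires networkMode awsvpc (one ENI and SG per task)")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        if c.get("privileged"):
            findings.append(f"{name}: privileged mode is not available on Fargate")
        for pm in c.get("portMappings", []):
            host, cont = pm.get("hostPort"), pm.get("containerPort")
            # With awsvpc the task ENI owns the port, so hostPort must be blank or equal.
            if awsvpc and host not in (None, cont):
                findings.append(f"{name}: hostPort {host} must equal containerPort {cont} in awsvpc mode")
    # IAM Roles for Tasks: each task gets its own role, not a shared or reused one.
    if not td.get("taskRoleArn"):
        findings.append("no taskRoleArn: the task has no identity of its own")
    elif td["taskRoleArn"] == td.get("executionRoleArn"):
        findings.append("taskRoleArn reuses executionRoleArn; give the task a least-privilege role of its own")
    for v in td.get("volumes", []):
        efs = v.get("efsVolumeConfiguration")
        if efs and efs.get("transitEncryption") != "ENABLED":
            findings.append(f"volume {v.get('name')}: EFS transitEncryption should be ENABLED")
    return findings

# Constructed: the deck's nginx task plus a task role and the EFS mount from the storage slide.
GOOD_TASK = {
    "family": "example_task_1", "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "taskRoleArn": "arn:aws:iam::123456789012:role/nginxTaskRole",  # assumed role name
    "containerDefinitions": [{
        "name": "nginx-container", "image": "nginx",
        "portMappings": [{"containerPort": 80, "hostPort": 80, "protocol": "tcp"}],
        "mountPoints": [{"sourceVolume": "html", "containerPath": "/usr/share/nginx/html",
                         "readOnly": True}],
    }],
    "volumes": [{"name": "html", "efsVolumeConfiguration": {
        "fileSystemId": "fs-1324abcd", "transitEncryption": "ENABLED"}}],
}
```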

Page 42: Introduction to Amazon ECS and AWS Fargate


Cost optimisation

Page 43: Introduction to Amazon ECS and AWS Fargate

Fargate Purchase Options

Fargate
• Pay for containers per-second with no long-term commitment
• Capacity needs can change rapidly

Fargate Compute Savings Plan (new)
• Make a 1 or 3-year commitment and receive a significant discount
• Baseline compute needs known in advance

Fargate Spot (new)
• Spare capacity with savings up to 70% off Fargate standard pricing
• Fault-tolerant, flexible workloads

EC2 purchase options, for comparison:

On-Demand
• Pay for compute capacity with no long-term commitments
• Spiky workloads, to define needs

Reserved Instances
• Make a 1 or 3-year commitment and receive a discount off On-Demand prices
• Committed & steady-state usage

Spot Instances
• Spare EC2 capacity at a discount off On-Demand prices
• Fault-tolerant, flexible, stateless workloads

Page 44: Introduction to Amazon ECS and AWS Fargate

Amazon Fargate Spot

• Spare compute capacity
• Save up to 70% over standard Fargate
• Can be reclaimed (with two minute warning)
• Automatic diversification

Page 45: Introduction to Amazon ECS and AWS Fargate


Fargate and Fargate Spot Capacity Provider Mix

[Chart: load metric over time against the number of replicas, comparing a plain service with the overprovisioned Fargate + Fargate Spot mix]

• Overprovision by 50%: Reduce metric target value by 1/3
• Run 2/3 On-Demand, 1/3 on Spot
• No performance gaps
• +50% capacity for +5-10% cost
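Added example (not from the deck): the arithmetic behind the pattern on this slide and the target-tracking policy from the scaling slide, in Python. It lowers the target-tracking target by 1/3, splits the resulting task count with a 2:1 capacity provider strategy (Fargate : Fargate Spot), and checks that the On-Demand share alone still covers the unadjusted desired count, which is why a Spot reclaim leaves no gap. The metric values and the strategy are constructed, and how ECS rounds a weighted split is simplified here.

```python
# Added example (not AWS code): the arithmetic behind this slide's pattern of
# lowering the target-tracking target by 1/3 and splitting the resulting task
# count 2/3 Fargate, 1/3 Fargate Spot. Metric values are constructed; how ECS
# rounds a weighted split is simplified here (leftover to the first provider).
import math
from fractions import Fraction

def target_tracking_desired(current, metric, target):
    """Desired task count under target tracking: scale so metric/target -> 1."""
    return max(1, math.ceil(Fraction(current * metric) / Fraction(target)))

def apply_strategy(desired, strategy):
    """Split tasks by capacity-provider weight (base is left at 0 here)."""
    total = sum(p["weight"] for p in strategy)
    counts = {p["capacityProvider"]: desired * p["weight"] // total for p in strategy}
    counts[strategy[0]["capacityProvider"]] += desired - sum(counts.values())
    return counts

STRATEGY = [  # constructed: 2/3 On-Demand Fargate, 1/3 Fargate Spot
    {"capacityProvider": "FARGATE", "weight": 2},
    {"capacityProvider": "FARGATE_SPOT", "weight": 1},
]

def plan(current, metric, target, strategy=STRATEGY):
    """Compare scaling against the plain target and against the target reduced by 1/3."""
    plain = target_tracking_desired(current, metric, target)
    over = target_tracking_desired(current, metric, Fraction(2, 3) * target)
    split = apply_strategy(over, strategy)
    # "No performance gaps": the On-Demand share alone covers the plain desired
    # count, so Spot tasks reclaimed on the two-minute warning leave no shortfall.
    return {"plain": plain, "overprovisioned": over, "split": split,
            "spot_reclaim_safe": split["FARGATE"] >= plain}
```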

Page 46: Introduction to Amazon ECS and AWS Fargate


Questions?