Introduction to Amazon ECS and AWS Fargate
TRANSCRIPT
© 2020, Amazon Web Services, Inc. or its Affiliates.
Introduction to Amazon ECS and AWS Fargate. Containers Immersion Day: Module 3
AWS container services landscape
• Management (deployment, scheduling, scaling & management of containerized applications): Amazon Elastic Container Service, Amazon Elastic Kubernetes Service
• Hosting (where the containers run): Amazon EC2, AWS Fargate
• Image Registry (container image repository): Amazon Elastic Container Registry
Amazon Elastic Container Service
Scheduling and orchestration: ECS provides the cluster manager and the placement engine
Amazon ECS constructs
(diagram: a container instance running tasks, each task made of one or more containers; the task definition is a JSON document)
Cluster
• Resource grouping and isolation
• IAM permissions boundary
Container Instance
Task
• Running instance of a task definition
• One or more containers
Task definition
• Template used by Amazon ECS to launch tasks
• Parallels to docker run parameters
• Defines requirements: CPU/memory, container image(s), logging, IAM role, etc.
Service
• Maintains desired # of running tasks
• Replaces unhealthy tasks
• ELB integration
Task definition (example):
{
  "containerDefinitions": [{
    "memory": 128,
    "portMappings": [{"hostPort": 80, "containerPort": 80, "protocol": "tcp"}],
    "essential": true,
    "name": "nginx-container",
    "image": "nginx",
    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "ecs-log-streaming",
        "awslogs-region": "us-west-2",
        "awslogs-stream-prefix": "fargate-task-1"
      }
    },
    "cpu": 0
  }],
  "networkMode": "awsvpc",
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "memory": "2048",
  "cpu": "1024",
  "requiresCompatibilities": ["FARGATE"],
  "family": "example_task_1"
}
Deploying on ECS: Tasks vs Services
On-demand workloads
• ECS task scheduler: run once or at intervals
• Batch jobs
• RunTask API
• StartTask (custom)
Long-running apps
• ECS service scheduler
• Health management
• Scale-up and scale-down
• AZ aware
• Grouped containers
Task placement (filters applied in order)
• Cluster constraints: satisfy CPU, memory, and networking requirements
• Custom constraints: filter for location, instance type, AMI, or other custom attribute constraints
• Placement strategies: identify instances that meet the spread or binpack placement strategy
• Apply filter: select the final container instances for placement
AWS Fargate
Without Fargate, you end up managing more than just containers
(diagram: each EC2 instance carries an OS, a container runtime and the ECS agent underneath your containers)
- Patching and upgrading the OS, agents, etc.
- Scaling the instance fleet for optimal utilization
Amazon Elastic Container Service + AWS Fargate: run serverless containers
AWS Fargate platform versions: platform version 1.4.0
Your containerized applications on AWS Fargate
• Managed by AWS: no EC2 instances to provision, scale or manage
• Elastic: scale up & down seamlessly; pay only for what you use
• Integrated with the AWS ecosystem: VPC networking, Elastic Load Balancing, IAM permissions, CloudWatch and more
Fully managed container environment with AWS ECS + Fargate
• Bring existing code: no changes required of existing code; works with existing workflows and microservices built on Amazon ECS
• Production ready: ISO, PCI, HIPAA, SOC compliant; launch ten or tens of thousands of containers in seconds in 9 global regions (+7 in 2018)
• Powerful integrations: native AWS integrations for networking, security, CI/CD, monitoring, and tracing
Fargate runs tens of millions of containers for AWS customers every week
Fargate launch type: Compute
50 different CPU/memory configurations per task to choose from
CPU (units)       Memory
256 (.25 vCPU)    512 MB, 1 GB, 2 GB
512 (.5 vCPU)     1 GB, 2 GB, 3 GB, 4 GB
1,024 (1 vCPU)    2 GB, 3 GB, 4 GB, 5 GB, 6 GB, 7 GB, 8 GB
2,048 (2 vCPU)    4 GB–16 GB (in 1 GB increments)
4,096 (4 vCPU)    8 GB–30 GB (in 1 GB increments)
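As an added example (not part of the AWS deck), a pre-registration check in Python that encodes what the task definition slide and the compute table above state: a Fargate task needs awsvpc, a task-level cpu/memory pair from the table and an execution role, and in awsvpc mode hostPort must equal containerPort; it also rejects privileged containers, which Fargate does not support. The MiB values (1 GB taken as 1024 MiB) and the sample definition are constructed from the slides.

```python
import json

# Valid Fargate CPU/memory pairs from the compute table; assumption: 1 GB = 1024 MiB.
FARGATE_CPU_MEMORY = {
    256: {512, 1024, 2048},
    512: {1024, 2048, 3072, 4096},
    1024: {2048, 3072, 4096, 5120, 6144, 7168, 8192},
    2048: set(range(4096, 16384 + 1, 1024)),
    4096: set(range(8192, 30720 + 1, 1024)),
}

def validate_fargate_task_definition(td):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if "FARGATE" not in td.get("requiresCompatibilities", []):
        problems.append("requiresCompatibilities must include FARGATE")
    if td.get("networkMode") != "awsvpc":
        problems.append("Fargate requires networkMode awsvpc (one ENI and SG per task)")
    # task-level cpu/memory are strings in the JSON; "1 vCPU" style values are not handled
    cpu, mem = int(td.get("cpu", 0)), int(td.get("memory", 0))
    if mem not in FARGATE_CPU_MEMORY.get(cpu, set()):
        problems.append(f"cpu {cpu} with memory {mem} MiB is not a Fargate combination")
    if not td.get("executionRoleArn"):
        problems.append("executionRoleArn missing (needed to pull images and ship awslogs)")
    containers = td.get("containerDefinitions", [])
    if not any(c.get("essential", True) for c in containers):
        problems.append("at least one container must be essential")
    for c in containers:
        name = c.get("name", "<unnamed>")
        if c.get("privileged"):
            problems.append(f"{name}: privileged containers are not supported on Fargate")
        for pm in c.get("portMappings", []):
            if pm.get("hostPort", pm.get("containerPort")) != pm.get("containerPort"):
                problems.append(f"{name}: awsvpc mode needs hostPort == containerPort")
        if "logConfiguration" not in c:
            problems.append(f"{name}: no logConfiguration, container output will be lost")
    return problems

# Constructed sample: the example_task_1 definition from the slide, as JSON.
EXAMPLE_TASK_1 = json.loads("""{
  "family": "example_task_1", "networkMode": "awsvpc", "cpu": "1024", "memory": "2048",
  "requiresCompatibilities": ["FARGATE"],
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "containerDefinitions": [{"name": "nginx-container", "image": "nginx", "memory": 128,
    "cpu": 0, "essential": true,
    "portMappings": [{"hostPort": 80, "containerPort": 80, "protocol": "tcp"}],
    "logConfiguration": {"logDriver": "awslogs", "options": {"awslogs-group": "ecs-log-streaming",
      "awslogs-region": "us-west-2", "awslogs-stream-prefix": "fargate-task-1"}}}]
}""")
```

Run it against a definition before `register-task-definition`; the slide's own example passes with no findings.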
Auto Scaling
Amazon ECS cluster auto scaling and capacity providers
(diagram: ECS cluster -> ECS capacity provider -> EC2 Auto Scaling Group -> EC2 instances running ECS tasks)
• Capacity provider: used to determine the infrastructure needed to run tasks.
• Capacity provider strategy: gives you control over how your tasks use one or more capacity providers.
• Default capacity provider strategy: determines the capacity provider strategy used if no other capacity provider or launch type is specified.
Three types of scaling policies
(diagram: an Amazon CloudWatch alarm triggers Application Auto Scaling, which adjusts an ECS service in the ECS cluster)
• Target tracking: scale based on a target value for a specific metric
• Step scaling: scale based on a set of scaling adjustments, or steps, that vary based on the size of the alarm breach
• Scheduled scaling: scale based on the date and time
Networking
ECS and Fargate networking modes
Mode     EC2 launch type   Fargate launch type
Bridge   YES               NO
Host     YES               NO
awsvpc   YES               YES
Networking modes: Bridge
(diagram: an EC2 container instance with host eth0 at 192.168.1.11 in the VPC; Container 1 and Container 2 sit on the Docker bridge 172.16.32.0/24 at 172.16.32.2:80 and 172.16.32.3:80; a host process (SSH) listens on 192.168.1.11:22; one security group covers the whole instance)
Networking modes: Host
(diagram: Container 1 uses host eth0 directly, listening on 192.168.1.11:80 next to the host SSH process on 192.168.1.11:22; one security group covers the whole instance)
Networking modes: awsvpc
(diagram: each task gets its own ENI and its own security group; a task in a public subnet is reached by a client from the Internet, while a task in a private subnet reaches the Internet through a NAT gateway)
Storage
Layer storage - ephemeral
(diagram: Container 1 and Container 2 each with image layers and their own writable layer; labelled 10 GB per task)
• Container images are composed of layers; the topmost layer is the writable layer that captures file changes made by the running container
• 20 GB layer storage available per task across all containers, including image layers
• Writes are not visible across containers
• Ephemeral storage is not available after the task stops
EFS storage
(diagram: EFS file system fs-1324abcd NFS-mounted into Container 1 and Container 2 at /usr/share/nginx/html)
• Need persistence beyond the task lifecycle?
• Fargate platform version 1.4 supports mounting EFS file systems to containers in your task.
• Configure via NFS mounts in the task definition
• Can mount at different container paths
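An added example, not from the deck: a Python helper that writes the EFS volume and per-container mount points into a task definition the way the slide describes (one file system, different container paths), plus a check for the two constraints the slide states: EFS mounts need Fargate platform version 1.4 or later, and every mount must name a declared volume. The dict shape follows the ECS RegisterTaskDefinition API; the sample task and the /srv/html path are constructed.

```python
def add_efs_volume(td, volume_name, file_system_id, mounts, read_only=False):
    """Declare one EFS volume on the task and mount it in each listed container.

    mounts maps container name -> containerPath, so one file system can sit
    at different paths in different containers, as the slide notes."""
    td.setdefault("volumes", []).append({
        "name": volume_name,
        "efsVolumeConfiguration": {
            "fileSystemId": file_system_id,
            "rootDirectory": "/",
            "transitEncryption": "ENABLED",  # NFS traffic to EFS encrypted in transit
        },
    })
    by_name = {c["name"]: c for c in td["containerDefinitions"]}
    for container, path in mounts.items():
        by_name[container].setdefault("mountPoints", []).append(
            {"sourceVolume": volume_name, "containerPath": path, "readOnly": read_only})
    return td

def efs_mount_problems(td, platform_version):
    """Checks implied by the slide: EFS needs platform 1.4.0+ ("LATEST" is fine),
    and every mountPoint must reference a declared volume."""
    problems = []
    volumes = td.get("volumes", [])
    uses_efs = any("efsVolumeConfiguration" in v for v in volumes)
    if uses_efs and platform_version != "LATEST":
        if tuple(int(x) for x in platform_version.split(".")) < (1, 4, 0):
            problems.append(f"EFS volumes need platform version 1.4.0+, got {platform_version}")
    declared = {v["name"] for v in volumes}
    for c in td["containerDefinitions"]:
        for mp in c.get("mountPoints", []):
            if mp["sourceVolume"] not in declared:
                problems.append(f"{c['name']}: mountPoint names undeclared volume {mp['sourceVolume']}")
    return problems

# Constructed sample: two nginx containers sharing fs-1324abcd (the id on the slide)
# read-only, at different container paths.
TASK = {"family": "web", "networkMode": "awsvpc", "requiresCompatibilities": ["FARGATE"],
        "containerDefinitions": [{"name": "web-1", "image": "nginx"},
                                 {"name": "web-2", "image": "nginx"}]}
add_efs_volume(TASK, "html", "fs-1324abcd",
               {"web-1": "/usr/share/nginx/html", "web-2": "/srv/html"}, read_only=True)
```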
Security
Working together: security in the Cloud is a shared responsibility
https://aws.amazon.com/compliance/shared-responsibility-model/
Security OF the Cloud (managed by AWS):
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Foundation Services: Compute, Storage, Databases, Networking
• AWS Endpoints, AWS IAM
Security IN the Cloud (managed by customers):
• Customer Data
• Platform & Application Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption / Integrity / Identity)
• Optional – Opaque Data: 0s and 1s (In Transit and At Rest)
Shared responsibility model: Amazon ECS for EC2
(diagram) Managed by AWS: AWS Global Infrastructure (Regions, Availability Zones, Edge Locations), Foundation Services (Compute, Storage, Databases, Networking), AWS Endpoints, AWS IAM, ECS control plane
Managed by customer: network configuration (VPC, route tables), security groups, NACLs, task and container patching/hardening/monitoring, data protection (network traffic protection, server-side encryption, client-side encryption), application, customer IAM, and the container instance itself: host, ECS agent, instance configuration, patching, hardening, monitoring
Security: IAM Roles for Tasks
(diagram 1: one EC2 container instance whose instance IAM role is shared by the Dogs container and the Cats container; because both containers use that role, the Dogs container can reach the Cats bucket and vice versa: undesired permission)
(diagram 2: the same container instance, but the Dogs task and the Cats task each have their own IAM role, so each container reaches only its own bucket)
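An added illustration, not from the deck, of the two slides above: a tiny IAM-style policy evaluator (Allow/Deny with wildcard Action and Resource only; no Conditions) applied to a shared instance-role policy versus one least-privilege policy per task role. Bucket names, the account id and the role ARNs are constructed placeholders.

```python
from fnmatch import fnmatchcase

def policy_allows(policy, action, resource):
    """Minimal IAM-style evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. Assumption: only Action/Resource wildcards are modelled, with
    no Condition, NotAction or resource-policy handling."""
    allowed = False
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatchcase(action, a) for a in acts) and any(fnmatchcase(resource, r) for r in res):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def bucket_read_policy(bucket):
    """Least-privilege policy for one task role: list and read one bucket only."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}

# First slide: every container on the host inherits the container instance's
# role, which therefore has to cover both workloads' buckets.
INSTANCE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*-bucket*"}]}

# Second slide: one task definition per workload, each carrying its own taskRoleArn
# (placeholder account id and role names) and a policy scoped to its own bucket.
TASK_DEFINITIONS = {
    "dogs": {"family": "dogs", "taskRoleArn": "arn:aws:iam::123456789012:role/dogs-task",
             "containerDefinitions": [{"name": "dogs", "image": "dogs-app"}]},
    "cats": {"family": "cats", "taskRoleArn": "arn:aws:iam::123456789012:role/cats-task",
             "containerDefinitions": [{"name": "cats", "image": "cats-app"}]}}
TASK_ROLE_POLICIES = {"dogs": bucket_read_policy("dogs-bucket"),
                      "cats": bucket_read_policy("cats-bucket")}

def cross_bucket_access(policy_for):
    """Return (workload, bucket) pairs where a workload can read the other one's
    objects; policy_for maps a workload name to the policy its credentials carry."""
    leaks = []
    for w in ("dogs", "cats"):
        for other in ("dogs", "cats"):
            if w != other and policy_allows(policy_for(w), "s3:GetObject",
                                            f"arn:aws:s3:::{other}-bucket/photo.jpg"):
                leaks.append((w, f"{other}-bucket"))
    return leaks
```

With the shared instance role the evaluator reports both cross-bucket reads; with per-task roles it reports none.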
Shared responsibility model: Amazon ECS for AWS Fargate
(diagram: the same layout as the EC2 diagram with the dividing line moved; the container instance (host, ECS agent, instance configuration, patching, hardening, monitoring) becomes managed by AWS alongside the ECS control plane, AWS IAM, AWS Endpoints, Foundation Services and the AWS Global Infrastructure; the customer keeps network configuration (VPC, route tables), security groups, NACLs, task and container patching/hardening/monitoring, data protection (network traffic protection, server-side encryption, client-side encryption), application and customer IAM)
Security: benefits of Fargate
We do more, you do less.
• Patching (OS, Docker, ECS agent, etc.)
• Task isolation (via clusters)
• No --privileged mode for containers
• Requires awsvpc network mode so there is an ENI and SG per task
• ECS Exec required for runtime access (ssh or interactive commands)
Cost optimisation
Fargate purchase options
(slide compares the three Fargate purchase options with their EC2 counterparts)
• Fargate: pay for containers per-second with no long-term commitment. EC2 counterpart: On-Demand, pay for compute capacity with no long-term commitments. Fit: spiky workloads, to define needs; capacity needs can change rapidly
• Fargate Compute Savings Plan: make a 1 or 3-year commitment and receive a significant discount. EC2 counterpart: Reserved Instances, make a 1 or 3-year commitment and receive a … off On-Demand prices. Fit: committed & steady-state usage; baseline compute needs known in advance
• Fargate Spot (new): spare capacity with savings up to 70% off Fargate standard pricing. EC2 counterpart: Spot Instances, spare EC2 capacity at … off On-Demand prices. Fit: fault-tolerant, flexible, stateless workloads
New: Amazon Fargate Spot
• Spare compute capacity
• Save up to 70% over standard Fargate
• Can be reclaimed (with two minute warning)
• Automatic diversification
Fargate and Fargate Spot capacity provider mix
(chart: load metric over time against number of replicas)
• Overprovision by 50%: reduce metric target value by 1/3
• Run 2/3 On-Demand, 1/3 on Spot
• No performance gaps
• +50% capacity for +5-10% cost
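An added example, not part of the deck, of how a capacity provider strategy's base and weight split a service's tasks, using the slide's 2/3 On-Demand / 1/3 Spot mix, together with the target-value adjustment the slide describes (lowering a target-tracking target by 1/3 yields 50% more replicas). The rounding of fractional shares is my assumption; the slide does not state how ECS rounds.

```python
def distribute_tasks(strategy, desired):
    """Split `desired` tasks across the providers of an ECS capacity provider
    strategy: `base` tasks go to the one provider that declares a base, and the
    rest are shared in proportion to each provider's `weight`.
    Assumption: fractional shares are rounded by largest remainder."""
    counts = {p["capacityProvider"]: 0 for p in strategy}
    remaining = desired
    for p in strategy:
        take = min(p.get("base", 0), remaining)
        counts[p["capacityProvider"]] += take
        remaining -= take
    total_weight = sum(p.get("weight", 0) for p in strategy)
    if remaining and total_weight:
        shares = {p["capacityProvider"]: remaining * p.get("weight", 0) / total_weight
                  for p in strategy}
        floors = {name: int(share) for name, share in shares.items()}
        leftover = remaining - sum(floors.values())
        by_remainder = sorted(shares, key=lambda n: shares[n] - floors[n], reverse=True)
        for name in by_remainder[:leftover]:
            floors[name] += 1
        for name, n in floors.items():
            counts[name] += n
    return counts

def overprovisioned_target(target_value, overprovision=0.5):
    """Target tracking keeps replicas ~ metric / target, so carrying 50% more
    replicas at the same load means lowering the target by 1/3 (x 2/3)."""
    return target_value / (1 + overprovision)

# The slide's mix: weight 2 on On-Demand Fargate and 1 on Fargate Spot gives the
# 2/3 : 1/3 split; Spot tasks can be reclaimed with a two-minute warning, so the
# On-Demand share carries the load while replacements launch.
SPOT_MIX = [{"capacityProvider": "FARGATE", "weight": 2},
            {"capacityProvider": "FARGATE_SPOT", "weight": 1}]
```

Adding a `base` to the FARGATE entry guarantees a minimum On-Demand footprint even when the service scales in.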
Questions?