Introduction to Amazon ECS and AWS Fargate
Containers Immersion Day: Module 3
© 2020, Amazon Web Services, Inc. or its Affiliates.
AWS container services landscape
• Management (deployment, scheduling, scaling & management of containerized applications): Amazon Elastic Container Service, Amazon Elastic Kubernetes Service
• Hosting (where the containers run): Amazon EC2, AWS Fargate
• Image registry (container image repository): Amazon Elastic Container Registry
Amazon Elastic Container Service
ECS provides scheduling and orchestration: a cluster manager and a placement engine.
Amazon ECS constructs
• Cluster: resource grouping and isolation; IAM permissions boundary
• Container instance: the EC2 instance on which tasks are placed
• Task definition (JSON): template used by Amazon ECS to launch tasks; parallels to docker run parameters; defines requirements: CPU/memory, container image(s), logging, IAM role, etc.
• Task: running instance of a task definition; one or more containers
• Service: maintains desired # of running tasks; replaces unhealthy tasks; ELB integration
Task definition (Fargate example from the slide):

```json
{
  "containerDefinitions": [
    {
      "memory": 128,
      "portMappings": [
        {
          "hostPort": 80,
          "containerPort": 80,
          "protocol": "tcp"
        }
      ],
      "essential": true,
      "name": "nginx-container",
      "image": "nginx",
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "ecs-log-streaming",
          "awslogs-region": "us-west-2",
          "awslogs-stream-prefix": "fargate-task-1"
        }
      },
      "cpu": 0
    }
  ],
  "networkMode": "awsvpc",
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "memory": "2048",
  "cpu": "1024",
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "family": "example_task_1"
}
```
Deploying on ECS: Tasks vs Services
• On-demand workloads (ECS task scheduler): run once or at intervals; batch jobs; RunTask API; StartTask (custom)
• Long-running apps (ECS service scheduler): health management; scale-up and scale-down; AZ aware; grouped containers
Task placement (applied in this order)
• Cluster constraints: satisfy CPU, memory, and networking requirements
• Custom constraints: filter for location, instance-type, AMI, or other custom attribute constraints
• Placement strategies: identify instances that meet the spread or binpack placement strategy
• Apply filter: select final container instances for placement
AWS Fargate
Without Fargate, you end up managing more than just containers: the EC2 instance, the ECS agent, the container runtime and the OS.
- Patching and upgrading the OS, agents, etc.
- Scaling the instance fleet for optimal utilization
AWS Fargate: run serverless containers on Amazon Elastic Container Service
AWS Fargate platform versions: platform version 1.4.0
AWS Fargate for your containerized applications
• Managed by AWS: no EC2 instances to provision, scale or manage
• Elastic: scale up & down seamlessly; pay only for what you use
• Integrated with the AWS ecosystem: VPC networking, Elastic Load Balancing, IAM permissions, CloudWatch and more
Fully managed container environment with AWS ECS + Fargate
• Bring existing code: no changes required of existing code; works with existing workflows and microservices built on Amazon ECS
• Production ready: ISO, PCI, HIPAA, SOC compliant; launch ten or tens of thousands of containers in seconds in 9 global regions (+7 in 2018)
• Powerful integrations: native AWS integrations for networking, security, CI/CD, monitoring, and tracing
Fargate runs tens of millions of containers for AWS customers every week.
Fargate launch type: Compute
50 different CPU/memory configurations per task to choose from:

| CPU (units)     | Memory                                   |
| --------------- | ---------------------------------------- |
| 256 (.25 vCPU)  | 512 MB, 1 GB, 2 GB                       |
| 512 (.5 vCPU)   | 1 GB, 2 GB, 3 GB, 4 GB                   |
| 1,024 (1 vCPU)  | 2 GB, 3 GB, 4 GB, 5 GB, 6 GB, 7 GB, 8 GB |
| 2,048 (2 vCPU)  | 4 GB–16 GB (in 1 GB increments)          |
| 4,096 (4 vCPU)  | 8 GB–30 GB (in 1 GB increments)          |
Auto Scaling
Amazon ECS cluster autoscaling and capacity providers
Diagram: an ECS cluster with an ECS capacity provider backed by an EC2 Auto Scaling group, whose EC2 instances run the ECS tasks.
• Capacity provider: used to determine the infrastructure needed to run tasks
• Capacity provider strategy: gives you control over how your tasks use one or more capacity providers
• Default capacity provider strategy: determines the capacity provider strategy used if no other capacity provider or launch type is specified
Three types of scaling policies
Diagram: an Amazon CloudWatch alarm triggers Application Auto Scaling, which adjusts the ECS service in the ECS cluster.
• Target tracking: scale based on a target value for a specific metric
• Step scaling: scale based on a set of scaling adjustments, or steps, that vary based on the size of the alarm breach
• Scheduled scaling: scale based on the date and time
Networking
ECS and Fargate networking modes (launch-type columns reconstructed from the slide; only awsvpc is available on Fargate)

| Mode   | EC2 launch type | Fargate launch type |
| ------ | --------------- | ------------------- |
| Bridge | YES             | NO                  |
| Host   | YES             | NO                  |
| awsvpc | YES             | YES                 |
Networking modes: Bridge
Diagram: on an EC2 container instance in the VPC, Container 1 (172.16.32.2:80) and Container 2 (172.16.32.3:80) sit on the Docker bridge network 172.16.32.0/24, while a host process (SSH) listens on host eth0 at 192.168.1.11:22; a single security group applies to the instance.
Networking modes: Host
Diagram: on an EC2 container instance in the VPC, Container 1 (192.168.1.11:80) and the host process (SSH, 192.168.1.11:22) both bind directly to host eth0; a single security group applies to the instance.
Networking modes: awsvpc
Diagram: each task has its own ENI and security group. Left: a task in a public subnet of the VPC reached by a client over the Internet. Right: a task in a private subnet reaching the Internet through a NAT gateway in the public subnet.
Storage
Layer storage - ephemeral
Diagram: Container 1 and Container 2 each have their image layers plus their own writable layer (labelled 10 GB per task).
• Container images are composed of layers; the topmost layer is the writable layer that captures file changes made by the running container
• 20 GB layer storage available per task across all containers, including image layers
• Writes are not visible across containers
• Ephemeral storage is not available after the task stops
EFS storage
Diagram: Container 1 and Container 2 both NFS-mount EFS file system fs-1324abcd at /usr/share/nginx/html.
• Need persistence beyond the task lifecycle?
• Fargate platform version 1.4 supports mounting EFS file systems to containers in your task
• Configure via NFS mounts in the task definition
• Can mount at different container paths
Security
Working together: Security in the Cloud is a Shared Responsibility
https://aws.amazon.com/compliance/shared-responsibility-model/
Security IN the Cloud, managed by customers:
• Customer data
• Platform & application management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption / integrity / identity)
• Optional – opaque data: 0s and 1s (in transit and at rest)
• Customer IAM
Security OF the Cloud, managed by AWS:
• Foundation services: compute, storage, databases, networking
• AWS global infrastructure: regions, availability zones, edge locations
• AWS endpoints, AWS IAM
Shared responsibility model: Amazon ECS for EC2
Managed by AWS: AWS global infrastructure (regions, availability zones, edge locations); foundation services (compute, storage, databases, networking); AWS endpoints; AWS IAM; ECS control plane.
Managed by customer: network configuration (route tables, VPC, security groups, NACLs); container instance (host, ECS agent, configuration, patching, hardening, monitoring); task and container (patching, hardening, monitoring); application; data (network traffic protection, server-side encryption, client-side encryption); customer IAM.
Security: IAM Roles for Tasks
Before: a Dogs container and a Cats container on the same EC2 container instance share the instance's single IAM role, so each container can also reach the other's bucket (undesired permission).
After: each task has its own IAM role, so the Dogs container reaches only the Dogs bucket and the Cats container only the Cats bucket.
Shared responsibility model: Amazon ECS for AWS Fargate
Same layers as the EC2 model, but the container instance (host, ECS agent, configuration, patching, hardening, monitoring) moves to the AWS-managed side alongside the ECS control plane, AWS global infrastructure, foundation services, AWS endpoints and AWS IAM.
Managed by customer: network configuration (route tables, VPC, security groups, NACLs); task and container (patching, hardening, monitoring); application; data (network traffic protection, server-side encryption, client-side encryption); customer IAM.
Security: Benefits of Fargate
We do more, you do less.
• Patching (OS, Docker, ECS agent, etc.)
• Task isolation (via clusters)
• No --privileged mode for containers
• Requires awsvpc network mode, so there is an ENI and SG per task
• ECS Exec required for runtime access (SSH or interactive commands)
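As an added example (not part of the deck), a Python checker for the task definition format shown earlier in this module that flags the properties this slide and the IAM Roles for Tasks slides call out: a valid Fargate CPU/memory pair, awsvpc, a task-scoped IAM role, no privileged containers and logging on every container. The sample task definition is constructed from the slide's nginx example; the finding texts are this example's own.

```python
# Valid Fargate task sizes, CPU units -> allowed memory in MiB, transcribed
# from the CPU/memory table on the "Fargate launch type: Compute" slide.
FARGATE_CPU_MEMORY = {
    256: [512, 1024, 2048],
    512: [1024, 2048, 3072, 4096],
    1024: [2048, 3072, 4096, 5120, 6144, 7168, 8192],
    2048: list(range(4096, 16384 + 1, 1024)),  # 4 GB-16 GB in 1 GB steps
    4096: list(range(8192, 30720 + 1, 1024)),  # 8 GB-30 GB in 1 GB steps
}

# Constructed sample, modelled on the nginx task definition shown earlier in
# this module (account id and role name are placeholders, as on the slide).
SLIDE_TASK_DEF = {
    "family": "example_task_1",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "cpu": "1024",
    "memory": "2048",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "nginx-container", "image": "nginx", "essential": True,
        "portMappings": [{"hostPort": 80, "containerPort": 80, "protocol": "tcp"}],
        "logConfiguration": {"logDriver": "awslogs", "options": {
            "awslogs-group": "ecs-log-streaming", "awslogs-region": "us-west-2",
            "awslogs-stream-prefix": "fargate-task-1"}},
    }],
}


def lint_task_definition(task_def: dict) -> list:
    """Return findings against the Fargate properties this module lists:
    a valid CPU/memory pair, awsvpc network mode, a task-scoped IAM role,
    no privileged containers and a log configuration on every container."""
    findings = []
    cpu, memory = int(task_def.get("cpu", 0)), int(task_def.get("memory", 0))
    if cpu not in FARGATE_CPU_MEMORY:
        findings.append(f"cpu {cpu} is not a valid Fargate task size")
    elif memory not in FARGATE_CPU_MEMORY[cpu]:
        findings.append(f"memory {memory} MiB is not valid for cpu {cpu}")
    if task_def.get("networkMode") != "awsvpc":
        findings.append("networkMode must be awsvpc (one ENI and SG per task)")
    if "FARGATE" not in task_def.get("requiresCompatibilities", []):
        findings.append("requiresCompatibilities must include FARGATE")
    # The execution role is used by ECS itself (pull image, ship logs);
    # without a task role the application code has no scoped identity.
    if not task_def.get("taskRoleArn"):
        findings.append("no taskRoleArn: containers get no task-scoped IAM role")
    for c in task_def.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        if c.get("privileged"):
            findings.append(f"{name}: --privileged is not allowed on Fargate")
        if "logConfiguration" not in c:
            findings.append(f"{name}: no logConfiguration")
        for pm in c.get("portMappings", []):
            if "hostPort" in pm and pm["hostPort"] != pm["containerPort"]:
                findings.append(f"{name}: hostPort must equal containerPort in awsvpc mode")
    return findings
```

The slide's own task definition passes every check except the task role, which is exactly the gap the IAM Roles for Tasks slides illustrate.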
Cost optimisation
Fargate Purchase Options
• Fargate: pay for containers per-second with no long-term commitment; capacity needs can change rapidly
• Compute Savings Plan (new): make a 1 or 3-year commitment and receive a significant discount; baseline compute needs known in advance
• Fargate Spot (new): spare capacity with savings up to 70% off Fargate standard pricing; fault-tolerant, flexible workloads
Compared with the EC2 purchase options:
• On-Demand: pay for compute capacity with no long-term commitments; spiky workloads, to define needs
• Reserved Instances: make a 1 or 3-year commitment and receive a … off On-Demand prices; committed & steady-state usage
• Spot Instances: spare EC2 capacity at … off On-Demand prices; fault-tolerant, flexible, stateless workloads
Amazon Fargate Spot
• Spare compute capacity
• Save up to 70% over standard Fargate
• Can be reclaimed (with two minute warning)
• Automatic diversification
Fargate and Fargate Spot Capacity Provider Mix
Chart: load metric and # replicas over time (plot residue not reproduced).
• Overprovision by 50%: reduce metric target value by 1/3
• Run 2/3 On-Demand, 1/3 on Spot
• No performance gaps
• +50% capacity for +5-10% cost
Questions?