Post

AWS - Amazon ECS


AWS - Amazon ECS Elastic container service

Screen Shot 2020-05-06 at 20.40.15

Screen Shot 2020-05-06 at 20.40.36

Screen Shot 2020-12-29 at 22.46.12


basic

  • Use API calls to run container-enabled applications

Benefits

  1. orchestration the execution of Docker Containers
    • highly scalable, high-performance container orchestration service
    • supports Docker and win containers.
    • no additional charge for ECS.
    • pay for AWS resources (e.g. EC2 instances or EBS volumes) you create to store and run your application.
  2. remove the complexity of standing up the infrastructure
    • Using API calls
      • to launch and stop container-enabled applications,
      • query the complete state of clusters,
      • access many familiar features like security groups, LB, EBS volumes and IAM roles.
    • can use any AMI that meets the Amazon ECS AMI specification.

    • highly scalable
      • only need to scale out the service need to
      • instead of the entire application
    • Fault Tolerant
      • single error in one container will not bring down the entire application
    • easy maintain
      • easier to maintain, update nad change than large monolithic applications.
  3. Maintains and scales the fleet of nodes

    that run your Containers

    • easily run applications on a managed cluster of EC2 instances.
      • eliminates the install, operate, and scale of own cluster management infrastructure
      • more fine-grained control for customer application architectures.
    • use Elastic Beanstalk
      • to handle the provisioning of an Amazon ECS cluster, balancing load, auto-scaling, monitoring, and placing your containers across your cluster.
    • schedule the placement of containers across clusters based on resource needs and availability requirements.

    • can associate a service on ECS to an Application Load Balancer (ALB) for the Elastic Load Balancing (ELB) service.
      • The ALB supports a target group that contains a set of instance ports.
      • can specify a dynamic port in the ECS task definition, gives the container an unused port when it is scheduled on the EC2 instance.
  • ECS provides Blox
    • a collection of open source projects for container management and orchestration.
    • Blox makes it easy to consume events from ECS, store the cluster state locally and query the local data store through APIs.

ECS VS EKS

  • the Elastic Container Service for Kubernetes (Amazon EKS)
    • to deploy, manage, and scale containerized applications using Kubernetes on AWS.

Pasted Graphic


ECS LAUNCH TYPES

Screen Shot 2020-12-29 at 22.56.38

determines the type of infrastructure on which your tasks and services are hosted.

do you want to manage the ecs cluster that run the container

  • clusters of virtual Machines
  • no: Serverless Fargate Launch Type
  • yes: EC2 Launch Type

pic


Fargate Launch Type

  • a serverless infrastructure managed by AWS.
  • run containerized applications without the provision and manage the backend infrastructure
  • Just register task definition, Fargate launches the container for you.
  • Container Registry
    • Elastic Container Registry (ECR) or Docker Hub
  • pic

EC2 Launch Type

  • run containerized applications on EC2 instances you manage.
  • if you want to control the installation, configurationa nd managemnet of your compute environment
  • Container Registry
    • Elastic Container Registry (ECR) or Docker Hub
    • Self-hosted Private repositories

      , only supported by the EC2 Launch Type.

  • pic

Amazon-ECS-EC2-vs-Fargate-1024x583


ECS Clusters

  • a logical grouping of container instances to place tasks on.
  • A default cluster is created but you can then create multiple clusters to separate resources.
  • ECS allows the definition of a specified number (desired count) of tasks to run in the cluster.

  • Clusters can contain tasks using the Fargate and EC2 launch type.

  • For clusters with the EC2 launch type
    • clusters can contain different container instance types.
  • Each container instance may only be part of one cluster at a time.
  • “Services” provide auto-scaling functions for ECS.
  • Clusters are region specific.
  • create IAM policies for clusters to allow or restrict users’ access to specific clusters.

IMAGES

  • Containers are created from a read-only template called an image which has the instructions for creating a Docker container.
  • Images are built from a Dockerfile.
    • Only Docker containers are currently supported.
  • An image contains the instructions for creating a Docker container.
  • Images are stored in a registry such as
    • DockerHub
    • AWS Elastic Container Registry (ECR).
    • private Docker repositories
      • ECR supports private Docker repositories with resource-based permissions using AWS IAM in order to access repositories and images.
  • Developers can use the Docker CLI to push, pull and manage images.

Amazon Elastic Container Registry (Amazon ECR)

Pasted Graphic 11

  • a fully managed AWS Docker container registry
  • secure, scalable and reliable.
    • easy for developers to store, manage, and deploy Docker container images.
    • eliminates the need to operate your own container repositories or scaling the underlying infrastructure.
  • store, run, manage, retrieve and deploy container images

    for applications that run on Amazon ECS.

    • integrated with Amazon ECS
    • no additional charge for Amazon ECS.
    • no upfront fees or commitments.
    • pay for AWS resources (e.g. EC2 instances or EBS volumes) you create to store and run your application.
    • pay only for the amount of data stored in your repositories and data transferred to the Internet.
  • Specify the Amazon ECR repository in task definition, and Amazon ECS will retrieve the appropriate images for your applications.
  • Amazon ECR supports Docker Registry HTTP API version2
    • which enables you to interact with Amazon ECR by using Docker CLI commands or your preferred Docker tools.
  • you can maintain your existing development workflow and access Amazon ECR from any Docker environment—whether it is in the cloud, onpremises, or on your local machine.
  • You can transfer your container images to and from Amazon ECS via HTTPS.
  • Your images are automatically encrypted at rest using Amazon S3 server-side encryption.

TASKS

  • A task is a single running copy of any containers defined by a task definition

  • A task definition is required to run Docker containers in Amazon ECS.
    • a JSON file
    • Task definitions use Docker images to launch containers.
    • specify the number of tasks to run (i.e. the number of containers), up to a maximum of 10.
  • Some of the parameters can specify in a task definition include:
    • Which Docker images to use with the containers in your task.
    • How much CPU and memory to use with each container.
    • Whether containers are linked together in a task.
    • The Docker networking mode to use for the containers in your task.
    • What (if any) ports from the container are mapped to the host container instances.
    • Whether the task should continue if the container finished or fails.
    • The commands the container should run when it is started.
    • Environment variables that should be passed to the container when it starts.
    • Data volumes that should be used with the containers in the task.
    • IAM role the task should use for permissions.
  • You can use Amazon ECS Run task to run one or more tasks once.


SERVICE SCHEDULER

  • schedule ECS using Service Scheduler and Custom Scheduler.
  • Ensures that the specified number of tasks are constantly running and reschedules tasks when a task fails.
  • Can ensure tasks are registered against an ELB.

CUSTOM SCHEDULER

  • create your own schedulers to meet business needs.
  • Leverage third party schedulers such as Blox.
  • The Amazon ECS schedulers leverage the same cluster state information provided by the Amazon ECS API to make appropriate placement decisions.

ECS CONTAINER AGENT

  • The ECS container agent allows container instances to connect to the cluster.
  • The container agent runs on each infrastructure resource on an ECS cluster.
  • The ECS container agent is included in the Amazon ECS optimized AMI and can also be installed on any EC2 instance that supports the ECS specification (only supported on EC2 instances).
  • Linux and Windows based.
  • For non-AWS Linux instances to be used on AWS you must manually install the ECS container agent.

ECS AUTO SCALING

Service Auto Scaling

  • ECS service can optionally be configured to use Service Auto Scaling
    • to adjust the desired task count up or down automatically.
  • Service Auto Scaling leverages the Application Auto Scaling service to provide this functionality.
    • supports the following types of scaling policies:
    • Target Tracking Scaling Policies
      • Increase or decrease the number of tasks that service runs based on a target value for a specific CloudWatch metric
      • similar to the way that your thermostat maintains the temperature of your home.
      • You select temperature and the thermostat does the rest.
    • Step Scaling Policies
      • Increase or decrease the number of tasks that your service runs in response to CloudWatch alarms.
      • Step scaling is based on a set of scaling adjustments, known as step adjustments, which vary based on the size of the alarm breach.

Cluster Auto Scaling

  • new feature released in December 2019.
  • Uses a new ECS resource type called a Capacity Provider.
  • A Capacity Provider can be associated with an EC2 Auto Scaling Group (ASG).
  • When you associate an ECS Capacity Provider with an ASG and add the Capacity Provider to an ECS cluster, the cluster can now scale your ASG automatically by using two new features of ECS:
    • Managed scaling, with an automatically-created scaling policy on your ASG, and a new scaling metric (Capacity Provider Reservation) that the scaling policy uses; and
    • Managed instance termination protection, which enables container-aware termination of instances in the ASG when scale-in happens.
  • Prefer to learn by doing? Watch the AWS Hands-On Labs video tutorial below to learn how to create an Amazon ECS cluster and a task running WordPress. We’ll show you how to do this using a combination of the AWS ECS CLI and the console.

Security/SLA

  • EC2 instances use an IAM role to access ECS.
  • IAM can be used to control access at the container level using IAM roles.
  • The container agent makes calls to the ECS API on your behalf through the applied IAM roles and policies.
  • You need to apply IAM roles to container instances before they are launched (EC2 launch type).
  • AWS recommend limiting the permissions that are assigned to the container instance’s IAM roles.
  • Assign extra permissions to tasks through separate IAM roles (IAM Roles for Tasks).
  • ECS tasks use an IAM role to access services and resources.
  • Security groups attach at the instance or container level.
  • You have root level access to the operating system of the EC2 instances.
  • The Compute SLA guarantees a Monthly Uptime Percentage of at least 99.99% for Amazon ECS.

LIMITS

Soft limits (default):

  • Clusters per region = 1000.
  • Instances per cluster = 1000.
  • Services per cluster = 500.

Hard limits:

  • One load balancer per service.
  • 1000 tasks per service (the “desired” count).
  • Max 10 containers per task definition.
  • Max 10 tasks per instance (host).

PRICING

EC2 Launch Type:

  • No additional charge
  • pay for the EC2 resources you launch including instances, EBS volumes and load balancers

Fargate:

  • You pay for the vCPU and memory allocated to the containers you run.

Screen Shot 2020-12-29 at 23.00.49

.

This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.