Compute - Containers (ECS and EKS)

  • ECS is a container orchestration service
  • Helps you run Docker containers on EC2 machines
  • Tasks
    • An application can have many tasks.
    • A task contains one or more (max 10) containers.
    • Applications are defined using task definitions.
      • You can apply a single IAM role to a task definition.
      • Other task definitions include: Which docker images, CPU/memory, whether containers are linked, networking mode, ports that should be mapped/opened, whether task should continue if container finished or fails, commands to execute when container is started, environment variables to pass, data volumes.
    • A task definitions can have two launch types:
      • EC2 (original): Runs ECS on user-provisioned EC2 instances
        • Requires installation of ECS Container Agent
        • Both for Windows + Linux
        • Included in the Amazon ECS optimized AMI
        • Can also be installed on any EC2 instance that supports the ECS specification
      • Fargate: Runs ECS tasks on AWS provisioned compute (serverless)
    • Scheduling tasks
      • Service scheduler for long-running stateless tasks and applications.
      • Manually running tasks ideal for batch jobs that perform work and stop.
      • Scheduled tasks (cron): run based on cron expression or based on CloudWatch Events rule.
      • Custom schedulers: Your own schedulers or third party e.g. Blox.
  • ECS Clusters
    • Logical grouping of container instances that you can place tasks on.
    • Clusters can contain tasks using BOTH the Fargate and EC2 launch type
    • Each container instance may only be part of one cluster at a time
    • Clusters are Region-specific.
    • For tasks using the EC2 launch type, clusters can contain multiple different container instance types.
  • Made of:
    • EKS - Elastic Kubernetes Service
      • Running ECS on AWS-powered Kubernetes (running on EC2)
      • Pros:
        • Service discovery
        • Big open source ecosystem and good competence
        • Internal networking & network overlay
        • No vendor lock-in
      • Cons: more complexity & costs
    • ECR - Docker Container Registry
      • Hosted by AWS
      • Store, managed and deploy your containers on AWS
      • Fully integrated IAM & ECS
      • Sent over HTTPS (encryption in flight) and encrypted at rest
      • ECS pulls from ECR with IAM role, while CodeBuild pushes images (CI/CD) to ECR.
  • IAM security and roles at the ECS task level
  • Docker
    • Allows application to work the same way anywhere where docker is installed
    • Containers are isolated from each other
    • Control how much memory / CPU is allocated to your container
    • Ability to restrict network rules
    • More efficient than Virtual machines
    • Scale containers up and down very quickly
  • Use cases
    • Run microservices
      • Ability to run multiple docker containers on the same machine
      • Easy service discovery features to enhance communication
      • Direct integration with Application Load Balancers
      • Auto scaling capability
    • Run batch processing / scheduled tasks
      • Schedule ECS containers to run on On-demand / Reserved / Spot instances
    • Migrate applications to the cloud
      • Dockerize legacy applications running on premise
      • Move Docker containers to run on ECS
  • Concepts
    • ECS cluster: Set of EC2 instances
    • ECS service: Applications definitions running on EC2 cluster
  • Security
    • ECS IAM roles: Roles assigned to tasks to interact with AWS.
    • Security groups: Can be associated to container instances.
  • ALB Integration
    • 📝 Application Load Balancer (ALB) has a direct integration feature with ECS called “port mapping”
      • Allows you to run multiple instances of the same application on the same EC2 machine
      • Dynamic port mapping is not available in classic load balancer and allows the same port to be mapped to many.
        • E.g. containers on port 6789, 9586, 3748 can be exposed on port 80 /443 by application balancer.
    • Use cases:
      • Increased resiliency even if running on one EC2 instance
      • Maximize utilization of CPU / cores
      • Ability to perform rolling upgrades without impacting application uptime
  • ECS Setup & Config file
    • Run an EC2 instance, install the ECS agent with ECS config file
      • Or use an ECS-ready Linux AMI (still need to modify config file)
        • Config file is at /etc/ecs/ecs.config

            ECS_CLUSTER=MyCluster #Assign EC2 instance to an ECS cluster
            ECS_ENGINE_AUTH_DATA={..} #to pull images from private registries
            ECS_AVAILABLE_LOGGING_DRIVERS=[..] #CloudWatch container logging
            ECS_ENABLE_TASK_IAM_ROLE=true #Enable IAM roles for ECS tasks
          

Licenses and Attributions


Speak Your Mind