AWS EC2 Container Service – ECS
- AWS EC2 Container Service – ECS is a highly scalable, high-performance container management service that supports Docker containers and allows running applications on a managed cluster of EC2 instances.
- ECS
  - is a regional service that simplifies running application containers in a highly available manner across multiple AZs within a region.
  - eliminates the need to install, operate, and scale the cluster management infrastructure.
  - helps schedule the placement of containers across the cluster based on the resource needs and availability requirements.
  - allows the integration of your own custom scheduler or third-party schedulers to meet business or application specific requirements.
  - provides a serverless option with AWS Fargate.
ECS Launch Types
EC2 Launch Type
- EC2 launch type – Configure and deploy EC2 instances in your cluster to run your containers.
- EC2 launch type is suitable for the following workloads:
  - Workloads that require consistently high CPU core and memory usage
  - Large workloads that need to be optimized for price
  - Applications that need to access persistent storage
  - Workloads where you must directly manage the infrastructure
AWS Fargate Launch Type
- AWS Fargate is a technology that provides a serverless pay-as-you-go option with Amazon ECS to run containers without having to manage servers or clusters of Amazon EC2 instances.
- With AWS Fargate, there is no need to provision, configure, or scale clusters of virtual machines to run containers; it also removes the need to choose server types, decide when to scale the clusters, or optimize cluster packing.
- Fargate launch type is suitable for the following workloads:
  - Large workloads that need to be optimized for low overhead
  - Small workloads that have an occasional burst
  - Tiny workloads
  - Batch workloads
ECS Components
Containers and Images
- Applications deployed on ECS must be architected to run in Docker containers. A container is a standardized unit of software that contains everything the application needs to run: code, runtime, system tools, system libraries, etc.
- Containers are created from a read-only template called an image.
- Images are typically built from a Dockerfile and stored in a registry from which they can be downloaded and run on the container instances.
- ECS can be configured to access a private Docker image registry within a VPC or Docker Hub, and is integrated with EC2 Container Registry (ECR).
Clusters
- An ECS cluster is a logical grouping of EC2 container instances to run tasks or services.
- ECS downloads the container images from the specified registry and runs those images on the container instances within your cluster.
Task Definitions
- A task definition is a description of an application that contains one or more Docker containers.
- A task definition is needed to prepare an application to run on ECS.
- A task definition is a text file in JSON format that describes one or more containers that form your application.
- Task definitions specify various parameters for the application, such as the containers to use, their repositories, the ports to be opened, and data volumes.
- The Task Execution Role is used by the ECS agent and container runtime environment to prepare the containers to run, e.g. to pull images from ECR, manage logs, etc. It is not used by the task itself.
- The Task Role grants additional AWS permissions that are assumed by the containers running in the task.
- Network mode specifies the Docker networking mode to use for the containers in the task. The valid values are none, bridge, awsvpc, and host.
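As an added example (not code from the original page, from AWS, or from the ECS agent), the following Python lints a task definition for the settings just described: a network mode from the valid set, Fargate paired with awsvpc, a task role that is present and distinct from the execution role (so the application does not inherit the agent's image-pull and logging permissions), and no privileged containers or writable root filesystems. The task definition, account id, role names and image are constructed placeholders; the field names (`networkMode`, `executionRoleArn`, `taskRoleArn`, `containerDefinitions`, `portMappings`, `privileged`, `readonlyRootFilesystem`) are the real RegisterTaskDefinition input fields.

```python
import copy
import json

VALID_NETWORK_MODES = ("none", "bridge", "awsvpc", "host")

# Constructed sample task definition in the shape of RegisterTaskDefinition
# input. The account id, role names and image are placeholders, not real ones.
SAMPLE_TASK_DEFINITION = {
    "family": "example-web",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "cpu": "256",
    "memory": "512",
    # Execution role: assumed by the ECS agent/runtime to pull the image from
    # ECR and write logs. The application code never assumes it.
    "executionRoleArn": "arn:aws:iam::123456789012:role/exampleEcsTaskExecutionRole",
    # Task role: assumed by the containers; scope it to the AWS APIs the app calls.
    "taskRoleArn": "arn:aws:iam::123456789012:role/exampleWebTaskRole",
    "containerDefinitions": [
        {
            "name": "web",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/example-web:1.0",
            "essential": True,
            "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
            "readonlyRootFilesystem": True,
            "privileged": False,
        }
    ],
}


def lint_task_definition(task_def):
    """Return a list of (check, message) findings; an empty list means all checks pass."""
    findings = []

    mode = task_def.get("networkMode")
    if mode not in VALID_NETWORK_MODES:
        findings.append(("network-mode",
                         f"unknown networkMode {mode!r}; expected one of {VALID_NETWORK_MODES}"))
    # Fargate tasks are only supported with the awsvpc network mode.
    if "FARGATE" in task_def.get("requiresCompatibilities", []) and mode != "awsvpc":
        findings.append(("network-mode", "Fargate tasks must use the awsvpc network mode"))

    exec_role = task_def.get("executionRoleArn")
    task_role = task_def.get("taskRoleArn")
    if not task_role:
        findings.append(("task-role", "no taskRoleArn: the containers get no task-scoped identity"))
    if exec_role and exec_role == task_role:
        findings.append(("task-role",
                         "executionRoleArn and taskRoleArn are the same role; the application "
                         "inherits the agent's image-pull and logging permissions"))

    for container in task_def.get("containerDefinitions", []):
        name = container.get("name", "<unnamed>")
        if container.get("privileged"):
            findings.append(("privileged", f"container {name!r} runs privileged"))
        if not container.get("readonlyRootFilesystem"):
            findings.append(("root-fs", f"container {name!r} has a writable root filesystem"))
    return findings


def lint_json(raw):
    """Lint the JSON text form of a task definition (as stored in a file or repo)."""
    return lint_task_definition(json.loads(raw))


def weakened_sample():
    """Constructed counter-example that trips several checks at once."""
    td = copy.deepcopy(SAMPLE_TASK_DEFINITION)
    td["networkMode"] = "bridge"                      # incompatible with FARGATE
    td["taskRoleArn"] = td["executionRoleArn"]        # roles collapsed into one
    td["containerDefinitions"][0]["privileged"] = True
    return td


if __name__ == "__main__":
    for label, td in (("sample", SAMPLE_TASK_DEFINITION), ("weakened", weakened_sample())):
        print(label, lint_task_definition(td) or "OK")
```

The two-role split is the point worth carrying into a review: the execution role belongs to the agent and only needs ECR and log permissions, while the task role is the identity the application actually runs as, so it is the one to minimise per task definition.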
Tasks and Scheduling
- A task is the instantiation of a task definition on a container instance within the cluster.
- After a task definition is created for the application within ECS, you can specify the number of tasks that will run on the cluster.
- The ECS task scheduler is responsible for placing tasks on container instances, with several different scheduling options available.
Services
- ECS Service helps to run and maintain a specified number of instances of a task definition simultaneously.
- A service can optionally be configured to use Elastic Load Balancing to distribute traffic evenly across the tasks in the service.
- EC2 Launch Type supports ALB, NLB, and Classic Load Balancer.
- Fargate Launch Type supports only ALB and NLB.
- ALBs are recommended as they offer several features:
  - Each service can serve traffic from multiple load balancers and expose multiple load-balanced ports by specifying multiple target groups.
  - ALBs are supported by tasks hosted on both Fargate and EC2 instances.
  - ALBs allow containers to use dynamic host port mapping (so that multiple tasks from the same service are allowed per container instance).
  - ALBs support path-based routing and priority rules (so that multiple services can use the same listener port on a single ALB).
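To show why dynamic host port mapping is what lets several tasks of one service share a container instance, here is an added Python simulation (not code from the page, from ECS, or from the ECS agent). It models bridge-mode placement: a `hostPort` of 0 tells the agent to pick a free ephemeral port on the instance, while a fixed `hostPort` can be bound only once per instance, so a second task with the same mapping cannot be placed there. The instance ids, the ephemeral port range start and the round-robin placement order are constructed assumptions.

```python
# Constructed assumption: the first port the simulated agent hands out for
# hostPort 0. Real agents pick from the host's free ephemeral range.
EPHEMERAL_PORT_START = 32768


class ContainerInstance:
    """One EC2 container instance and the host ports its tasks have bound."""

    def __init__(self, instance_id):
        self.instance_id = instance_id
        self.bound_ports = set()
        self.next_ephemeral = EPHEMERAL_PORT_START

    def bind(self, host_port):
        """Bind a host port for a new container.

        host_port == 0 means dynamic mapping: the agent picks a free ephemeral
        port. A fixed port that is already bound is a collision, so placement
        on this instance fails and None is returned.
        """
        if host_port == 0:
            host_port = self.next_ephemeral
            self.next_ephemeral += 1
        if host_port in self.bound_ports:
            return None
        self.bound_ports.add(host_port)
        return host_port


def place_service(desired_count, host_port, instances):
    """Place desired_count tasks of one service across the instances.

    Returns the (instance_id, host_port) pairs that would be registered as
    targets in the service's ALB target group. Placement stops early when no
    instance can accept another task with this port mapping.
    """
    targets = []
    for i in range(desired_count):
        placed = False
        # Round-robin start, then fall through to any instance with capacity.
        for j in range(len(instances)):
            inst = instances[(i + j) % len(instances)]
            port = inst.bind(host_port)
            if port is not None:
                targets.append((inst.instance_id, port))
                placed = True
                break
        if not placed:
            break
    return targets


def compare(desired_count=4):
    """Run the same service with a static and a dynamic host port mapping."""
    static = place_service(desired_count, 8080,
                           [ContainerInstance("i-1"), ContainerInstance("i-2")])
    dynamic = place_service(desired_count, 0,
                            [ContainerInstance("i-1"), ContainerInstance("i-2")])
    return static, dynamic


if __name__ == "__main__":
    static, dynamic = compare()
    print("static hostPort 8080 :", static)    # only one task per instance fits
    print("dynamic hostPort 0   :", dynamic)   # all four tasks placed
```

Each target an ALB or NLB target group registers is an (instance, port) pair, which is why these load balancers can follow the per-task ports the simulation produces, whereas a Classic Load Balancer forwards each listener to a single fixed instance port. In awsvpc network mode each task gets its own elastic network interface and private IP address, so the host port sharing question does not arise there.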
Container Agent
- The container agent runs on each instance within an ECS cluster.
- The container agent sends information about the instance's current running tasks and resource utilization to ECS, and starts and stops tasks whenever it receives a request from ECS.
ECS vs Elastic Beanstalk
- ECS gives more fine-grained control for custom application architectures.
- Elastic Beanstalk is ideal when you want to leverage the benefits of containers but just want the simplicity of deploying applications from development to production by uploading a container image.
- Elastic Beanstalk is more of an application management platform that helps customers easily deploy and scale web applications and services.
- With Elastic Beanstalk, you specify the container images to be deployed, along with the CPU & memory requirements, port mappings, and container links.
- Elastic Beanstalk abstracts the finer details and automatically handles provisioning an ECS cluster, balancing load, auto-scaling, monitoring, and placing the containers across the cluster.
ECS vs Lambda
- EC2 Container Service is a highly scalable Docker container management service that allows running and managing distributed applications in Docker containers.
- AWS Lambda is an event-driven compute service that runs code (Lambda functions) in response to "events" from event sources like SES, SNS, DynamoDB & Kinesis Streams, CloudWatch, etc.
AWS Certification Exam Practice Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
- AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
- Open to further feedback, discussion and correction.
- You need a solution to distribute traffic evenly across all of the containers for a task running on Amazon ECS. Your task definitions define dynamic host port mapping for your containers. What AWS feature provides this functionality?
  - Application Load Balancers support dynamic host port mapping.
  - CloudFront custom origins support dynamic host port mapping.
  - All Elastic Load Balancing instances support dynamic host port mapping.
  - Classic Load Balancers support dynamic host port mapping.
- Your security team requires each Amazon ECS task to have an IAM policy that limits the task's privileges to only those required for its use of AWS services. How can you achieve this?
  - Use IAM roles for Amazon ECS tasks to associate a specific IAM role with each ECS task definition
  - Use IAM roles on the Amazon ECS container instances to associate an IAM role with each ECS task on that instance
  - Connect to each running Amazon ECS container instance and add discrete credentials
  - Reboot each Amazon ECS task programmatically to generate new instance metadata for each task