AWS ECS

AWS ECS (Elastic Container Service)

Amazon Elastic Container Service (ECS) is a fully managed container orchestration service that allows you to run, stop, and manage Docker containers on a cluster of EC2 instances or with serverless computing using Fargate. ECS is tightly integrated with other AWS services, such as IAM, VPC, CloudWatch, and ELB, making it easy to deploy, manage, and scale containerized applications.

Key Concepts of AWS ECS

  1. What is ECS?
    • Amazon ECS is a container orchestration service that simplifies the running of Docker containers at scale.
    • It supports both EC2 launch type (where you manage the underlying instances) and Fargate launch type(serverless, where AWS manages the underlying infrastructure).
  2. Core Components of ECS:
    • Cluster: A logical grouping of EC2 instances (or Fargate resources) that you use to run containerized applications.
    • Task Definition: A blueprint for your application that specifies which Docker containers to run, their configurations (like memory, CPU, ports), and how they should interact.
    • Task: An instance of a task definition that runs on ECS.
    • Service: A service is responsible for running and maintaining a specified number of tasks concurrently in an ECS cluster. It ensures that the desired number of tasks are running and reschedules tasks if they fail.
    • Container Instance: An EC2 instance running the ECS agent, which manages tasks and containers.
    • Fargate: A serverless compute engine for containers that eliminates the need to manage the EC2 instances manually.
    • ECS Scheduler: Responsible for placing tasks on container instances based on resource requirements.
  3. Launch Types in ECS:
    • EC2 Launch Type: You manage the EC2 instances in your ECS cluster. You have full control over the EC instance types, scaling, and security settings.
    • Fargate Launch Type: Serverless; AWS automatically provisions and manages the compute resources for your containers. You only define the compute requirements for each container (CPU, memory).

ECS Task Definitions

  1. What is a Task Definition?
    • Task Definition is a JSON file that describes one or more containers that form your application. It defines:
      • Container images (Docker images).
      • Resources: CPU and memory limits.
      • Port mappings.
      • Environment variables.
      • Volumes and mount points.
      • Networking configurations.
  2. Task Definition Parameters:
    • containerDefinitions: Contains configurations for each container in the task.
    • family: The name of the task definition family.
    • networkMode: Network settings for your containerized tasks (e.g., bridge, host, awsvpc).
    • taskRoleArn: IAM role used by the ECS task for AWS service interactions (e.g., accessing S3, DynamoDB).
  3. Updating Task Definitions:
    • Immutable: Once registered, task definitions are immutable. Each change creates a new revision (e.g., taskDefinition:1taskDefinition:2).
    • Rollbacks: When using services, ECS can automatically roll back to a previous task definition if there’s a failure.

ECS Services and Scaling

  1. What is a Service in ECS?
    • An ECS Service ensures that a specified number of tasks are always running and managed according to the task definition.
    • Auto Scaling: ECS can automatically scale the number of tasks up or down based on custom metrics or the desired count.
    • Deployment: ECS provides rolling updates for services, minimizing downtime when updating containerized applications.
  2. Service Types:
    • Daemon Service: Runs one task on each container instance in the cluster (e.g., monitoring or logging containers).
    • Replica Service: Runs a specific number of tasks across the cluster, such as when running a stateless web application with multiple instances.
  3. Service Discovery:
    • ECS integrates with AWS Cloud Map for service discovery, allowing services to discover each other dynamically without hardcoding IP addresses.

Networking Modes in ECS

  1. Bridge Mode:
    • Default Docker networking mode. Containers in a task share the EC2 instance’s network interface but have their own IP addresses on a private bridge network.
    • Typically used for legacy applications or when fine-grained control over networking is needed.
  2. Host Mode:
    • The container directly uses the EC2 instance’s network interface. The container’s ports are bound to the host machine’s ports.
    • Useful for applications that need to directly access EC2 instance-level networking.
  3. Awsvpc Mode:
    • The container gets its own Elastic Network Interface (ENI), meaning each container gets a unique IP address.
    • This is required when running Fargate tasks or when the application needs to integrate tightly with VPC resources.
    • Ideal for applications requiring advanced networking features like load balancing and security groups.

ECS Security

  1. IAM Roles and Permissions:
    • Task Role: Defines what AWS resources the task (and the containers within it) can access.
    • Execution Role: ECS uses this role to pull Docker images from Amazon ECR, log to CloudWatch, etc.
  2. Security Groups:
    • ECS tasks can be associated with security groups when using the awsvpc network mode (for both Fargate and EC2 tasks). Security groups control inbound and outbound traffic.
  3. Secrets Management:
    • ECS supports AWS Secrets Manager and AWS Systems Manager Parameter Store for securely managing environment variables (e.g., database credentials, API keys) used by containers.
  4. Container-Level Security:
    • ECS uses the Docker runtime for containers, so it benefits from container-level isolation. Additionally, ECS integrates with Amazon Inspector for vulnerability scanning.

ECS Monitoring and Logging

  1. CloudWatch Logs:
    • ECS automatically integrates with CloudWatch Logs for logging container output (stdout/stderr). You can configure log groups and streams for each container.
  2. CloudWatch Metrics:
    • ECS provides several CloudWatch metrics like CPU and memory usage, task success/failure, and deployment metrics.
    • Metrics can be used for setting up Auto Scaling policies.
  3. ECS Events:
    • ECS emits events related to task status, deployment progress, and scaling activities. These events are valuable for debugging and monitoring.

Scaling ECS Tasks

  1. Horizontal Scaling:
    • ECS services can scale horizontally by adding or removing tasks.
    • Scaling is achieved via ECS service auto-scaling policies that adjust the number of tasks based on CloudWatch metrics (e.g., CPU utilization or custom application metrics).
  2. Vertical Scaling:
    • For EC2 launch type, vertical scaling refers to changing the EC2 instance types in the ECS cluster to meet performance needs.
  3. Auto Scaling Policies:
    • ECS supports scaling based on CloudWatch metrics like CPU, memory utilization, or custom metrics.
    • Target Tracking: Automatically adjusts the desired task count to maintain a specific metric (e.g., keep CPU usage at 60%).
    • Step Scaling: Allows you to configure policies for scaling up or down by a fixed amount.

ECS Pricing

  • EC2 Launch Type: You pay for the EC2 instances you provision, along with associated resources like EBS storage, network data transfer, etc.
  • Fargate Launch Type: You pay for the amount of CPU and memory used by the containers and the duration for which they run.
  • ECS Services: There are no additional charges for using ECS; you’re billed for the underlying compute resources (EC2 instances or Fargate).
  • ECR (Elastic Container Registry): Charges for storing Docker images in Amazon ECR.

Common Use Cases for ECS

  1. Microservices:
    • ECS is ideal for running microservices architectures, where each service is a Docker container that can scale independently.
  2. Batch Jobs:
    • Running batch jobs using ECS tasks, which can be scheduled using CloudWatch Events or Lambda.
  3. Web Applications:
    • ECS is great for deploying scalable, stateless web applications by running multiple replicas of your containers behind a load balancer.
  4. Real-time Processing:
    • Running real-time data processing applications (like streaming data) in containers using ECS.
  5. Hybrid Workloads:
    • ECS allows you to run both legacy applications (on EC2) and modern microservices (on Fargate), making it suitable for hybrid cloud workloads.

Common Interview Questions

  1. What is AWS ECS?
    • ECS is a fully managed container orchestration service that allows you to deploy and manage Docker containers at scale on AWS infrastructure.
  2. What are the differences between EC2 and Fargate launch types in ECS?
    • EC2 Launch Type: You manage the EC2 instances yourself and are responsible for provisioning, patching, and scaling.
    • Fargate Launch Type: AWS manages the infrastructure. You specify CPU and memory, and Fargate provisions the compute resources dynamically.
  3. How do you define an ECS Task Definition?
    • A task definition is a blueprint for your containers, specifying what

containers to run, what resources they need, environment variables, volumes, and other configurations.

  1. What is the difference between ECS and EKS?
    • ECS: A managed container orchestration service for Docker containers that runs natively on AWS infrastructure.
    • EKS: A managed Kubernetes service for running containerized applications. EKS allows for Kubernetes orchestration, which is more flexible but also more complex than ECS.
  2. How does ECS handle scaling?
    • ECS can scale tasks horizontally (by increasing or decreasing the number of tasks) and vertically (by changing the EC2 instance types in the cluster). Auto Scaling policies can be set based on CloudWatch metrics.

This cheat sheet should give you a solid foundation for understanding AWS ECS, its components, and key features like task definitions, services, scaling, and security. It also includes best practices and potential interview questions.

Tags: ,

Leave a Reply