Deep Dive on Amazon Elastic Container Service (ECS) I AWS Dev Day 2018
Slide 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Brent Langston - @brentContained
Developer Advocate, AWS
April 2018 (Dev Days)
Amazon ECS Deep Dive
From zero to production
Slide 2.
About me
Brent Langston
Sr Developer Advocate
Amazon Web Services
• 16 years of dev, SRE, and systems architecture background
• Developer: Python/Ruby/Crystal/Node
• Helped build: Tumblr.com, Spotify.com, HiOscar.com and CloudPassage.com
Twitter: @brentContained
Email: blangs@amazon.com
Slide 3.
What to expect from this talk
• Build and deploy a containerized microservices application
  • Twitter analyzer
  • Go, RPC, Amazon Kinesis Firehose, AWS SSM Parameter Store
• Amazon ECS
  • Deployment
  • Availability
  • Cost optimization
  • Scaling
  • Security
  • Monitoring & logging
Slide 4.
Key Components
[Diagram: Amazon Elastic Container Service (Amazon ECS) running a Development cluster and a Production cluster, each made of container instances; a task definition describes the containers and volume of a task; images come from Amazon Elastic Container Registry (Amazon ECR)]
Slide 5.
Key Components (same diagram as slide 4, with the registry labelled by its earlier name, Amazon EC2 Container Registry)
Slide 6.
Component: ECS
Shared responsibility: AWS is responsible for operations of the cloud; you are responsible for operations in the cloud using the building blocks provided.
Responsibilities shown, split between AWS and Customer: Deployment, Security, Patching, Monitoring, Scaling, Availability, Cost Control
$ aws ecs create-cluster --cluster-name dev
Slide 7.
Component: ECR
Responsibilities shown, split between AWS and Customer: Deployment, Security, Cost Control, Monitoring, Scaling, Availability, Patching
Shared responsibility: AWS is responsible for operations of the cloud; you are responsible for operations in the cloud using the building blocks provided.
Slide 8.
Component: Container Instances
[Diagram: Development cluster made of cluster instances]
Responsibilities shown, split between AWS and Customer: Deployment, Cost Control, Patching, Monitoring, Scaling, Availability, Security
Shared responsibility: AWS is responsible for operations of the cloud; you are responsible for operations in the cloud using the building blocks provided.
Slide 9.
Container Instances: Building Blocks Provided
• Deployment: CloudFormation, CLI, SDKs, etc.
• Security: IAM, Inspector, VPC Flow Logs, etc.
• Patching: update your AMI, replace instances
• Monitoring: CloudWatch
• Scaling and Availability: Auto Scaling group
• Cost Control: Reserved Instances, Spot Fleet
Slide 10.
Component: Tasks & Containers
[Diagram: a task made of two containers and a volume]
Responsibilities shown, split between AWS and Customer: Deployment, Security, Patching, Monitoring, Scaling, Availability, Logging
Shared responsibility: AWS is responsible for operations of the cloud; you are responsible for operations in the cloud using the building blocks provided.
Slide 11.
Deployment
Slide 12.
How Should I Set This Up?
Use the AWS Management Console?
Slide 13.
How Should I Set This Up?
Flex your scripting skills?
What happens if my script fails halfway through?
How long should I pause?
How do I upgrade / roll back?
Slide 14.
Deployments should be:
- A self-contained, deployable unit
- Repeatable
- Auditable
- Self-documenting
Slide 15.
AWS CloudFormation: Infrastructure-as-Code
Slide 16.
Time to deploy!
…or…
Slide 17.
Time to update…
…or…
Slide 18.
When a new environment is required…
…or…
Slide 19.
AWS CLI
ECR
CloudFormation (YAML)
  Resources:
    MyRepository:
      Type: AWS::ECR::Repository
      Properties:
        RepositoryName: myapp   # the ECR resource's property is RepositoryName, not Name
Slide 20.
Using ECR
Use AWS CLI to perform "docker login"
Tip: Use the Amazon ECR Credential Helper for automatic logins
https://github.com/awslabs/amazon-ecr-credential-helper
Slide 21.
AWS CLI
ECS Cluster
CloudFormation (YAML)
  Resources:
    ECSCluster:
      Type: AWS::ECS::Cluster
      Properties:
        ClusterName: preprod
Slide 22.
ECS Container Instances
• Highly available architecture, distributed across multiple Availability Zones
• VPC with public and private subnets
• Application Load Balancer with path based routing for inbound traffic
• NAT gateways for outbound traffic
• Auto Scaling group of container instances
• CloudWatch Logs for centralized container logging
[Diagram: Internet Gateway; two Availability Zones, each with a public subnet (Application Load Balancer, NAT Gateway) and a private subnet (Auto Scaling group of container instances); container logs shipped to CloudWatch Logs]
Slide 23.
Inbound Traffic
• Incoming HTTP/HTTPS traffic comes in via the Application Load Balancer (ALB) in public subnets
• The ALB uses path based routing to route /products/* to the container instances in private subnets running our product's service
• Supports dynamic host port mapping, allowing multiple containers of the same type on each host
[Diagram: Internet Gateway, Application Load Balancer, Auto Scaling group of container instances]
Slide 24.
Outbound Traffic
• Our container instances are in private subnets, with no direct internet access
• At some point, they might need access to external services
• NAT gateways provide a highly scalable and available solution
[Diagram: Internet Gateway; a NAT Gateway in each public subnet; container instances in the private subnets]
Slide 25.
Logging
[Diagram: container instances shipping container logs to CloudWatch Logs]
• ECS integrates directly with CloudWatch Logs (as well as others)
• Centralized collection of container logs
• Centralized collection of instance logs
• Search, filter, and alert on log conditions
• (more to come later…)
Slide 26.
tl;dr - ECS Reference Architecture on GitHub
https://github.com/awslabs/ecs-refarch-cloudformation
Slide 27.
Let's build an application
Slide 28.
Overview
[Diagram: Tweet Collector reads from the Twitter API, using AWS Parameter Store for the Twitter credentials, and sends tweets to the Tweet Archiver, which writes them to Kinesis Firehose; from there they flow to Amazon S3 (archive), AWS Lambda (realtime) and Elasticsearch (analyze)]
Slide 29.
Microservices and RPC at Twitch
• Used for inter-service communication
• Structured RPCs are much easier to design and maintain compared to REST
• Focus on data models, not transports/routing
• Works with protobufs or JSON
• HTTP/1 compatible (unlike gRPC)
• Simplicity
https://blog.twitch.tv/twirp-a-sweet-new-rpc-framework-for-go-5f2febbf35f
Slide 30.
RPC with Twitch Twirp
• Write a spec describing your API (using protobufs)
• Generate a client and server from the specification
• Limited to Go today, but more language support in progress.
Slide 31.
Tweet Collector
• Written in Go
• Uses Twitter API to subscribe to search terms
• Environment variables:
  • SEARCH_TERMS
  • ARCHIVE_ENDPOINT
• IAM role:
  • AWS SSM Parameter Store (for Twitter API credentials)
• Sends tweets to archiving service via client SDK generated by Twitch Twirp.
[Diagram: AWS Parameter Store (for Twitter credentials) feeding the Tweet Collector]
Slide 32.
Tweet Archiver
• Written in Go
• Hosts RPC server that receives tweets
• Sends tweets to Amazon Kinesis via aws-sdk-go
• Environment variables
  • KINESIS_STREAM_NAME
• IAM role
  • Write access to Kinesis stream
• Responds with Kinesis sequence number or error
[Diagram: Tweet Archiver writing to Kinesis Firehose]
Slide 33.
Development Workflow
Local:
• Run locally with docker-compose
• Logs to stdout/stderr
• Local AWS credentials
• Build/push containers
AWS:
• Deploy to ECS with CloudFormation
• Logs in AWS CloudTrail Logs
• IAM Task Role
• Metrics in CloudWatch
Slide 34.
https://github.com/paulmaddox/rpc-demo
Slide 35.
Taking it further
• Sentiment analysis with Amazon Comprehend
• Dashboards with Amazon Quicksight
https://aws.amazon.com/blogs/machine-learning/build-a-social-media-dashboard-using-machine-learning-and-bi-services
Slide 36.
What else do we need for production?
Slide 37.
Cost Optimization
Slide 38.
Reserved Instances
Up to 75% Savings*
• Use Auto Scaling groups
• Reserve ECS container instances when you have known baseline capacity requirements.
• Use On-Demand pricing for capacity peaks.
* Dependent on specific AWS service, size/type, and region
Slide 39.
Spot Instances
Up to 90% Savings*
• Use Spot Fleet to maintain instance availability and define cluster based on required CPU/memory.
* Compared to On-Demand price based on specific EC2 instance type, region, and Availability Zone
Slide 40.
Multiple ECS Clusters
Creating multiple ECS clusters is easy, and often more cost efficient. Consider availability and compute requirements.
Example, Development Cluster: Spot Fleet
Example, Production Cluster: Auto Scaling group with Reserved Instances for baseline and On-Demand for capacity peaks
Example, Batch Processing Cluster: Spot Fleet of GPU Instances
Slide 41.
Scaling
Slide 42.
Scaling ECS Container Instances Automatically
[Diagram: Auto Scaling group with Min, Desired and Max sizes; scale out as needed]
• Use Auto Scaling groups
• Set Auto Scaling group min, max, desired
• Scale in and out based on CloudWatch alarms
Slide 43.
Scaling ECS Container Instances Automatically
Tip: Use the ECS cluster MemoryReservation CloudWatch metric
Tutorial: Scaling Container Instances with CloudWatch Alarms
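The tip above worked through as an added example (my code, not the deck's or the AWS tutorial's): it computes the cluster MemoryReservation metric from a constructed two-instance snapshot, turns assumed 75%/25% alarm thresholds into a new desired count clamped to the Auto Scaling group's min/max, and checks per-instance free memory, because a task has to fit on one instance whatever the cluster-wide percentage says.

```python
# Constructed cluster snapshot (not from the deck): memory each container instance
# registered with ECS (MiB) and the memory reserved by the tasks placed on it.
INSTANCES = [
    {"id": "i-0aaa", "registered_mib": 4096, "tasks_reserved_mib": [1024, 1024, 1024]},
    {"id": "i-0bbb", "registered_mib": 4096, "tasks_reserved_mib": [1024, 1024, 1024]},
]
ASG = {"min": 2, "max": 8, "desired": 2}
SCALE_OUT_PCT, SCALE_IN_PCT = 75.0, 25.0  # assumed CloudWatch alarm thresholds


def memory_reservation(instances):
    """Cluster MemoryReservation as ECS publishes it: reserved / registered * 100."""
    registered = sum(i["registered_mib"] for i in instances)
    reserved = sum(sum(i["tasks_reserved_mib"]) for i in instances)
    return 100.0 * reserved / registered if registered else 0.0


def next_desired(pct, asg, step=1):
    """Scale out above the high alarm, in below the low alarm, never outside [min, max]."""
    desired = asg["desired"]
    if pct >= SCALE_OUT_PCT:
        desired += step
    elif pct <= SCALE_IN_PCT:
        desired -= step
    return max(asg["min"], min(asg["max"], desired))


def can_place(instances, task_mib):
    """A task lands on a single instance, so the largest free slot matters, not the total."""
    return any(i["registered_mib"] - sum(i["tasks_reserved_mib"]) >= task_mib
               for i in instances)


if __name__ == "__main__":
    pct = memory_reservation(INSTANCES)
    print(f"MemoryReservation={pct:.1f}% -> desired={next_desired(pct, ASG)}")
    # 2048 MiB free in total, but only 1024 MiB on any one instance.
    print("can place a 2048 MiB task:", can_place(INSTANCES, 2048))
```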
Slide 44.
Application Auto Scaling for ECS Services
Slide 45.
Application Auto Scaling for ECS Services
Slide 46.
Security
Slide 47.
Patching ECS Container Instances
  # Fragment: other required properties of both resources are omitted on the slide.
  ECSLaunchConfiguration:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: ami-1924770e   # change this to the newly patched ECS-optimized AMI
  ECSAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: 2
      MaxSize: 8
      DesiredCapacity: 2
    UpdatePolicy:             # resource attribute beside Properties, not inside it
      AutoScalingRollingUpdate:
        MinInstancesInService: 2
        MaxBatchSize: 2
        PauseTime: PT15M
        WaitOnResourceSignals: true   # new instances must cfn-signal within PauseTime or the update rolls back
1. Ensure you have an AutoScalingRollingUpdate policy on your Auto Scaling group
2. Update the AMI in your CloudFormation template
3. aws cloudformation update-stack
4. Let CloudFormation perform a rolling update to your ECS container instances
Slide 48.
Patching Containers
Slide 49.
Minimal Containers
• Use the smallest FROM base container to minimize attack surface
• FROM scratch is ideal for Go and other languages that compile a (near) static binary
Slide 50.
IAM Roles
IAM roles for container instances:
• Bound to the ECS container instance
• Applies to all containers running on the host
• Pulling images from ECR
• CloudWatch Logs
IAM roles for tasks:
• Bound to specific ECS tasks
• Task-specific access to AWS services
Tip: Use the principle of least privilege: prefer IAM roles for tasks where applicable
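Least privilege applied to the two services of this deck's demo app, as an added example that is not from the deck or the rpc-demo repository: the region, account, parameter path and stream name are constructed placeholders, the archiver is assumed to write to a Kinesis data stream (matching KINESIS_STREAM_NAME), and audit_policy flags statements that would make a task role as broad as a host-wide instance role.

```python
import json

# Constructed placeholders (not from the deck); replace with your account values.
REGION, ACCOUNT = "us-east-1", "123456789012"
TWITTER_PARAMS = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/rpc-demo/twitter/*"
TWEET_STREAM = f"arn:aws:kinesis:{REGION}:{ACCOUNT}:stream/tweets"


def task_role_policy(sid, actions, resources):
    """One Allow statement limited to the named actions on the named resources."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": sid, "Effect": "Allow",
                           "Action": sorted(actions), "Resource": resources}]}


# Tweet Collector task role: read the Twitter API credentials from Parameter Store only.
# SecureString parameters additionally need kms:Decrypt on the key that encrypts them.
COLLECTOR_POLICY = task_role_policy(
    "ReadTwitterCredentials", ["ssm:GetParameter", "ssm:GetParameters"], [TWITTER_PARAMS])

# Tweet Archiver task role: write records to its own Kinesis stream only.
ARCHIVER_POLICY = task_role_policy(
    "WriteTweetStream", ["kinesis:PutRecord", "kinesis:PutRecords"], [TWEET_STREAM])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings for Allow statements that reach beyond a single task's job."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource")
    return findings


if __name__ == "__main__":
    for name, policy in (("collector", COLLECTOR_POLICY), ("archiver", ARCHIVER_POLICY)):
        print(name, json.dumps(policy, indent=2))
        print("findings:", audit_policy(policy) or "none")
```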
Slide 51.
Monitoring & Logging
Slide 52.
Monitoring with CloudWatch
Slide 53.
Monitoring with CloudWatch
Slide 54.
Prometheus
https://github.com/slok/ecs-exporter
Slide 55.
Centralized Logging with CloudWatch Logs
• Defined within the task definition
• Available log drivers
  • awslogs
  • fluentd
  • gelf
  • journald
  • json-file
  • splunk
  • syslog
Slide 56.
Centralized Logging with CloudWatch Logs
Slide 57.
Tip: Use Metric Filters with CloudWatch Logs
Slide 58.
Everything about everything ECS.
https://github.com/nathanpeck/awesome-ecs
Slide 59.
Thank you!
https://ecsworkshop.com
Twitter: @brentContained
Email: blangs@amazon.com
Editor's Notes
- SIMPLY not JUST
- Mention Tagging
- Mention Change Sets
- Quite a lot of text
- Security is #1 priority
- Mention expiring the logs