Collision Conference 2018 - AWS Developer Workshops How To: Run Your Containers on AWS with ECS & Fargate, Abby Fuller

1. How to: run your containers on
AWS with ECS and Fargate
Abby Fuller
@abbyfuller

2. Quick show of hands: who here has worked with
containers before?

3. First things first…
What are containers and why are customers using them?

4. What are containers?
A container is an atomic, self-contained package of software that
includes everything it needs to run (code, runtime, libraries,
packages, etc.).
A popular, widely-used container platform is Docker. More on that
here: https://www.docker.com

5. Let’s talk container basics
Docker pull
Docker build
Docker run
Docker tag
Docker push

6. Why are containers so popular?
• Portable
• Lightweight
• Standardized
• Easy to deploy
• Along with containers, comes the “monolith to microservices” story:
containers and microservices go hand in hand (more on that in a second)

7. OK, so what are microservices?
”Service oriented architecture
composed of loosely coupled elements
that have bounded contexts.”
- Adrian Cockroft

8. Why do containers and microservices go
together?
• One job, one service à container
• Can deploy and scale containers independently
• This means that a high traffic service, like a messaging service, might need
to be scaled frequently, but a low traffic service, like an internal
dashboard, doesn’t need to be scaled at the same time

9. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Running one container is easy

10. Managing many containers is hard
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS
Server
Guest OS

11. Enter container orchestration tools

12. What are container orchestration tools?
Framework for managing, scaling, deploying containers.

13. Let’s recap the container options on AWS

14. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
What does the landscape look like all together?
Amazon ECS
(available now)
Amazon EKS
(preview)
Fargate mode for
ECS
(available now)
Fargate mode
for EKS
(available
2018)

15. ECS
Easiest way to deploy and manage
containers
Integration with entire AWS platform
ALB, Auto Scaling, Batch, Elastic Beanstalk,
CloudFormation, CloudTrail, CloudWatch Events,
CloudWatch Logs, CloudWatch Metrics, ECR, EC2 Spot,
IAM, NLB, Parameter Store, and VPC
Scales to support clusters of any size
Service integrations (like ALB and NLB) are at
container level
1
2
3

16. EKS
Managed Kubernetes on AWS
Highly available Automated
version upgrades
Integration with
other AWS
services
Etcd
Master
Managed
Kubernetes
control plane
CloudTrail, CloudWatch,
ELB, IAM, VPC, PrivateLink

17. Fargate
Launch quickly
Scale easily
No infrastructure
Resource based pricing
Containers on demand
Manage everything at
container level

18. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
“When someone asks you for a sandwich,
they aren’t asking you to put them in charge
of a global sandwich logistic chain. They just
want a sandwich”
P.S., the sandwich is Fargate

19. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
AMAZON CONTAINER SERVICES
So you want to run a (managed) container on AWS
Choose your orchestration tool1
Choose your launch type2
ECS EKS
EC2 Fargate EC2 Fargate

20. So how do you know which one is right for you?

21. Fargate vs EC2 mode
• Depends on your workload.
• For Fargate: if you have a Task Definition, and you’re ok with awsvpc
networking mode, try Fargate. Some caveats: can’t exec into the
container, or access the underlying host (this is also a good thing)
• For EC2 mode: good if you need to customize!

22. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
What are the differences between ec2 mode and
Fargate?
• Change in networking mode: "networkMode": "awsvpc”
• Only specify container port, no host port:
• "portMappings":
• [{"containerPort": ”8081"}]
• No links (only local loopback)
• No ELB Classic, only ALB or NLB. ALB needs to use target type IP, not
instance.
• Launch Type: Fargate
• Windows containers only on EC2, not Fargate

23. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
New and important!
• requiresCompatibilities parameter.
• "requiresCompatibilities": ["FARGATE"]
• You can have tasks that have multiple compatibilities:
• "requiresCompatibilities": ["FARGATE”, “EC2”]

24. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Hang on, what’s awsvpc?
• New task level networking type.
• Each Task is assigned an ENI (Elastic Network Interface), and a private IP (and
optionally a public IP, if you’re using Fargate) from your subnet.
• This allows for simplified container networking: containers that are part of the
same task (and thus on the same host) can use the local loopback interface.
Containers not on the same host use the ENI/hostname/IP

25. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Need some more info on working with awsvpc?
https://aws.amazon.com/blogs/compute/task-
networking-in-aws-fargate/
https://aws.amazon.com/blogs/compute/introdu
cing-cloud-native-networking-for-ecs-
containers/

26. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Need help migrating between Fargate and EC2?
https://aws.amazon.com/blogs/compute/migr
ating-your-amazon-ecs-containers-to-aws-
fargate/

27. ECS: can be totally managed, or can customize resource usage, networking, task placement
etc. to fit your application needs. Shared responsibility with AWS (because managed service).
ecs-agent is open source. Easy integration with other AWS services.
EKS: managed, upstream Kubernetes. Can connect to clusters through kubectl and use
existing tooling. Can opt in to managed version upgrades. Add resources to your cluster
through EC2 (now), or with Fargate mode (2018).
Fargate: underlying technology for containers on demand. Pass a Task Definition or
Kubernetes Pod, set resource limits, and Fargate manages everything else. NO access to
underlying host, no managing of resources. Great if you don’t want to handle scaling,
orchestration, deployments, upgrades yourself. Not for those of you that are making changes
to your infrastructure (i.e., bringing custom AMIs, or installing things through EC2 user-data)
tl;dr

28. https://medium.com/containers-on-
aws/choosing-your-container-environment-on-
aws-with-ecs-eks-and-fargate-cfbe416ab1a
Need more info on how to choose?

29. Let’s look at that in practice

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Running ECS containers (aka EC2 mode)

31. How does ECS map to traditional workloads?
Instances: standard EC2 boxes. Once registered to a Cluster, your
Tasks run here
Services: layer that manages and places tasks
Tasks: container wrapper and configuration around processes
running on the instance

32. What does that mean?
• In EC2 mode, you’re responsible for configuring all three of those pieces:
instances, services, and tasks.
• Instances are configured through the ecs-optimized AMI (or your own
AMI), and/or you can configure with EC2 user-data
• Services and Tasks (and containers) are all configured through the ECS
API, which you can either access directly, or go through the CLI. Tasks are
defined through Task Definitions, and Containers are defined through
Container Definitions.

33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OK, so what’s a Task Definition?
{
"family": “scorekeep",
"containerDefinitions": [
{
"name":“scorekeep-frontend",
"image":"xxx.dkr.ecr.us-east-
1.amazonaws.com/fe"
},
{
"name":“scorekeep-api",
"image":"xxx.dkr.ecr.us-east-
1.amazonaws.com/api"
}
]
}
• Immutable, versioned document
• Identified by family:version
• Contains a list of up to 10 container definitions
• All containers are co-located on the same host
• Each container definition has:
• A name
• Image URL (ECR or Public Images)
• And more…stay tuned!
Task Definition Snippet

34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Running Fargate containers

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Running Fargate containers in ECS
Use ECS APIs to launch Fargate Containers
Easy migration – Run Fargate and EC2 launch
type tasks in the same cluster
Same Task Definition schema

36. Primitives are shared with ECS
• Use the same primitives, and integrations as EC2 launch-type ECS tasks:
• VPC
• IAM
• CloudWatch

37. How do I know when to use Fargate vs EC2
mode?
• Depends on your workload.
• For Fargate: if you have a Task Definition, and you’re ok with awsvpc
networking mode, try Fargate. Some caveats: can’t exec into the
container, or access the underlying host (this is also a good thing)
• For EC2 mode: good if you need to customize!

38. Compute resources

39. Resource configuration with ECS
• Choose your own instance type, with any combination of resources
• Controlled through the Service ASG launch configuration, like with any
other EC2 cluster.
• Supports GPUs

40. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Resource configuration with Fargate
Flexible configuration options –
50 CPU/memory configurations
CPU Memory
256 (.25 vCPU) 512MB, 1GB, 2GB
512 (.5 vCPU) 1GB, 2GB, 3GB, 4GB
1024 (1 vCPU) 2GB, 3GB, 4GB, 5GB, 6GB, 7GB, 8GB
2048 (2 vCPU) Between 4GB and 16GB in 1GB increments
4096 (4 vCPU) Between 8GB and 30GB in 1GB increments

41. Let’s talk about networking (baby)

42. Traditional Docker networking
Bridge: docker0. This is the default behavior. Containers on the same
network can communicate via IP address. No automatic service discovery.
Connect containers with ---link
None: no network interface, only local loopback (which I’ll explain shortly)
Host: connect to host network (container maps to host)

43. awsvpc (the longer version)
• With awsvpc, each task is allocated an ENI (Elastic Network Interface)
• Containers launched as part of the same task can use the local loopback
interface (remember that one?), since containers part of the same task
share an ENI
• With the ENI allocation comes a private IP. Public IPs can also be
allocated.

44. VPC integration in Fargate
• Launch your Fargate Tasks into subnets
• Beneath the hood :
• We create an Elastic Network Interface (ENI)
• The ENI is allocated a private IP from your subnet
• The ENI is attached to your task
• Your task now has a private IP from your subnet!
• You can also assign public IPs to your tasks
• Configure security groups to control inbound & outbound traffic

45. Looking for more networking details?
https://aws.amazon.com/blogs/compute/task-
networking-in-aws-fargate/
https://aws.amazon.com/blogs/compute/introducing-
cloud-native-networking-for-ecs-containers/

46. If you don’t know now you know

47. Hybrid clusters are possible
The same cluster can run tasks of type Fargate, and of type EC2
FAQ: how do I exec into a Fargate container?
Short Answer: you don’t
Longer answer: if it were me, I’d stop the Fargate container and restart as
type EC2 for debugging, then switch back over. Long term, something we’re
looking at building.

48. The Fargate wizard doesn’t let me use my own
VPC
The wizard is just for learning Fargate concepts and how it works. You
can absolutely use (and should use) your own VPC.
Wait what?
The wizard/getting started flow in Fargate will create a VPC and subnets for
you. You can both a) edit the resources created through the wizard, or
launch Fargate tasks into a previously created VPC through the regular
console flow/the CLI.

49. I get by with a little help from my
friends (CLIs).

50. CLIs (that I know of) for Fargate/ECS:
• aws-cli: the official OG. Open source, includes most AWS services.
• More info here: https://aws.amazon.com/cli/
• Github here: https://github.com/aws/aws-cli
• ecs-cli: also official, but just for ECS. Supports docker compose files.
• More info here: https://github.com/aws/amazon-ecs-cli
Some good unofficial options:
• Fargate cli: https://github.com/jpignata/fargate
• Coldbrew cli: https://github.com/coldbrewcloud/coldbrew-cli

51. What’s next?

52. We want to hear from all of you!
• More focus on supporting Tasks as compute primitive, more focus on
removing undifferentiated heavy lifting.
• Our roadmap is driven by feedback:

53. How can I get started?
• To join the EKS preview: https://aws.amazon.com/eks/
• To get started with Fargate: https://aws.amazon.com/fargate/
• Blogs: https://aws.amazon.com/blogs/aws/aws-fargate/
• https://aws.amazon.com/blogs/aws/amazon-elastic-container-service-for-kubernetes/
• Liz Rice from Aquasec on Fargate: https://blog.aquasec.com/securing-struts-in-aws-fargate
• Nathan Peck from AWS: https://medium.com/containers-on-aws/choosing-your-container-environment-on-
aws-with-ecs-eks-and-fargate-cfbe416ab1a
• Deepak Singh (containers GM at AWS): https://www.slideshare.net/AmazonWebServices/containers-on-aws-
state-of-the-union-con201-reinvent-2017

54. The awesome-ecs project:
https://github.com/nathanpeck/awesome-ecs

55. Workshops!
• From @brentcontained
• https://t.co/ba0usbZqHN

56. Need a little help?
Community Slack channels:
awsdevelopers.slack.com
amazon-ecs.slack.com
Or reach out to one of us directly:
@abbyfuller or abbyfull@amazon.com
@nathankpeck
@brentcontained
@paulmaddox
@ric_harvey

57. Go build (and tell us about it)!

58. Questions?
@abbyfuller