2. About us
Przemek Malak – Cloud Architect, Chmurowisko
Łukasz Dorosz – Head of AWS Architecture / Cloud Architect, Chmurowisko
3. What we do
Cloud Adoption Strategy
Cloud Implementation Guide
Executive Consulting
Cloud Security
Cloud Migration Plan
AI/ML
Big Data
Trainings
4. Agenda – what you can expect
1. Docker
2. ECS
3. DEMO
4. EKS
5. DEMO
6. Q&A (https://sli.do, PIN: #8365)
7. Contest
Have a question? Just ask us in SLI.DO #8365
5. Questions: sli.do #8365
What is Docker?
Docker is an open platform that allows you to build, ship, and run distributed applications, whether on a laptop, data center VMs or the cloud.
Docker packages software into standardised units called containers.
Containers allow you to easily package an application's code, dependencies and configuration into easy-to-use building blocks. They provide environmental consistency, operational efficiency and version control.
Chmurowisko Sp. z o.o. 10.09.2019
7. Advantages of Containerisation
Forget about dependency nightmares
Consistent progression from DEV -> TEST -> QA -> PROD
Isolation – performance or stability issues of App A in container A won't impact App B in container B.
Better resource management.
Extreme code portability
Microservices
8. Docker components
Docker images
Docker container
Layers / union file system
Dockerfile
Docker Engine
Docker Client
Docker registries / Docker Hub
11. Amazon Elastic Container Service
Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS.
With simple API calls, you can launch and stop Docker-enabled applications, query the complete state of your application, and access many familiar features such as IAM roles, security groups, load balancers, Amazon CloudWatch Events, AWS CloudFormation templates, and AWS CloudTrail logs.
12. Features of Amazon ECS
Amazon ECS is a regional service that simplifies running application containers in a highly available manner across multiple Availability Zones within a region. You can create Amazon ECS clusters within a new or existing VPC.
To deploy applications on Amazon ECS, your application components must be architected to run in containers.
A Docker container is a standardized unit of software development, containing everything that your software application needs to run: code, runtime, system tools, system libraries, etc. Containers are created from a read-only template called an image.
Images are typically built from a Dockerfile, a plain text file that specifies all of the components that are included in the container.
These images are then stored in a registry from which they can be downloaded and run on your cluster.
14. Task definition
To prepare your application to run on Amazon ECS, you create a task definition.
The task definition is a text file, in JSON format, that describes one or more containers, up to a maximum of ten, that form your application. Task definitions specify various parameters for your application like:
• Image for containers in your task
• CPU and RAM for each container
• Networking mode
• IAM role for the task
• Environment variables passed into containers
15. Task scheduler
The Amazon ECS task scheduler is responsible for placing tasks within your cluster.
There are several different scheduling options available. For example, you can define a service that runs and maintains a specified number of tasks simultaneously.
16. Scheduled Tasks
• Fixed interval:
  • Minutes
  • Hours
  • Days
• cron expression:
  • cron(0 1 * * ? *) – run daily at 1 AM (UTC)
  • cron(0 19 ? * 2L *) – run at 19:00 (UTC) on the last Monday of the month
  • cron(0/15 * * * ? *) – run every 15 minutes
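As an added example (not part of the deck), a small Python matcher for the AWS cron subset shown above, so a schedule expression can be checked against concrete timestamps before a scheduled task is deployed with it. It assumes the six-field AWS layout (minute hour day-of-month month day-of-week year, with Sunday = 1) and supports `*`, `?`, lists, ranges, `a/b` steps and the `nL` "last weekday of the month" form; everything else is out of scope.

```python
import re
from datetime import datetime, timedelta

# Added example: matcher for the AWS cron subset on this slide. Layout is the six-field AWS form
# "minute hour day-of-month month day-of-week year"; day-of-week is 1=Sunday .. 7=Saturday.
_CRON_RE = re.compile(r"^cron\((.+)\)$")

def _field_matches(spec, value, lo):
    """One field vs. one value: supports '*', '?', 'n', 'a-b', 'a/b' (step from a) and comma lists."""
    for part in spec.split(","):
        if part in ("*", "?"):
            return True
        if "/" in part:
            start, step = part.split("/")
            start = lo if start == "*" else int(start)
            if value >= start and (value - start) % int(step) == 0:
                return True
        elif "-" in part:
            a, b = map(int, part.split("-"))
            if a <= value <= b:
                return True
        elif int(part) == value:
            return True
    return False

def _aws_dow(dt):
    """Python weekday() is Monday=0; AWS numbers Sunday=1 .. Saturday=7 (so Monday=2)."""
    return (dt.weekday() + 1) % 7 + 1

def cron_matches(expr, dt):
    """True if the AWS cron expression fires at minute `dt` (seconds ignored)."""
    minute, hour, dom, month, dow, year = _CRON_RE.match(expr).group(1).split()
    if not (_field_matches(minute, dt.minute, 0) and _field_matches(hour, dt.hour, 0)
            and _field_matches(month, dt.month, 1) and _field_matches(year, dt.year, 1970)):
        return False
    if not _field_matches(dom, dt.day, 1):
        return False
    if dow.endswith("L"):  # 'nL' = last weekday n of the month: right weekday, and +7 days leaves the month
        return _aws_dow(dt) == int(dow[:-1]) and (dt + timedelta(days=7)).month != dt.month
    return _field_matches(dow, _aws_dow(dt), 1)

def next_run(expr, after, max_days=400):
    """First minute strictly after `after` at which the expression fires (None if none within max_days)."""
    dt = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(max_days * 24 * 60):
        if cron_matches(expr, dt):
            return dt
        dt += timedelta(minutes=1)
    return None
```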
17. Task Placement Strategies
An algorithm that spreads tasks across the instances in an ECS cluster, taking into account:
• CPU requirements
• Memory requirements
• Available resources
18. Task Placement Strategies
Available strategies
• Binpack – places tasks on the instances with the least available CPU or memory. Used to minimize the number of instances in use.
• Spread – places tasks evenly based on an attribute of an instance, i.e. AZ
• Random – places tasks on any random instance
[Figure: the same task definition placed with Binpack vs. Spread]
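To make the difference between the two strategies concrete, here is an added Python model of binpack and spread placement (not the ECS scheduler's own code); the instance ids, AZ names and task sizes are constructed sample data. It shows why binpack minimizes instances in use while spread by AZ is what keeps a single AZ outage from taking every task of a service down.

```python
# Added example: a simplified model of the ECS binpack and spread placement strategies described on
# this slide (not the ECS scheduler's own code). Instances and tasks are constructed sample data.

def _fits(instance, task):
    """Only instances with enough free CPU and memory are candidates."""
    return instance["cpu"] >= task["cpu"] and instance["memory"] >= task["memory"]

def binpack(instances, task, resource="memory"):
    """Binpack: choose the candidate with the LEAST remaining `resource`, so running instances fill up
    before a new one is touched (fewer instances in use, but one host failure hits more tasks)."""
    candidates = [i for i in instances if _fits(i, task)]
    return min(candidates, key=lambda i: (i[resource], i["id"])) if candidates else None

def spread(instances, task, attribute="az"):
    """Spread: choose a candidate whose `attribute` value (e.g. AZ) currently hosts the fewest tasks,
    which is what keeps one AZ outage from taking every task of a service down."""
    candidates = [i for i in instances if _fits(i, task)]
    load = {}
    for i in instances:
        load[i[attribute]] = load.get(i[attribute], 0) + len(i["tasks"])
    return min(candidates, key=lambda i: (load[i[attribute]], i["id"])) if candidates else None

def place(instances, tasks, strategy, **kw):
    """Place tasks one by one with `strategy`; returns {task name: instance id or None}."""
    result = {}
    for task in tasks:
        target = strategy(instances, task, **kw)
        if target is not None:
            target["cpu"] -= task["cpu"]
            target["memory"] -= task["memory"]
            target["tasks"].append(task["name"])
        result[task["name"]] = target["id"] if target else None
    return result

def sample_fleet():
    """Constructed cluster: three equal instances, two in AZ a and one in AZ b (CPU units / MiB)."""
    return [{"id": "i-a", "az": "eu-west-1a", "cpu": 1024, "memory": 2048, "tasks": []},
            {"id": "i-b", "az": "eu-west-1b", "cpu": 1024, "memory": 2048, "tasks": []},
            {"id": "i-c", "az": "eu-west-1a", "cpu": 1024, "memory": 2048, "tasks": []}]

def sample_tasks():
    """Constructed task definitions: three small tasks and one that no instance can hold."""
    return [{"name": "t1", "cpu": 256, "memory": 512}, {"name": "t2", "cpu": 256, "memory": 512},
            {"name": "t3", "cpu": 256, "memory": 512}, {"name": "big", "cpu": 4096, "memory": 512}]
```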
19. Clusters
When you run tasks using Amazon ECS, you place them on a cluster, which is a logical grouping of resources.
If you use the Fargate launch type with tasks within your cluster, Amazon ECS manages your cluster resources.
If you use the EC2 launch type, then your clusters will be a group of container instances you manage.
Amazon ECS downloads your container images from a registry that you specify, and runs those images within your cluster.
20. Container Agent
The container agent runs on each infrastructure resource within an Amazon ECS cluster. It sends information about the resource's current running tasks and resource utilization to Amazon ECS, and starts and stops tasks whenever it receives a request from Amazon ECS.
22. Task Lifecycle
[Figure: task state diagram] Start -> PENDING -> (pull container image and start) -> RUNNING -> (run task, or exits with error) -> STOPPED -> End; a task that failed on startup goes from PENDING straight to STOPPED.
23. Service
A service supervises tasks.
It keeps tasks running.
It exposes tasks to the outside world.
It tracks where in the cluster a task is running.
It directs traffic to the correct instance and port.
25. High Availability
[Figure: a VPC with two Availability Zones, each holding a subnet with two ECS hosts, shown in the OK state and during an AZ outage]
26. Service Discovery
[Figure: Amazon Route 53 with Multivalue Answer Routing in the namespace "local"; the name service1server.local resolves to 10.0.0.6 and 10.0.0.8. An ECS cluster spanning two Availability Zones/subnets registers each task's IP/port and runs health checks against it]
27. Path Based Routing
[Figure: three instances running the web, auth and service containers; a load balancer routes /web*, /auth* and /service* to the matching service]
28. Autoscaling
[Figure: an ECS cluster with ECS hosts in two Availability Zones; ECS metrics go to CloudWatch, scale in/out policies fire, and tasks are added or removed]
29. AWS Fargate
AWS Fargate is a technology for Amazon ECS and EKS* that allows you to run containers without having to manage servers or clusters.
*maybe in future
30. Cost Optimization
Right-sizing instances
• Measure utilization in CloudWatch
• Select the cheapest instance that satisfies requirements
• Look at memory, CPU, network and storage
Do not use reserved instances at the beginning. Only after right-sizing.
32. Cost Optimization
Turn off non-production instances
• Dev or test environments
• Automate – AWS Instance Scheduler
Enable autoscaling in production
• Combine on-demand instances with reserved instances
• Scale up and down based on demand
42. What is Kubernetes?
Open source container orchestration system written in Go
Automatic deployment, scaling and management
Developed by Google, based on Borg
Young: released in July 2015
44. What Is Amazon EKS?
Amazon Elastic Container Service for Kubernetes (Amazon EKS) is a managed service that makes it easy for you to run Kubernetes on AWS without needing to stand up or maintain your own Kubernetes control plane.
Amazon EKS runs Kubernetes control plane instances across multiple Availability Zones to ensure high availability.
Amazon EKS automatically detects and replaces unhealthy control plane instances, and it provides automated version upgrades and patching for them.
45–48. Introducing Amazon EKS
[Figure, built up over four slides: three Availability Zones; masters (AWS managed) behind the endpoint democluster.eks.amazonaws.com; workers (customer managed) in each zone; kubectl talks to the cluster endpoint]
49. Introducing Amazon EKS
• Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment.
• Amazon EKS automatically runs K8s with three masters across three AZs to protect against a single point of failure.
• Amazon EKS also automatically detects and replaces unhealthy masters, and it provides automated version upgrades and patching for the masters.
• Amazon EKS is integrated with a number of key AWS features such as Elastic Load Balancing for load distribution, IAM for authentication, Amazon VPC for isolation, AWS PrivateLink for private network access, and AWS CloudTrail for logging.
52. Container Storage Interface
AWS CSI drivers for:
CSI driver for Amazon EBS
CSI driver for Amazon EFS
CSI driver for Amazon FSx
Automatically mounts volumes
Attach storage directly to containers
53. aws-iam-authenticator
It provides IAM-based authentication for a Kubernetes cluster.
Allows users and services access to resources.
Example: connect to the cluster and get a list of deployed pods.
For permission control, Kubernetes RBAC is used.
54. VPC with Kubernetes pods
The CNI plugin is responsible for allocating VPC IP addresses to Kubernetes nodes and configuring the necessary networking for pods on each node.
• Bridge between the K8s world and Amazon VPC
• Thin layer – no performance impact
• Pod IP = ENI secondary IP
• Security Group is attached to the ENI
56. Calico Policy
Project Calico is a network policy engine for Kubernetes.
It implements network segmentation and tenant isolation.
You can assign network policies to pods using pod selectors and labels.
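As an added example (not from the deck or from Calico itself), the Python below models how Kubernetes NetworkPolicy selection by pod selectors and labels decides whether a connection is allowed, which is the logic Calico enforces on EKS. It assumes policies and pods expressed as plain dicts shaped like the manifest fields, models only podSelector/namespaceSelector ingress peers (no ipBlock, no egress), and uses constructed namespace, label and port values.

```python
# Added example: how Kubernetes NetworkPolicy selection (what Calico enforces on EKS) decides whether
# a connection is allowed. Policies and pods are plain dicts shaped like the manifest fields;
# ipBlock peers and Egress rules are not modelled. All names and labels are constructed.

def _selects(selector, labels):
    """A selector matches when every matchLabels entry is present with the same value; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer_matches(peer, src, dst_ns):
    """A `from` peer with only podSelector means 'pods in the same namespace'; with both selectors
    the namespace AND the pod labels must match."""
    if "namespaceSelector" in peer:
        ns_ok = _selects(peer["namespaceSelector"], src["ns_labels"])
    else:
        ns_ok = src["namespace"] == dst_ns
    pod_ok = _selects(peer["podSelector"], src["labels"]) if "podSelector" in peer else True
    return ns_ok and pod_ok

def ingress_allowed(policies, src, dst, port):
    """A pod selected by no Ingress policy accepts everything; once any policy selects it, only the
    union of those policies' ingress rules gets through (an empty rule list denies all ingress)."""
    selecting = [p for p in policies
                 if p["namespace"] == dst["namespace"] and _selects(p["podSelector"], dst["labels"])
                 and "Ingress" in p.get("policyTypes", ["Ingress"])]
    if not selecting:
        return True
    for p in selecting:
        for rule in p.get("ingress", []):
            ports = rule.get("ports")
            if ports and port not in [x["port"] for x in ports]:
                continue
            peers = rule.get("from")
            if not peers or any(_peer_matches(peer, src, dst["namespace"]) for peer in peers):
                return True
    return False

def sample():
    """Constructed scenario: a db pod that should only take port 5432 from the api pod of its own
    namespace, plus a namespace-wide default-deny policy for tenant isolation."""
    db_policy = {"namespace": "shop", "podSelector": {"matchLabels": {"app": "db"}},
                 "policyTypes": ["Ingress"],
                 "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                              "ports": [{"port": 5432}]}]}
    default_deny = {"namespace": "shop", "podSelector": {}, "policyTypes": ["Ingress"], "ingress": []}
    def pod(ns, app):
        return {"namespace": ns, "labels": {"app": app}, "ns_labels": {"team": ns}}
    return db_policy, default_deny, pod
```

Without the default-deny policy, pods that no policy selects (the api pod here) stay open to everything; adding it is what turns the namespace into an isolated tenant.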