11.12 ECS - Part 2 - What is ECS
What is ECS
ECS - Amazon's managed EC2 container service. Allows you to manage Docker containers on a cluster of EC2 instances.
ECS is a Regional service that you can use in one or more AZs across a new or existing VPC to schedule the placement of containers across your cluster based on your resource needs, isolation policies, and availability requirements.
Amazon ECS eliminates the need for you to operate your own cluster management and configuration management systems, or to worry about scaling your management infrastructure.
ECS can also be used to create a consistent deployment and build experience, manage and scale batch and ETL workloads (Extract, Transform, Load: three database functions; an ETL workload pulls data from one database and converts it into a form that can be loaded into another database), and build sophisticated application architectures on a microservices model (different functions of your application wrapped up in separate Docker containers).
Port mappings allow containers to access ports on the host container instance to send or receive traffic. Port mappings are specified as part of the container definition.
What is ECR
It is Amazon EC2 Container Registry. Amazon EC2 Container Registry (Amazon ECR) is a managed AWS Docker registry service that is secure, scalable, and reliable. Amazon ECR supports private Docker repositories with resource-based permissions using AWS IAM so that specific users or Amazon EC2 instances can access repositories and images. Developers can use the Docker CLI to push, pull, and manage images.
ECS Task Definitions
A Task Definition is required to run Docker containers in Amazon ECS.
Task Definitions are text files in JSON format that describe one or more containers that form your application.
Think of a Task Definition as a CloudFormation Template but for Docker. Configure things such as the amount of CPU, RAM, etc.
Some of the parameters you can specify in a task definition include:
Which Docker images to use with the containers in your task.
How much CPU and memory to use with each container.
Whether containers are linked together in a task.
The Docker networking mode to use for the containers in your task.
What (if any) ports from the container are mapped to the host container instance.
Whether the task should continue to run if the container finishes or fails.
The command the container should run when it is started.
What (if any) environment variables should be passed to the container when it starts.
Any data volumes that should be used with the containers in the task.
What (if any) IAM role your tasks should use for permissions.
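As an added example (not from these notes), the parameters listed above in a constructed task definition, with a small lint that flags the settings a defender checks first and a rewrite that moves plaintext secrets into ECS "secrets" entries. The account id, image, role ARN and the Secrets Manager ARN prefix are placeholders, and the secrets referenced by valueFrom are assumed to exist.

```python
import copy
import re

# Constructed sample (not from the notes); account id, image and ARN are placeholders.
SAMPLE_TASK_DEF = {
    "family": "web-app",
    "networkMode": "bridge",
    "taskRoleArn": "arn:aws:iam::123456789012:role/placeholder-task-role",
    "containerDefinitions": [{
        "name": "web",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.0",
        "cpu": 256,
        "memory": 512,
        "portMappings": [{"containerPort": 8080, "hostPort": 0, "protocol": "tcp"}],
        "environment": [{"name": "LOG_LEVEL", "value": "info"},
                        {"name": "DB_PASSWORD", "value": "hunter2"}],
    }],
}

SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.IGNORECASE)

def lint_task_definition(task_def):
    """Findings for the task definition settings in the notes that matter to a defender."""
    findings = []
    if not task_def.get("taskRoleArn"):
        findings.append("task: no taskRoleArn, containers inherit the instance role")
    for c in task_def.get("containerDefinitions", []):
        name = c.get("name", "?")
        for env in c.get("environment", []):
            if SECRET_NAME.search(env.get("name", "")):
                findings.append(f"{name}: plaintext secret in environment variable {env['name']}")
        for pm in c.get("portMappings", []):
            if pm.get("hostPort"):  # 0 / absent means dynamic host port mapping
                findings.append(f"{name}: static hostPort {pm['hostPort']}, use 0 for dynamic mapping")
    return findings

def move_secrets(task_def, secret_arn_prefix):
    """Rewrite secret-looking environment entries as ECS 'secrets' entries
    (valueFrom ARNs under secret_arn_prefix, which are assumed to exist)."""
    hardened = copy.deepcopy(task_def)
    for c in hardened["containerDefinitions"]:
        keep, moved = [], list(c.get("secrets", []))
        for env in c.get("environment", []):
            if SECRET_NAME.search(env["name"]):
                moved.append({"name": env["name"], "valueFrom": secret_arn_prefix + env["name"]})
            else:
                keep.append(env)
        c["environment"], c["secrets"] = keep, moved
    return hardened
```

Resolving valueFrom ARNs at launch is done by the task execution role, so that role must be allowed to read the referenced secrets.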
ECS Services
An Amazon ECS Service allows you to run and maintain a specified number (the "desired count") of instances of a Task Definition simultaneously in an ECS cluster.
Think of Services like Auto-Scaling groups for ECS.
If a task should fail or stop, the Amazon ECS service scheduler launches another instance of your Task Definition to replace it and maintain the desired count of tasks in the service.
ECS Clusters
An Amazon ECS cluster is a logical grouping of container instances that you can place tasks on. When you first use the Amazon ECS service, a default cluster is created for you, but you can create multiple clusters in an account to keep your resources separate.
Concepts:
Clusters can contain multiple different container instance types.
Clusters are Region-specific.
Container instances can only be part of 1 cluster at a time.
You can create IAM policies for your clusters to allow or restrict users' access to specific clusters.
ECS Scheduling
Service Scheduler:
Ensures that the specified number of tasks is constantly running and reschedules tasks when a task fails (for example, if the underlying container instance fails for some reason).
Can ensure tasks are registered against an ELB.
Custom Scheduler:
You can create your own schedulers that meet your business needs.
Leverage third-party schedulers, such as Blox.
The ECS Schedulers leverage the same cluster state information provided by the ECS API to make appropriate placement decisions.
ECS Container Agent
The Amazon ECS Container Agent allows container instances to connect to your cluster. The ECS Container Agent is included in the Amazon ECS-optimized AMI, but you can also install it on any EC2 instance that supports the Amazon ECS specification. The Amazon ECS Container Agent is only supported on EC2 instances.
When you need to connect your ECS Service to registries hosted on Docker Hub, you will need the ECS Container Agent. The Amazon ECS container agent can authenticate with private registries, including Docker Hub, using basic authentication. When you enable private registry authentication, you can use private Docker images in your task definitions.
Pre-installed on special ECS AMIs.
Linux-based:
Works with Amazon Linux, Ubuntu, RedHat, CentOS, etc.
Will NOT work with Windows.
ECS Security
You can use IAM with ECS to restrict access.
IAM Roles:
EC2 instances use an IAM role to access ECS.
ECS tasks use an IAM role to access services and resources.
Security Groups attach at the instance level (i.e. the host level, not the task or container level).
You can access and configure the OS of the EC2 instances in your ECS cluster.
ECS Limits
Soft Limits:
Clusters per Region: default = 1000.
Instances per Cluster: default = 1000.
Services per Cluster: default = 500.
Hard Limits:
One-to-one mapping between ECS services and ELBs (note: with dynamic host port mapping, an ELB can now be shared among multiple services using path-based routing).
1000 Tasks per Service (the "desired count")
MAX 10 Containers per Task Definition
MAX 10 Tasks per instance (host)