Designing Compute Solutions in AWS – ECS, ECR, EKS

Elastic Container Service (ECS)

This service allows you to run Docker-enabled applications packaged as containers across a cluster of EC2 instances without requiring you to operate a complex and administratively heavy cluster management system. ECS takes on that burden by passing the responsibility over to AWS, specifically through AWS Fargate. AWS Fargate is the engine that lets ECS run containers without you having to provision and manage instances and clusters for them. With ECS, there is no need to install any management or monitoring software on your cluster.

An ECS cluster consists of a collection of EC2 instances. Features such as Security Groups, Elastic Load Balancing and Auto Scaling can be used with these instances, which still operate in much the same way as a single EC2 instance. Here are the key features of AWS ECS:

  • Clusters act as a resource pool, aggregating resources such as CPU and memory.
  • Clusters are dynamically scalable and multiple instances can be used.
  • Clusters can only scale in a single region. Amazon ECS automatically scales your containers using Amazon EC2 Auto Scaling to scale your EC2 instances and Docker container workloads.
  • Containers can be scheduled to be deployed across your cluster.
  • Instances within the cluster also have a Docker daemon and an ECS agent.

You can launch an ECS cluster using either the Fargate or the EC2 launch type. With the Fargate launch type, you package your application into containers, specify the CPU and memory it requires, and define its networking and IAM policies; AWS runs the underlying infrastructure. With the EC2 launch type, you are responsible for patching and scaling your instances, and you choose the instance type and how many containers run in the cluster. Self-managed ECS deployments on an organization’s own on-premises hardware are referred to as the external launch type.

AWS Fargate with ECS can also be used to run containers without having to manage (provision, configure, or scale) clusters of EC2 instances. Applications launched with Fargate are packaged as containers, with CPU and memory defined at the task level along with the networking and security policies that apply to the task.

Each ECS task definition must define the following criteria:

  • The container image to be pulled from the private registry to create the containerized application.
  • Container definitions, each of which includes the container image, the command to run when the container starts, the CPU and memory requirements, and other settings.
  • The launch type to use for your task: AWS Fargate, EC2, or ECS Anywhere deployments on-premises.
  • The task execution role, which is the IAM role the ECS container agent assumes to act on your behalf.
  • Links that need to be established between containers.
  • Volumes, which can be used to store data that is persisted across container restarts or to share data between containers.
  • Network and port settings. ECS supports several networking modes, including bridge mode, host mode, and awsvpc mode.
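Because the task definition is where the launch type, IAM roles, networking mode and per-container settings from the list above all come together, it is a natural place to check a service's security posture before it is registered. The following audit script is an added example, not AWS code or code from the cited resources: the two task definitions are constructed, and 123456789012 is a placeholder account id. The weak definition is how a first attempt often looks; the hardened one moves the database password from a plaintext environment variable to a `secrets` entry that the execution role resolves at launch.

```python
"""Audit an ECS task definition for common security weaknesses (added example, not AWS
code; the task definitions below are constructed and 123456789012 is a placeholder)."""
import re

SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)

def audit_task_definition(td: dict) -> list[str]:
    """Return findings for a RegisterTaskDefinition-style dict; empty means it passed."""
    findings = []
    if "FARGATE" in td.get("requiresCompatibilities", []) and td.get("networkMode") != "awsvpc":
        findings.append("Fargate tasks require networkMode awsvpc (own ENI and security group)")
    if not td.get("executionRoleArn"):
        findings.append("no executionRoleArn: agent cannot pull from a private ECR repository")
    if not td.get("taskRoleArn"):
        findings.append("no taskRoleArn: containers have no scoped IAM identity")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        if c.get("privileged"):
            findings.append(f"{name}: privileged container (host-level access)")
        if not c.get("readonlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image referenced by mutable tag, not digest")
        for env in c.get("environment", []):
            if SECRET_NAME.search(env.get("name", "")):
                findings.append(f"{name}: secret-looking value in plaintext environment {env['name']}")
    return findings

WEAK_TASK_DEF = {  # constructed: what a first attempt often looks like
    "family": "web", "requiresCompatibilities": ["FARGATE"], "networkMode": "bridge",
    "containerDefinitions": [{
        "name": "app", "privileged": True,
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:latest",
        "environment": [{"name": "DB_PASSWORD", "value": "hunter2"}],
    }],
}

HARDENED_TASK_DEF = {  # constructed: the same service with every finding addressed
    "family": "web", "requiresCompatibilities": ["FARGATE"], "networkMode": "awsvpc",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "taskRoleArn": "arn:aws:iam::123456789012:role/webTaskRole",
    "containerDefinitions": [{
        "name": "app", "readonlyRootFilesystem": True,
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web@sha256:" + "0" * 64,
        "secrets": [{"name": "DB_PASSWORD",
                     "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:web/db"}],
    }],
}
```

Running `audit_task_definition(WEAK_TASK_DEF)` yields seven findings, while the hardened definition yields none.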

Elastic Container Registry (ECR)

ECR provides a secure location to store and manage your Docker images. It is a fully managed service, so you don’t need to provision any infrastructure to create this registry of Docker images. It allows developers to push, pull and manage their library of Docker images in a central and secure location.

The ECR registry allows you to host and store your Docker images and create image repositories.

Your account has both read and write access by default to any images you create within the registry and to any of its repositories. Access to your registry and images can be controlled via IAM policies in addition to repository policies. Before your Docker client can access the registry, it must authenticate as an AWS identity using an authorization token.
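The IAM side of that access control has one quirk worth seeing in code: the authorization-token action is registry-wide and only accepts `Resource "*"`, while the actions that actually fetch manifests and layers can be scoped to individual repository ARNs. The script below is an added example, not AWS code or code from the cited resources: it builds a pull-only policy for a principal such as a task execution role and audits arbitrary ECR policies for write grants or unscoped repository actions. The account id, region and repository names are constructed.

```python
"""Least-privilege ECR access for an image-pulling principal (added example, not AWS
code; the account id, region and repository names are constructed)."""
import fnmatch

# Actions a pull-only principal needs. GetAuthorizationToken is registry-wide and only
# accepts Resource "*"; the manifest/layer actions can be scoped to repository ARNs.
PULL_ACTIONS = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]
WRITE_ACTIONS = ["ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                 "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:DeleteRepository",
                 "ecr:SetRepositoryPolicy"]

def pull_only_policy(account: str, region: str, repos: list[str]) -> dict:
    """IAM policy that can authenticate to the registry and pull only from the listed repositories."""
    repo_arns = [f"arn:aws:ecr:{region}:{account}:repository/{r}" for r in repos]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Effect": "Allow", "Action": PULL_ACTIONS, "Resource": repo_arns},
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_ecr_policy(policy: dict) -> list[str]:
    """Flag Allow statements that grant write actions or leave repository actions unscoped."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        # IAM action wildcards such as ecr:* or ecr:Put* are expanded with glob matching
        writes = [w for w in WRITE_ACTIONS if any(fnmatch.fnmatchcase(w, a) for a in actions)]
        if writes:
            findings.append(f"statement {i}: grants write actions {writes}")
        scoped = [a for a in actions if a != "ecr:GetAuthorizationToken"]
        if scoped and "*" in resources:
            findings.append(f"statement {i}: repository-level actions {scoped} on Resource '*'")
    return findings
```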

Elastic Kubernetes Service (EKS)

AWS provides a managed service that allows you to run Kubernetes across your AWS infrastructure without having to provision and run the Kubernetes management infrastructure, referred to as the control plane. In EKS, AWS is responsible for provisioning, scaling and managing the control plane, and it runs the control plane across multiple Availability Zones for additional resilience. Amazon EKS is integrated with AWS services such as Amazon CloudWatch, EC2 Auto Scaling groups, IAM, and ELB Application Load Balancers:

  • EKS control plane audit and diagnostic logs can be sent directly to Amazon CloudWatch Logs.
  • The Kubernetes Cluster Autoscaler works with EC2 Auto Scaling groups and launch templates to scale worker nodes.
  • The AWS Load Balancer Controller manages AWS ELB load balancers for each Kubernetes cluster.
  • IAM entities are mapped to Kubernetes role-based access control (RBAC). Access to an EKS cluster using IAM entities is enabled by the AWS IAM Authenticator for Kubernetes, which authenticates IAM identities to the Kubernetes cluster.

Resources:
CloudAcademy – Designing Compute solutions in AWS
Mark Wilkins – AWS Certified Solutions Architect – Associate (SAA-C03) Cert Guide (Certification Guide)
Jon Bonso – AWS Certified Solutions Architect Associate SAA-C03 – Tutorials Dojo