Amazon Elastic Container Service (ECS)

The Core Components of ECS

ECS is built around four fundamental components that work together to run your containerized applications.

1. Task Definition

A Task Definition is a text file, in JSON format, that serves as the blueprint for your application. It describes one or more containers that form your application, including settings like:

• The Docker image(s) to use.
• The CPU and memory to allocate to each container and the task as a whole.
• The launch type compatibility (EC2, Fargate, or both).
• The networking mode to use.
• The IAM roles for permissions.
• The data volumes for persistent storage.

Task Definitions are versioned, allowing you to track changes and roll back to previous configurations easily.

2. Task

A Task is a running instance of a Task Definition within a cluster. After you create a Task Definition, you can run it as a Task. This is the actual execution of your container(s) as specified in the blueprint.

3. Service

An ECS Service is responsible for maintaining a specified number of simultaneous instances of a Task Definition in your cluster.

• Desired Count: If a task fails or stops for any reason, the ECS Service scheduler launches another instance of your Task Definition to replace it, ensuring the "desired count" is maintained.
• Load Balancing: A Service can be configured to integrate with an Elastic Load Balancer (ALB or NLB) to distribute traffic evenly across the tasks.
• Auto Scaling: You can configure a Service to automatically scale the number of tasks up or down based on demand, using metrics like CPU utilization or request counts.

4. Cluster

A Cluster is a logical grouping of resources where your tasks are run. The resources within a cluster are determined by the launch type you choose.

ECS Launch Types: EC2 vs. Fargate

ECS offers two distinct models for running your tasks, known as launch types.

1. EC2 Launch Type

• Model: You retain control over the underlying infrastructure. A cluster is a group of EC2 instances that you manage.
• Responsibility: You are responsible for provisioning, patching, scaling, and securing the EC2 instances that act as your container hosts.
• Use Case: Best for workloads that require maximum control, specific EC2 instance configurations (e.g., GPU-enabled instances), or have specialized security and compliance needs that necessitate direct management of the host environment.

2. AWS Fargate Launch Type

• Model: A serverless compute engine for containers. You run your containers without managing any underlying EC2 instances.
• Responsibility: AWS handles all the infrastructure management, including provisioning, patching, and scaling the underlying compute. You simply define your application in a Task Definition and specify the resources it needs.
• Use Case: The default choice for most workloads. It is ideal for applications where you want to focus on development rather than infrastructure management. It's perfect for microservices, batch jobs, and general-purpose applications.

IAM Roles for ECS Tasks

ECS uses two critical IAM roles to grant permissions securely.

1. Task Role

• Purpose: Grants permissions to the containers within the task.
• Use Case: If your application code needs to call other AWS APIs (e.g., read an object from an S3 bucket or write to a DynamoDB table), you would grant those permissions to the Task Role. This is the recommended, secure way to provide credentials to your application.

2. Task Execution Role

• Purpose: Grants permissions to the ECS container agent to perform actions on your behalf.
• Use Case: This role is required for the ECS agent to pull container images from Amazon ECR and to publish container logs to Amazon CloudWatch. It is a mandatory role for tasks using the Fargate launch type.

ECS Networking Modes

ECS provides several networking modes for your tasks.

• awsvpc (Recommended): This mode assigns each task its own Elastic Network Interface (ENI) and a primary private IP address from your VPC. This provides the highest level of integration with AWS networking, allowing you to treat tasks as first-class citizens in your VPC. Security Groups can be applied directly to the task's ENI. This is the only mode available for Fargate tasks.
• bridge: Creates a virtual network bridge on the host EC2 instance. Traffic is routed to the containers through port mappings.
• host: Bypasses the Docker network bridge and maps container ports directly to the host EC2 instance's network interface.
• none: The containers have no external network connectivity.

Storage for ECS Tasks

Since containers are ephemeral, you often need a way to manage persistent data.

• Amazon EFS (Elastic File System): Provides a simple, scalable, shared file system that can be mounted by multiple tasks simultaneously. It is the recommended solution for persistent storage for both EC2 and Fargate launch types.
• Amazon EBS (Elastic Block Store): Provides persistent block storage for a single EC2 instance. It can be used with tasks running on the EC2 launch type but cannot be attached directly to Fargate tasks.
• Bind Mounts: Mounts a file or directory from the host EC2 instance into a container. This is only available for the EC2 launch type.

Managing Capacity and Scaling

• Service Auto Scaling: Automatically adjusts the desired count of tasks in your service in response to CloudWatch alarms. You can scale based on metrics like average CPU/memory utilization or the number of requests handled by a load balancer.
• Capacity Providers: Used with the EC2 launch type, Capacity Providers give you more control over how tasks scale on the EC2 instances in your cluster. You can define rules to manage the scaling of the EC2 Auto Scaling group itself in response to the needs of your ECS tasks.