Deep Dive into Amazon Fargate

© 2018 Amazon Web Services, Inc. or its Aﬃliates. All rights reserved.
Amazon Container
Services
Coming 2018!

Technical Developer Evangelist
•Linux Engineer
•Containers
•ECS
•Kubernetes
•Serverless
•CI/CD
•Cloudformation / Terraform
•Python scripter
•Vim user
@ric__harvey
@awscloud
@AWS_UKI
https://github.com/richarvey

What are containers and
why use them?
• Standard way of packaging and shipping:
• Conﬁguration
• Data
• Content
• Binarys
???• Portability
• Consistency
• Better isolation
• Better use of compute resource

Running a container locally
is easy

First there was EC2

Then Docker
EC2 Instance
Containers
Customers started containerising workloads within EC2

Managing containers is a
ton of work

Containers made it easy to build and scale
cloud-native applications
Customers needed an easier way to manage large clusters of
instances and containers
Amazon Elastic Container Service
Cluster Management as hosted service

Amazon ECS users
Plus many more!

This is great but….
• Managing a ﬂeet is hard work!
• Patching and upgrading the OS, packages and agents
• Scaling the ﬂeet for optimal use

Cluster management
ECS
Agent
Docker
Agent
OS
EC2 Instance

Customers wanted to run containers without having to manage EC2 instances
ECS
Agent
Docker
Agent
OS
EC2 Instance
ECS
Agent
Docker
Agent
OS
EC2 Instance
ECS
Agent
Docker
Agent
OS
EC2 Instance
Elastic 
Container 
Service

AWS Fargate
MANAGED BY AWS
No EC2 Instances to provision, scale or manage
ELASTIC
Scale up & down seamlessly. Pay only for what you use
INTEGRATED
with the AWS ecosystem: VPC Networking,
Elastic Load Balancing, IAM Permissions, Cloudwatch and more

Early adopters
To name a few…

Running Fargate containers
in ECS

Running Fargate containers
in ECS
Use ECS APIs to launch Fargate Containers
Easy migration – Run Fargate and EC2 launch
type tasks in the same cluster
Same Task Definition schema

Task definition
• Immutable, versioned document
• Identified by family:version
• Contains a list of up to 10 container definitions
• All containers are co-located on the same host
• Each container definition has:
• A name
• Image URL (ECR or Public Images)
• And more…stay tuned!
{
"family": “scorekeep",
"containerDefinitions": [
    {
     "name":“scorekeep-frontend",
     "image":"xxx.dkr.ecr.us-east-1.amazonaws.com/fe"
    },
    {
     "name":“scorekeep-api",
     "image":"xxx.dkr.ecr.us-east-1.amazonaws.com/api"
    }
]
}

Primitives are shared with
ECS
Use the same primitives, and integrations as EC2
launch-type ECS tasks:
• VPC
• IAM
• CloudWatch

Constructs
Define application containers:
Image URL, CPU & Memory requirements, etc.
register: Task definition run: Task
• A running instantiation of  
a task definition
• Use FARGATE launch type
ALB or NLB
create: Service
• Maintain n running copies
• Integrated with ELB
• Unhealthy tasks automatically replaced
create: Cluster
• Infrastructure Isolation Boundary
• IAM Permissions Boundary

Fargate workﬂow

Compute Resources in Fargate

Cpu and memory spec
{
"family": "scorekeep",
"cpu": "1 vCpu",
"memory": "2 gb",
"containerDefinitions": [
{
"image":"xxx.dkr.ecr.us-east-
1.amazonaws.com/fe“,
"cpu": 256,
"memoryReservation": 512
},
{
1.amazonaws.com/api",
"cpu": 768,
}
]
}
Units
• CPU : cpu-units. 1 vCPU = 1024 cpu-units
• Memory : MiB
Task Level Resources:
• Total CPU/Memory across all containers
• Required fields
Container Level Resources:
• Defines sharing of task resources among containers
• Optional fields
Task Level
Resources

Resource Conﬁg with Fargate
Flexible configuration options –
50 CPU/memory configurations
CPU Memory
256 (.25 vCPU) 512MB, 1GB, 2GB
512 (.5 vCPU) 1GB, 2GB, 3GB, 4GB
1024 (1 vCPU) 2GB, 3GB, 4GB, 5GB, 6GB, 7GB, 8GB
2048 (2 vCPU) Between 4GB and 16GB in 1GB increments
4096 (4 vCPU) Between 8GB and 30GB in 1GB increments

Networking

Networking (awsvpc)
• With awsvpc, each task is allocated an ENI
(Elastic Network Interface)
• Containers launched as part of the same task
can use the local loopback interface (remember
that one?), since containers part of the same
task share an ENI
• With the ENI allocation comes a private IP.
Public IPs can also be allocated.
• ENIs are at the task level, though, so how to
containers that are part of diﬀerent tasks
communicate?

VPC integration
172.31.0.0/16
Subnet
172.31.1.0/24
Internet
Other Entities in VPC
EC2 LB DB etc.
Private IP
172.31.1.164
us-east-1a
us-east-1b
us-east-1c
ENI Fargate
TaskPublic /
208.57.73.13 /
Launch your Fargate Tasks into subnets
Beneath the hood :
• We create an Elastic Network Interface (ENI)
• The ENI is allocated a private IP from your subnet
• The ENI is attached to your task
• Your task now has a private IP from your subnet!
You can also assign public IPs to your tasks
Conﬁgure security groups to control inbound & outbound traﬃc

VPC conﬁguration
{
"family": "scorekeep",
"cpu": "1 vCpu",
"memory": "2 gb",
"networkMode": "awsvpc",
"containerDefinitions": [
{
1.amazonaws.com/fe",
"cpu": 256,
},
{
1.amazonaws.com/api",
"cpu": 768,
}
]
}
$ aws ecs run-task ...
-- platform-version LATEST
-- network-configuration
“awsvpcConfiguration = {
subnets=[subnet1-id, subnet2-
id],
securityGroups=[sg-id]
}”
Run Task
Task Definition
Other network
modes not
supported on
Fargate

Internet Access
The Task ENI is used for:
• All network traffic to and from your task
• Image Pull (from ECR or a public repository)
• Log Pushing to CloudWatch (if configured)
Outbound Internet Access is required for Image Pull & Log Pushing (even if the
application itself doesn’t require it)
•
There are two ways to set this up:
• Private task with outbound internet access. Does not allow inbound internet traffic.
• Public task with both inbound and outbound internet access

Local networking

awsvpc pub + priv networks

Load Balancing

More info
https://aws.amazon.com/blogs/
compute/introducing-cloud-native-
networking-for-ecs-containers/
https://aws.amazon.com/blogs/
compute/task-networking-in-aws-
fargate/

Permissions

Types of permissions
Cluster level permissions:
• Control who can launch/describe tasks in your cluster
Application level permissions:
• Allows your application containers to access AWS resources
securely
Housekeeping permissions:
• Allows us to perform housekeeping activities around your task:
• ECR Image Pull
• CloudWatch logs pushing
• ENI creation
• Register/Deregister targets into ELB
Cluster
Permissions
Application
Permissions
Task Housekeeping
Permissions
Cluster
Fargate Task

Isolation at the cluster level
PROD Cluster Infrastructure
DEV Cluster Infrastructure
BETA Cluster Infrastructure
QA Cluster Infrastructure
Web Web
Shopping
Cart
Shopping
Cart
Notifications NotificationsWeb
Shopping
Cart NotificationsWeb
Shopping
Cart
Shopping
Cart
Notifications NotificationsWeb Web
PROD CLUSTER BETA CLUSTER
DEV CLUSTER QA CLUSTER

And more!

Registry support
Amazon Elastic Container Repository (ECR)
Public repositories (docker hub, etc)
3rd party private repository support (comming soon)

FAQ
FAQ: how do I exec into a Fargate container?
Short Answer: you don’t
Longer answer: if it were me, I’d stop the Fargate container
and restart as type EC2 for debugging, then switch back over.
Long term, something we’re looking at building.

CLI Support
• aws-cli: the official OG. Open source, includes most AWS services.
• More info here: https://aws.amazon.com/cli/
• Github here: https://github.com/aws/aws-cli
• ecs-cli: also official, but just for ECS. Supports docker compose files.
• More info here: https://github.com/aws/amazon-ecs-cli
Some good unofficial options:
• Fargate cli: https://github.com/jpignata/fargate
• Coldbrew cli: https://github.com/coldbrewcloud/coldbrew-cli

Resources
https://github.com/nathanpeck/awesome-ecs

One more thing!
Fargate mode for EKS
(available 2018)

Thank you
@ric__harvey

Deep Dive into Amazon Fargate

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Deep Dive into Amazon Fargate

Similar to Deep Dive into Amazon Fargate (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Deep Dive into Amazon Fargate