Deep dive into AWS fargate

Deep Dive: AWS Fargate
Abby Fuller
@abbyfuller

AWS Fargate
No cluster or
infrastructure to
manage or scale
Everything is
handled at the
container level
Scale
seamlessly on
demand
Underlying technology for
container management

What does Fargate mean?
No worrying about scaling, service mesh, underlying
infrastructure, cluster resources, capacity, setup.
Just give it a task definition or pod (in 2018), set some resource
limits, and away you go.

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Running a container locally is easy

EC2 Instance
TaskTask
Task Task
EC2 Instance
TaskTask
Task Task
EC2 Instance
TaskTask
Task Task
EC2 Instance
TaskTask
Task Task
EC2 Instance
TaskTask
Task Task
Running a few containers is OK

Managing production infrastructure is a
ton of work

Scheduling and Orchestration
Cluster Manager Placement Engine
Using ECS made it easier
Availability Zone #1 Availability Zone #2 Availability Zone #3

ECS
AMI
Docker
agent
ECS
agent
ECSTaskECSTask
ECSTaskECSTask
EC2 Instance
But it’s not totally hands-off

Scheduling and Orchestration
Cluster Manager Placement Engine

Fargate enables you to focus on your
application- hands off!

Let’s look at that in practice

Running Fargate containers in ECS

Running Fargate containers in ECS
Use ECS APIs to launch Fargate Containers
Easy migration – Run Fargate and EC2 launch
type tasks in the same cluster
Same Task Definition schema

• Define application containers:
Image URL, CPU & Memory
requirements, etc.
register
Task Definition
create
Cluster
• Infrastructure Isolation boundary
• IAM Permissions boundary
run
Task
• A running instantiation of a
task definition
• Use FARGATE launch type
create
Service
Elastic Load
Balancer
• Maintain n healthy copies
• Integrated with ELB
• Unhealthy tasks automatically
replaced
Constructs

Task Definition
{
"family": “scorekeep",
"containerDefinitions": [
{
"name":“scorekeep-frontend",
"image":"xxx.dkr.ecr.us-east-1.amazonaws.com/fe"
},
{
"name":“scorekeep-api",
"image":"xxx.dkr.ecr.us-east-
1.amazonaws.com/api"
}
]
}
• Immutable, versioned document
• Identified by family:version
• Contains a list of up to 10 container definitions
• All containers are co-located on the same host
• Each container definition has:
• A name
• Image URL (ECR or Public Images)
• And more…stay tuned!
Task Definition Snippet

Registry support
3rd Party Private Repositories (coming soon!)
Public Repositories supported
Amazon Elastic Container Registry (ECR)

Cluster-level isolation
PROD Cluster Infrastructure
DEV Cluster Infrastructure
BETA Cluster Infrastructure
QA Cluster Infrastructure
Web Web
Shopping
Cart
Shopping
Cart
Notifications NotificationsWeb
Shopping
Cart NotificationsWeb
Shopping
Cart
Shopping
Cart
Notifications NotificationsWeb Web
PROD CLUSTER BETA CLUSTER
DEV CLUSTER QA CLUSTER

CPU and memory specification
{
"family": "scorekeep",
"cpu": "1 vCpu",
"memory": "2 gb",
{
"image":"xxx.dkr.ecr.us-east-1.amazonaws.com/fe“,
"cpu": 256,
"memoryReservation": 512
},
{
"image":"xxx.dkr.ecr.us-east-1.amazonaws.com/api",
"cpu": 768,
}
]
}
Units
• CPU : cpu-units. 1 vCPU = 1024 cpu-units
• Memory : MiB
Task Level Resources:
• Total CPU/Memory across all containers
• Required fields
• Billing axis
Container Level Resources:
• Defines sharing of task resources among
containers
• Optional fields
Task Level
Resources
Container
Level
Resources
Task Definition Snippet

Resource configuration with Fargate
Flexible configuration options –
50 CPU/memory configurations
CPU Memory
256 (.25 vCPU) 512MB, 1GB, 2GB
512 (.5 vCPU) 1GB, 2GB, 3GB, 4GB
1024 (1 vCPU) 2GB, 3GB, 4GB, 5GB, 6GB, 7GB, 8GB
2048 (2 vCPU) Between 4GB and 16GB in 1GB increments
4096 (4 vCPU) Between 8GB and 30GB in 1GB increments

Container CPU sharing
• Task CPU is a hard upper bound
• Container CPU is optional. By default all containers get an equal share of task CPU time
• Specify container CPU to control relative sharing among containers
• In our example: task cpu = 1024; scorekeep-frontend = 256; scorekeep-api = 768;
scorekeep-api
container
scorekeep-frontend
container
Container 1 Container 2

Container memory sharing
• Task memory is a hard upper bound across all containers
• Container level memory settings are optional. By default all task memory is available to all containers
• Two settings to control sharing at the container level: memory reservation & memory
• Memory reservation is a soft lower bound. Can kick in when task memory is under contention
In our example: task memory = 2 gb; scorekeep-frontend = 512 mb; scorekeep-api = 512 mb;
• Memory is a hard upper bound. Container will not be allowed to grow beyond this value
Task Memory
scorekeep-api
container
scorekeep-frontend
container
Available for all
Container 1 Container 2Available for all
Task Memory
non-critical
container
critical
container
Task Memory
Memory Reservation Memory Reservation
Memory Reservation Hard Memory
Limit

Platform version
What is it?
• It refers to a specific runtime environment around your task
• Version available today: 1.0.0
• New versions will be released as the runtime environment evolves: Kernel/OS updates, new features, bug
fixes, and security updates
Why should I care?
• It gives you explicit control over
• Migration to new platform versions
• Rollback to previous platform versions
• Leave it blank and we will automatically place your tasks on the latest version
How do I use it?
$ aws ecs run-task ... --platform-version 1.0.0
$ aws ecs run-task ... --platform-version LATEST #or just leave it blank

Fargate networking
Internet
Gateway
172.31.0.0/16
Subnet 3
Fargate
Task
Public IP
54.191.135.69
172.31.3.0/24
ENI
Subnet 1
Fargate
Task
Public IP
54.191.135.66
172.31.1.0/24
ENI
Subnet 2
Fargate
Task
172.31.2.0/24
ENI
• AWS VPC Networking Mode – each task gets its own interface (ENI)
• This Task networking mode is default for Fargate
• Full control of network access via Security Groups and Network ACLs
• Public IP support

VPC integration
Launch your Fargate Tasks into subnets
Beneath the hood :
• We create an Elastic Network Interface (ENI)
• The ENI is allocated a private IP from your subnet
• The ENI is attached to your task
• Your task now has a private IP from your subnet!
You can also assign public IPs to your tasks
Configure security groups to control inbound & outbound traffic
Spread your tasks across subnets in multiple Availability Zones
(AZs) for high redundancy
172.31.0.0/16
Subnet
172.31.1.0/24
Internet
Other Entities in VPC
EC2 LB DB etc.
Private IP
172.31.1.164
us-east-1a
us-east-1b
us-east-1c
ENI Fargate
TaskPublic /
208.57.73.13 /

VPC configuration
{
"cpu": "1 vCpu",
"memory": "2 gb",
"networkMode": "awsvpc",
{
"image":"xxx.dkr.ecr.us-east-1.amazonaws.com/fe",
"cpu": 256,
},
{
"cpu": 768,
}
]
}
$ aws ecs run-task ...
-- platform-version LATEST
-- network-configuration
“awsvpcConfiguration = {
subnets=[subnet1-id, subnet2-id],
securityGroups=[sg-id]
}”
Other network
modes not
supported on
Fargate
Run Task
Task Definition

Internet access
The Task ENI is used for:
• All network traffic to and from your task
• Image Pull (from ECR or a public repository)
• Log Pushing to CloudWatch (if configured)
Outbound Internet Access is required for Image Pull & Log Pushing.
Even if the application itself doesn’t require it
There are two ways to set this up:
• Private task with outbound internet access. Does not allow inbound internet traffic.
• Public task with both inbound and outbound internet access

Load Balancer setup
• ELB integration supported on services
• ALB & NLB supported. Classic ELB not supported
• ALB requires that you pick at least two subnets in two different AZs
• Ensure that the ALB subnet AZs are a superset of your task subnet AZs
• Select ALB Target type: IP (not Instance)

Working with permissions and access in
Fargate

Types of permissions
Cluster level permissions:
• Control who can launch/describe tasks in your cluster
Application level permissions:
• Allows your application containers to access AWS
resources securely
Housekeeping permissions:
• Allows us to perform housekeeping activities around
your task:
• ECR Image Pull
• CloudWatch logs pushing
• ENI creation
• Register/Deregister targets into ELB
Cluster
Permissions
Application
Permissions
Task
Housekeeping
Permissions
Cluster
Fargate Task

Cluster level permissions
{
"Effect": "Allow",
"Action": [ "ecs:RunTask" ],
"Condition": {
"ArnEquals": {"ecs:cluster":"<cluster-arn>"}
},
"Resource": [ “<task_def_family>:*" ]
}
You can tailor IAM policies for fine grained access control to your clusters
Attach these policies to IAM Users and/or Roles as necessary
Some example policies:
Example 1: Allow RunTask in a specific cluster
with a specific task definition only
{
"Effect": "Allow",
"Action": [ "ecs:ListTasks“,
“ecs:DescribeTasks” ],
"Condition": {
"ArnEquals": {"ecs:cluster":"<cluster-arn>"}
},
"Resource": “*”
}
Example 2: Read-only access to tasks in a
specific cluster
and many more!

Application level permissions
Do your application containers access other AWS resources?
Need to get credentials down to the task?
Create an IAM Role with the requisite permissions that your
application needs. In our Scorekeep example, DDB & SNS
permissions.
Establish a trust relationship with ecs-tasks.amazonaws.com on
that role. This lets us assume the role and wire the credentials
down to your task.
Add the role arn to your task definition and you’re done!
AWS CLI/SDK calls from within your application will automatically
use the Task Role credentials
Credentials are rotated in a timely manner
{
"cpu": "1 vCpu",
"memory": "2 gb",
"networkMode": “awsvpc“,
“taskRoleArn": “arn:aws...role/scorekeepRole“,
{
"cpu": 256,
"memoryReservation": 512,
"portMappings": [
{ "containerPort": 8080 }
]
},
{
"cpu": 768,
"portMappings": [
]
}
]
}
Task Definition

Housekeeping permissions
• Fargate needs certain permissions in your account to bootstrap your task and keep it
running.
• Execution Role gives permissions for:
• ECR Image Pull
• Pushing Cloudwatch logs
• ECS Service Linked Role gives permissions for:
• ENI Management
• ELB Target Registration/Deregistration

Execution role
• Using an ECR Image or Cloudwatch Logs?
• Create an IAM Role and add Read Permissions to ECR
• ecr:GetAuthorizationToken & ecr:BatchGetImage
• Or use AmazonEC2ContainerRegistryReadOnly
managed policy
• Add Write Permissions to CloudWatchLogs
• logs:CreateLogStream & logs:PutLogEvents
• Or use CloudWatchLogsFullAccess managed policy
• Establish trust relationship with ecs-tasks.amazonaws.com.
This lets us assume the role
• Add the execution role arn into your task definition
Give Fargate permissions via an Execution Role {
"cpu": "1 vCpu",
"memory": "2 gb",
"networkMode": “awsvpc“,
“taskRoleArn": “arn:aws...role/scorekeepRole“,
“executionRoleArn":
“arn:aws...role/scorekeepExecutionRole“,
{
"cpu": 256,
"portMappings": [
]
},
{
"cpu": 768,
"portMappings": [
]
}
]
}
Task Definition

ECS service-linked role
• A service-linked role is a unique type of IAM role that is linked directly to an AWS service, in this
case ECS
• It has a predefined policy, that is immutable. In this case, ENI & ELB permissions.
• It has a trust relationship with ecs.amazonaws.com. Allows us to assume the role and perform
ENI & ELB management on your behalf
• It is automatically created in your account at cluster creation time
• You don’t have to explicitly pass this role in the task definition or any API call.
• Just know about it in case you stumble upon it in the IAM console

Permissions summary
Cluster Permissions
Control who can launch/describe tasks in your cluster.
via IAM Policies
Application Permissions
Allows your application containers to access AWS
resources securely.
via Task Role
Housekeeping Permissions
Allows us to perform housekeeping activities around your task.
via Task Execution Role and Service Linked Role
Cluster
Permissions
Application
Permissions
Task
Housekeeping
Permissions
Cluster
Fargate Task
via IAM
Policies
via Task Execution Role
& Service Linked Role
via Task Role

If you don’t know now you know

Storage
Container Filesystem space – 10GB
Ephemeral storage backed by EBS

Hybrid clusters are possible
The same cluster can run tasks of type Fargate, and of type EC2
FAQ: how do I exec into a Fargate container?
Short Answer: you don’t
Longer answer: if it were me, I’d stop the Fargate container and restart
as type EC2 for debugging, then switch back over. Long term,
something we’re looking at building.

Enough talking: show me cool stuff

We love feedback/questions/comments!

Deep dive into AWS fargate

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Deep dive into AWS fargate

Similar to Deep dive into AWS fargate (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Deep dive into AWS fargate