This document provides an overview of Amazon EC2 Container Service (ECS) including benefits of containers and ECS, ECS clusters, tasks, services, monitoring, logging, auto-scaling, provisioning with CloudFormation, container image management with ECR, and example solutions built on ECS like Elastic Beanstalk and Convox. Key aspects covered include using ECS clusters to dynamically run and scale containerized applications, defining reusable tasks and long-running services, integrating with other AWS services for monitoring, auto-scaling and service discovery, and deploying containerized applications on ECS.

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Pierre Steckmeyer, Solutions Architect
Feb.23, 2016
Amazon EC2 Container
Service Deep Dive

2. Agenda
 Containers and Amazon ECS Benefits
 ECS Clusters
 ECS Tasks
 ECS Services
 Solutions Built on Amazon ECS

3. Why Containers?

4. Container Benefits
 Portable
 Flexible
 Fast
 Efficient
Server
Guest OS
Bins/Libs Bins/Libs
App2App1

5. Why Amazon ECS?

6. Amazon ECS Benefits
 Easily Manage Clusters for Any Scale
 Flexible Container Placement
 Designed for Use with Other AWS Services
 Extensible

7. Clusters
 Regional
 Resource Pool
 Grouping of Container Instances
 Start Empty, Dynamically Scalable

8. Tasks
 Unit of Work
 Grouping of Related Containers
 Run on Container Instances

9. Services
 Good for Long-Running Applications
 Load Balance Traffic across Containers
 Automatically Recover Unhealthy Containers
 Discover Services

10. ECS Clusters

11. ECS Clusters
 Setup
 IAM Roles
 Monitoring
 Logging
 Autoscaling
 Amazon EC2 Simple Systems Manager (SSM)
 Provisioning with CloudFormation

12. Setup ECS Cluster with AutoScaling
Create LaunchConfiguration
 Pick instance type depending on resource requirements, e.g.
memory or CPU
 Use latest Amazon Linux ECS-optimized AMI, other distros
available
Create AutoScaling Group and Set to Cluster Initial
Size

13. ECS IAM Policies and Roles
 The ECS agent calls the ECS APIs on your behalf, so
container instances require an IAM policy and role that
allows these calls.
 The ECS service scheduler calls the EC2 and ELB APIs
on your behalf to register and deregister container
instances with your load balancers.
 Use AmazonEC2ContainerServiceforEC2Role and
AmazonEC2ContainerServiceRole managed policies
(respectively)

14. Monitoring with Amazon CloudWatch
Metric data sent to CloudWatch in 1-minute periods and
recorded for a period of two weeks
Available metrics:
CPUReservation, MemoryReservation, CPUUtilization, MemoryUtilization

15. Monitoring with Amazon CloudWatch

16. Monitoring with Amazon CloudWatch
Use the Amazon CloudWatch Monitoring Scripts to monitor
additional metrics, e.g. disk space:
# Edit crontab
> crontab -e
# Add command to report disk space utilization to CloudWatch every five minutes
*/5 * * * * <path_to>/mon-put-instance-data.pl --disk-space-util --disk-space-used --disk-
space-avail --disk-path=/ --from-cron

17. Logging with Amazon CloudWatch Logs
 Logging container with
syslogd and CloudWatch
Logs Agent
 Attach /var/log Volume
to Logging container
 Link Other Containers
syslogd
CloudWatch
Logs Agent
CloudWatch
Logs
Container instance
ECS Cluster
ECS Agent
Logs
Docker
Logs

18. AutoScaling your Amazon ECS Cluster
 Create CloudWatch alarm on a
metric, e.g. MemoryReservation
 Configure scaling policies to
increase and decrease the size
of your cluster

19. Amazon EC2 Simple Systems Manager (SSM)
Use Amazon EC2 SSM to execute commands on container
instances, e.g. yum update
 Add AmazonEC2RoleForSSM to instances IAM role to
process Run Commands
 Install SSM Agent
 Create SSM document

20. Cluster Setup with AWS CloudFormation
 CloudFormation supports ECS cluster, service and task
definition resources
 Use AWS::IAM::Role to create ECS service role and
container instances role
 Launch container instances using
AWS:AutoScaling::LaunchConfiguation and
AWS:AutoScaling::AutoScalingGroup

21. Provision Clusters with AWS CloudFormation
"Resources" : {
"ECSCluster": {
"Type": "AWS::ECS::Cluster"
},
"ECSAutoScalingGroup" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"VPCZoneIdentifier" : { "Ref" : "SubnetID" },
"LaunchConfigurationName" : { "Ref" : "ContainerInstances" },
"MinSize" : "1",
"MaxSize" : { "Ref" : "MaxSize" },
"DesiredCapacity" : { "Ref" : "DesiredCapacity" }
},
[…]
},

22. Provision Clusters with AWS CloudFormation
"ContainerInstances": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"config" : {
"commands" : {
"01_add_instance_to_cluster" : {
"command" : { "Fn::Join": [ "", [ "#!/bin/bashn", "echo
ECS_CLUSTER=", { "Ref": "ECSCluster" }, " >> /etc/ecs/ecs.config" ] ] }
}
},
[…]
}
}
}

23. ECS Tasks

24. ECS Tasks
 Task Definition
 Amazon EC2 Container Registry

25. ECS Tasks
 Group containers used for a common purpose in
a single task definition
 Separate different components into multiple task
definitions
 Create services from Task Definition to maintain
availability

26. Task Definitions
Volume Definitions
Container Definitions

27. Task Definition
{
"containerDefinitions": [
{
"name": "wordpress",
"links": [
"mysql"
],
"image": "wordpress",
"essential": true,
"portMappings": [
{
"containerPort": 80,
"hostPort": 80
}
],
"memory": 500,
"cpu": 10
},

28. Task Definition
{
"environment": [
{
"name": "MYSQL_ROOT_PASSWORD",
"value": "password"
}
],
"name": "mysql",
"image": "mysql",
"cpu": 10,
"memory": 500,
"essential": true
}
],
"family": "hello_world"
}

29. Tasks
Shared Data Volume
Containers
schedule
Container
Instance
Volume Definitions
Container Definitions

30. Amazon ECR Setup
 You have read and write access to the repositories
you create in your default registry, i.e.
<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com
 Repository names can support namespaces, e.g.
team-a/web-app.
 Repositories can be controlled with both IAM user
access policies and repository policies.

31. Amazon ECR Setup
# Authenticate Docker to your Amazon ECR registry
> aws ecr get-login
docker login -u AWS -p <password> -e none https://<aws_account_id>.dkr.ecr.us-east-
1.amazonaws.com
> docker login -u AWS -p <password> -e none https://<aws_account_id>.dkr.ecr.us-east-
1.amazonaws.com
# Create a repository called ecr-demo
> aws ecr create-repository --repository-name ecr-demo
# Build or tag an image
# Push an image to your repository
> docker push <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/ecr-demo:v1

32. ECR IAM Policies and Roles
 ECR uses resource-based permissions to control access.
 By default, only the repository owner has access to a
repository.
 You can apply a policy document that allows others to access
your repository.
 Use managed policies for IAM users or roles that allow
differing levels of control:
AmazonEC2ContainerRegistryFullAccess,
AmazonEC2ContainerRegistryPowerUser or
AmazonEC2ContainerRegistryReadOnly

33. ECS Services

34. ECS Services
 Monitoring
 Logging
 Scaling
 Service discovery
 Deployment

35. Monitoring with Amazon CloudWatch
Metric data sent to CloudWatch in 1-minute periods and
recorded for a period of two weeks
Available metrics:
CPUReservation, MemoryReservation, CPUUtilization, MemoryUtilization

36. Monitoring ECS Services with CloudWatch

37. Configuring Logging in Task Definition
 logConfiguration task definition parameter
 Requires version 1.18 or greater of the Docker Remote
API Maps to docker run --log-driver option
 Log drivers: json-file, syslog, journald, gelf, fluentd

38. Scaling ECS Services with AWS Lambda

39. Service Discovery with Services & Route 53
Task
Task TaskTask
ECS
Service
Application
router, e.g.
nginx
Internal ELB with
CNAME, e.g.
api.example.com
Route 53 private
zone, e.g.
example.com

40. Deploying ECS Services
 Optionally run your service behind a load balancer.
 One load balancer per service.
 ELB currently supports a fixed relationship between the
load balancer port and the container instance port.
 If a task fails the ELB health check, the task is killed and
restarted (until service reaches desired capacity).

41. Deploying ECS Services
Update service’s task definition (rolling update)
Specify a deployment configuration for your service:
 minimumHealthyPercent: lower limit (as a percentage of the
service's desiredCount) of the number of running tasks that
must remain running in a service during a deployment.
 maximumPercent: upper limit (as a percentage of the
service's desiredCount) of the number of running tasks that
can be running in a service during a deployment.

42. Deploying ECS Services
Deploy using the least space: minimumHealthyPercent =
50%, maximumPercent = 100%

43. Deploying ECS Services
Deploy quickly without reducing service capacity:
minimumHealthyPercent = 100%, maximumPercent = 200%

44. Deploying ECS Services
Blue-Green deployments:
 Define two ECS services (Blue and Green)
 Each service is associated with an ELB
 Both ELBs in Route 53 record set with weighted routing
policy, 100% Primary, 0% Secondary
 Deploy to Blue or Green service and switch weights

45. Deploying ECS Services
Route 53 record set
with weighted
routing policy
TaskTask
0%
100%

46. Deploying ECS Services with Jenkins
Build image
Push image
Update service

47. ECS CI/CD Partners

48. Solutions Built on ECS

49. Solutions Built on ECS
 AWS Elastic Beanstalk
 Convox
 Remind Empire

50. AWS Elastic Beanstalk
 Uses Amazon ECS to coordinate deployments to
multicontainer Docker environments
 Takes care of tasks including cluster creation, task definition
and execution

51. AWS Elastic Beanstalk
Elastic Beanstalk uses a Dockerrun.aws.json file that
describes how to deploy containers.
The Dockerrun.aws.json file includes three sections:
 AWSEBDockerrunVersion: Set to "2" for multicontainer
Docker environments.
 containerDefinitions: An array of container definitions.
 volumes: Creates mount points in the container instance that
a container can use.

52. Convox

53. Convox
# Initialize your app and create default manifest
> convox init
# Locally build and run your app as declared in the manifest
> convox start
# Create app
> convox apps create my_app
# Deploy app, output ELB DNS name
> convox deploy
[...]
web: http://my_app-1234567890.us-east-1.elb.amazonaws.com

54. Remind Empire
Control layer on top of Amazon ECS that provides a
familiar PaaS workflow
Any tagged Docker image can be deployed to Empire as
an app
 When you deploy a Docker image to Empire, it will extract a
Procfile from the WORKDIR
 Each process type in the Procfile maps directly to an ECS
Service

55. Remind Empire
Routing Layer Backed by Internal ELBs
 An application that specifies a web process will get an
internal ELB attached to its ECS Service
 When a new internal ELB is created, an associated CNAME
record is created in Route53 under the internal TLD,
enabling service discovery via DNS

56. Thank you!

57. Additional Resources
 ECS CloudFormation Template - http://amzn.to/1KH51m5
 ECS CloudWatch Metrics - http://amzn.to/1PUR7OU
 Scaling Container Instances with CloudWatch Alarms -
http://amzn.to/1ORt06b
 Service Discovery with Consul - http://amzn.to/1JZL5gz
 Continuous Delivery to ECS with Jenkins -
http://amzn.to/1GbheTp
 Elastic Beanstalk Multicontainer Docker Environment -
http://amzn.to/1bAkjxG

58. AWS Summit – Chicago: An exciting, free cloud conference designed to educate and inform new
customers about the AWS platform, best practices and new cloud services.
Details
• April 18-19, 2016
• Chicago, Illinois
• @ McCormick Place
Featuring
• New product launches
• 50+ sessions, labs, and bootcamps
• Executive and partner networking
Register Now
• Go to aws.amazon.com/summits
• Click on The AWS Summit - Chicago … then register.
• Come and see what AWS and the cloud can do for you.
Chicago – April 18-19