Ridge Xu, Solutions Architect, AWS AWS is an elastic secure flexible and developer-centric ecosystem that serves as an ideal platform for Docker deployments. AWS offers the scalable infrastructure APIs and SDKs that integrate tightly into a development lifecycle and accentuate the benefits of the lightweight and portable containers that Docker offers. In this session you learn the benefits of containers learn about the Amazon EC2 Container Service and understand how to use Amazon ECS to run containerized applications at scale in production.

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Getting started with Docker on AWS
Ridge XU
Solutions Architect, Amazon Web Services

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Docker 101
Docker is an open source platform for running distributed applications. Applications built in Docker run
in containers that you can build, ship, and run on your platform of choice.
Docker containers are build from a series of instructions called a Dockerfile. To run a Docker container
locally, you’d do something like this:
$ docker build -t app .
$ docker run app

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The
EXPOSE instruction
exposes port 80 on
the container, and
the CMD instruction
starts the web server.
Dockerfile
This Dockerfile uses
the Ubuntu 12.04
image.
The RUN instructions update
the package caches, install
some software packages for the
web server, and then write the
"Hello World!" content to the
web server's document root.

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Elastic Container Service
Highly scalable, high performance container management system
Eliminates the need to install, operate, and scale your own
container management system

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon ECS
ECS provides a managed platform for:
Cluster management Container orchestration Deep AWS integration

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deep AWS integration
Autoscaling Load balancing IAM MonitoringNetworking Logging

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon ECS
No software to:
Deploy Manage Scale

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Instances: standard EC2 boxes; once registered to a
cluster, your tasks run here
Service: layer that manages and places your tasks
Task: container wrapper and configuration around a
process running on the instance
How does ECS map to traditional
workloads?

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How does ECS work?
Staging cluster Production cluster
Container instance Container instance
Container instance
Container instance Container instance
Container instance

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
A closer look
Load balancer (ALB, NLB, or ELB Classic)
routes traffic to the cluster instances
Cluster is made up of one or more EC2
instances
Each container instance runs one or more
services

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
A closer look
A service controls things like the number of copies
of a task you want running (desired count), and
registers your service with a load balancer
A task definition controls things like container image,
environment variables, resource allocation, logger,
and other parameters

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Getting started with Amazon ECS

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Building your cluster
Either navigate to the ECS service in your AWS console or:
$ aws ecs create-cluster --cluster-name ”your-cluster-name"
{
"cluster": {
"status": "ACTIVE",
"clusterName": ”hksummit",
"statistics": [],
"registeredContainerInstancesCount": 0,
"pendingTasksCount": 0,
"runningTasksCount": 0,
"activeServicesCount": 0,
"clusterArn": "arn:aws:ecs:us-east-1:123456789012:cluster/hksummit"
}
}

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Task definitions in ECS
After creating your cluster, you need to create your first task definition. Task definitions control almost
everything about your service, from the container image used to your resource allocation.
$ aws ecs register-task-definition [ --family <value>
[--task-role-arn <value>]
[--network-mode <value>]
--container-definitions <value>
[--volumes <value>]
[--placement-constraints <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Creating a task
$ aws ecs register-task-definition --cli-input-json file://path/hksummit.json
You can also use a JSON string:
$ aws ecs register-task-definition --family hksummit --container-definitions
"[{"name":”meetup","image":”alpine","cpu":10,"command":["sleep","360"],"memory":1
0,"essential":true}]”
This same call is used to register a different version of the task definition as well. For example,
hksummit:5  hksummit:6

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use your task to create a service
$ aws ecs create-service --service-name meetup -task-definition meetup
--desired-count 2
You can add more parameters here, such as placement strategy. You can also register your new service
with an ELB/ALB/NLB.
Something to note: once a service is registered to a specific load balancer,
that value cannot be changed. This holds true for --family when you’re
registering tasks, as well.

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Task placement policies
When you call create-service, you have the opportunity to set task placement constraints and strategies:
$ aws ecs create-service
[--placement-constraints <value>]
[--placement-strategy <value>]
By default, the ECS scheduler will place tasks like this: first check for constraints like port, memory, and
CPU, then place tasks on the instances with the fewest number of running tasks, balanced by Availability
Zone. You have custom options, though.

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom task placement strategies
If you’re so inclined, you can customize the strategy that ECS uses to place tasks:
Binpacking Spread Affinity Distinct instance

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom task placement constraints
Name Example
AMI ID attribute:ecs.ami-id == ami-eca289fb
Availability Zone attribute:ecs.availability-zone == us-east-1a
Instance Type attribute:ecs.instance-type == t2.small
Distinct Instances type=“distinctInstances”
Custom attribute:stack == prod

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Let’s take a second to talk about load
balancers
Three different kinds: Application Load Balancer, Network Load Balancer, ELB Classic:
• ELB Classic: the original; distributes traffic between instances
• Application Load Balancer: path based routing; great for microservices; functions at
Application Layer (7)
• Network Load Balancer: extremely high performance/low latency; also good for
unusual/spiky traffic patterns; functions at Connection Layer (4)
Strongly recommend Application Load Balancer (ALB) for microservices and ECS. Why? Path-based
routing lets you route traffic to multiple services (/web, /messages, /api) with a single ALB. It also
supports dynamic port allocation. This is magical.

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Editing a service can deploy or scale
$ aws ecs update-service --service hksummit --desired-count 4 --task-definition hksummit:6
This update-service call serves many functions:
Changing the --desired-count will scale the service up or down.
Changing the --task-definition will change the revision. This is effectively a deploy.

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scaling up and down
This is possible in the console and the CLI:
$ aws ecs update-service --service hksummit --desired-count 2
However, in a production environment, this is something we probably want to handle with autoscaling.

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Query cluster state
$ aws ecs describe-services --service hksummit
This returns A TON of information about our service: most importantly, it shows us our current
deployment, and what events are happening in our cluster:
"events": [
{
"message": "(service hksummit) has reached a steady state.”
Cluster events can also be streamed to Amazon CloudWatch.

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon ECS event stream for
CloudWatch logs
Receive near real-time updates about both the current state of both the container instances within the
ECS Cluster, and the current state of all tasks running on those container instances
Can be used to build custom schedulers, or to monitor cluster state and handle those state changes by
consuming events with other AWS services, such as AWS Lambda

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
You’ve set up your cluster, now what?

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Monitoring with CloudWatch Metrics
Get Task-, Service-, and Cluster-level metrics via CloudWatch:

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Monitoring with CloudWatch Metrics

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Centralized logging with CloudWatch Logs
{
"image": ”nginx:latest",
...
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": ”nginx",
"awslogs-region": "us-east-1"
}
}
{
• Defined within the task definition
• Available log drivers
• awslogs
• fluentd
• gelf
• journald
• json-file
• splunk
• Syslog
• Open a PR on ecs-agent GitHub repo if you want
to add others.

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Centralized logging with CloudWatch
Logs

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use metric filters with CloudWatch
Logs
Helps reduce noise, and makes for faster debugging!

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Service discovery with ALB
There are lots of ways to do this. One way is with your load balancer. This is particularly straightforward
with an ALB, since we can route to content based on path (like /web vs /messaging).
This might look something like:
https://<load-balancer-name>/  goes to main website service
https://<load-balancer-name>/signin  goes to login service
https://<load-balancer-name>/api  goes to backend API service
As new tasks are added to the service, they can be “discovered” through the ALB, since the ALB handles
routing requests to all available services.

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Service discovery with DNS
As new tasks stop and start, CloudWatch events trigger a Lambda handler, which adds or removes a DNS
record in Amazon Route53.

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What about secrets?
Couple of different ways. You can pass environments variables as part of the task definition:
"environment" : [ { "name" : "string", "value" : "string" }, { "name" : "string", "value" : "string" } ]
This maps to:
--env
In Docker run. While this is OK for non-sensitive variables, it’s not great for sensitive secrets, since the
value can be seen in the task definition.

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EC2 Systems Manager Parameter
Store
Sensitive variables can be stored with EC2 Systems Manager Parameter Store, and encrypted via AWS
KMS.
This allows tasks only to access the parameters that they have permission to access. Since IAM Roles can
be set at the task level, this allows for granular control over which resources and variables each service
can access.
prod.app1.db-pass
general.license-code
prod.app2.user-name
Service A
Service B
IAM Role
IAM Role
EC2 Systems Manager
Parameter Store

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Performance monitoring with AWS X-Ray

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Performance monitoring with X-Ray

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Performance monitoring with X-Ray

38. Amazon EC2 Pricing Options

39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EC2 On-Demand Pricing
Short term, spiky, or
unpredictable
Low cost and
flexible
Develop and test

40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Low cost Faster results Easy access Resource
flexibility
Spare compute capacity at scale. Spend less. Scale more. Faster results.
Amazon EC2 Spot Instances

41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EC2 Reserved Pricing
Discount up to 75% off
the On-Demand price
Steady state and
committed usage
1- and 3-year terms

42. Customer References

43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ubisoft Provides Seamless, Scalable
Multiplayer Gaming Experience Using AWS
“Using AWS, we can automatically scale to support large traffic spikes. Over
the last Christmas holiday, we met traffic demands for Watch Dogs 2 by
scaling up to 120 relay servers, routing 70 terabytes of data in 20 days.”
Eric Fortin
Technical Architect

44. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resources

45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

46. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!