This document discusses operations for containerized applications on AWS. It covers topics like automation of deployments and scaling, security, observability, and minimizing operational overhead. The session will take place on November 26th and 27th. It promotes automating operations using the native AWS container stack with services like ECS, ECR, and Fargate or an open source stack with tools like Kubernetes, Terraform and Jenkins. It provides examples of configuring networking, IAM, logging, monitoring and automated scaling of containerized applications on AWS.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Operations for Containerized
Applications
Tiffany Jernigan
@tiffanyfayj
Developer Advocate
Amazon Web Services
C O N 3 3 4
Nathan Peck
@nathankpeck
Developer Advocate
Amazon Web Services

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Session Times
Monday, November 26
Operations for Containerized Applications
1:00 PM | Bellagio, Level 1, Grand Ballroom 1
Tuesday, November 27
Operations for Containerized Applications
3:15 PM | Mirage, St. Thomas B

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Automation: Deployments
Security
Observability
Automation: Scaling
Minimizing operational overhead
Example architecture

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS native container stack
MANAGEMENT
The API interface you use to launch applications
Tracks application state and connects application to
other resources like load balancers
HOSTING
Containers run on demand
No capacity planning needed
Automatically updated and patched infrastructure
IMAGE REGISTRY
Stores your docker container right there in
the datacenter where you will run it

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where are you on path of container adoption?
One app on a couple instances
A couple apps on a few instances
Many apps in a large cluster

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Two paths… two results
Manual setup, hand rolled deploys
Ever growing burden of overhead
That engineer who knew how
everything worked just left the
company and we don’t know how to
do a deploy
Automate all the things
Each piece automated increases
velocity
All operation processes clearly
defined by automation code and
infrastructure as code templates

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Effective engineering teams use deployment
automation tooling

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Components of effective container operations
Developers
Version Control
Repository
Test & Deployment
Manager
Image Build Service
Infrastructure
Provisioning
Container Scheduling &
Orchestration
Container Image
Repository

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The AWS native stack
Developers
AWS CodeCommit AWS CodePipeline
AWS CodeBuild
AWS CloudFormation Amazon Elastic
Container Service
Amazon Elastic
Container Registry
AWS Fargate

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
An open source stack
Developers
Github
Jenkins
Terraform Kubernetes (Amazon EKS)
Container Image
Repository

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Networking
VPC
Subnets
Networking mode
Amazon Virtual Private Cloud (Amazon
VPC): Each task gets its own interface
Security groups
Control inbound & outbound traffic
Cluster
EC2 Instance
Subnet
Task
ENIInternet

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM
Instance (Amazon Elastic Compute Cloud (Amazon EC2 launch type)
Cluster
Control who can launch/describe tasks in your cluster
Application: Task Role
Allows your application containers to access AWS resources securely
Housekeeping: Task Execution Role
Allows ECS to perform housekeeping activities around your task:
•Private registry image pull
•Amazon CloudWatch Logs pushing (Fargate launch type)
•ENI creation (AWSVPC mode)
•Register/Deregister targets into Elastic Load Balancing (Fargate launch type)
Cluster
Permissions
Task Role
Task
Execution
Role
Cluster
Task
Instance (EC2)
Instance
Permissions

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Private Registry Authentication
• Used for 3rd party private registries
• Takes a secret in AWS Secrets Manager with registry username and
password
• Task needs a task execution AWS Identity and Access Management (IAM)
role with permissions to get the secret value

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Metrics
Aggregate service stats in
Amazon CloudWatch

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Logs
Log streams in
CloudWatch logs
stdout / stderr Amazon CloudWatch
Log integration is
built in via the
awslogs Docker log
driver.
Logs automatically
visible in the ECS
console, and in
Amazon CloudWatch
logs

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Audit Trail
Log events
AWS CloudTrail
Audit capability is
built in with AWS
CloudTrail
CloudTrail Events
show who made
what API calls,
when.
Developers

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Endpoints
Instance metadata endpoint
gives your containers
information about what's
running on the instance.
Task metadata endpoint gives a
container visibility into its own
settings
Instance
metadata
Task
metadata

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automate service scaling
Greater than 95%
Increase container
desired count by 3
Greater than 85%
Increase container
desired count by 2
Less than 20%
Decrease container
desired count by 1
Service CPU Utilization
AWS CloudWatch
Aggregate stats in
Scaling alarms back to ECS
You can define your own
custom rules and thresholds
for how to automatically scale
your service based on its
metrics. Custom metric
dimensions also supported.

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automate cluster scaling
Cluster CPU
Scales according to metric
Custom metric
Service events to
CloudWatch event bus
AWS Lambda executes in
response to events,
publishes custom metric
Autoscaling group of EC2
instances

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resource
based pricingTask native API
No instances
to manage
Simple, easy to use,
powerful – and new
consumption model

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud services "on tap" minimize overhead
Amazon RDS
Amazon Aurora
Amazon DynamoDB
Amazon Simple Queue
Service (Amazon SQS)
Amazon Simple
Notification Service
(Amazon SNS)
Database Messaging Storage
Amazon Simple
Storage Service
(Amazon S3)

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Serverless containerized cron job
CloudWatch
Events
Rate (1 day)
Amazon Elastic
Container Registry
AWS Fargate Cron job container
stdout and stderr
log output and metrics

30. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
@nathankpeck
@tiffanyfayj

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.