Deep dive on Fargate (Builder's Days 2018)

Transcript

1. Deep Dive: AWS Fargate Abby Fuller @abbyfuller

2. AWS Fargate No cluster or infrastructure to manage or scale

   Everything is handled at the container level Scale seamlessly on demand Underlying technology for container management

3. What does Fargate mean? No worrying about scaling, service mesh,

   underlying infrastructure, cluster resources, capacity, setup. Just give it a task definition or pod (in 2018), set some resource limits, and away you go.

4. Why Fargate?

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. Running a container locally is easy

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. EC2 Instance Task Task Task Task EC2 Instance Task Task Task Task EC2 Instance Task Task Task Task EC2 Instance Task Task Task Task EC2 Instance Task Task Task Task Running a few containers is OK

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. Managing production infrastructure is a ton of work

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. Scheduling and Orchestration Cluster Manager Placement Engine Using ECS made it easier Availability Zone #1 Availability Zone #2 Availability Zone #3

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. ECS AMI Docker agent ECS agent ECSTask ECSTask ECSTask ECSTask EC2 Instance But it’s not totally hands-off

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Fargate enables you to focus on your application

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. “When someone asks you for a sandwich, they aren’t asking you to put them in charge of a global sandwich logistic chain. They just want a sandwich”
12. None

13. Let’s look at that in practice

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Running Fargate containers in ECS

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Running Fargate containers in ECS Use ECS APIs to launch Fargate Containers Easy migration – Run Fargate and EC2 launch type tasks in the same cluster Same Task Definition schema

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. OK, so what’s a Task Definition? { "family": “scorekeep", "containerDefinitions": [ { "name":“scorekeep-frontend", "image":"xxx.dkr.ecr.us-east- 1.amazonaws.com/fe" }, { "name":“scorekeep-api", "image":"xxx.dkr.ecr.us-east- 1.amazonaws.com/api" } ] } • Immutable, versioned document • Identified by family:version • Contains a list of up to 10 container definitions • All containers are co-located on the same host • Each container definition has: • A name • Image URL (ECR or Public Images) • And more…stay tuned! Task Definition Snippet

17. Primitives are shared with ECS • Use the same primitives,

    and integrations as EC2 launch-type ECS tasks: • VPC • IAM • CloudWatch

18. Let’s look at the workflow

19. How do I know when to use Fargate vs EC2

    mode? • Depends on your workload. • For Fargate: if you have a Task Definition, and you’re ok with awsvpc networking mode, try Fargate. Some caveats: can’t exec into the container, or access the underlying host (this is also a good thing) • For EC2 mode: good if you need to customize!

20. Compute resources in Fargate

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. CPU and memory specification Container Level Resources { "family": "scorekeep", "cpu": "1 vCpu", "memory": "2 gb", "containerDefinitions": [ { "name":“scorekeep-frontend", "image":"xxx.dkr.ecr.us-east- 1.amazonaws.com/fe“, "cpu": 256, "memoryReservation": 512 }, { "name":“scorekeep-api", "image":"xxx.dkr.ecr.us-east- 1.amazonaws.com/api", "cpu": 768, "memoryReservation": 512 } ] } Units • CPU : cpu-units. 1 vCPU = 1024 cpu-units • Memory : MiB Task Level Resources: • Total CPU/Memory across all containers • Required fields Container Level Resources: • Defines sharing of task resources among containers • Optional fields Task Level Resources Task Definition Snippet

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Resource configuration with Fargate Flexible configuration options – 50 CPU/memory configurations CPU Memory 256 (.25 vCPU) 512MB, 1GB, 2GB 512 (.5 vCPU) 1GB, 2GB, 3GB, 4GB 1024 (1 vCPU) 2GB, 3GB, 4GB, 5GB, 6GB, 7GB, 8GB 2048 (2 vCPU) Between 4GB and 16GB in 1GB increments 4096 (4 vCPU) Between 8GB and 30GB in 1GB increments

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Container CPU sharing • Task CPU is a hard upper bound • Container CPU is optional. By default all containers get an equal share of task CPU time • Specify container CPU to control relative sharing among containers • In our example: task cpu = 1024; scorekeep-frontend = 256; scorekeep-api = 768; scorekeep-api container scorekeep-frontend container Container 1 Container 2

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Container memory sharing • Task memory is a hard upper bound across all containers • Container level memory settings are optional. By default all task memory is available to all containers • • Two settings to control sharing at the container level: memory reservation & memory • Memory reservation is a soft lower bound. Can kick in when task memory is under contention • In our example: task memory = 2 gb; scorekeep-frontend = 512 mb; scorekeep-api = 512 mb; • Memory is a hard upper bound. Container will not be allowed to grow beyond this value Task Memory scorekeep-api container scorekeep-frontend container Available for all Container 1 Container 2 Available for all Task Memory non-critical container critical container Task Memory Memory Reservation Memory Reservation Memory Reservation Hard Memory Limit

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Platform version • What is it? • It refers to a specific runtime environment around your task • Version available today: 1.0.0 • New versions will be released as the runtime environment evolves: Kernel/OS updates, new features, bug fixes, and security updates • Why should I care? • It gives you explicit control over • Migration to new platform versions • Rollback to previous platform versions • Leave it blank and we will automatically place your tasks on the latest version • How do I use it? • $ aws ecs run-task ... --platform-version 1.0.0 • $ aws ecs run-task ... --platform-version LATEST #or just leave it blank

26. Let’s talk about networking (baby)

27. Traditional Docker networking Bridge: docker0. This is the default behavior.

    Containers on the same network can communicate via IP address. No automatic service discovery. Connect containers with ---link None: no network interface, only local loopback (which I’ll explain shortly) Host: connect to host network (container maps to host)

28. More networking • You can create your own bridge networks

    • For multi-host native networking, you can use overlay networks (like Consul, or Swarm). I’m not covering this today, but if you’re interested, you can start here: https://www.consul.io/docs/guides/consul- containers.html • For more info on container communication, start with the Docker documentation: https://docs.docker.com/engine/userguide/networking/default_network/ container-communication/

29. Networking two ways For our purposes today, networking falls into

    two categories: • Container (local) networking • External networking

30. Local networking 101 • On a single EC2 instance, two

    components could communicate via the local, loopback interface: more commonly known as `localhost` or 127.0.0.1 • This bypasses networking interface and lets processes communicate directly Got it? Good.

31. External networking • This covers communication with services that are

    not part of the same task, or to external services. This means traffic is (most likely) routed through the internet through your VPC. • Tasks are launched into subnets, which define traffic rules through routing tables. • Two types of subnets: • Public: associated internet gateway • Private: no direct internet gateway, traffic is routed through NAT (Network Address Translation)

32. awsvpc • With awsvpc, each task is allocated an ENI

    (Elastic Network Interface) • Containers launched as part of the same task can use the local loopback interface (remember that one?), since containers part of the same task share an ENI • With the ENI allocation comes a private IP. Public IPs can also be allocated. • ENIs are at the task level, though, so how to containers that are part of different tasks communicate?

33. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. VPC integration Launch your Fargate Tasks into subnets Beneath the hood : • We create an Elastic Network Interface (ENI) • The ENI is allocated a private IP from your subnet • The ENI is attached to your task • Your task now has a private IP from your subnet! You can also assign public IPs to your tasks Configure security groups to control inbound & outbound traffic 172.31.0.0/16 Subnet 172.31.1.0/24 Internet Other Entities in VPC EC2 LB DB etc. Private IP 172.31.1.164 us-east-1a us-east-1b us-east-1c ENI Fargate Task Public / 208.57.73.13 /

34. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. VPC configuration { "family": "scorekeep", "cpu": "1 vCpu", "memory": "2 gb", "networkMode": "awsvpc", "containerDefinitions": [ { "name":“scorekeep-frontend", "image":"xxx.dkr.ecr.us-east- 1.amazonaws.com/fe", "cpu": 256, "memoryReservation": 512 }, { "name":“scorekeep-api", "image":"xxx.dkr.ecr.us-east- 1.amazonaws.com/api", "cpu": 768, "memoryReservation": 512 } ] } $ aws ecs run-task ... -- platform-version LATEST -- network-configuration “awsvpcConfiguration = { subnets=[subnet1-id, subnet2- id], securityGroups=[sg-id] }” Other network modes not supported on Fargate Run Task Task Definition

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Internet access The Task ENI is used for: • All network traffic to and from your task • Image Pull (from ECR or a public repository) • Log Pushing to CloudWatch (if configured) Outbound Internet Access is required for Image Pull & Log Pushing (even if the application itself doesn’t require it) There are two ways to set this up: • Private task with outbound internet access. Does not allow inbound internet traffic. • Public task with both inbound and outbound internet access

36. Local networking with awsvpc

37. This shows both public and private subnets

38. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. A bigger picture: Fargate networking Internet Gateway 172.31.0.0/16 Subnet 3 Fargate Task Public IP 54.191.135.69 172.31.3.0/24 ENI Subnet 1 Fargate Task Public IP 54.191.135.66 172.31.1.0/24 ENI Subnet 2 Fargate Task 172.31.2.0/24 ENI

39. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Looking for more networking details? https://aws.amazon.com/blogs/comp ute/task-networking-in-aws-fargate/ https://aws.amazon.com/blogs/comput e/introducing-cloud-native-networking- for-ecs-containers/

40. Working with permissions and access in Fargate

41. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Types of permissions Cluster level permissions: • Control who can launch/describe tasks in your cluster Application level permissions: • Allows your application containers to access AWS resources securely Housekeeping permissions: • Allows us to perform housekeeping activities around your task: • ECR Image Pull • CloudWatch logs pushing • ENI creation • Register/Deregister targets into ELB Cluster Permissions Application Permissions Task Housekeeping Permissions Cluster Fargate Task

42. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Cluster level permissions { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Condition": { "ArnEquals": {"ecs:cluster":"<cluster-arn>"} }, "Resource": [ “<task_def_family>:*" ] } You can tailor IAM policies for fine grained access control to your clusters Attach these policies to IAM Users and/or Roles as necessary Some example policies: Example 1: Allow RunTask in a specific cluster with a specific task definition only { "Effect": "Allow", "Action": [ "ecs:ListTasks“, “ecs:DescribeTasks” ], "Condition": { "ArnEquals": {"ecs:cluster":"<cluster-arn>"} }, "Resource": “*” } Example 2: Read-only access to tasks in a specific cluster and many more!

43. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Application level permissions Do your application containers access other AWS resources? Need to get credentials down to the task? Create an IAM Role with the requisite permissions that your application needs. In our Scorekeep example, DDB & SNS permissions. Establish a trust relationship with ecs-tasks.amazonaws.com on that role. This lets us assume the role and wire the credentials down to your task. Add the ARN to your task definition and you’re done! AWS CLI/SDK calls from within your application will automatically use the Task Role credentials Credentials are rotated in a timely manner { "family": "scorekeep", "cpu": "1 vCpu", "memory": "2 gb", "networkMode": “awsvpc“, “taskRoleArn": “arn:aws...role/scorekeepRole“, "containerDefinitions": [ { "name":“scorekeep-frontend", "image":"xxx.dkr.ecr.us-east-1.amazonaws.com/fe", "cpu": 256, "memoryReservation": 512, "portMappings": [ { "containerPort": 8080 } ] }, { "name":“scorekeep-api", "image":"xxx.dkr.ecr.us-east-1.amazonaws.com/api", "cpu": 768, "memoryReservation": 512, "portMappings": [ { "containerPort": 5000 } ] } ] } Task Definition

44. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Housekeeping permissions • Fargate needs certain permissions in your account to bootstrap your task and keep it running. • Execution Role gives permissions for: • ECR Image Pull • Pushing Cloudwatch logs • ECS Service Linked Role gives permissions for: • ENI Management • ELB Target Registration/Deregistration

45. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Execution role Using an ECR Image or Cloudwatch Logs? • Create an IAM Role and add Read Permissions to ECR • ecr:GetAuthorizationToken & ecr:BatchGetImage • Or use AmazonEC2ContainerRegistryReadOnly managed policy • Add Write Permissions to CloudWatchLogs • logs:CreateLogStream & logs:PutLogEvents • Or use CloudWatchLogsFullAccess managed policy • Establish trust relationship with ecs-tasks.amazonaws.com. This lets us assume the role • Add the execution ARN into your task definition Give Fargate permissions via an Execution Role { "family": "scorekeep", "cpu": "1 vCpu", "memory": "2 gb", "networkMode": “awsvpc“, “taskRoleArn": “arn:aws...role/scorekeepRole“, “executionRoleArn": “arn:aws...role/scorekeepExecutionRole“, "containerDefinitions": [ { "name":“scorekeep-frontend", "image":"xxx.dkr.ecr.us-east-1.amazonaws.com/fe", "cpu": 256, "memoryReservation": 512, "portMappings": [ { "containerPort": 8080 } ] }, { "name":“scorekeep-api", "image":"xxx.dkr.ecr.us-east-1.amazonaws.com/api", "cpu": 768, "memoryReservation": 512, "portMappings": [ { "containerPort": 5000 } ] } ] } Task Definition

46. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Permissions summary Cluster Permissions Control who can launch/describe tasks in your cluster. via IAM Policies Application Permissions Allows your application containers to access AWS resources securely. via Task Role Housekeeping Permissions Allows us to perform housekeeping activities around your task. via Task Execution Role and Service Linked Role Cluster Permissions Application Permissions Task Housekeeping Permissions Cluster Fargate Task via IAM Policies via Task Execution Role & Service Linked Role via Task Role

47. If you don’t know now you know

48. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Storage Container Filesystem space – 10GB Ephemeral storage backed by EBS

49. Hybrid clusters are possible The same cluster can run tasks

    of type Fargate, and of type EC2 FAQ: how do I exec into a Fargate container? Short Answer: you don’t Longer answer: if it were me, I’d stop the Fargate container and restart as type EC2 for debugging, then switch back over. Long term, something we’re looking at building.

50. The Fargate wizard doesn’t let me use my own VPC

    The wizard is just for learning Fargate concepts and how it works. You can absolutely use (and should use) your own VPC. Wait what? The wizard/getting started flow in Fargate will create a VPC and subnets for you. You can both a) edit the resources created through the wizard, or launch Fargate tasks into a previously created VPC through the regular console flow/the CLI.

51. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. VPC configuration { "family": "scorekeep", "cpu": "1 vCpu", "memory": "2 gb", "networkMode": "awsvpc", "containerDefinitions": [ { "name":“scorekeep-frontend", "image":"xxx.dkr.ecr.us-east- 1.amazonaws.com/fe", "cpu": 256, "memoryReservation": 512 }, { "name":“scorekeep-api", "image":"xxx.dkr.ecr.us-east- 1.amazonaws.com/api", "cpu": 768, "memoryReservation": 512 } ] } $ aws ecs run-task ... -- platform-version LATEST -- network-configuration “awsvpcConfiguration = { subnets=[subnet1-id, subnet2- id], securityGroups=[sg-id] }” Other network modes not supported on Fargate Run Task Task Definition

52. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Isolation is at the Cluster level PROD Cluster Infrastructure DEV Cluster Infrastructure BETA Cluster Infrastructure QA Cluster Infrastructure Web Web Shopping Cart Shopping Cart Notifications Notifications Web Shopping Cart Notifications Web Shopping Cart Shopping Cart Notifications Notifications Web Web PROD CLUSTER BETA CLUSTER DEV CLUSTER QA CLUSTER

53. What does that mean? The cluster is your logical boundary.

    Anything that is part of the cluster is isolated from everything else.

54. © 2017, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Load Balancer setup • ELB integration supported on services • ALB & NLB supported. Classic ELB not supported • Some details on ALB: • ALB requires that you pick at least two subnets in two different Azs • Ensure that the ALB subnet AZs are a superset of your task subnet Azs • Select ALB Target type: IP (not Instance)

55. I get by with a little help from my friends

    (CLIs).

56. CLIs (that I know of) for Fargate/ECS: • aws-cli: the

    official OG. Open source, includes most AWS services. • More info here: https://aws.amazon.com/cli/ • Github here: https://github.com/aws/aws-cli • ecs-cli: also official, but just for ECS. Supports docker compose files. • More info here: https://github.com/aws/amazon-ecs-cli Some good unofficial options: • Fargate cli: https://github.com/jpignata/fargate • Coldbrew cli: https://github.com/coldbrewcloud/coldbrew-cli

57. And one more thing.

58. The awesome-ecs project: https://github.com/nathanpeck/awesome-ecs

59. Workshops! • From @brentcontained • https://t.co/ba0usbZqHN

60. None

61. We love feedback/questions/comments!

62. Exciting announcements! AWS Pop-Up Loft is coming to Dublin! 9-14

    April Register here: awsloft-dublin.com Amazon offices, One Burlington Plaza, Burlington Road, Dublin 4

63. Questions? @abbyfuller