rights reserved. Containers on AWS C h r i s t o p h K a s s e n S o l u t i o n s A r c h i t e c t , A W S h t t p s : / / t w i t t e r . c o m / c h r i s t o p h _ k A W S U G B e r l i n - F e b r u a r y 2 0 t h , 2 0 1 8
rights reserved. PRODUCTION WORKLOADS ON AWS AWS VPC networking mode Advanced task placement Deep integration with AWS platform ECS CLI … { } Global footprint Powerful scheduling engines Auto scaling CloudWatch metrics Load balancers
rights reserved. TASK NETWORKING Default/Root Global Namespace docker0 Io eth0 172.16.0.0 172.16.1.0 172.16.2.0 1. Pre ENI Attachment: The Primary ENI (eth0) is in the default namespace 2. ENI Attachment: The new ENI (eth1) is in the default namespace 3. ENI Provisioned: The ECS Agent invokes CNI plugins to move the new ENI into a new namespace and configures addresses and routes Default/Root Global Namespace docker0 Io eth0 172.16.0.0 172.16.1.0 172.16.2.0 eth1 Default/Root Global Namespace ecs0 Io eth0 172.16.0.0 172.16.1.0 172.16.2.0 docker0 Io eth0 172.16.0.0 172.16.1.0 172.16.2.0 ve-c1
rights reserved. MANAGED SERVICE DISCOVRY Applications invoked by name Automatically resolved to IP or port Native to Amazon ECS services No infrastructure to manage
rights reserved. FULL CD WITH AWS CODEPIPELINE AWS CodeCommit AWS CodeBuild Amazon ECR Amazon ECS Source Repository Build Deploy or or AWS CodePipeline Store Image
rights reserved. WINDOWS CONTAINERS NOW GA AWS IAM roles for tasks Advanced task placement Deep integration with AWS platform ECS CLI … { } Global footprint Powerful scheduling engines Auto scaling CloudWatch metrics Load balancers
rights reserved. CUSTOMERS ARE OUR KEY! 50+ releases since 2015 Customers Release Feedback / New Use Cases Learn Experiment, Innovate, & Build Features
rights reserved. No instances to manage Task native API Resource based pricing Simple, easy to use, powerful – and new consumption model = CHANGING COMPUTE CONSUMPTION MODEL
rights reserved. Scheduling and Orchestration Cluster Manager Placement Engine RUNNING CONTAINERS AT SCALE WITH ECS Availability Zone #1 Availability Zone #2 Availability Zone #3
rights reserved. Define application containers: Image URL, CPU & Memory requirements, etc. register Task Definition create Cluster • Infrastructure Isolation boundary • IAM Permissions boundary run Task • A running instantiation of a task definition • Use FARGATE launch type create Service Elastic Load Balancer • Maintain x running copies • Integrated with Load Balancing • Unhealthy tasks automatically replaced ECS CONSTRUCTS
rights reserved. TASK DEFINITION { "family": “scorekeep", "containerDefinitions": [ { "name":“scorekeep-frontend", "image":"xxx.dkr.ecr.us-east-1.amazonaws.com/fe" }, { "name":“scorekeep-api", "image":"xxx.dkr.ecr.us-east-1.amazonaws.com/api" } ] } Immutable, versioned document Identified by family:version Contains a list of up to 10 container definitions All containers are co-located on the same host Each container definition has: • A name • Image URL (Amazon ECR or Public Images) • And more…stay tuned! Task Definition Snippet
rights reserved. RUNNING FARGATE CONTAINERS WITH ECS Use ECS APIs to launch Fargate Containers Easy migration – Run Fargate and EC2 launch type tasks in the same cluster Same Task Definition schema
rights reserved. VPC INTEGRATION 172.31.0.0/16 Subnet 172.31.1.0/24 Internet Other Entities in VPC EC2 LB DB etc. Private IP 172.31.1.164 • AWS VPC Networking Mode – each task gets its own interface • All Fargate Tasks run in customer VPC and subnets • Configure security groups to control inbound & outbound traffic • Public IP support • Spread your application across subnets in multiple Availability Zones (AZs) for resiliency us-east-1a us-east-1b us-east-1c ENI Fargate Task Public / 208.57.73.13 /
rights reserved. PERMISSION TIERS Cluster Permissions Application Permissions Task Housekeeping Permissions Cluster Fargate Task Cluster Permissions: Who can run/see tasks in the cluster? Application (Task) Permissions: Which of my AWS resources can this application access? Housekeeping Permissions: What permissions do I want to grant ECS to perform? e.g. • ECR Image Pull • CloudWatch Logs pushing • ENI creation • Register/Deregister targets into ELB
rights reserved. Open source container management platform Helps you run containers at scale Gives you primitives for building modern applications What is Kubernetes?
rights reserved. But where you run K8s matters Q U A L I T Y O F T H E C L O U D P L AT F O R M Q U A L I T Y O F T H E A P P L I C AT I O N S Y O U R U S E R S