Containers on AWS

© 2018, Amazon Web Services, Inc. or its Affiliates. All
rights reserved. Containers on AWS C h r i s t o p h K a s s e n S o l u t i o n s A r c h i t e c t , A W S h t t p s : / / t w i t t e r . c o m / c h r i s t o p h _ k A W S U G B e r l i n - F e b r u a r y 2 0 t h , 2 0 1 8

rights reserved. AMAZON CONTAINER SERVICES (coming soon)

rights reserved. CONTAINERS, CONTAINERS, CONTAINERS

rights reserved. WHY DO WE LOVE CONTAINERS? Packaging Distribution Immutable infrastructure

rights reserved. OUR JOURNEY

rights reserved. DAY ONE

rights reserved. BUILDING AN ECOSYSTEM

rights reserved. PRODUCTION WORKLOADS ON AWS AWS VPC networking mode Advanced task placement Deep integration with AWS platform ECS CLI … { } Global footprint Powerful scheduling engines Auto scaling CloudWatch metrics Load balancers

rights reserved. HELPING CUSTOMERS SCALE CONTAINERS 450+% growth Hundreds of millions of containers started each week millions of container instances

rights reserved.

rights reserved. SERVICE LEVEL AGREEMENT 99.99

rights reserved. Make containers a fundamental compute primitive

rights reserved. TASK NETWORKING Default/Root Global Namespace docker0 Io eth0 172.16.0.0 172.16.1.0 172.16.2.0 1. Pre ENI Attachment: The Primary ENI (eth0) is in the default namespace 2. ENI Attachment: The new ENI (eth1) is in the default namespace 3. ENI Provisioned: The ECS Agent invokes CNI plugins to move the new ENI into a new namespace and configures addresses and routes Default/Root Global Namespace docker0 Io eth0 172.16.0.0 172.16.1.0 172.16.2.0 eth1 Default/Root Global Namespace ecs0 Io eth0 172.16.0.0 172.16.1.0 172.16.2.0 docker0 Io eth0 172.16.0.0 172.16.1.0 172.16.2.0 ve-c1

rights reserved. MANAGED SERVICE DISCOVRY Applications invoked by name Automatically resolved to IP or port Native to Amazon ECS services No infrastructure to manage

rights reserved. FULL CD WITH AWS CODEPIPELINE AWS CodeCommit AWS CodeBuild Amazon ECR Amazon ECS Source Repository Build Deploy or or AWS CodePipeline Store Image

rights reserved. WINDOWS CONTAINERS NOW GA AWS IAM roles for tasks Advanced task placement Deep integration with AWS platform ECS CLI … { } Global footprint Powerful scheduling engines Auto scaling CloudWatch metrics Load balancers

rights reserved. CUSTOMERS ARE OUR KEY! 50+ releases since 2015 Customers Release Feedback / New Use Cases Learn Experiment, Innovate, & Build Features

rights reserved. ENABLE FOCUS ON APPLICATIONS

rights reserved. INTRODUCING AWS FARGATE!

rights reserved. No instances to manage Task native API Resource based pricing Simple, easy to use, powerful – and new consumption model = CHANGING COMPUTE CONSUMPTION MODEL

rights reserved. HOW DO I RUN CONTAINERS ON FARGATE?

rights reserved. RUNNING A SINGLE CONTAINER

rights reserved. EC2 Instance Task Task Task Task EC2 Instance Task Task Task Task EC2 Instance Task Task Task Task EC2 Instance Task Task Task Task EC2 Instance Task Task Task Task RUNNING CONTAINERS

rights reserved. Scheduling and Orchestration Cluster Manager Placement Engine RUNNING CONTAINERS AT SCALE WITH ECS Availability Zone #1 Availability Zone #2 Availability Zone #3

rights reserved. ECS AMI Docker agent ECS agent ECSTask ECSTask ECSTask ECSTask EC2 Instance

rights reserved. Scheduling and Orchestration Cluster Manager Placement Engine ECS AMI Docker agent ECS agent EC2 Instance ECS AMI Docker agent ECS agent EC2 Instance ECS AMI Docker agent ECS agent EC2 Instance

rights reserved. RUNNING FARGATE CONTAINERS WITH ECS

rights reserved. Define application containers: Image URL, CPU & Memory requirements, etc. register Task Definition create Cluster • Infrastructure Isolation boundary • IAM Permissions boundary run Task • A running instantiation of a task definition • Use FARGATE launch type create Service Elastic Load Balancer • Maintain x running copies • Integrated with Load Balancing • Unhealthy tasks automatically replaced ECS CONSTRUCTS

rights reserved. TASK DEFINITION { "family": “scorekeep", "containerDefinitions": [ { "name":“scorekeep-frontend", "image":"xxx.dkr.ecr.us-east-1.amazonaws.com/fe" }, { "name":“scorekeep-api", "image":"xxx.dkr.ecr.us-east-1.amazonaws.com/api" } ] } Immutable, versioned document Identified by family:version Contains a list of up to 10 container definitions All containers are co-located on the same host Each container definition has: • A name • Image URL (Amazon ECR or Public Images) • And more…stay tuned! Task Definition Snippet

rights reserved. RUNNING FARGATE CONTAINERS WITH ECS Use ECS APIs to launch Fargate Containers Easy migration – Run Fargate and EC2 launch type tasks in the same cluster Same Task Definition schema

rights reserved. DEMO

rights reserved. NETWORKING

rights reserved. VPC INTEGRATION 172.31.0.0/16 Subnet 172.31.1.0/24 Internet Other Entities in VPC EC2 LB DB etc. Private IP 172.31.1.164 • AWS VPC Networking Mode – each task gets its own interface • All Fargate Tasks run in customer VPC and subnets • Configure security groups to control inbound & outbound traffic • Public IP support • Spread your application across subnets in multiple Availability Zones (AZs) for resiliency us-east-1a us-east-1b us-east-1c ENI Fargate Task Public / 208.57.73.13 /

rights reserved. LOAD BALANCING APPLICATION LOAD BALANCER NETWORK LOAD BALANCER

rights reserved. SECURITY

rights reserved. CLUSTER LEVEL ISOLATION PROD Cluster Infrastructure DEV Cluster Infrastructure BETA Cluster Infrastructure QA Cluster Infrastructure Web Web Shopping Cart Shopping Cart Notifications Notifications Web Shopping Cart Notifications Web Shopping Cart Shopping Cart Notifications Notifications Web Web PROD CLUSTER BETA CLUSTER DEV CLUSTER QA CLUSTER

rights reserved. PERMISSION TIERS Cluster Permissions Application Permissions Task Housekeeping Permissions Cluster Fargate Task Cluster Permissions: Who can run/see tasks in the cluster? Application (Task) Permissions: Which of my AWS resources can this application access? Housekeeping Permissions: What permissions do I want to grant ECS to perform? e.g. • ECR Image Pull • CloudWatch Logs pushing • ENI creation • Register/Deregister targets into ELB

rights reserved. CONTAINER REGISTRIES

rights reserved. REGISTRY SUPPORT 3rd Party Private Repositories (coming soon!) Public Repositories supported Amazon Elastic Container Registry (ECR)

rights reserved. VISIBILITY AND MONITORING Service-level metrics available CloudWatch Logs CloudWatch Events supported

rights reserved. STORAGE Container Storage Space – 10GB Ephemeral storage backed by EBS Shared volume space for containers within the task – 4GB

rights reserved. CONFIGURATIONS & PRICING

rights reserved. PRICING DIMENSIONS { ”cpu": “1 vCPU”, ”memory": “2 gb”, "networkMode": ”AWSVPC", "compatibilities": [”FARGATE", ”EC2"], "placementConstraints": [], "containerDefinitions": [ { <snip>….... Task level resources • Configurable independently (within a range) Dimensions: Task level CPU and memory Per-second billing Task Level Resources

rights reserved. TASK CPU & MEMORY CONFIGURATIONS Flexible configuration options – 50 CPU/memory configurations CPU Memory 256 (.25 vCPU) 512MB*, 1GB, 2GB 512 (.5 vCPU) 1GB to 4GB (1GB increments) 1024 (1 vCPU) 2GB to 8GB (1GB increments) 2048 (2 vCPU) 4GB to 16GB (1GB increments) 4096 (4 vCPU) 8GB to 30GB (1GB increments)

rights reserved. ECS Instance ECS Instance ECS Instance ECS Instance ECS Instance ECS Instance EC2 FARGATE Notifications Amazon ECS CLUSTER Availability Zone #1 Availability Zone #2 Availability Zone #3 Subnet 2 172.31.2.0/24 Subnet 1 172.31.1.0/24 Subnet 3 172.31.3.0/24 Web Shopping Cart

rights reserved. AVAILABLE NOW!

rights reserved.

rights reserved. Open source container management platform Helps you run containers at scale Gives you primitives for building modern applications What is Kubernetes?

rights reserved.

rights reserved. W h y d e v e l o p e r s l o v e K u b e r n e t e s Kubernetes can be run anywhere O N - P R E M I S E S C L O U D

rights reserved. W h y d e v e l o p e r s l o v e K u b e r n e t e s A single extensible API S C A L E P E R F O R M A N C E B R E A D T H

rights reserved. Cloud-native applications M I C R O S E R V I C E T O O L I N G N AT I V E A P P L I C AT I O N S

rights reserved. But where you run K8s matters Q U A L I T Y O F T H E C L O U D P L AT F O R M Q U A L I T Y O F T H E A P P L I C AT I O N S Y O U R U S E R S

rights reserved. 63%of Kubernetes workloads run on AWS today —CNCF survey

rights reserved. 3x Kubernetes masters for HA Kubernetes on AWS

rights reserved. API server Cloud controller Controller manager Scheduler Add-ons KubeDNS Kubernetes master

rights reserved. Availability Zone 1 etcd Master etcd Master etcd Master Availability Zone 2 Availability Zone 3

rights reserved. Availability Zone 1 etcd Master etcd Master Availability Zone 2 Availability Zone 3 etcd Master

rights reserved. “Run Kubernetes for me.”

rights reserved. “Native AWS Integrations.”

rights reserved. ”An Open Source Kubernetes Experience.”

rights reserved. E L A S T I C C O N TA I N E R S E RV I C E F O R K U B E R N E T E S (EKS)

rights reserved.

rights reserved. Availability Zone 1 etcd Master etcd Master Availability Zone 2 Availability Zone 3 etcd Master

rights reserved. mycluster.eks.amazonaws.com Availability Zone 1 Availability Zone 2 Availability Zone 3 kubectl

rights reserved. DEMO

rights reserved.

rights reserved. Heptio IAM Authenticator An open source approach to integrating AWS IAM authentication with Kubernetes

rights reserved. Kubectl 3) Authorizes AWS Identity with RBAC K8s API 1) Passes AWS Identity 2) Verifies AWS Identity 4) K8s action allowed/denied AWS Auth

1.7.4 1.7.5 Version 1.7 Version 1.8

rights reserved. Kubectl Workers PrivateLink Interface Amazon EKS

rights reserved. PLANNED FOR LATER IN 2018…

rights reserved. AMAZON CONTAINER SERVICES (coming soon)

rights reserved. Questions?

rights reserved. THANK YOU https://aws.amazon.com/containers

Containers on AWS

Containers on AWS

More Decks by Christoph Kassen

Other Decks in Technology

Featured

Transcript