Containers on AWS - Speaker Deck

Slide 1

Slide 1 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Containers on AWS C h r i s t o p h K a s s e n S o l u t i o n s A r c h i t e c t , A W S h t t p s : / / t w i t t e r . c o m / c h r i s t o p h _ k A W S U G B e r l i n - F e b r u a r y 2 0 t h , 2 0 1 8

Slide 2

Slide 2 text

Slide 3

Slide 3 text

Slide 4

Slide 4 text

Slide 5

Slide 5 text

Slide 6

Slide 6 text

Slide 7

Slide 7 text

Slide 8

Slide 8 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. PRODUCTION WORKLOADS ON AWS AWS VPC networking mode Advanced task placement Deep integration with AWS platform ECS CLI … { } Global footprint Powerful scheduling engines Auto scaling CloudWatch metrics Load balancers

Slide 9

Slide 9 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. HELPING CUSTOMERS SCALE CONTAINERS 450+% growth Hundreds of millions of containers started each week millions of container instances

Slide 10

Slide 10 text

Slide 11

Slide 11 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Make AWS the BEST PLACE to run containerized applications © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Slide 12

Slide 12 text

Slide 13

Slide 13 text

Slide 14

Slide 14 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. TASK NETWORKING Default/Root Global Namespace docker0 Io eth0 172.16.0.0 172.16.1.0 172.16.2.0 1. Pre ENI Attachment: The Primary ENI (eth0) is in the default namespace 2. ENI Attachment: The new ENI (eth1) is in the default namespace 3. ENI Provisioned: The ECS Agent invokes CNI plugins to move the new ENI into a new namespace and configures addresses and routes Default/Root Global Namespace docker0 Io eth0 172.16.0.0 172.16.1.0 172.16.2.0 eth1 Default/Root Global Namespace ecs0 Io eth0 172.16.0.0 172.16.1.0 172.16.2.0 docker0 Io eth0 172.16.0.0 172.16.1.0 172.16.2.0 ve-c1

Slide 15

Slide 15 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. MANAGED SERVICE DISCOVRY Applications invoked by name Automatically resolved to IP or port Native to Amazon ECS services No infrastructure to manage

Slide 16

Slide 16 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. FULL CD WITH AWS CODEPIPELINE AWS CodeCommit AWS CodeBuild Amazon ECR Amazon ECS Source Repository Build Deploy or or AWS CodePipeline Store Image

Slide 17

Slide 17 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. WINDOWS CONTAINERS NOW GA AWS IAM roles for tasks Advanced task placement Deep integration with AWS platform ECS CLI … { } Global footprint Powerful scheduling engines Auto scaling CloudWatch metrics Load balancers

Slide 18

Slide 18 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CUSTOMERS ARE OUR KEY! 50+ releases since 2015 Customers Release Feedback / New Use Cases Learn Experiment, Innovate, & Build Features

Slide 19

Slide 19 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Make AWS the BEST PLACE to run ANY containerized applications © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Slide 20

Slide 20 text

Slide 21

Slide 21 text

Slide 22

Slide 22 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. No instances to manage Task native API Resource based pricing Simple, easy to use, powerful – and new consumption model = CHANGING COMPUTE CONSUMPTION MODEL

Slide 23

Slide 23 text

Slide 24

Slide 24 text

Slide 25

Slide 25 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. EC2 Instance Task Task Task Task EC2 Instance Task Task Task Task EC2 Instance Task Task Task Task EC2 Instance Task Task Task Task EC2 Instance Task Task Task Task RUNNING CONTAINERS

Slide 26

Slide 26 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scheduling and Orchestration Cluster Manager Placement Engine RUNNING CONTAINERS AT SCALE WITH ECS Availability Zone #1 Availability Zone #2 Availability Zone #3

Slide 27

Slide 27 text

Slide 28

Slide 28 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scheduling and Orchestration Cluster Manager Placement Engine ECS AMI Docker agent ECS agent EC2 Instance ECS AMI Docker agent ECS agent EC2 Instance ECS AMI Docker agent ECS agent EC2 Instance

Slide 29

Slide 29 text

Slide 30

Slide 30 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Define application containers: Image URL, CPU & Memory requirements, etc. register Task Definition create Cluster • Infrastructure Isolation boundary • IAM Permissions boundary run Task • A running instantiation of a task definition • Use FARGATE launch type create Service Elastic Load Balancer • Maintain x running copies • Integrated with Load Balancing • Unhealthy tasks automatically replaced ECS CONSTRUCTS

Slide 31

Slide 31 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. TASK DEFINITION { "family": “scorekeep", "containerDefinitions": [ { "name":“scorekeep-frontend", "image":"xxx.dkr.ecr.us-east-1.amazonaws.com/fe" }, { "name":“scorekeep-api", "image":"xxx.dkr.ecr.us-east-1.amazonaws.com/api" } ] } Immutable, versioned document Identified by family:version Contains a list of up to 10 container definitions All containers are co-located on the same host Each container definition has: • A name • Image URL (Amazon ECR or Public Images) • And more…stay tuned! Task Definition Snippet

Slide 32

Slide 32 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. RUNNING FARGATE CONTAINERS WITH ECS Use ECS APIs to launch Fargate Containers Easy migration – Run Fargate and EC2 launch type tasks in the same cluster Same Task Definition schema

Slide 33

Slide 33 text

Slide 34

Slide 34 text

Slide 35

Slide 35 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. VPC INTEGRATION 172.31.0.0/16 Subnet 172.31.1.0/24 Internet Other Entities in VPC EC2 LB DB etc. Private IP 172.31.1.164 • AWS VPC Networking Mode – each task gets its own interface • All Fargate Tasks run in customer VPC and subnets • Configure security groups to control inbound & outbound traffic • Public IP support • Spread your application across subnets in multiple Availability Zones (AZs) for resiliency us-east-1a us-east-1b us-east-1c ENI Fargate Task Public / 208.57.73.13 /

Slide 36

Slide 36 text

Slide 37

Slide 37 text

Slide 38

Slide 38 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CLUSTER LEVEL ISOLATION PROD Cluster Infrastructure DEV Cluster Infrastructure BETA Cluster Infrastructure QA Cluster Infrastructure Web Web Shopping Cart Shopping Cart Notifications Notifications Web Shopping Cart Notifications Web Shopping Cart Shopping Cart Notifications Notifications Web Web PROD CLUSTER BETA CLUSTER DEV CLUSTER QA CLUSTER

Slide 39

Slide 39 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. PERMISSION TIERS Cluster Permissions Application Permissions Task Housekeeping Permissions Cluster Fargate Task Cluster Permissions: Who can run/see tasks in the cluster? Application (Task) Permissions: Which of my AWS resources can this application access? Housekeeping Permissions: What permissions do I want to grant ECS to perform? e.g. • ECR Image Pull • CloudWatch Logs pushing • ENI creation • Register/Deregister targets into ELB

Slide 40

Slide 40 text

Slide 41

Slide 41 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. REGISTRY SUPPORT 3rd Party Private Repositories (coming soon!) Public Repositories supported Amazon Elastic Container Registry (ECR)

Slide 42

Slide 42 text

Slide 43

Slide 43 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. STORAGE Container Storage Space – 10GB Ephemeral storage backed by EBS Shared volume space for containers within the task – 4GB

Slide 44

Slide 44 text

Slide 45

Slide 45 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. PRICING DIMENSIONS { ”cpu": “1 vCPU”, ”memory": “2 gb”, "networkMode": ”AWSVPC", "compatibilities": [”FARGATE", ”EC2"], "placementConstraints": [], "containerDefinitions": [ { ….... Task level resources • Configurable independently (within a range) Dimensions: Task level CPU and memory Per-second billing Task Level Resources

Slide 46

Slide 46 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. TASK CPU & MEMORY CONFIGURATIONS Flexible configuration options – 50 CPU/memory configurations CPU Memory 256 (.25 vCPU) 512MB*, 1GB, 2GB 512 (.5 vCPU) 1GB to 4GB (1GB increments) 1024 (1 vCPU) 2GB to 8GB (1GB increments) 2048 (2 vCPU) 4GB to 16GB (1GB increments) 4096 (4 vCPU) 8GB to 30GB (1GB increments)

Slide 47

Slide 47 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ECS Instance ECS Instance ECS Instance ECS Instance ECS Instance ECS Instance EC2 FARGATE Notifications Amazon ECS CLUSTER Availability Zone #1 Availability Zone #2 Availability Zone #3 Subnet 2 172.31.2.0/24 Subnet 1 172.31.1.0/24 Subnet 3 172.31.3.0/24 Web Shopping Cart

Slide 48

Slide 48 text

Slide 49

Slide 49 text

Slide 50

Slide 50 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Open source container management platform Helps you run containers at scale Gives you primitives for building modern applications What is Kubernetes?

Slide 51

Slide 51 text

Slide 52

Slide 52 text

Slide 53

Slide 53 text

Slide 54

Slide 54 text

Slide 55

Slide 55 text

Slide 56

Slide 56 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. But where you run K8s matters Q U A L I T Y O F T H E C L O U D P L AT F O R M Q U A L I T Y O F T H E A P P L I C AT I O N S Y O U R U S E R S

Slide 57

Slide 57 text

Slide 58

Slide 58 text

Slide 59

Slide 59 text

Slide 60

Slide 60 text

Slide 61

Slide 61 text

Slide 62

Slide 62 text

Slide 63

Slide 63 text

Slide 64

Slide 64 text

Slide 65

Slide 65 text

Slide 66

Slide 66 text

Slide 67

Slide 67 text

Slide 68

Slide 68 text

Slide 69

Slide 69 text

Slide 70

Slide 70 text

Slide 71

Slide 71 text

Slide 72

Slide 72 text

Slide 73

Slide 73 text

Slide 74

Slide 74 text

Slide 75

Slide 75 text

Slide 76

Slide 76 text

No content

Slide 77

Slide 77 text

Slide 78

Slide 78 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Kubectl 3) Authorizes AWS Identity with RBAC K8s API 1) Passes AWS Identity 2) Verifies AWS Identity 4) K8s action allowed/denied AWS Auth

Slide 79

Slide 79 text

No content

Slide 80

Slide 80 text

No content

Slide 81

Slide 81 text

1.7.4 1.7.5 Version 1.7 Version 1.8

Slide 82

Slide 82 text

No content

Slide 83

Slide 83 text

Slide 84

Slide 84 text

Slide 85

Slide 85 text

Slide 86

Slide 86 text

Slide 87

Slide 87 text