Slide 1

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Containers on AWS
Paul Lewis, Specialist Solutions Architect, Container Technologies
July 2019

Slide 2

Introductions
Paul Lewis, Specialist Solutions Architect, Container Technologies
• 15 years infrastructure experience
• 11 years system and solutions architecture experience
Email: [email protected]

Slide 3

Why Containers? FizzBuzz!

Slide 4

Application environment components
• Runtime Engine
• Code
• Dependencies
• Configuration

Slide 5

Different environments
• Local Laptop
• Staging / QA
• Production
• On-Prem

Slide 6

It worked on my machine, why not in prod?
The same application is deployed to four environments (Local Laptop, Staging / QA, Production, On-Prem), but each carries a different version of the runtime or of a dependency (v6.0.0, v7.0.0, v4.0.0 and v7.0.0 in the diagram), so behaviour differs from one environment to the next.

Slide 7

Containers to the rescue
A container packages the Runtime Engine, Code and Dependencies into a single artifact that moves between environments unchanged.

Slide 8

What is Docker?
Lightweight container platform: containers are ordinary processes isolated by the host kernel (namespaces, cgroups), not virtual machines with a kernel of their own.
Tools to manage and deploy your applications.
Licensed under the Apache 2.0 license.
First released March 2013.
Built by Docker, Inc.

Slide 9

Docker container image
Read-only image that is used as a template to launch a container.
Start from base images that have your dependencies, add your custom code.
Dockerfile for easy, reproducible builds.
[Layer diagram: bootfs / kernel (host) → Ubuntu base image → image (add nginx) → image (add nodejs) → writable container layer; each image references its parent image]

Slide 10

Four environments, same container: Local Laptop, Staging / QA, Production, On-Prem

Slide 11

Containers vs Virtual Machines
Bare Metal: Server (Host) → Operating System (OS) → Libraries → App 1, 2, 3 (one OS, shared libraries, no isolation between apps)
Virtual Machine: Server (Host) → Hypervisor → a Guest OS with its own Bins/Libs per VM → App 1 / App 2 / App 3 (each app gets its own kernel)
Containers: Server (Host) → Operating System (OS) → Docker Engine → Bins/Libs per container → App 1 / App 2 / App 3 (each app gets its own filesystem and libraries, but all share the host kernel)

Slide 12

Container & Docker Benefits
• Portable application artifact that runs reliably everywhere
• Run different applications or application versions with different dependencies simultaneously
• Better resource utilization by running multiple lightweight containers per host

Slide 13

So what's the catch?

Slide 14

Managing one container is easy…
[Figure: one server with a guest OS running two containers, App1 and App2, each with its own Bins/Libs]

Slide 15

…but managing many containers is difficult
[Figure: a grid of dozens of servers, each with its own guest OS and containers]

Slide 16

Enter container orchestration tools

Slide 17

Make AWS the BEST PLACE to run ANY containerized applications

Slide 18

AWS container services landscape
Management (deployment, scheduling, scaling and management of containerized applications): Amazon Elastic Container Service, Amazon Elastic Container Service for Kubernetes
Hosting (where the containers run): Amazon EC2, AWS Fargate
Image Registry (container image repository): Amazon Elastic Container Registry
Service Discovery and Service Mesh: AWS Cloud Map, AWS App Mesh

Slide 19

Why are customers adopting containers?
• Accelerate software development
• Build modern applications
• Automate operations at web scale

Slide 20

Why customers love AWS container services
Containers are a first-class citizen of the AWS Cloud: broad selection of compute instances and IAM security, VPC networking, load balancing, and autoscaling
Deeply integrated with AWS Security and Compliance: ISO, HIPAA, PCI, SOC 1, SOC 2, SOC 3, Infocomm Media Development Authority
DevOps Workflow: best place to build and operate a complete DevOps workflow for containers, with AWS DevTools and Cloud9

Slide 21

Service level agreement
99.99%: Amazon ECS, AWS Fargate
99.9%: Amazon EKS, Amazon ECR

Slide 22

Typical use cases
• Microservices: Java, Node.js, Go, Web Apps, etc.
• Continuous Integration and Continuous Deployment (CI/CD)
• Batch Processing and ETL jobs
• Common PaaS Stack for Application Deployment
• Legacy Application Migration to the Cloud
• Hybrid Workloads
• AI/ML
• Scale Testing
• Backend for IoT use cases

Slide 23

Amazon Elastic Container Service

Slide 24

ECS provides: Scheduling and Orchestration, Cluster Manager, Placement Engine

Slide 25

AWS Fargate

Slide 26

Without Fargate, you end up managing more than just containers: the EC2 instance, its OS, the Docker daemon and the ECS agent are all yours to patch and operate.

Slide 27

Amazon Elastic Container Service

Slide 28

Amazon Elastic Container Service + AWS Fargate: run serverless containers

Slide 29

Amazon ECS: What's New In 2019 (https://aws.amazon.com/containers/new/)
• January: Fargate price reduction by up to 50%
• January: 99.9% SLA for ECR
• January: PrivateLink support for ECS and ECR
• February: ECS provides enhanced support for GPU-enabled instances
• February: PrivateLink support for Fargate
• March: ECS and Fargate support external deployment controllers for ECS services
• March: New local testing tools available for ECS
• April: Fargate PV1.3 adds secrets and enhanced container dependency management
• May: ECS console support for ECS-optimized AL2 AMI and A1 instance family
• June: ECS support for Windows Server 2019 containers is generally available
• June: ECS now supports increased ENI limits for tasks in awsvpc networking mode

Slide 30

Amazon Elastic Kubernetes Service

Slide 31

What is Kubernetes?
• Open source container management platform
• Helps you run containers at scale
• Gives you primitives for building modern applications

Slide 32

Community, contribution, choice

Slide 33

But where you run Kubernetes matters: quality of the cloud platform → quality of the applications → your users

Slide 34

—CNCF survey

Slide 35

[Figure: kubectl talking to the cluster endpoint mycluster.eu-west-1.eks.amazonaws.com, whose control plane is spread across Availability Zone 1, Availability Zone 2 and Availability Zone 3]

Slide 36

Amazon EKS Control Plane
• Highly available and single tenant infrastructure
• All "native AWS" components
• Fronted by an NLB
[Figure: a VPC with an NLB in front of the Amazon EKS control plane, which consists of an ELB, an etcd auto scaling group (ASG) and an API servers ASG]

Slide 37

EKS is Kubernetes certified

Slide 38

Kubernetes Versions
• Minor versions controlled by customers
• 1.10, 1.11, 1.12, 1.13 currently available
• Patch versions automatically applied to control plane
• Current versions are 1.10.13, 1.11.8, 1.12.6, 1.13.7
• Platform Version defines Kubernetes version and other key control plane capabilities
Version numbering, e.g. v1.12.0: Major (breaking changes) . Minor (new features) . Patch (bug fixes, security)

Slide 39

EKS Cluster Upgrades
UpdateClusterVersion API: triggers an in-place upgrade of the Kubernetes minor version
ListUpdates and DescribeUpdate APIs: provide visibility into the status of a given cluster update
The upgrade covers the control plane only; worker nodes run their own kubelet version and must be updated separately to stay within Kubernetes' supported version skew.

Slide 40

Kubernetes v1.13 is now available for EKS! NEW!
New with Kubernetes v1.13 on EKS:
• ECR PrivateLink endpoints are supported
• CoreDNS as default DNS provider
• PodSecurityPolicy admission controller is now enabled
• Topology Aware Volume Scheduling
• DryRun feature is in beta and enabled in EKS
• TaintBasedEvictions feature is in beta and enabled in EKS
• Raw block volume support is in beta and enabled in EKS

Slide 41

Pod Security Policies – What Do I Need To Know?
• Enable fine-grained authorization of pod creation and updates, e.g.
  • Prevent pods running as root
  • Prevent pods using host networking mode
  • Ensure a pod's security context is correctly enforced
• EKS includes a default eks.permissive PSP, bound to all authenticated users, which is equivalent to having the PSP admission controller disabled: a pod is admitted if any PSP its requester is allowed to use permits it, so the controller only starts enforcing once you create restrictive policies, bind them to the service accounts that need them, and remove the eks.permissive binding
• More details in our Blog Post!
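The three controls on the slide and the any-usable-policy admission rule, modelled as an added Python example (this is not EKS or Kubernetes code). validate_pod applies a restrictive policy and a permissive stand-in for eks.permissive to constructed pod specs; admit shows why a leftover permissive binding cancels a restrictive policy. The policy dicts, the pod specs, the image names and the requirement that non-root be declared explicitly are assumptions of the example: the real admission controller instead mutates the pod (setting runAsNonRoot=true) and leaves the final root check to the kubelet.

```python
"""Simplified PodSecurityPolicy model (added example, not EKS/Kubernetes code)."""
from typing import Any, Dict, List, Tuple

Pod = Dict[str, Any]
Policy = Dict[str, Any]

# Stand-in for eks.permissive: every check passes, which is why the EKS default
# PSP is equivalent to having the admission controller disabled. (assumption)
PERMISSIVE_POLICY: Policy = {
    "name": "eks.permissive",
    "privileged": True,
    "hostNetwork": True,
    "runAsUser": "RunAsAny",
    "allowPrivilegeEscalation": True,
}

# A restrictive policy of the kind you would bind to application service accounts.
RESTRICTED_POLICY: Policy = {
    "name": "restricted",
    "privileged": False,
    "hostNetwork": False,
    "runAsUser": "MustRunAsNonRoot",
    "allowPrivilegeEscalation": False,
}


def _all_containers(pod: Pod) -> List[Dict[str, Any]]:
    spec = pod.get("spec", {})
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def _effective_security_context(pod: Pod, container: Dict[str, Any]) -> Dict[str, Any]:
    """Container-level securityContext fields override pod-level ones."""
    merged = dict(pod.get("spec", {}).get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def validate_pod(pod: Pod, policy: Policy) -> List[str]:
    """Return the list of policy violations; an empty list means the pod passes."""
    violations: List[str] = []
    spec = pod.get("spec", {})

    if spec.get("hostNetwork", False) and not policy["hostNetwork"]:
        violations.append("spec.hostNetwork=true is not allowed")

    for container in _all_containers(pod):
        name = container.get("name", "<unnamed>")
        sc = _effective_security_context(pod, container)

        if sc.get("privileged", False) and not policy["privileged"]:
            violations.append(f"{name}: privileged containers are not allowed")

        if policy["runAsUser"] == "MustRunAsNonRoot":
            if sc.get("runAsUser") == 0:
                violations.append(f"{name}: runAsUser=0 (root) is not allowed")
            elif "runAsUser" not in sc and not sc.get("runAsNonRoot", False):
                # Simplification: require an explicit non-root declaration.
                violations.append(f"{name}: set runAsNonRoot=true or a non-zero runAsUser")

        # Kubernetes treats an unset allowPrivilegeEscalation as true.
        if sc.get("allowPrivilegeEscalation", True) and not policy["allowPrivilegeEscalation"]:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")

    return violations


def admit(pod: Pod, usable_policies: List[Policy]) -> Tuple[bool, str]:
    """Admission rule: the pod is allowed if ANY policy the requester may use permits it."""
    for policy in usable_policies:
        if not validate_pod(pod, policy):
            return True, f"admitted by policy {policy['name']}"
    return False, "no usable policy permits this pod"


# Constructed sample pods for the demo (not real workloads).
SAMPLE_PODS: Dict[str, Pod] = {
    "root-hostnet": {
        "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "root-hostnet"},
        "spec": {"hostNetwork": True,
                 "containers": [{"name": "app", "image": "example/app:1.0",
                                 "securityContext": {"runAsUser": 0}}]},
    },
    "pod-level-nonroot": {
        "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "pod-level-nonroot"},
        "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
                 "containers": [{"name": "app", "image": "example/app:1.0",
                                 "securityContext": {"allowPrivilegeEscalation": False}}]},
    },
    "container-overrides-to-root": {
        "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "container-overrides-to-root"},
        "spec": {"securityContext": {"runAsNonRoot": True},
                 "containers": [{"name": "app", "image": "example/app:1.0",
                                 "securityContext": {"runAsUser": 0,
                                                     "allowPrivilegeEscalation": False}}]},
    },
}

if __name__ == "__main__":
    for pod_name, pod in SAMPLE_PODS.items():
        print(pod_name, "->", validate_pod(pod, RESTRICTED_POLICY) or "OK")
    # With eks.permissive still usable, the restricted policy changes nothing:
    print(admit(SAMPLE_PODS["root-hostnet"], [RESTRICTED_POLICY, PERMISSIVE_POLICY]))
    print(admit(SAMPLE_PODS["root-hostnet"], [RESTRICTED_POLICY]))
```

The third sample pod is the one to watch: its pod-level securityContext says runAsNonRoot, but the container overrides runAsUser to 0, so only a check of the effective (merged) context catches it.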

Slide 42

EKS is ready for sensitive & regulated workloads
• HIPAA-eligible
• ISO 9001, 27001, 27017, 27018
• PCI DSS Level 1

Slide 43

How are customers using Amazon EKS?
• Microservices
• PaaS (Platform-as-a-Service)
• Enterprise App Migration
• Machine Learning

Slide 44

Amazon EKS: What We Did In 2018 (https://aws.amazon.com/containers/new/)
• April: EKS achieved K8s conformance
• June: EKS is HIPAA eligible
• July: EKS AMI build scripts available in GitHub
• August: New EKS-optimized AMI and updated CloudFormation template for provisioning worker nodes
• August: EKS supports GPU-enabled EC2 instances
• August: EKS platform version 2 launched
• August: EKS supports HPA with custom metrics
• September: EKS launches in Dublin, Ireland
• September: EKS simplifies cluster setup with update-kubeconfig CLI command
• October: EKS adds support for Dynamic Admission Controllers (Istio)
• November: EKS launches in Ohio
• November: EKS adds ALB support with AWS ALB Ingress Controller
• December: EKS adds Managed Cluster Updates and support for Kubernetes version 1.11
• December: Stockholm Region launches with EKS available
• December: EKS available in Frankfurt, Singapore, Sydney, and Tokyo

Slide 45

Amazon EKS: What's New In 2019 (https://aws.amazon.com/containers/new/)
• January: EKS available in Seoul Region
• January: 99.9% SLA for EKS
• January: EKS achieves ISO and PCI compliance
• February: EKS available in London, Mumbai, and Paris Regions
• February: VPC CNI plugin v1.3.2 with enhancements for P3dn instances
• March: EKS adds Kubernetes API Server Endpoint Access Control
• March: EKS opens Public Preview of Windows Container Support
• March: EKS adds support for Kubernetes version 1.12
• March: EKS adds Cluster Version Updates via CloudFormation
• April: AWS introduces CSI drivers for Amazon EFS and Amazon FSx for Lustre
• April: EKS now delivers Kubernetes control plane logs to Amazon CloudWatch
• April: EKS opens Public Preview support of EC2 A1 instances
• May: EKS releases Deep Learning Benchmarking Utility
• May: EKS adds support for Public IP Addresses within cluster VPCs
• May: EKS simplifies Kubernetes cluster authentication
• June: EKS adds support for Kubernetes version 1.13

Slide 46

Amazon container services: AWS Fargate

Slide 47

New: AWS Cloud Map
Service discovery for all your cloud resources
• Constantly monitor the health of every resource
• Dynamically update the location of each microservice
Increase developer productivity
• Single registry for all app resources
• Define resources with user-friendly names
Integration with Amazon container services: AWS Fargate, Amazon ECS, Amazon EKS

Slide 48

New: AWS App Mesh
Observability & traffic control
• Easily export logs, metrics, and traces
• Client side traffic policies: circuit breaking, retries
• Routes for deployments
Works across clusters and container services: Amazon ECS, Amazon EKS, Kubernetes on EC2, AWS Fargate (coming soon!)
AWS built and run
• No control plane to manage
• Ease of operations
• High scale

Slide 49

AWS Container Roadmap: https://github.com/aws/containers-roadmap/projects/1

Slide 50

Amazon ECS/ECR Roadmap
• ECR image vulnerability scanning (#17)
• Container Insights for ECS (#70)
• App Mesh integration in the ECS console (#258)
• ECS CodeDeploy canary deployments (#229)
https://github.com/aws/containers-roadmap/projects/1

Slide 51

AWS Fargate Roadmap
• CloudWatch metrics for number of running/pending tasks per service and cluster (#282)
• Fargate ephemeral volume encryption (#314)
• EFS support for Fargate (#53)
https://github.com/aws/containers-roadmap/projects/1

Slide 52

Amazon EKS Roadmap
• Managed worker nodes (#139)
• Support for Kubernetes v1.14 (#212)
• Support for Kubernetes v1.15 (#380)
• IAM Roles for Pods (#23)
• High-density pod scheduling (#138)
• Fargate for EKS (#32)
https://github.com/aws/containers-roadmap/projects/1

Slide 53

THANK YOU
https://aws.amazon.com/containers