Running and managing large scale applications with microservices architectures is difficult and often requires operating complex container management infrastructure. Amazon EC2 Container Service (ECS) is a highly scalable, high performance service for running and managing Docker applications. In this webinar, we will walk through a number of patterns and tools used by our customers to run their applications on Amazon ECS. We will show you how to set up, manage and scale your Amazon ECS resources, keep them secure and deploy your applications to an Amazon ECS cluster. We will also provide best practices for monitoring, logging and service discovery.
Learning Objectives:
• Learn how to set up and manage Amazon ECS for production applications
• Learn how to schedule containers on production clusters using Amazon ECS
Who Should Attend:
• Developers, DevOps, Sys Admin
9. ECS Cluster Setup with Amazon ECS CLI
• Simplifies creating, updating, and monitoring clusters and tasks
• Supports Docker Compose
• Available on GitHub: https://github.com/aws/amazon-ecs-cli
10. ECS Cluster Setup with Amazon ECS CLI
# Build cluster and container instances
$ ecs-cli up --keypair demo-user --capability-iam --size 2
# Create task definition and start tasks
$ ecs-cli compose up
# See running tasks
$ ecs-cli compose ps
# Start tasks as ECS service
$ ecs-cli compose --project-name wordpress-test service start
# See the progress of task state
$ ecs-cli compose --project-name wordpress-test service ps
11. ECS Cluster Setup with AWS OpsWorks
• Update OpsWorks IAM role to allow ecs:* actions
• Add instances to layer (24/7, time-based, load-based)
• Manage security updates, user permission and access
Note:
• One ECS Cluster layer per stack
• An ECS Cluster can only be associated with one stack
13. Amazon ECR Setup
• You have read and write access to the repositories you create in your default registry, i.e. <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com
• Repository names can support namespaces, e.g. team-a/web-app.
• Repositories can be controlled with both IAM user access policies and repository policies.
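A check a reviewer might run over a repository policy before attaching it, given as an added example that is not part of the webinar slides. The policy document, account ID and role name are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed repository policy for illustration; the account ID and role
# name are placeholders, not values from the webinar.
REPO_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TeamABuildPushPull", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/team-a-build"},
     "Action": ["ecr:PutImage", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]},
    {"Sid": "AnyonePull", "Effect": "Allow",
     "Principal": "*",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}
  ]
}
""")

# ECR actions that change repository contents, plus the wildcards.
WRITE_ACTIONS = {"ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                 "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:*", "*"}

def as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_wildcard(principal):
    """True for "Principal": "*" and for {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False

def open_statements(policy):
    """Return (sid, 'push' | 'pull') for Allow statements open to any principal."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        # Statements with a Condition need manual review and are skipped here.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if is_wildcard(stmt.get("Principal")):
            actions = set(as_list(stmt.get("Action", [])))
            kind = "push" if actions & WRITE_ACTIONS else "pull"
            findings.append((stmt.get("Sid", "<no Sid>"), kind))
    return findings

if __name__ == "__main__":
    for sid, kind in open_statements(REPO_POLICY):
        print(f"{sid}: any principal may {kind} images")
```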
14. Amazon ECR Setup
# Authenticate Docker to your Amazon ECR registry
> aws ecr get-login
> docker login -u AWS -p <password> -e none https://<aws_account_id>.dkr.ecr.us-east-1.amazonaws.com
# Create a repository called ecr-demo
> aws ecr create-repository --repository-name ecr-demo
# Push an image to your repository
> docker push <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/ecr-demo:v1
15. Amazon ECR Docker Credential Helper
• Available today - https://github.com/awslabs/amazon-ecr-credential-helper
• Place the docker-credential-ecr-login binary on your PATH
• Set the contents of ~/.docker/config.json file to be:
{ "credsStore": "ecr-login" }
• Push and pull images from ECR without docker login
19. Monitoring with Amazon CloudWatch
• Metric data sent to CloudWatch in 1-minute periods and recorded for a period of two weeks
• Available metrics: CPUReservation, MemoryReservation, CPUUtilization, MemoryUtilization
• Available dimensions: ClusterName, ServiceName
22. Monitoring with Amazon CloudWatch
Use the Amazon CloudWatch Monitoring Scripts to monitor additional metrics, e.g. disk space:
# Edit crontab
> crontab -e
# Add command to report disk space utilization to CloudWatch every five minutes
*/5 * * * * <path_to>/mon-put-instance-data.pl --disk-space-util --disk-space-used --disk-space-avail --disk-path=/ --from-cron
23. CloudWatch Logs with awslogs driver
[Diagram: Amazon ECS sends logs to Amazon CloudWatch Logs, which feeds Amazon S3 (Store), Amazon Kinesis (Stream), AWS Lambda (Process) and Amazon Elasticsearch Service (Search)]
29. Setup ECS Cluster with AutoScaling
Create LaunchConfiguration
• Pick instance type depending on resource requirements, e.g. memory or CPU
• Use latest Amazon Linux ECS-optimized AMI, other distros available
Create AutoScaling group and set to cluster initial size
30. AutoScaling your Amazon ECS Cluster
• Create CloudWatch alarm on a metric, e.g. MemoryReservation
• Configure scaling policies to increase and decrease the size of your cluster
34. Service Discovery using ELB
• Automation built using CloudWatch Events, Lambda and Route53 private hosted zones
• Route53 is used as service registry
• Lambda is used to add/remove records based on Service APIs from ECS
• Available on GitHub: https://github.com/awslabs/ecs-refarch-service-discovery
36. Service Discovery using DNS
• Install an agent (ecssd_agent.go) on container instances
• The agent registers service name, IP and port into Route53 private hosted zone
• lambda_health_check.py used for cleanup
• Available on GitHub: https://github.com/awslabs/service-discovery-ecs-dns
38. Service Discovery with Weaveworks
• DNS interface for cross-host container communication
• Gossip protocol to share grouped updates
• Overlay network between hosts
39. Service Discovery and Configuration Management with Consul
[Diagram: an ECS cluster containing a consul-server and ECS instances running consul-agent and registrator alongside the Front end, Back end 1 and Back end 2 containers]
45. Secrets Management
• Option 1: Task Definition Environment Variables
• Easy to get Started
• Configuration stored Directly into Task Definition
• Version in Immutable Definition; Easy Rollback
• Not Great for Secrets
• Option 2: Encrypted DynamoDB or S3
• Use Environment Variables to Provide Pointer
• Use AWS Encryption Clients to Securely Store
• Use VPC-Endpoints, IAM Policies, and IAM Roles to Restrict Access
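The difference between the two options can be checked mechanically before a task definition is registered. The following is an added example, not code from the webinar: it flags environment variables that carry a secret inline (Option 1) and accepts variables that only point at an encrypted store (Option 2). The task definition is constructed, the access key is the AWS documentation placeholder, and the pointer formats (s3:// URIs and S3 or DynamoDB ARNs) are assumptions.

```python
import json
import re

# Constructed sample task definition (not from the webinar): a plain setting,
# two inline secrets, and one pointer to an encrypted object.
TASK_DEF = json.loads("""
{
  "family": "wordpress-test",
  "containerDefinitions": [{
    "name": "web",
    "environment": [
      {"name": "LOG_LEVEL", "value": "info"},
      {"name": "DB_PASSWORD", "value": "example-not-a-real-password"},
      {"name": "AWS_KEY", "value": "AKIAIOSFODNN7EXAMPLE"},
      {"name": "DB_PASSWORD_URI", "value": "s3://example-config-bucket/web/db_password.enc"}
    ]
  }]
}
""")

SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)
ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Assumed pointer formats: an S3 URI or an S3/DynamoDB ARN.
POINTER = re.compile(r"^(s3://|arn:aws:(s3|dynamodb):)")

def audit_task_definition(task_def):
    """Return (container, variable, reason) for each inline secret found."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        cname = container.get("name", "<unnamed>")
        for env in container.get("environment", []):
            name, value = env.get("name", ""), env.get("value", "")
            if POINTER.match(value):
                continue  # Option 2: the variable only points at the encrypted store
            if ACCESS_KEY_ID.search(value):
                findings.append((cname, name, "value looks like an AWS access key ID"))
            elif SECRET_NAME.search(name):
                findings.append((cname, name, "secret-like name with inline value"))
    return findings

if __name__ == "__main__":
    for container, name, reason in audit_task_definition(TASK_DEF):
        print(f"{container}: {name}: {reason}")
```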
48. AWS Elastic Beanstalk
• Elastic Beanstalk uses Amazon ECS to coordinate deployments to multi-container Docker environments
• Dockerrun.aws.json file that describes how to deploy containers.
• Takes care of tasks including cluster creation, task definition and execution
50. Convox
# Initialize your app and create default manifest
> convox init
# Locally build and run your app as declared in the manifest
> convox start
# Create app
> convox apps create my_app
# Deploy app, output ELB DNS name
> convox deploy
[...]
web: http://my_app-1234567890.us-east-1.elb.amazonaws.com
51. Remind Empire
• Offers a control layer on top of Amazon ECS that provides a Heroku-like workflow
• Any tagged Docker image can be deployed to Empire as an app
• When you deploy a Docker image to Empire, it will extract a Procfile from the WORKDIR
• Each process type in the Procfile maps directly to an ECS Service
52. Remind Empire
• Get started by launching CloudFormation stack
• Use the emp client to start developing your app
# tell empire client where it can find the API
$ export EMPIRE_API_URL=http://empire-60-LoadBala-…elb.amazonaws.com/
# login to empire using your github credentials
$ emp login
# run your first app
$ emp deploy remind101/acme-inc:master
# check what’s running
$ emp apps
acme-inc Jun 15 20:42[...]
53. Additional Resources
• ECS CLI – http://bit.ly/2eKy3I6
• ECR Docker Credential Helper – http://bit.ly/2dD02xo
• AutoScaling – http://amzn.to/2eohA2a
• ECS integration with ALB to support Dynamic ports and Path-based routing: http://amzn.to/2exhh07
• Service Discovery
• Service Discovery using ELB – http://bit.ly/2dAN6Dw
• Service Discovery using DNS – http://bit.ly/2eI831D