Introduzione a Amazon Elastic Container Service

2. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda Introduction to the container Elastic container service • Core components • Networking • IAM role • Storage • Monitor and logging • Demo

3. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. A container is an atomic, self-contained package of software that includes everything it needs to run (code, runtime, libraries, packages, etc.) A popular, widely-used container platform with a suite of open-source tools and public registry is Docker More on that here: https://docker.com

4. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why are containers so popular? • Portable • Lightweight • Easy to deploy • Facilitate implementing microservice architecture

7. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Multiplication Along with containers, comes the “monolith to microservices” story: containers and microservices go hand in hand (more on that in a second)

9. © 2020, Amazon Web Services, Inc. or its Affiliates. Amazon Elastic Container Service (ECS) is a highly scalable, high performance container orchestration service that supports Docker containers and allows you to run and scale containerized applications on AWS.

10. © 2020, Amazon Web Services, Inc. or its Affiliates. Why customers love AWS container services Containers are a first-class citizen of the AWS Cloud Deeply integrated with AWS Security and Compliance Broad selection of compute instances and IAM security, VPC networking, load balancing, and autoscaling ISO, HIPPA, PCI, SOC1, SOC2, SOC3 Infocomm Media Development Auth. DevOps Workflow Best place to build and operate a complete DevOps workflow for containers—AWS DevTools and Cloud9 DEV OPS

14. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. *For distributed state management Availability Zone #1 Availability Zone #2 Availability Zone #3 Amazon ECS: Cluster management as a hosted service Scheduling and orchestration Cluster manager* Placement engine

15. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon ECS: Cluster management as a hosted service ECS agent Docker agent OS EC2 instance ECS agent Docker agent OS EC2 instance ECS agent Docker agent OS EC2 instance Availability zone Availability zone

18. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Serverless No EC2 container instances to provision, scale, or manage, pay per second Elastic Scale up and down seamlessly; pay for only what you use Integrated with the AWS ecosystem VPC networking, Elastic Load Balancing, IAM permissions, Amazon CloudWatch, and more AWS FARGATE Your containers

19. © 2020, Amazon Web Services, Inc. or its Affiliates. AWS native container stack MANAGEMENT The API interface you use to launch applications Tracks application state and connects application to other resources like load balancers HOSTING Containers run on demand No capacity planning needed Automatically updated and patched infrastructure IMAGE REGISTRY Stores your docker container right there in the datacenter where you will run it

22. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Task definition { "family": “nginx-demo", "containerDefinitions": [ { "name":“nginx", "image":”nginx" } ] } JSON document Contains a list of up to 10 container definitions All containers are colocated on the same host Each container definition has: • A name • Image URL (Amazon ECR or public images) • And more … Task definition snippet

23. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CPU & memory Task Level { ”cpu": “1 vCPU”, ”memory": “2 gb”, "networkMode": “awsvpc", "compatibilities": [”FARGATE", ”EC2"], "placementConstraints": [], "containerDefinitions": [ { ... Task level resources • Configurable independently (within a range) Dimensions: Task level CPU and memory Task level resources

24. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Fargate Task CPU & memory configurations Flexible configuration options – 50 CPU/memory configurations CPU Memory 256 (.25 vCPU) 512 MB*, 1 GB, 2 GB 512 (.5 vCPU) 1–4 GB (1-GB increments) 1024 (1 vCPU) 2–8 GB (1-GB increments) 2048 (2 vCPU) 4–16 GB (1-GB increments) 4096 (4 vCPU) 8–30 GB (1-GB increments)

26. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. VPC integration Subnet Internet Other entities in VPC LB DB etc. • Amazon VPC networking mode – each task gets its own interface • All Fargate tasks run in customer VPC and subnets • Configure security groups to control inbound & outbound traffic • Public IP support ENI Fargate task

27. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. VPC configuration { "family": ”nginx-demo", "cpu": "1 vCpu", "memory": "2 gb", "networkMode": "awsvpc", "containerDefinitions": [ { … $ aws ecs run-task ... -- task-definition nginx-demo:1 -- network-configuration “awsvpcConfiguration = { subnets=[subnet1-id, subnet2- id], securityGroups=[sg-id] }” Enables ENI creation & attachment to task Run taskTask definition snippet

28. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Public subnet Private subnet Fargate taskENI Private IP 172.31.1.164 NAT gateway public EIP 34.214.162.237 Internet gateway 172.31.0.0/16 172.31.2.0/24 172.31.1.0/24 Internet Attach internet gateway to VPC Set up a public subnet with • Route to internet gateway • NAT gateway Setup private subnet with • Fargate task • Route to NAT gateway Security group to allow outbound traffic Private task setup

29. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Outbound Inbound Public task setup Public subnet Fargate task Public IP 54.191.135.66 Internet gateway 172.31.0.0/16 172.31.2.0/24 Internet ENI $ aws ecs run-task ... -- network-configuration “awsvpcConfiguration = { subnets=[public-subnet], securityGroups=[sg-id], assignPublicIp=ENABLED}” Launch the task into a public subnet Give it a public IP address Security group to allow the expected inbound traffic Run task

30. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Public subnet Private subnet Fargate taskENI Private IP 172.31.1.164 :8080 ALB Public IP 208.57.73.13 :80 172.31.0.0/16 172.31.2.0/24 172.31.1.0/24 Internet Task in private subnet with private IP ALB in public subnet with public IP Make sure the AZs of the two subnets match ALB security group to allow inbound traffic from internet Task security group to allow inbound traffic from the ALB security group Task security groupALB Security Group us-east-1a us-east-1a Internet-facing load balancer VPC setup

31. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Internet access Task network interface is used for all inbound and outbound network traffic to and from your task It is also used for • Image pull (from ECR or a public repository) • Pushing logs to CloudWatch These endpoints need to be reachable via your task network interface Three common modes of setup • Private with no inbound internet traffic, but allows outbound internet access • Public task with both inbound and outbound internet access

33. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Permission tiers Cluster permissions Task role Task execution role Cluster Fargate task Cluster Control who can launch/describe tasks in your cluster Application: Task role Allows your application containers to access AWS resources securely Housekeeping: Task execution role Allows us to perform housekeeping activities around your task: • Private Registry Image Pull • CloudWatch Logs pushing • Elastic network interface creation • Register/Deregister targets into Elastic Load Balancing

35. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Storage Writable layer storage – 10 GB Amazon EBS-backed non-persistent storage provided in the form of: Volume storage – 20 GB Volume storage EFS

36. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Layer storage Writable layer Image layers Writable layer Container 1 Container 2 10 GB per task• Docker images are composed of layers—topmost layer is the writable layer to capture file changes made by the running container • 10 GB layer storage available per task across all containers, including image layers • Writes are not visible across containers • Ephemeral storage is not available after the task stops Image layers

37. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Container 1 Container 2 20 GB volume storage Mount /var/container1/data /var/container2/data Volume storage • Need writes to be visible across containers? • Fargate provides 20 GB volume space per task • Configure via volume mounts in task definition • Can mount at different container paths • Do not specify host source path • Remember that this is also ephemeral, i.e., not available after the task stops

39. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. { "family": "mytask", ... "containerDefinitions": [{ "name":“container1", ... "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "mytask", "awslogs-region": “us-east-1", "awslogs-stream-prefix": "mytask/container1“}} },{ "name":“container2", ... "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "mytask", "awslogs-region": “us-east-1", "awslogs-stream-prefix": "mytask/container2"}} } ]} Task definition CloudWatch logs configuration • Use the awslogs driver to send stdout from your application to CloudWatch logs • Create a log group in CloudWatch • Configure the log driver in your task definition • Remember to add permissions via the task execution role

43. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How do I know when to use Fargate vs EC2 mode? Depends on your workload. Fargate: if you have a Task Definition, and you’re ok with awsvpc networking mode, try Fargate. Some caveats: can’t exec into the container, or access the underlying host (this is also a good thing) EC2 mode Good if you need to customize!

44. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Deploying Containers on ECS – Choose a Scheduler Batch Jobs ECS Manual Tasks Run tasks once Batch jobs RunTask (random) StartTask (placed) Long-Running Apps ECS Service Scheduler Health management Scale-up and scale-down AZ aware Grouped containers

45. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ECS GPU Pinning Service Discovery Daemon Scheduling CLI Supports Docker Compose V3 SSM Parameter Support Configure shm-size and tmpfs Docker Container Health Checks Task metric & metadata endpoint App MeshTarget Tracking Autoscaling Capacity provider

46. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.51 AWS Training & Certification https://www.aws.training: Free on-demand courses to help you build new cloud skills e-Learning: Introduction to Containers https://www.aws.training/Details/eLearning?id=27182 e-Learning: Amazon Elastic Container Service (ECS) Primer https://www.aws.training/Details/eLearning?id=30260 Video: Deep Dive on Container Security https://www.aws.training/Details/Video?id=26841 Video: Introduction to Amazon Elastic Container Registry https://www.aws.training/Details/Video?id=15876 For more info on AWS T&C visit: https://aws.amazon.com/it/training/ e-Learning: Amazon Elastic Kubernetes Service (EKS) Primer https://www.aws.training/Details/eLearning?id=32894 Video: Introduction to AWS Fargate https://www.aws.training/Details/Video?id=16623 Video: Deep Dive on AWS Fargate: Building Serverless Containers at Scale https://www.aws.training/Details/Video?id=26855

Introduzione a Amazon Elastic Container Service

Vous êtes en train de lire un aperçu.

Consultez-les par la suite

Introduzione a Amazon Elastic Container Service

Plus De Contenu Connexe

Diaporamas pour vous (20)

Similaire à Introduzione a Amazon Elastic Container Service (20)

Plus par Amazon Web Services (20)