In this session, learn how to easily containerize and migrate existing applications to Amazon Elastic Container Service for Kubernetes (Amazon EKS) without needing to refactor your code or tooling. Amazon EKS makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS.

1. S U M M I T
San ta Clara

2. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Modernizing Applications with
Amazon EKS
Nathan Taber
Sr Product Manager
AWS Container Services
M A D 3 0 4

3. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Agenda
Customer use cases
Kubernetes and why it matters
Introducing Amazon Elastic Container Service for Kubernetes (Amazon EKS)
Amazon EKS Control Plane
Amazon EKS Worker Nodes
Amazon EKS networking and load balancing

4. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
How are customers using Amazon EKS?
Enterprise app migration
Microservices
Machine learning

5. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Who is using Amazon EKS?
“We built the next generation of our PaaS using EKS for large enterprise
workloads.We manage thousandsof applications and have hundreds of
DevOps teams.”

6. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Who is using Amazon EKS?
“Kubernetes is fast becoming the preferred solution for container
orchestration. Its biggest downside is that it is not simple to set up and
operate. EKS gives us all the benefits of Kubernetes, but takes care of managing
the hard stuff. We can dedicate less resources to deployment and operationsas
result.”

7. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Who is using Amazon EKS?

8. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Which customers are using Amazon EKS?
“The performance from Amazon EKS makes it feasible to effectively manage
large-scale databases delivering over a million queries per second. EKS also
helps with our cluster management and scalability challenges.”

9. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
recap: What’s a container
Runtime
Code
Dependencies
Single, immutable object

11. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Open source container
management platform
Helps you run
containers at scale
Gives you primitives
for building
modern applications
What is Kubernetes?
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T

12. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
What it takes to enable rapid innovation
Quality Agility Velocity
Rapid
innovation

13. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Kuberentes puts Ops above Dev
Quality
• Standard system for deploying and running any application/ workload
Agility
• Plug and play architecture
• Modular, run anywhere
Velocity
• Automation for workload deployment and scaling

14. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Modernization with Kubernetes
1 Migrate in place
Move apps to containers without code changes.
2
3 Run anywhere
Move entire organizations to the cloud using the same
containers, tooling, and remove the need to manage any
infrastructure.
Implement tooling
Use Kubernetes to implement standard deployment and
operational tooling across all your apps.

15. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

16. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Amazon EKS Architecture
prod-cluster-123.eks.amazonaws.com
EKS workers
kubectl
AZ 1 AZ 2 AZ 3
Your AWSaccount
VPC
Amazon EKS

17. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Amazon EKS, a year in review
April – June 2018:
EKS achieves K8s conformance, HIPAA-eligibility, Generally available
July – September 2018:
Amazon EKS AMI build scripts and CloudFormation templates available in GitHub.
Support for GPU-enabled EC2 instances, support for HPA with custom metrics.
EKS launches in Dublin, Ireland
EKS simplifies cluster setup with update-kubeconfig CLI command
October – December 2018:
EKS adds support for Dynamic AdmissionControllers (Istio), ALB Support with AWS ALB Ingress Controller
Amazon EKS launches in Ohio, Frankfurt, Singapore, Sydney, and Tokyo
EKS adds Managed Cluster Updates and Support for Kubernetes Version 1.11
January - March 2019:
EKS launches in Seoul, Mumbai, London, and Paris
EKS achieves ISO and PCI compliance, announces 99.9%SLA, cluster creation limit raised to 50
API Server Endpoint Access Control, AWS App Mesh controller, Windows support (preview)

18. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Open Source and EKS
EKS runs 100% upstream Kubernetes
Key components of EKS are Open Source
• AWS VPC CNI Plugin
• AWS IAM Authenticator
• Amazon EKS AMI

19. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Open Source and EKS
Team contributes to or manages 20+ OSS projects
• /kubernetes
• /kubernetes/autoscaler
• /aws-labs/aws-service-operator
• /weaveworks/eksctl
• EBS, EFS, FSX CSI drivers
• kops

20. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

21. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
VPC
Kubernetes control plane
Highly available and single tenant
infrastructure
All “native AWS” components
Fronted by an NLB
NLB
Amazon EKS
Availability Zone 1 Availability Zone 2 Availability Zone 3
Etcd
API Servers

22. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
VPC
Kubernetes control plane
Highly available and single tenant
infrastructure
All “native AWS” components
Fronted by an NLB
NLB
Amazon EKS
Multiple Availability Zones
Etcd
API Servers

23. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
VPC
Kubernetes control plane
Highly available and single tenant
infrastructure
All “native AWS” components
Fronted by an NLB
NLB
Amazon EKS
Etcd
API Servers

24. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Creating a cluster: Planning

25. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Provide Amazon EKS a role with the correct
policies attached
Creating a cluster: Amazon EKS role

26. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Creating a cluster: Amazon Virtual Private Cloud (Amazon
VPC)
Provide all subnets that will host Kubernetes resources:
Load balancers and worker nodes
Subnets can be public, private or both
Amazon EKS will tag the subnets with
kubernetes.io/cluster/<cluster-name> =
shared
Subnets that will host internal load balancers need the tag
kubernetes.io/role/internal-elb = 1

27. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Creating a cluster: Amazon VPC
Plan ahead with subnet sizes! Pods each consume an
Amazon VPC IP address.
/24 subnet = 254 IPs total. Subtract one for each node in
your cluster, and the remainder is what you have for pods
(probably not enough!)
Amazon EKS provided sample VPC template uses a /18

28. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Creating a cluster: Control plane Security Group
This Security Group defines connectivity between the
Kubernetes control plane and worker nodes
At minimum, Kubernetes needs 443 inbound and 10250
outbound
This security group needs permissions that align with the
worker node security group

29. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Kubernetes version
Latest: 1.11.8
Coming soon: 1.12
Amazon EKS will support up to three versions of Kubernetes at once
Deprecation in line with the community stopping support for older
versions

30. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Amazon EKS platform version
Platform version revisions represent API server configuration
changes or Kubernetes patches
Platform versions increment within a Kubernetes version only

31. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
API server configuration
Kubernetesversion Kubernetespatchversion AmazonEKS platformversion Enabledadmissioncontrollers Release notes
1.10 1.10.3 eks.2 ​Initializers, NamespaceLifecycle, Limi
tRanger, ServiceAccount,DefaultStor
ageClass, ResourceQuota,DefaultTol
erationSeconds, NodeRestriction,Mu
tatingAdmissionWebhook,Validating
AdmissionWebhook
•Added supportfor
Kubernetes aggregation layer.
•Added supportfor
Kubernetes HorizontalPod
Autoscaler(HPA).
•Kubernetes Metrics Server 0.3.0 or
greater is compatible with Amazon
EKS platformversion eks.2.

32. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
EKS Kubernetes version update

33. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
AWS Identity and Access Management (IAM)
Authentication
Kubectl
3) Authorizes AWS identity with RBAC
K8s API
1) Passes AWS identity
2) Verifies AWS identity
4) K8s action
allowed/denied

34. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
PKI configuration
Kubelet
Generates
public/private keys
Kubelet installs
server cert
Kubelet issues CSR
Certificate rotation
Amazon EKS API serverEKS worker
Amazon

35. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Amazon EKS is ready for sensitive and regulated
workloads

36. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
aws eks update-kubeconfig --name my-cluster
CLI Helper command to create kubeconfig file
Creates a new context for each cluster in the config
Wrapping it all up
Easily export control plane config

37. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

38. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
✅
✅
✅
✅
Bring your own instances
Instance Flexibility

39. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Bring your own OS
EKS AMI build scripts
https://github.com/awslabs/amazon-eks-ami
Amazon
Amazon
Amazon

40. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Provisioning worker nodes
AWS CloudFormation eksctl partners…
…more
Terraform
Pulumi
Rancher

41. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Updating worker nodes
Amazon

42. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Storage – CSI drivers
CSI == Container Storage Interface
Flexible standard for orchestration and storage provider connections
Amazon Elastic Block Store: AWS EBS CSI Driver
Now supported for production workloadsas a Kubernetes Beta
Part of Kubernetes SIGS on GitHub
Amazon Elastic File System: AWS EFS CSI Driver
Amazon FSx for Lustre: AWS FSx CSI Driver
Both now available as a Kubernetes Alpha
Part of Kubernetes SIGS on GitHub

43. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

44. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Cross account ENI
WorkerVPC(youraccount)
Kubectl
Master VPC(AWSaccount)
etcd
AZ 1
APIServer
etcd
APIServer
prod-cluster-123.eks.amazonaws.com
EKS-ownedENI
Kubelet
AZ 1
Worker
node
EKS-ownedENI
Kubelet
AZ 2
Worker
node
AZ 2
Kube-proxy Kube-proxy

45. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
API-server Endpoint Access Control
WorkerVPC(youraccount)
Kubectl
Master VPC(AWSaccount)
etcd
AZ 1
APIServer
etcd
APIServer
prod-cluster-123.eks.amazonaws.com
EKS-ownedENI
Kubelet
AZ 1
Worker
node
EKS-ownedENI
Kubelet
AZ 2
Worker
node
Public == true
AZ 2
Kube-proxy Kube-proxy

46. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
API-server Endpoint Access Control
WorkerVPC(youraccount)
Kubectl
Master VPC(AWSaccount)
etcd
AZ 1
AZ 2
APIServer
etcd
APIServer
prod-cluster-123.eks.amazonaws.com
EKS-ownedENIs
Public == true
Private == true
prod-cluster-123.eks.amazonaws.com
Private hosted zone
Kubelet
AZ 1
Worker
node
Kube-proxy
Kubelet
AZ 2
Worker
node
Kube-proxy

47. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
API-server Endpoint Access Control
WorkerVPC(youraccount)
Kubectl
Master VPC(AWSaccount)
etcd
AZ 1 AZ 2
APIServer
etcd
APIServer
EKS-ownedENIs
Public == false
Private == true
prod-cluster-123.eks.amazonaws.com
Private hosted zone
Kubelet
AZ 1
Worker
node
Kube-proxy
Kubelet
AZ 2
Worker
node
Kube-proxy

48. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Amazon VPC CNI plugin
ENI
Secondary IPs:
10.0.0.1
10.0.0.2
10.0.0.1
10.0.0.2
ENI
10.0.0.20
10.0.0.22
Secondary IPs:
10.0.0.20
10.0.0.22
ec2.associateaddress()
VPC Subnet – 10.0.0.0/24
Instance 1 Instance 2
VPC

49. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
EKS Supports Advanced Networking Architectures
VPC - Multiple IP ranges
Subnet 1 – 10.0.0.0/16 Subnet 2 – 100.64.0.0/10
Customer
gateway
Corporate data
center
On-Premise – 10.1.0.0/16
VPN or DX PodOutbound
TrafficSNAT
EKS Worker Node
PrimaryENI PodSecondary
ENI
Pod–
100.64.0.200

50. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Load balancing
All three AWS Elastic Load Balancing products are supported
NLB and CLB supported by Kubernetes Service type=LoadBalancer
Internal and External Load Balancer support

51. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Load balancing
Want to use an Internal Load Balancer? Use annotation:
service.beta.kubernetes.io/aws-load-balancer-
internal: 0.0.0.0/0
Want to use an NLB? Use annotation:
service.beta.kubernetes.io/aws-load-balancer-
type: nlb

52. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
ALB Ingress controller
Production-ready 1.0 release
Supported by Amazon EKS team
Open source development: https://github.com/kubernetes-sigs/aws-
alb-ingress-controller
Customers are using it in production today!

53. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
ALB Ingress controller
AWS resources
Kubernetes cluster
Node Node
Kubernetes
API server ALB Ingress
controller
Node
HTTP listenerHTTPS listener
Rule: /cheesesRule: /charcuterie
TargetGroup:
Green (IP Mode)
TargetGroup:
Blue (Instance
Mode)
NodePort NodePort

54. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

55. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
1
2
3

56. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Deep learning model lifecycle
Training
• Gather data for training and testing
• Hyper-parameter tuning
• Distributed training using GPUs
• Cost-to-train and time-to-train
Inference
• Hundreds of machines
• Throughput and latency important
• Cost per inference and inference/sec.
• Run at scale for long

57. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SU M M I T

58. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
AWS Deep Learning
Containers
Quickly set up deep learning environments with optimized,
pre-packaged Docker container images
Get best performance automatically;no tuning required
Support TensorFlow and Apache MXNet
Deploy on Amazon ECS, Amazon EKS, or Amazon EC2
Customizablecontainerimages
Available at no cost from Amazon Elastic Container Registry (Amazon ECR)
and AWS Marketplace Amazon Elastic
Container Registry
AWS
Marketplace

59. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
AWS Deep Learning Containers
Customizable container images Support for TensorFlow, Apache
MXNet
Single and multi-node training
and inference
Optimized and customizable containers for deep learning environments

60. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Now supporting P3dn.24xlarge instances
CUDA 10 with NVIDIA v410 coming soon!
Amazon EKS-optimized GPU AMI

61. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

62. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Windows Containers
Developer preview for all customers today
Run Windows containers and Windows server nodes with EKS.
Supports heterogeneous (mixed) clusters.
Kubernetes version 1.11+
Available in all EKS regions.
Get started and give feedback on GitHub
https://github.com/aws/containers-roadmap

63. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Recap!
Amazon 🎉

64. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Global availability
Americas
Virginia, Ohio, Oregon
EMEA
Ireland, Frankfurt, London, Paris, Stockholm
Asia Pacific
Singapore, Tokyo, Sydney, Seoul, Mumbai

65. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
AWS containers roadmap
Stay up to date with what we’re working on
Give us feedback and propose ideas
Get notified when new features ship
https://github.com/aws/containers-roadmap

66. Thank you!
S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Nathan Taber
AWS Containers Team

67. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.