Amazon ECS is a highly scalable, high-performance container service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines. Want to learn more? https://eagledream.com/cloud/
4.
Compute Options in AWS
Confidential | eagledream.com
Amazon EC2
• Traditional VMs
• Provision on the fly
• Autoscaling
• Pay per second of run time
• IaaS
Amazon ECS
• Docker Containers
• Micro Services
• AWS Specific Scheduler
• Runs on top of EC2
• Scalable
• PaaS
AWS Lambda
• Nano Services
• Pay for the duration of execution
• FaaS
• Fully AWS Managed
5.
Why Containers
• Next evolution in virtualization
• Domain Driven services/Micro services
• Complete packaging of running artifact
– Stops the problem of “Well, it ran fine on the developer’s laptop”
• Strong isolation of container to container
• Infrastructure becomes a platform
• Enables, “You built it, you run it”
6.
Amazon EC2 Container Service
Amazon EC2 Container Service (ECS) is a highly scalable, high performance container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon EC2 instances. Amazon ECS eliminates the need for you to install, operate, and scale your own cluster management infrastructure. With simple API calls, you can launch and stop Docker-enabled applications, query the complete state of your cluster, and access many familiar features like security groups, Elastic Load Balancing, EBS volumes, and IAM roles.
Source: https://aws.amazon.com/ecs/
7.
Why ECS vs. Other Schedulers
• Designed for AWS by AWS
• Very low technical barrier to use
• Integrated with other AWS services
• Hard problems are solved
• It's free!
9.
Securing ECS – Security Groups
• Security Groups
– Software defined firewalls around objects in AWS
– Define inbound and outbound traffic at the port and protocol level
– Security groups can reference each other
– Used to define application communication patterns
[Diagram: Application Load Balancer, two EC2 Instances, Amazon RDS]
10.
Securing ECS – IAM Roles
• IAM Roles
– Define access to other AWS services via policies
– Each Task has its own Role
– Token based and tokens are constantly changed
– No more shared accounts and password changes
– Implementation is fully scriptable
[Diagram: two EC2 Instances running Task 1 and Task 2; IAM; Amazon DynamoDB; Amazon S3]
11.
Securing ECS – Managing Secrets
• Simple Systems Manager (SSM) Parameter Store
– Leverage KMS for encryption at rest
– Access controlled via IAM Roles
– Separate configuration from code
– Store all configuration data, not just secrets
– Poll for changes and dynamically change the running containers
Steps:
• Declare a Key
• Set a parameter
– Example: prod.app1.db-pass
– Example: general.license-code
• Setup IAM Role
• Associate Role to Task/Container
• Have application request the parameter
https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/
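An added example (not from this deck or the linked AWS post) of the "Setup IAM Role" and "Have application request the parameter" steps, in Python against the boto3 SSM client API: a task-role policy scoped to one parameter prefix and one KMS key, and the fetch the container performs at startup. The region, account id, key ARN and the stub client are constructed placeholders.

```python
"""ECS secrets via SSM Parameter Store: scoped task-role policy and app-side fetch."""
from typing import Any


def task_role_policy(region: str, account_id: str, param_prefix: str, kms_key_arn: str) -> dict:
    """Policy document for one task's IAM role.

    Grants read-only access to parameters named `<param_prefix>.*` (the deck's naming,
    e.g. prod.app1.db-pass) and Decrypt on the single KMS key that protects them.
    No PutParameter and no wildcard key, so a compromised task cannot read or
    overwrite another application's secrets.
    """
    param_arn = f"arn:aws:ssm:{region}:{account_id}:parameter/{param_prefix}.*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOwnParameters", "Effect": "Allow",
             "Action": ["ssm:GetParameter", "ssm:GetParameters"], "Resource": param_arn},
            {"Sid": "DecryptOwnKey", "Effect": "Allow",
             "Action": "kms:Decrypt", "Resource": kms_key_arn},
        ],
    }


def get_secret(ssm_client: Any, name: str) -> str:
    """Application-side fetch. `ssm_client` is a boto3 SSM client (or the stub below).
    Inside a task that has a task role, boto3 obtains the rotating credentials from the
    container credential endpoint, so nothing is baked into the image or environment."""
    resp = ssm_client.get_parameter(Name=name, WithDecryption=True)
    param = resp["Parameter"]
    # Refuse plaintext (String) parameters where a secret is expected.
    if param.get("Type") != "SecureString":
        raise ValueError(f"{name} is not a SecureString parameter")
    return param["Value"]


class StubSsmClient:
    """Constructed offline stand-in mimicking boto3's get_parameter response shape."""
    _params = {
        "prod.app1.db-pass": ("SecureString", "example-db-password"),
        "general.license-code": ("String", "ABC-123"),
    }

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> dict:
        ptype, value = self._params[Name]
        return {"Parameter": {"Name": Name, "Type": ptype, "Value": value}}


if __name__ == "__main__":
    import json
    # Placeholder account, region and key id; replace with real values when deploying.
    print(json.dumps(task_role_policy("us-east-1", "123456789012", "prod.app1",
                                      "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"), indent=2))
    print(get_secret(StubSsmClient(), "prod.app1.db-pass"))
```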
12.
Scaling Clusters
• Must scale in 2 vectors
– Dynamically alter Tasks as load changes
– Dynamically alter EC2 servers as load changes
• AWS natively supports scaling up both Tasks and EC2
• AWS natively supports scaling down Tasks
• Scale down of EC2 is a non-trivial problem
– Autoscaling will randomly choose an EC2 instance to scale down
– Must interrupt the process and force the re-distribution of the running containers
– AWS's solution is published on GitHub
14.
Primary Contact(s):
Jon Providence
VP of Enterprise Business Services
Phone: 585-943-0084
Email: Jon.Providence@eagledream.com
Contact Info
Contact Us
1.888.4EAGLEDREAM
info@eagledream.com
Eagledream.com
Headquarters | Rochester, NY
300 Trolley Blvd
Rochester, NY 14606
New England | Boston, MA
300 Baker Avenue, Suite 300
Concord, MA 01742
We look forward to being your AWS Partner. EagleDream.com