Amazon ECS (Elastic Container Service) is a fully managed container orchestration service that makes it easy to provision, deploy and scale containerized applications on AWS. Because the service is fully managed, you can run and scale container-based workloads across Availability Zones without operating the control plane or configuring cluster nodes yourself. It also integrates with the other AWS services and with third-party tools, so developers can focus on building the application.
AWS Fargate runs Docker containers in a "serverless" way: you do not manage clusters of EC2 instances, plan capacity or isolate container workloads for security yourself. You only define your application's requirements (CPU, memory, networking and IAM permissions), and Fargate provisions and scales the underlying infrastructure, running each task in its own isolated runtime environment.
AWS Fargate is fully integrated with AWS IAM and the AWS governance tools, so you get the same security and compliance controls you already use elsewhere in AWS. Furthermore, you can assign permissions to each task individually through an IAM task role, which gives you granular isolation between container workloads.
Amazon ECS can schedule multiple containers on the same node, achieving high density on EC2 instances and lowering the hourly cost. ECS also tracks the state of the containers and ensures that, at any time, the number of running tasks matches the desired count you have configured.
Finally, ECS lets you use the ECS control plane, console and all the other ECS features to manage container workloads on-premises (ECS Anywhere), for a consistent experience across all of your containerized applications, exactly as you do with the workloads running in the AWS cloud. This requires establishing trust between your on-premises servers and the ECS control plane: the AWS Systems Manager integration registers the servers as managed instances and handles the rest for you.
Storm Reply, AWS Premier Consulting Partner since 2014, has developed a strong expertise and a set of best practices by designing and implementing solutions on Amazon ECS for several customers.
Amazon ECS supports two launch types, EC2 and Fargate, and you should choose based on your requirements. If you need control over the underlying infrastructure, for example a specific instance type for performance reasons or EBS volumes attached to the instance, choose the EC2 launch type. If instead you want a serverless experience with no infrastructure to manage (and no hosts to patch), Fargate simplifies the setup and reduces the operational overhead.
During the build phase, the application code and its dependencies are packaged into a container image stored in Amazon Elastic Container Registry (ECR). Each container should run a single application process, which simplifies task orchestration, and the image should not download files or install libraries dynamically at startup: bake them in as static resources at build time, which optimizes startup time and makes the image reproducible and scannable.
Use an infrastructure-as-code tool such as AWS CloudFormation, AWS CDK or Terraform to define and provision your infrastructure and ECS resources; this makes ECS clusters easier to manage and maintain. Keep container images up to date with the latest security patches and bug fixes by rebuilding them in continuous integration/continuous deployment (CI/CD) pipelines, for example with the managed services AWS CodePipeline and AWS CodeBuild.
Use each task definition family for one business purpose only, and avoid putting multiple application containers in the same task definition, so that each application can scale independently. Tag container images with the git commit SHA to keep the deployed code and its settings consistent for every application version (and to avoid mutable tags such as latest), and configure tasks with CPU and memory limits so that a single task cannot exhaust the host's resources.
Use an Application Load Balancer or a Network Load Balancer to distribute traffic across your containers, so that your application can handle high traffic volumes and recover from failures. Amazon ECS lets you set up auto scaling for your services based on metrics such as CPU utilization or request count; use this feature to scale services up or down automatically with demand, so that the right amount of resources is available at all times.
Use IAM roles and policies to control access to your ECS resources: assign a task role to each service so that the application receives only the permissions it needs, and use the awsvpc network mode so that each ECS service gets its own elastic network interface and its own security group. Store secrets in AWS Secrets Manager or AWS Systems Manager Parameter Store and inject them into tasks as secrets rather than as plain environment variables; enable Amazon ECR basic scanning (free) or Amazon Inspector enhanced scanning for your images; and use AWS Security Hub to perform additional checks and to monitor configurations such as the use of privileged containers and read-only access to root filesystems.
Use Amazon CloudWatch to monitor containers and set up alarms when resources run low or errors occur, and enable Container Insights for detailed container-level metrics. Configure containerized applications to write their logs to stdout and stderr, send those streams to Amazon CloudWatch Logs with the awslogs log driver, and use CloudWatch Logs Insights to analyze them.
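The task definition settings from the last few paragraphs (one application container per family, image pinned to a commit SHA, CPU/memory limits, awsvpc networking with a task role, secrets injected from Secrets Manager, stdout/stderr shipped through the awslogs driver, no privileged containers, read-only root filesystem) in one place, as an added example written for this page and not code from the original article or from Storm Reply. The account ID, region, image name, role and secret ARNs and the commit SHA are constructed placeholders, and the lint rules are this example's own approximation of the checks the page mentions, not an official AWS or Security Hub rule set.

```python
"""Hardened ECS task definition plus a small pre-deploy linter.
Added example for this page; account, region, ARNs, image and commit SHA
are placeholders, and the lint rules are the example's own, not AWS's."""
import json
import re

ACCOUNT = "123456789012"   # placeholder account id
REGION = "eu-west-1"       # placeholder region
GIT_SHA = "3f2a9c1e"       # constructed short commit SHA used as the image tag


def task_definition(family: str, git_sha: str, cpu: int = 256, memory: int = 512) -> dict:
    """One family per business purpose, one application container, image pinned to
    a commit SHA, limits set, awsvpc + task role, secrets via valueFrom, awslogs."""
    image = f"{ACCOUNT}.dkr.ecr.{REGION}.amazonaws.com/{family}:{git_sha}"
    return {
        "family": family,
        "networkMode": "awsvpc",                 # own ENI, so a security group per service
        "requiresCompatibilities": ["FARGATE"],
        "cpu": str(cpu),                         # task-level limits (Fargate units)
        "memory": str(memory),
        "taskRoleArn": f"arn:aws:iam::{ACCOUNT}:role/{family}-task-role",      # app permissions
        "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/{family}-exec-role", # pull, logs, secrets
        "containerDefinitions": [{
            "name": family,
            "image": image,
            "essential": True,
            "memory": memory,                    # container hard limit
            "user": "1000:1000",                 # non-root inside the container
            "privileged": False,
            "readonlyRootFilesystem": True,
            "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
            "environment": [{"name": "APP_ENV", "value": "prod"}],   # non-secret config only
            "secrets": [{                        # fetched by the execution role at task start
                "name": "DB_PASSWORD",
                "valueFrom": f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{family}/db",
            }],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": f"/ecs/{family}",
                    "awslogs-region": REGION,
                    "awslogs-stream-prefix": "ecs",
                },
            },
        }],
    }


SECRET_LIKE = re.compile(r"password|secret|token|api[_-]?key", re.IGNORECASE)
COMMIT_SHA = re.compile(r"[0-9a-f]{7,40}")


def lint_task_definition(td: dict) -> list:
    """Return a list of findings; an empty list means the definition passes."""
    findings = []
    if td.get("networkMode") != "awsvpc":
        findings.append("task: networkMode is not awsvpc, no per-service security group")
    if not td.get("taskRoleArn"):
        findings.append("task: no taskRoleArn, application has no scoped IAM identity")
    for c in td.get("containerDefinitions", []):
        name = c["name"]
        if c.get("privileged"):
            findings.append(f"{name}: privileged container")
        if not c.get("readonlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if str(c.get("user", "root")).split(":")[0] in ("root", "0"):
            findings.append(f"{name}: runs as root")
        last = c["image"].rsplit("/", 1)[-1]     # tag follows the last ':' of the last path part
        tag = last.split(":", 1)[1] if ":" in last else "latest"
        if not COMMIT_SHA.fullmatch(tag):
            findings.append(f"{name}: image tag {tag!r} is not a commit SHA")
        if not c.get("memory") and not td.get("memory"):
            findings.append(f"{name}: no memory limit at task or container level")
        for env in c.get("environment", []):
            if SECRET_LIKE.search(env["name"]):
                findings.append(f"{name}: secret-looking env var {env['name']} passed in plaintext")
        if c.get("logConfiguration", {}).get("logDriver") != "awslogs":
            findings.append(f"{name}: no awslogs log configuration")
    return findings


# Constructed weak definition: it deploys fine but fails every check above.
WEAK = {
    "family": "legacy-api",
    "networkMode": "bridge",
    "containerDefinitions": [{
        "name": "legacy-api",
        "image": f"{ACCOUNT}.dkr.ecr.{REGION}.amazonaws.com/legacy-api:latest",
        "privileged": True,
        "environment": [{"name": "DB_PASSWORD", "value": "hunter2"}],
    }],
}

HARDENED = task_definition("orders-api", GIT_SHA)

if __name__ == "__main__":
    report = {"weak": lint_task_definition(WEAK), "hardened": lint_task_definition(HARDENED)}
    print(json.dumps(report, indent=2))
```

The dictionary returned by task_definition is the same shape that register-task-definition accepts, so the linter can run in the CI/CD pipeline before registration and fail the build on any finding; sidecars such as a log router would need to be added to the allowed container list before the single-container assumption holds in a real pipeline.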