The course is part of these learning paths
Amazon ECS Service
This course is an introduction to the Amazon EC2 Container Service (ECS). ECS is a highly scalable, high-performance container management service that supports Docker. This course will provide a detailed introduction to what ECS is and how to get started using it. ECS has built-in support for many Amazon EC2 services and also allows you to customize parts of the infrastructure to meet your application-specific needs. This course will also provide a brief overview of the rich ecosystem that is developing around EC2, including continuous integration, scheduling, and monitoring.
This course is for developers or operations engineers looking to deploy containerized applications on Amazon EC2. Experience with container technology (e.g. Docker) or Amazon EC2 would be helpful, but is not required.
Fundamentals of AWS Learning Path
Introduction to Docker
- Describe the concepts around running Docker containers on Amazon EC2.
- Run and configure containers on EC2.
- Understand the ecosystem around EC2 Container Service (ECS) to help guide next steps.
This Course Includes:
- Over 45 minutes of high-definition video
- Hands-on demo
What You'll Learn:
- Course Intro: An introduction to what will be covered in this course.
- EC2 Overview: In this detailed overview we’ll cover task definition, resource allocation, service definition, capacity, load balancing, scheduling, cluster configuration, and security.
- EC2 Demo: A hands-on demo of the EC2 service.
- AWS Related Services: In this lesson we’ll go through ELB, EBS, and IAM.
- Ecosystem: In this lesson you’ll learn about third-party applications and services ecosystems.
- Summary: A wrap-up and summary of what we’ve learned in this course.
Hello and welcome back to the introduction to Amazon EC2 Container Service course. In this lecture, we'll look more closely at some of the Amazon Web Services related to ECS, in particular the following: Elastic Load Balancer, Elastic Block Store, and Identity and Access Management.
Elastic Load Balancers can be used to spread traffic evenly. There are currently two types of Elastic Load Balancers available in ECS, application load balancers and classic load balancers. Application load balancers make rapid decisions at the application layer by looking at the HTTP/HTTPS traffic. There are a couple of features that make application load balancers the preferred load balancer type for ECS, specifically dynamic port mapping and path-based routing.
Dynamic host port mapping means that two docker containers can listen to the same port and ECS can automatically pick a free host port to map them to. This is accomplished by passing zero as the host port which tells ECS to select an available ephemeral port in the range 32768 to 61000. Path-based routing is a technique that allows you to configure the load balancer to look at the content of an HTTP request and specifically at the path to route the traffic to a different container based on the path. So for example www.example.com/images could route to a different container than www.example.com/orders. This allows two different services to use the same listener port on a single application load balancer. This is an advantage over the classic load balancer because with the classic load balancer, you would need a load balancer per service listening on a port.
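The two features described above, modelled together as an added example that is not part of the lecture or of any AWS code: the classes and names (`ContainerInstance`, `LoadBalancer`, `instance-a`, the rule priorities) are hypothetical, and `fnmatch` stands in for the load balancer's `*` and `?` path wildcards.

```python
import fnmatch
import random

EPHEMERAL = (32768, 61000)  # range quoted in the lecture for hostPort 0


class ContainerInstance:
    """Toy ECS container instance that tracks which host ports are bound."""

    def __init__(self, name, seed=1):
        self.name, self.bound = name, set()
        self._rng = random.Random(seed)  # seeded so the demo is repeatable

    def bind(self, host_port):
        """hostPort 0 means 'pick any free ephemeral port'; others are static."""
        if host_port == 0:
            host_port = self._rng.randint(*EPHEMERAL)
            while host_port in self.bound:
                host_port = self._rng.randint(*EPHEMERAL)
        elif host_port in self.bound:
            raise OSError(f"{self.name}: host port {host_port} already in use")
        self.bound.add(host_port)
        return host_port


class LoadBalancer:
    """One listener, path rules checked in priority order, then a default."""

    def __init__(self):
        self.rules, self.targets = [], {}

    def add_rule(self, priority, pattern, group):
        self.rules.append((priority, pattern, group))

    def register(self, group, instance, host_port):
        self.targets.setdefault(group, []).append((instance.name, host_port))

    def route(self, path):
        for _, pattern, group in sorted(self.rules):
            if fnmatch.fnmatchcase(path, pattern):  # '*' and '?' wildcards
                return group, self.targets.get(group, [])
        return "default", self.targets.get("default", [])


def demo():
    host, alb = ContainerInstance("instance-a"), LoadBalancer()
    alb.add_rule(10, "/images*", "images")
    alb.add_rule(20, "/orders*", "orders")
    # Both services listen on container port 80; hostPort 0 avoids a clash.
    for group in ("images", "orders"):
        alb.register(group, host, host.bind(0))
    return host, alb
```

Because the host port is not known in advance, the container instances' security group has to admit the load balancer on the whole 32768 to 61000 range; scope that rule to the load balancer's security group rather than an open CIDR.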
The classic load balancer operates at the TCP/SSL layer of the stack and also the application HTTP/HTTPS layer of the stack, but lacks the new features of the application load balancer. So unless you have a use case where the application load balancer cannot be used, the application load balancer is recommended. Notice that the sample application that we created used a classic load balancer. So when you do a production setup, be sure to create application load balancers. ELB can be configured to send metrics such as number of healthy instances to AWS CloudWatch and ELB can also be configured to send access logs to S3 for ELB debugging.
Elastic Block Storage provides persistent block storage for container instances. This storage can be managed just like any other EC2 instance storage would be managed. One key thing to take note of is that the only file systems that will be available to Docker containers are those that are available when the Docker daemon starts.
AWS Identity and Access Management, IAM, is a service that allows administrators to manage fine-grained access to AWS resources based on users, groups, and roles. The basic idea is to create policies that grant specific permissions to specific AWS resources and then assign those policies to a role or EC2 instance. As with other AWS services, Amazon has created a number of managed policies for ECS. These managed policies are the following: AmazonEC2ContainerServiceFullAccess, AmazonEC2ContainerServiceforEC2Role, AmazonEC2ContainerServiceRole, AmazonEC2ContainerServiceAutoscaleRole, and AmazonEC2ContainerServiceTaskRole.
The AmazonEC2ContainerServiceFullAccess policy should be added to an ECS administrator role and that role should be added to a user or group that will act as an ECS administrator.
The AmazonEC2ContainerServiceforEC2Role policy is designed to be used by the ECS container instance role. Recall that this is the EC2 instance that runs the ECS agent. So if you use the ECS-optimized Amazon Machine Image, AMI, then this role is applied. Or if you want to run the agent in another AMI, then this IAM role should be added to that AMI.
The AmazonEC2ContainerServiceRole policy is designed to be used with the ECS Service Scheduler Role. This IAM role should be applied to ELB load balancers to have access to register and deregister container instances with load balancers. This role should have been created by the ECS first run wizard.
The next Amazon managed policy is the AmazonEC2ContainerServiceAutoscaleRole. This policy is designed to be applied to the ECS auto scaling IAM role. This role is used by the Application Auto Scale Service to scale your service's desired count in response to CloudWatch alarms. This role should also have been created during the ECS first run wizard.
The last policy that we'll cover is the AmazonEC2ContainerServiceTaskRole. This policy is designed to be applied to the ECS Task Role. The role is used by tasks to access AWS APIs to access various AWS resources. Custom IAM policies and roles can be created to provide fine-grained access to various users, groups, and EC2 instances to provide specific access. You may want to look into other Cloud Academy courses on IAM or review the Amazon IAM documentation for further information.
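A least-privilege check built on the policy-to-role mapping given above, as an added example that is not part of the lecture: it flags a managed policy attached to the wrong kind of role and a trust policy that lets an unexpected service assume the role. The role names, the `purpose` label and the inventory are constructed, and the service principals are standard AWS names that the lecture does not list.

```python
# Managed policy -> (role the lecture assigns it to, service allowed to assume
# that role). The principals are an addition here, not from the lecture.
EXPECTED = {
    "AmazonEC2ContainerServiceFullAccess": ("administrator", None),
    "AmazonEC2ContainerServiceforEC2Role": ("container-instance", "ec2.amazonaws.com"),
    "AmazonEC2ContainerServiceRole": ("service-scheduler", "ecs.amazonaws.com"),
    "AmazonEC2ContainerServiceAutoscaleRole": ("autoscaling", "application-autoscaling.amazonaws.com"),
    "AmazonEC2ContainerServiceTaskRole": ("task", "ecs-tasks.amazonaws.com"),
}


def trust_principals(trust_policy):
    """Collect the service principals that an assume-role policy allows."""
    found = set()
    for stmt in trust_policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        service = principal.get("Service", [])
        found.update([service] if isinstance(service, str) else service)
    return found


def audit(roles):
    """Return (role name, problem) pairs for misplaced ECS managed policies."""
    findings = []
    for role in roles:
        principals = trust_principals(role["trust"])
        for policy in role["policies"]:
            if policy not in EXPECTED:
                continue
            purpose, principal = EXPECTED[policy]
            if role["purpose"] != purpose:
                findings.append((role["name"], f"{policy} is meant for the {purpose} role"))
            elif principal and principals != {principal}:
                findings.append((role["name"], f"trust should allow only {principal}"))
    return findings


def trust(*services):  # builds a constructed assume-role policy document
    return {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"Service": list(services)}}]}


ROLES = [  # constructed inventory; names and "purpose" labels are hypothetical
    {"name": "ecsInstanceRole", "purpose": "container-instance", "trust": trust("ec2.amazonaws.com"), "policies": ["AmazonEC2ContainerServiceforEC2Role"]},
    {"name": "ecsServiceRole", "purpose": "service-scheduler", "trust": trust("ecs.amazonaws.com"), "policies": ["AmazonEC2ContainerServiceRole"]},
    {"name": "app-task-role", "purpose": "task", "trust": trust("ecs-tasks.amazonaws.com"), "policies": ["AmazonEC2ContainerServiceFullAccess"]},
    {"name": "ecsAutoscaleRole", "purpose": "autoscaling", "trust": trust("application-autoscaling.amazonaws.com", "ec2.amazonaws.com"), "policies": ["AmazonEC2ContainerServiceAutoscaleRole"]},
]
```

Calling `audit(ROLES)` reports the task role that carries the administrator policy and the autoscaling role whose trust policy also admits EC2.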
This concludes an introductory look at the AWS services closely related to ECS. We've only scratched the surface on what we're able to cover and AWS is adding new integrations continually as well. So be sure to keep track of AWS ECS announcements if you're interested in further AWS integration points. Now that we've covered the AWS resources closely related to ECS, let's take one step back and look at the ecosystem around ECS and how that's evolving and what is supported through various third-party applications and services.
About the Author
Todd Deshane is a Software Build Engineer at Excelsior College. He previously worked for Citrix Systems as a Xen.org Technology Evangelist. Todd has a Ph.D. in Engineering Science from Clarkson University, and while at Clarkson he co-authored a book called Running Xen and also published various research papers related to virtualization and other topics. Todd is a DevOps advocate and is passionate about organizational culture.