Monthly Archives: November 2020

How to configure and run tasks in ECS

Configuring and running Tasks in Amazon ECS

Leave a reply

A step by step guide on how to create task definition in Amazon ECS and how to run tasks in Amazon ECS Cluster

All about Tasks in Amazon ECS

In this article, we will walk you through defining ECS tasks and running them on ECS Cluster. To begin with, let’s understand the basics of ECS tasks.

What is ECS task?

ECS task is responsible to instantiate docker containers in ECS instances or Fargate. Tasks are defined using Task definitions. Each task definition is a collection of parameters like docker image to use, CPU, memory limits, networking mode, etc. When the task is run in the ECS Cluster, it reads Task definitions and accordingly spins up docker containers.

How to configure Amazon ECS Task definition?

  • Login to Amazon ECS console.
  • In the left navigation panel, click on Task Definitions
  • Under the task definitions page, click on the Create new Task Definition button.

Task definitions start with defining the launch type. Choose launch type and click the Next step button.

ECS Task Launch types

ECS offers 2 launch types –

  1. Fargate
    • Tasks will be launched on infra managed by AWS. (serverless)
    • Tasks will be billed on resources being used and usage duration.
  2. EC2
    • TAsks will be launched on ECS instances registered to ECS Cluster
    • No separate bills. You will be paying for ECS instances as per normal EC2 instance bills.

For this exercise, I am using the ECS launch type since I have an ECS cluster running with 2 ECS instances registered to it.

After clicking the Next step button, the task and container definition screen should appear. Lots of things to be defined on this screen. Let’s go one by one –

Task definitions
  • Task Definition Name: For identification purpose
  • Task Role: If containers being used designed to access some AWS services then you can specify the IAM role here which to be used by containers while accessing AWS services.
  • Network Mode: There are 4 modes available here –
    • <default> which is bridge mode
    • Bridge: Traffic forwards between host and container by bridge (kernel-level software)
    • Host: Container network mapped directly to host network
    • awsvpc: Each container assigned with ENI (and hence SG too) Hence each container’s networking can behave like EC2’s ENI.
    • None: No networking for containers. Containers spin up with the loopback IP address assigned.
Task sizing

Task execution IAM role: Needed for pulling container images and sending container logs to Cloudwatch.

Task size: Resource allocation for the task. Limiting resources to be consumed by task container. Should be defined properly when using the FARGATE launch type. For EC2 launch type, this should be calculated depending on ECS instances resources available to the task. Since I am launching a small Apache container on EC2 I left it unfilled.

Container definitions

Container Definitions: Under this section, all container-related settings can be defined. Click on the Add container button and it should take you to the container definitions screen.

Container definitions

There are 2 sections under container definitions.

  1. Standard
  2. Advanced configuration: Covered in a separate article since it’s a long list of parameters. See ECS container Advanced Configurations here.

Under standard configuration, define –

  • Container name: For identification purpose
  • Image: Container image. repository-url/image:tag. If you want to use an image from Dockerhub then simply specify image:tag. And for that, you should be having internet access on ECS instances to pull images either via NAT or Internet gateway.
  • Private repository authentication: If you are using private container repo like ECR use this option.
  • Memory limits: Its memory reserved or allowed for containers during execution.
    1. Hard limit: Max allowed memory for containers to use.
    2. Soft limit: Memory reserved for the container.
  • Port mappings: Host port to container port mapping. It’s always advisable to use dynamic host port mapping by defining the host port as zero.

Click Add button to add this image definition in task definition.

More task definitions
  • Elastic Inference: Allows you to attach low-cost GPU powered acceleration to tasks. The inference is the process of making predictions using the trained model. It requires processing power. If your container is into such stuff it makes sense to use Elastic Inference which can save you up to 75% cost.
  • Constraint: Helps you to decide the placement of containers on ECS instances. Not applicable for the FARGATE launch type. Define conditions to filter and select ECS instances. Once the constraint is applied and instances are selected for task deployment, further placement strategy (Explained in the Run Task section below) will be applied and finally, tasks will be launched on the final instance.
  • Service Integration: It’s a facility by AWS to manage your microservices easily. This configures proxy to communicate between microservices for better visibility and HA for services.
  • Proxy configuration: Should be auto-configured once you select App Mesh and fill out the required details in that section.
  • Log Router Integration: Enables routing of container logs to other AWS services or APN services for storage and analysis. It will spin up the respective container using AWS provided image.
  • Volumes: Volumes to be mounted inside containers. It supports 3 types
    1. Bind mount: Mounts file or directory on the host inside the container. More info.
    2. Docker: Managed by docker and creates /var/lib/docker/volumes on the container where volume data resides. Drivers can be selected local or third-party. Can persist on task completion if declared as shared.
    3. EFS: Mount EFS volumes in containers!
  • Tags: For identification.

Click Create button to create task definition.

Task definition created!

Task definition should be created and it will be versioned as :1. Task definition can be edited using the Create new revision button and it will be versioned as :2 and so on.

How to run Amazon ECS Task?

From same page or going back to Task definitions page, select recently created task definition and click on Actions button.

Run ECS task

Run Task screen should appear where you can provide details on how tasks should be run.

Run Task screen!
  • Launch type: Fargate or EC2
  • Task Definition: choose which revision to be used
  • Cluster: On which cluster task should be run
  • Number of tasks: How many containers need to spin up. This count is for HA, FT, or for performance.
  • Task Group: Identification purpose.
  • VPC and security groups: Available only if the task definition mentions the use of awsvpc networking mode. Defines ENI level networking details for containers.
  • Task Placement: Supports 5 templates –
    1. AZ Balanced Spread
      • Deploy containers so that they are evenly spread across AZ
      • Make use of available ECS instances in each AZ
    2. AZ Balanced BinPack
      • Deploy containers by filling one host at a time.
      • Do not start with another host unless the current host capacity is full. Allows maintaining unused hosts.
      • Balanced it across AZ. So start with one host in each AZ and go on filling it till full capacity then move on to the next host in that AZ.
    3. BinPack
      • Same as above except AZ balancing
    4. One Task Per Host
      • Strictly one task per host.
      • If no free hosts available, the task will fail.
      • make sure you have enough available hosts for tasks you are running.
    5. Custom
      • User-defined with a combination of Spread, BinPack or random
      • Configure the order in which it needs to be evaluated.
Run Task advanced options

Under advanced options, IAM roles can be overridden that are defined in Task Definitions.

Task role and Task Execution role, both the IAM role can be overridden with a new one under this section.

ECS Task tagging

Lastly, tagging settings to be done. Enable ECS managed tags as ECS tag tasks with cluster and service name which is pretty much easy for identification later.

Click on Run Task button.

Running tasks in ECS cluster

The task will be started and in a couple of minutes, you should be seeing them in RUNNING state. In the above screenshot, the Pending tasks count lists 2 EC2 since I captured the screen by refreshing only the Tasks tab below. I did not refresh whole cluster page 🙂

Now, the task is in a RUNNING state that means containers are instantiated on ECS instances and port 80 of container bound to host port.

Click on any single task ID and it should show task details like below –

Finding host port

Under container details, a host port can be obtained. In this case, the 32768 host port is bounded to port 80 of the container. To verify the functionality of the Apache container, the external link needs to be checked.

Since this cluster is running with ECS instances placed in a private subnet we need to use bastion host to open this external link. Also, since these are private instances you can see the external link is a private IP address, not the public one.

I curled to the external link from bastion host and it worked!

[ec2-user@ip-10-0-0-164 ~]$ curl http://10.0.0.118:32768/
<html><body><h1>It works!</h1></body></html>
[ec2-user@ip-10-0-0-164 ~]$

If it’s not working for you make sure security groups allow the respective traffic between hosts.

And with this, we are completing the creating and running of ECS tasks tutorials. ECS services are used to manage the ECS tasks. We will walk through it in an upcoming article.

How to create the VPC endpoints for Amazon ECS

Leave a reply

A step by step guide to create VPC endpoint for Amazon ECS

ECS VPC endpoints!

Let’s start with some VPC endpoint basics and why we need VPC endpoint for Amazon ECS. Followed by step by step procedure to create the VPC endpoints for ECS along with screenshots.

What is VPC endpoint?

The VPC endpoint is your gateway for communicating with AWS services public endpoints from resources having no internet access at all. Services like S3, ECS, API Gateway has public endpoints. So when you access them, your request will route through the internet to those service endpoints.

In a secure environment, where instances or resources in the private subnet have absolutely no access to the internet not even via NAT gateway etc., they will not be able to communicate with public AWS endpoints. In such cases, we can leverage VPC endpoints to communicate with such services using Amazon’s internal network (Amazon PrivateLink).

Even with internet access, since traffic is going out to the internet and then reaching AWS services it will have some delay. Using VPC Endpoint makes your access pretty fast using Amazon PrivateLink!

Our Amazon ECS articles –

For this tutorial please refer below architecture –

VPC endpoints for Amazon ECS design

Creating VPC endpoint for Amazon ECS

For this exercise, I will be using a custom VPC and ECS cluster I created in previous tutorials.

  • Login to VPC dashboard
  • On the left navigation panel, click Endpoints
  • On the endpoint page displayed on right, click Create Endpoint
  • 3 endpoints need to be created for ECS.
    1. com.amazonaws.region.ecs-agent
    2. com.amazonaws.region.ecs-telemetry
    3. com.amazonaws.region.ecs
  • where the region is a region where the ECS cluster is running. In my case its us-east-1
Creating VPC Endpoint for ECS

Here list of fields to be set –

  • Service category: AWS services
  • Service Name: All 3 provided above.
  • VPC: Select VPC where ECS cluster is running
  • Subnets: Select subnets to associate endpoints with. I selected private subnets only.
  • Enable DNS name: Recommended to enable so that ECS agents can communicate with ECS service without any trouble.
  • Security Group: Security group to be attached to the ENI of this gateway. Make sure port 443 inbound traffic is allowed from above subnets
  • Tags: For identification

Finally, click the Create endpoint button. Repeat the same process to create 3 endpoints for the services mentioned above.

3 Endpoints should goto available status from pending.

3 VPC Endpoints for Amazon ECS

It is clear that each endpoint is having 2 ENIs in 2 subnets. i.e. one interface in each subnet.

This completes VPC Endpoint creation for ECS service. Now, ECS instances can make use of these interfaces when they spun up. If instances are already running then you need to restart the ECS agent on them using the below command and it will start using VPC Endpoints.

[ec2-user@ip-10-0-0-14 ~]$ sudo docker restart ecs-agent
ecs-agent

For testing, I just terminated existing ECS instances and the ECS autoscaling group spun up new ECS instances in a private zone (which does not have a NAT gateway so no internet). Both got registered to the ECS cluster successfully via VPC endpoint!

Private instances in ECS cluster

Troubleshooting:

In case ECS instances are not getting registered to the ECS cluster using VPC endpoints then the below points needs to be validated –

  1. The instance is running ECS agent version 1.25.1 or higher
  2. Security group of endpoints is allowing 443 traffic from instances
  3. Endpoints are created in the same region as the ECS cluster
  4. ECS agents are restarted on ECS instances after endpoints creation.

If ECS instances are registered but Agent connected is being shown as False. In such scenario below points needs to be validated –

  1. Docker and ECS agent services are running on the server. (systemctl status docker/ecs)
  2. The proper instance role (ecsInstanceRole) is attached to ECS instances. (curl http://169.254.169.254/latest/meta-data/iam/info)
  3. Inspect logfile at location : /var/log/ecs/ecs-agent.log on ECS instances.

Spinning up a new ECS cluster

Leave a reply

A quick walkthrough on how to create new ECS cluster

New ECS Cluster!

In our previous article, we got acquainted with Amazon ECS service theoretically. In this article, we will walk you through steps to create a new ECS cluster.

ECS Cluster is a logical grouping of ECS instances on which containerized application can be orchestrated.

This article is using below design to provision ECS cluster.

ECS Cluster architecture for this tutorial.

without further delay lets dive into it –

  • Login into Amazon ECS dashboard
  • From the left navigation panel, click on Clusters
  • Now, on the right-hand side click on the Create Cluster button
  • Here a user should be choosing the cluster template for the new cluster
Cluster template choice

Three templates mentioned here are :

  1. Networking only
    • No ECS instances.
    • All tasks will be launched using the Fargate launch type!
  2. EC2 Linux + Networking
    • Deploy with Linux ECS instances
    • EC2 and Fargate both launch types available for tasks
  3. EC2 Windows + Networking
    • Deploy with Windows ECS instances
    • EC2 and Fargate both launch types available for tasks

Most of the time, EC2 Linux + Networking should suffice the requirement. Select the appropriate template and click the Next Step button.

On cluster configuration screen various details can be filled.

  • Cluster name
  • Create an empty cluster is an option to create clusters with no ECS instances.

Then, instance configurations should be defined.

ECS Instance configuration

Under instance configurations choose :

  1. Provisioning model: Choose billing type of instances (on-demand or spot)
  2. Number of instances
  3. EC2 AMI ID. The dropdown allows choosing Amazon Linux AMI.
  4. Root EBS size
  5. Key Pair: If you want to log into ECS instances. If not then choose None.

Next section allows network configuration.

ECS cluster networking

By default setup present to create a new VPC to be used for this ECS cluster. But, if you wish to use existing or already created VPC then choose it from the dropdown.

In my case, I have a custom VPC created already. So I will use it from drop down. While using existing VPC, you need to choose which subnets to be used to place container instances and which security group should be applied to them.

Using existing VPC in ECS cluster

I used my existing VPC along with 2 private subnets in different AZ and security groups which allows SSH and HTTP traffic to instances. Since I will be testing webserver containers on this cluster. This SG should allow the ports you will be using in your containerized applications. Also, they should be allowing traffic from only intended sources.

Finally, IAM roles to be defined which will be attached to ECS instances.

Tags can be applied to instances here. Also, if container-level monitoring needs to be enabled it can be done here. Click Create and a cluster will be created in a few.

ECS Cluster creation complete!

ECS uses CloudFormation in the backend to deploy the whole stack. It can be verified in the Launch status or CloudFormation service dashboard as well.

ECS CloudFormation stack!

Now, click on the View Cluster button and new ECS cluster details will be presented on screen.

Cluster info

Both ECS instances are registered to cluster as well at this stage. Those Cluster ECS instances can be viewed from the EC2 dashboard as well.

ECS instances.

These instances will be named automatically by ECS. And if you observe those are deployed in different AZ (supplied at cluster creation) and assigned with SG as well.

So the ECS cluster is up and ready along with both ECS instances registered to cluster and ready to run tasks!

Issue: ECS instances not registering in ECS cluster

One of the common issues seen at this stage is although EC2 instances are running fine they do not get registered to the ECS cluster. You do not see them in the ECS Instances tab on the cluster details page.

Cause: This is caused when ECS instances have not to route to the internet. ECS agent on the instances needs to reach ECS public endpoint to register the instance in the ECS cluster. Since no route to the internet, they can not reach ECS public endpoint and can not register to cluster.

Solution: If instances are launched in a private subnet then they should be able to reach the internet using NAT gateway or HTTP proxy. Or you can configure VPC endpoints for Amazon ECS and route traffic from instances to ECS without giving them internet access at all.

If instances are launched in public subnet then make sure auto-assign public IPv4 address is enabled and the instance is allocated with public IPv4 address. Also, the subnet is associated with a routeing table that has a route to Internet Gateway.

Amazon ECS basics for beginners

Leave a reply

An article about Amazon ECS foundational topics for beginners

ECS basics.

Amazon ECS stands for Amazon Elastic Container Service. We will walk you through ECS bit by bit to help you understand what is ECS. We will touch base below topics –

  • What is ECS?
  • Use cases for ECS
  • ECS component concepts
  • Pricing

What is ECS?

Amazon ECS is a fully managed container orchestration service. It aimed to do all the heavy lifting of managing container orchestration clusters for customers while customers can focus on developing their containerized application.

If you are new to containers, please read our container articles –

In a nutshell, ECS is Amazon’s own homegrown container orchestration service. If you have learned about Docker Swarm then consider ECS as Amazon’s version of Swarm to manage your containers.

Browse through KernelTalk’s Amazon ECS articles.

Amazon ECS deep dive!

Amazon’s other service ‘Elastic Beanstalk’ actually using ECS in the background to spin up clusters of containers running your desired applications.

Where to use ECS?

In this section, we will see the use cases of Amazon ECS. This service sees uses cases mainly in two sectors:

Microservices

Application following microservices architecture approach can make most of ECS! The Microservices approach aims at decoupling the design so that architecture is failure-proof, can be scaled at the service level, etc. These benefits can be leveraged using containers! Containers can be spun using immutable images, tested locally, scaled using ECS clusters, each service can be defined using different tasks, and pipelined using CI/CD.

Batch Jobs

Since containers are easy, quick to spin up, and terminate they are perfect for running batch jobs. Using containers you can cut down your time to spin up EC2 instances for processing jobs, save time for their terminations, get away with the huge billing associated with them. And all of this can be well managed by AWS in the backend when you spin your containers using ECS. Fargate launch type in ECS is well suited for batch jobs since it doesn’t require to spin us even EC2 container instances. It’s like serverless and you pay for the resources you used and the time you used them.

ECS concepts

With a little bit of foundation let’s dive into a few ECS concepts. While using ECS you will come across the below terms –

  • Clusters
  • Container Instance
  • Task definitions
  • Launch types
  • Services
  • Amazon ECR
Cluster

Cluster is a grouping of tasks and/or services. These tasks/services are run on container instances (in case of EC2 launch types), in that case, EC2 container instances also come under this logical grouping called a cluster. You can have one or more clusters in your account.

Container instance

When you are running a task/service using the EC2 launch type, it will run on EC2 instances. These instances (Linux/Windows) are created when you are creating clusters. Basically, those are normal EC2 instances with docker software, ECS agent preinstalled. You can even connect to them like any other EC2 instances using SSH or RDP. You can view them in the EC2 dashboard of your account as well. Under ECS those will be referred to as container instances.

Tasks definitions

Task definitions are a collection of settings required to run a container in the Amazon ECS cluster. It has numerous parameters that you can configure including container definitions as well. The core of the task definition is container definition and launch type, where you define how your container should be instantiated. In short, you can visualize it as a container Dockerfile.

Launch types

It’s a type of compute on which containers should be instantiated. Amazon offers 2 launch types –

  1. EC2 Launch type
    • Runs containers on cluster container instances
    • You will be billed for EC2 instances, not the container runtimes
  2. Fargate types
    • Runs containers on serverless/managed infra in the backend
    • You will be billed on the number of resources used and for the duration, they are used
Services

Services are the schedulers that are responsible to maintain the desired number of containers of running tasks in a cluster. So container instantiation and termination to match the given conditions is done by services.

Amazon ECR

It’s Amazon Elastic Container Registry. It’s your own private container registry hosted on AWS. You can use IAM authentications to control the access to ECR and it can be connected to various apps for CI/CD purposes. Container definitions under tasks can refer to ECR images securely.

Pricing

ECS is a free service just like cloudformation! You will be billed only for the resources you deployed/used for using ECS.

When creating clusters, the container instance type should be selected. As I explained earlier these are normal EC2 instances that can be viewed in the EC2 dashboard as well. So they will be billed like any other EC2 instances (instance types and time for which they are running).

Another billing you can incur is when running containers on fargate launch type. It’s considered as pretty costly than the EC2 launch type and hence should be used only for short-running tasks. You will be billed for the number of resources you are using and the duration for which they are being used.

If you are leveraging ECR to maintain your own private container image repository then ECR charges will be applied to your account as well. ECR charges include two components :

  1. Storage. Billed for total storage being used by all of the images
  2. Data transfer. Data in and out bills i.e. data transferred from/to ECR during image pull/push operations

Conclusion

That’s pretty much about ECS basics. So, if you are working on a self-hosted container environment, it’s time to move to ECS and let AWS manage the stuff for you while you can concentrate on developing apps in containers!