Components and Usage
Highly scalable and fast container management service. Easily can start, stop and manage containers on a cluster comprised of Amazon EC2 instances.
What makes up the ECS?
In the console, go to Identity and Access Management.
If you create the secret access key, make sure you download it and provide it for login.
Ensure that you also create a group for this that is specific to the EC2 Container service.
Normally we wouldn't recommend Admin access, but you want to assign a group security policy so future users added can get these group policies and we can manage it at a group level.
From the AWS IAM panel, we can just into the new
ecsadmin group and now we can create some sign in passwords from
Now with the alias link we have from the main dashboard, we can use that give other users a chance to log in.
It is very important that we want the alias used wherever possible instead of your account number.
Now, once the user signs in, they have a chance to see a new password.
THIS IS HOW WE MAINTAIN THE SECURITY WITH GRANUAL PERSMISSIONS FOR OTHERS TO USE
EC2 Virtual Servers > Network and Security > Key Pairs - you can import a key pair or create a key-pair. This is used to SSH in securely.
Create and save that file and store it somewhere securely.
If we use
ssh-agent bash, that will launch a shell where we can run
ssh-add key-pair.pem added to the key exchange, and now we can
ssh -i key-pair.pem email@example.com (ensure an instance is running).
ssh-agent bash ssh-add key-pair.pem ssh -i key-pair.pem firstname.lastname@example.org
In the VPC section of AWS, in the list of VPCs you can see a list of the VPCs and there can be allocated a default if you haven't named one.
Create a VPC, give is a name tag, the CIDR block is the network range eg.
10.17.0.0/16 (16 is as large as we can make our VPC) and we can choose the VPC to be
Once the instance config is up, we can choose
Actions > Edit DHCP Options which will edit how those addresses/options are set. Currently the /16 address range will be
10.17.0.1 but the config will basically assign ranges between .2 and .253. We can change that range with
DHCP Options Set if we want to.
Dynamic Host Configuration Protocol.
We can also assign a DNS resolution if we didn't want them publicly available by name, we can say don't do it.
Now we can go back and apply a security group.
Back in the
EC2 > Network and Security > Security Groups, we can now create a security group.
As you create this, you will give it a name and choose the VPC associated! This will be where we select the
ECS_VPC we created.
As for the inbound and outbound rules, we add an inbound SSH rule for TCP, port 22, Anywhere which will allow in SSH connections.
As a second option, we choose HTTPS and a HTTP role as well.
Outbound, we want SSH to anywhere and HTTP and HTTPS as well. After configuring our services, we may want to choose a more restricive kind of traffic.
Again, from here, we can edit the inbound and outbound rules too.
We recommend that you only open up SSH to a few IP ranges.
pip3 install awscli which will give us access to using the command line.
aws configure allows us to put in our id and secret key, and commands such as
aws ec2 describe-regions allow us to see available regions for instances.
In the ECS Wizard, let's click
This will deploy an EC2 Container Service in a particular region.
We want to add some information about
Tasks which is how we get things to run on ECS.
Give the task a definition name
ecs-sample-web-app-static as an example.
Container name we want to run could be
Image is the image format we want to run.
The ports can be configured depending on what ports we have exposed on the security settings.
If we look at the advanved settings, we can look at environment, network settings etc.
We can also mount additional volumes external from the container.
On the next step, we can edit the Service name and we can also have a multiple number of tasks running.
We can also do elastic load balancing too.
These containers also run in a cluster. We can choose what instance type we want, and a number of instances.
Key-Pairs are also region specific and you'll need a new key-pair for another cluster in a different region.
We need to make sure
ecsinstanceRole IAM policy is also currently allowed.
In the review, you will get an overview of what is being created and the cluster configuration.
If we now view this service in
Clusters, it will show us our cluster and the current task that is running.
If we look at
Task Definition we can use actions to do thingsl like run tasks.
When we launched the cluster, we had 2 instances running EC2 instances.
If we now go to
EC2 > Instances, we should be able to now see our running instances!
If we grab the IP, we can now use that pem file and AWS CLI. Again, run the
At the IP itself, we can see that the website is now running, but the second instance isn't running the container... why? Because it is a cluster. Even though we have two INSTANCES running we only configured ONE service running ONE task with ONE task definition.
A lot of this is because we haven't set the ELB. Since we didn't add a ELB, we will only see the container on the first EC2 we launched.
What we can do for our security groups is edit the settings that need to be changed or deploy a cluster and do that manually.
In the previous lessons, we quickly went through the ECS Wizard.
Let's take a look at how we can set up a cluster with a basic web app.
If we head back to the EC2 container service, let's walk through how we can customize our cluster initially and can use it in a manner more enterprise ready.
Now, in the advaned options, we want to make some changes.
Handy inclusions will be our environment variables.
Now, when the host starts, the container will start this image.
In this case, we will also define a load balance on a particular port.
Since we still have a very restricive security group, we still cannot SSH in. Why is that? We can configure our security groups.
How can we connect using SSH even when we have a key pair already?
The reason we cannot, is that during the initial launch, we don't have a way to apply another security group to another instance.
So in the
EC2 > Instances, we can view the Security Group being used as the source. If we click onto it, it will take us to the container security group.
Now if we look at the inbound and outbound rules!
There is a
ECSAllowedPorts and the
ELBAllowedPorts, and we are allow to enter one if we allowed in the ELB security group. Effectively, the ELB permissions are imported directly to the ECS allowed ports.
So we can in fact now add in the SSH IP that we want to use. As soon as we save, it immediately applies to our instance!
If we now run
ps aux | grep http we can now see the shell script we have run to launch the container.
We have the ability in the EC2 instances live into our cluster.
ECS > Clusters > ECS Instance > Scale ECS Instances we can choose what we are scaling. If will load it with reference to the ELB but it won't be auto setup.
If we head to
EC2 > Instances is our new instane configured exactly the same way as the original one.
Once the EC2 is up, the container won't be showing up on the IP just yet. If we SSH into that address, we can see that it is running but no
http service is running.
Head back to
ECS and we can see in the clusters that we only have one running task.
Now, if we select
Clusters > Task, we run a new task and choose our task definition. We still only need to run 1 task, since we just ran 1 additional instance. It's a 1-to-1 relationship.
Something that is cool, is that just because we are running a new task, we don't have to choose the same definition eg. like how we are running a database to support the cluster.
Once that task is running, if we now check that IP, we can now see the website is actually running.
Now that we have two instances running, but the load balancer on has 1 of 1 instances.
What we have to do in
EC2 > Load Balancers > Status, we click on it and edit the instances. The the ELB has already registered that there is another container instance (as you'll be able to see) so we click on it and then we select save.
Now we have multiple nodes, and the ELB will now use round robin to choose the node to use.
Load balancers do not currently store session state by default, which can be a trouble if you are running with round robin. You need to turn on Stickiness on the Port Configuration in order to keep sessions.
We can enabled
Load Balancer generated cookies or appliation generated cookie stickiness. Application will look for a cookie you set.
Generally you just want 5 minutes or so or you could suffer from
affinity overload if one server gets overloaded.
What we can do for loading containers is run from Docker Hub.
If you are going to use a propriatary system, use a private Docker Hub repo.
This example is given from AWS Labs.
The Dockerfile will be used to get a base image we want it built on and then we can declare variables that we want associated with it.
In this example, we will run
docker build -t username/name-of-repo and it will work from the Dockerfile and line everything up.
After the build, it will now be another image we can run against.
docker run -p 80:80 latest123/amazon-ecs-sample:latest
We can run
docker ps to ensure it is running and then we should be able to check localhost and see it all running.
docker login will sign us into our Docker account and the credentials will be saved.
Now if we
docker push, we can push that image.
We can now see that our repo has been pushed up to the account.
With the repo available for a docker pull, what we can now do is create a new task definition that will apply to a running task definition.
Creating the task definition
ECS > Task Definitions > Create a new definition.
What we can do is now add a container! We can also do a configure via JSON.
How do we do that? We can add a
config.json file that has all of the details.
In the example config that we paste in here from the AWSLabs example, we just need to change the Image that we wish to change.
Once we have created that task definition, we can head back to Clusters and see the task there.
Now that the task definition is done, how can we use that in our cluster? As we've seen before, we can scale the cluster with the additional instances.
Before we can apply a task to, we need to scale the instances.
Once the new EC2 instance is up, we can again check that it isn't running if we check the Public IP.
ECS > Clusters > ECS Instances, we have two tasks running and we can now run a new task.
One thing to notice is that the task definition list cannot be removed.
Once the task has run, get the IP that is provisioned and see if you can head to it - which you can!
ACTIVE- Check the instances and the tasks