Amazon Elastic Container Service

Developer Guide

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is Amazon ECS? ... 1

Launch types ... 1

Access Amazon ECS ... 2

Pricing ... 2

Amazon ECS components ... 3

Clusters ... 3

Containers and images ... 3

Task definitions ... 3

Tasks ... 4

Services ... 4

Container agent ... 4

Fargate architecture overview ... 5

Common use cases ... 6

Additional resources ... 6

Related services ... 6

Getting started ... 8

Setting up ... 8

Sign up for AWS ... 8

Create an IAM user ... 8

Create a key pair ... 10

Create a virtual private cloud ... 12

Create a security group ... 13

Install the AWS CLI ... 14

Docker basics ... 14

Install Docker ... 15

Create a Docker image ... 16

Push your image to Amazon Elastic Container Registry ... 17

Clean up ... 18

Using AWS Copilot ... 19

Prerequisites ... 19

Deploy your application using one command ... 19

Deploy your application step by step ... 19

Using the AWS CDK ... 23

Step 1: Set up your AWS CDK project ... 24

Step 2: Use the AWS CDK to define a containerized Web server on Fargate ... 25

Step 3: Test the Web server ... 29

Step 4: Clean up ... 29

Next steps ... 29

Getting started using the classic console ... 30

Using the classic console with Linux containers on AWS Fargate ... 30

Using the classic console with Windows containers on AWS Fargate ... 33

Using the classic console with Amazon EC2 ... 37

Using the classic console with Windows containers ... 41

Developer tools overview ... 46

AWS Management Console ... 46

AWS Command Line Interface ... 46

AWS CloudFormation ... 47

AWS Copilot CLI ... 47

AWS CDK ... 47

AWS App2Container ... 48

Amazon ECS CLI ... 48

Docker Desktop integration with Amazon ECS ... 48

AWS SDKs ... 49

Summary ... 49

Using the AWS Copilot CLI ... 49

Installing the AWS Copilot CLI ... 50

Next steps ... 55

Using the Amazon ECS CLI ... 55

Installing the Amazon ECS CLI ... 56

Configuring the Amazon ECS CLI ... 61

Migrating Configuration Files ... 62

Tutorial: Creating a cluster with a Fargate task using the Amazon ECS CLI ... 63

Tutorial: Creating a Cluster with an EC2 Task Using the Amazon ECS CLI ... 68

Tutorial: Creating an Amazon ECS Service That Uses Service Discovery Using the Amazon ECS CLI ... 71

Amazon ECS command line reference ... 74

AWS Fargate ... 162

Task definitions ... 162

Network mode ... 163

Task Operating Systems ... 163

Task CPU architecture ... 163

Task CPU and memory ... 163

Task resource limits ... 164

Logging ... 164

Amazon ECS task execution IAM role ... 165

Example Amazon Linux 2 task definition ... 165

Example Windows task definition ... 166

Task storage ... 167

Tasks and services ... 167

Task networking ... 167

Service load balancing ... 167

Private registry authentication ... 168

Clusters ... 168

Fargate Spot ... 168

Usage metrics ... 169

Task maintenance ... 169

Savings plans ... 170

Windows containers on AWS Fargate considerations ... 170

Platform Versions ... 170

Linux platform versions ... 171

Windows platform versions ... 175

Getting started walkthroughs ... 175

Clusters ... 176

Cluster concepts ... 176

Creating a cluster for the Fargate launch type using the new console ... 177

Creating a cluster for the Amazon EC2 launch type using the new console ... 178

Auto Scaling group options ... 178

Setting the cluster default capacity provider using the new console ... 180

Creating a cluster using the classic console ... 180

Capacity providers ... 183

Capacity provider concepts ... 183

Capacity provider types ... 184

Capacity provider considerations ... 185

AWS Fargate capacity providers ... 185

Auto Scaling group capacity providers ... 189

Cluster auto scaling ... 194

Cluster auto scaling considerations ... 195

Managed scale-out behavior ... 196

Using Local Zones, Wavelength Zones, and AWS Outposts ... 196

Local Zones ... 197

Wavelength Zones ... 197

AWS Outposts ... 197

Updating cluster settings ... 198

Deleting a cluster using the new console ... 198

Deleting a cluster using the classic console ... 199

Stopping tasks using the new console ... 199

Task definitions ... 201

Amazon EC2 Windows task definition considerations ... 202

Additional configuration for Windows IAM roles for tasks ... 202

Application architecture ... 202

Using the Fargate launch type ... 203

Using the EC2 launch type ... 203

Creating a task definition using the new console ... 204

Creating a task definition using the classic console ... 208

Task definition template ... 214

Task definition parameters ... 218

Family ... 219

Launch types ... 219

Task role ... 219

Task execution role ... 219

Network mode ... 220

Runtime platform ... 220

Task size ... 221

Container definitions ... 223

Task placement constraints ... 248

Proxy configuration ... 249

Volumes ... 250

Tags ... 254

Other task definition parameters ... 255

Launch types ... 256

Fargate launch type ... 256

EC2 launch type ... 257

External launch type ... 258

Working with GPUs on Amazon ECS ... 259

Considerations ... 260

Specifying GPUs in your task definition ... 260

Working with inference workloads on Amazon ECS ... 261

Considerations ... 262

Using the Amazon ECS-optimized Amazon Linux 2 (Inferentia) AMI ... 262

Task definition requirements ... 263

Working with 64-bit ARM workloads on Amazon ECS ... 264

Considerations ... 265

Specifying the ARM architecture in your task definition ... 265

Interfaces for Configuring ARM ... 266

Using data volumes in tasks ... 266

Fargate task storage ... 267

Amazon EFS volumes ... 268

FSx for Windows File Server volumes ... 271

Docker volumes ... 275

Bind mounts ... 279

Managing container swap space ... 289

Container swap considerations ... 289

Task networking ... 290

AWSVPC mode ... 290

Bridge mode ... 294

Host mode ... 294

Using the awslogs log driver ... 295

Turning on the awslogs log driver for your containers ... 295

Creating a log group ... 295

Available awslogs log driver options ... 296

Specifying a log configuration in your task definition ... 298

Viewing awslogs container logs in CloudWatch Logs ... 300

Custom log routing ... 301

Considerations ... 302

Required IAM permissions ... 302

Fluentd buffer limit ... 303

Using Fluent logger libraries or Log4j over TCP ... 304

Using the AWS for Fluent Bit image ... 305

Creating a task definition that uses a FireLens configuration ... 306

Filtering logs using regular expressions ... 309

Example task definitions ... 309

Private registry authentication for tasks ... 314

Required IAM permissions for private registry authentication ... 315

Enabling private registry authentication ... 315

Specifying sensitive data ... 317

Using Secrets Manager ... 317

Using Systems Manager Parameter Store ... 324

Specifying environment variables ... 328

Considerations for specifying environment variable files ... 329

Required IAM permissions ... 330

Example task definitions ... 331

Example: Webserver ... 331

Example: splunk log driver ... 333

Example: fluentd log driver ... 333

Example: gelf log driver ... 334

Example: Amazon ECR image and task definition IAM role ... 334

Example: Entrypoint with command ... 334

Example: Container dependency ... 335

Windows sample task definitions ... 336

Updating a task definition using the new console ... 337

Updating a task definition using the classic console ... 338

Deregistering a task definition revision ... 338

Account settings ... 340

Amazon Resource Names (ARNs) and IDs ... 341

ARN and resource ID format timeline ... 342

Viewing account settings ... 343

Modifying account settings ... 344

Container instances ... 346

Container instance concepts ... 346

Container instance lifecycle ... 347

Check the instance IAM role for your account ... 348

Linux instances ... 348

Amazon ECS-optimized AMI ... 349

Bottlerocket ... 380

Launching a container instance ... 381

Bootstrap Container Instances ... 386

Starting a task at container instance launch time ... 387

Elastic network interface trunking ... 389

Memory Management ... 399

Connect to your container instance using the classic console ... 401

Manage container instances remotely ... 402

Windows instances ... 403

Amazon ECS-optimized AMI ... 404

Launching a container instance ... 424

Bootstrap Container Instances ... 428

Connect to your container Windows instance ... 430

Deregister a container instance ... 431

External instances ... 432

Supported operating systems and system architectures ... 433

Considerations ... 434

IAM permissions ... 436

Registering an external instance to a cluster ... 438

Deregistering an external instance ... 442

Running workloads on external instances ... 444

Updating the AWS Systems Manager Agent and Amazon ECS container agent ... 445

Monitoring ... 448

CloudWatch Logs IAM Policy ... 449

Installing and configuring the CloudWatch agent ... 450

Viewing CloudWatch Logs ... 450

Container instance draining ... 450

Draining behavior for services ... 451

Draining behavior for standalone tasks ... 451

Draining container instances ... 452

Container agent ... 453

Installing the Amazon ECS container agent ... 453

Installing the Amazon ECS container agent on an Amazon Linux 2 EC2 instance ... 454

Installing the Amazon ECS container agent on an Amazon Linux AMI EC2 instance ... 454

Installing the Amazon ECS container agent on a non-Amazon Linux EC2 instance ... 455

Running the Amazon ECS Container Agent with Host Network Mode ... 462

Container agent versions ... 462

Amazon ECS-Optimized Amazon Linux 2 AMI Container Agent Versions ... 463

Amazon ECS-Optimized Amazon Linux AMI Container Agent Versions ... 466

Amazon EC2 Windows containers ... 470

Windows container caveats ... 471

Getting started with Windows containers ... 472

Updating the Amazon ECS container agent ... 472

Checking the Amazon ECS container agent version ... 472

Updating the Amazon ECS container agent on an Amazon ECS-optimized AMI ... 474

Manually updating the Amazon ECS container agent (for non-Amazon ECS-Optimized AMIs) ... 477

Container agent configuration ... 479

Available Parameters ... 479

Storing container instance configuration in Amazon S3 ... 492

Private registry authentication for container instances ... 493

Authentication formats ... 494

Enabling private registries ... 495

Automated task and image cleanup ... 496

Tunable parameters ... 497

Cleanup workflow ... 497

Container metadata file ... 497

Enabling container metadata ... 498

Container metadata file locations ... 498

Container metadata file format ... 499

Task metadata endpoint ... 501

Task metadata endpoint version 4 ... 502

Task Metadata Endpoint version 3 ... 518

Task Metadata Endpoint version 2 ... 523

Container agent introspection ... 528

HTTP proxy configuration ... 529

Amazon Linux container instance configuration ... 530

Windows container instance configuration ... 532

Using gMSAs for Windows Containers ... 533

Considerations ... 534

Prerequisites ... 534

Setting Up gMSA-capable Windows Containers on Amazon ECS ... 534

Scheduling tasks ... 538

Run a standalone task ... 539

Task placement ... 543

Task groups ... 544

Task placement strategies ... 544

Task placement constraints ... 546

Cluster query language ... 551

Scheduled tasks ... 554

Create a scheduled task ... 554

View your scheduled tasks ... 556

Edit a scheduled task ... 557

Task lifecycle ... 557

Lifecycle states ... 558

Creating a scheduled task using the AWS CLI ... 559

Services ... 561

Service scheduler concepts ... 561

Daemon ... 562

Replica ... 563

Additional service concepts ... 563

Service definition parameters ... 564

Launch type ... 564

Capacity provider strategy ... 564

Task definition ... 565

Platform operating system ... 565

Platform version ... 566

Cluster ... 566

Service name ... 566

Scheduling strategy ... 567

Desired count ... 567

Deployment configuration ... 567

Deployment controller ... 569

Task placement ... 569

Tags ... 570

Network configuration ... 571

Client token ... 575

Service definition template ... 575

Creating a service ... 576

Creating a service using the New Amazon ECS console ... 577

Creating a service using the Classic Amazon ECS console ... 578

Updating a service ... 589

Updating a service using the new console ... 590

Updating a service using the classic console ... 591

Deleting a service ... 592

Deployment types ... 594

Rolling update ... 594

Blue/Green deployment with CodeDeploy ... 596

External deployment ... 600

Service load balancing ... 606

Service load balancing considerations ... 606

Load balancer types ... 608

Creating a load balancer ... 611

Registering multiple target groups with a service ... 621

Service auto scaling ... 623

Service auto scaling and deployments ... 623

IAM permissions required for service auto scaling ... 624

Target tracking scaling policies ... 625

Step scaling policies ... 629

Service Discovery ... 631

Service Discovery concepts ... 632

Service discovery considerations ... 633

Amazon ECS console experience ... 634

Service discovery pricing ... 634

Service throttle logic ... 634

Resources and tags ... 636

Tagging your resources ... 636

Tag basics ... 636

Tagging your resources ... 637

Tag restrictions ... 638

Tagging your resources for billing ... 638

Working with tags using the console ... 639

Working with tags using the CLI or API ... 641

Service quotas ... 643

Amazon ECS service quotas ... 643

AWS Fargate service quotas ... 645

Managing your Amazon ECS and AWS Fargate service quotas in the AWS Management Console ... 646

AWS Fargate Regions ... 647

Supported Regions for Linux containers on AWS Fargate ... 647

Supported Regions for Windows containers on AWS Fargate ... 648

Usage Reports ... 649

Monitoring ... 651

Monitoring tools ... 652

Automated Tools ... 652

Manual Tools ... 652

CloudWatch metrics ... 653

Enabling CloudWatch metrics ... 653

Available metrics and dimensions ... 654

Cluster reservation ... 656

Cluster utilization ... 657

Service utilization ... 658

Service RUNNING task count ... 659

Viewing Amazon ECS metrics ... 660

Tutorial: Scaling with CloudWatch Alarms ... 661

Events and EventBridge ... 665

Amazon ECS events ... 666

Handling events ... 677

CloudWatch Container Insights ... 679

Container Insights considerations ... 679

Setting up CloudWatch Container Insights for cluster and service level metrics ... 679

Container instance health ... 681

Collecting application trace data ... 681

Required IAM permissions for AWS Distro for OpenTelemetry integration with AWS X-Ray ... 682

Specifying the AWS Distro for OpenTelemetry sidecar for AWS X-Ray integration in your task definition ... 683

Collecting application metrics ... 684

Exporting application metrics to Amazon CloudWatch ... 684

Exporting application metrics to Amazon Managed Service for Prometheus ... 687

Logging Amazon ECS API calls with AWS CloudTrail ... 689

Amazon ECS information in CloudTrail ... 689

Understanding Amazon ECS log file entries ... 690

Security ... 692

Identity and Access Management ... 692

Audience ... 693

Authenticating with identities ... 693

Managing access using policies ... 695

How Amazon Elastic Container Service works with IAM ... 697

Identity-based policy examples ... 703

AWS managed policies for Amazon ECS ... 714

Service-linked role ... 725

Task execution IAM role ... 731

Container instance IAM role ... 736

ECS Anywhere IAM role ... 738

IAM Roles for Tasks ... 740

CodeDeploy IAM Role ... 745

CloudWatch Events IAM Role ... 748

Additional configuration for Windows IAM roles for tasks ... 751

Troubleshooting ... 752

Logging and Monitoring ... 754

Compliance Validation ... 755

Infrastructure Security ... 756

Interface VPC endpoints (AWS PrivateLink) ... 756

Working with other services ... 760

Using Amazon ECR with Amazon ECS ... 760

Using Amazon ECR Images with Amazon ECS ... 760

Creating Amazon ECS resources with AWS CloudFormation ... 761

Amazon ECS and AWS CloudFormation templates ... 761

Learn more about AWS CloudFormation ... 761

Amazon Elastic Container Service on AWS Outposts ... 761

Prerequisites ... 762

Limitations ... 762

Network Connectivity Considerations ... 762

Creating an Amazon ECS Cluster on an AWS Outposts ... 762

Use App Mesh with Amazon ECS ... 765

AWS Deep Learning Containers on Amazon ECS ... 765

Deep Learning Containers with Elastic Inference on Amazon ECS ... 765

Tutorials ... 766

Tutorial: Creating a VPC ... 766

Step 1: Create an Elastic IP Address for Your NAT Gateway ... 766

Step 2: Run the VPC Wizard ... 767

Step 3: Create Additional Subnets ... 767

Next Steps ... 768

Tutorial: Creating a cluster with a Fargate Linux task using the AWS CLI ... 768

Prerequisites ... 769

Step 1: Create a Cluster ... 769

Step 2: Register a Linux Task Definition ... 769

Step 3: List Task Definitions ... 770

Step 4: Create a Service ... 771

Step 5: List Services ... 771

Step 6: Describe the Running Service ... 771

Step 7: Test ... 773

Step 8: Clean Up ... 774

Tutorial: Creating a cluster with a Fargate Windows task using the AWS CLI ... 774

Prerequisites ... 775

Step 1: Create a Cluster ... 775

Step 2: Register a Windows Task Definition ... 776

Step 3: List task definitions ... 777

Step 4: Create a service ... 777

Step 5: List services ... 777

Step 6: Describe the Running Service ... 778

Step 7: Clean Up ... 779

Tutorial: Creating a cluster with an EC2 task using the AWS CLI ... 780

Prerequisites ... 780

Step 1: Create a Cluster ... 780

Step 2: Launch an Instance with the Amazon ECS AMI ... 781

Step 3: List Container Instances ... 781

Step 4: Describe your Container Instance ... 781

Step 5: Register a Task Definition ... 783

Step 6: List Task Definitions ... 784

Step 7: Run a Task ... 785

Step 8: List Tasks ... 785

Step 9: Describe the Running Task ... 786

Tutorial: Using cluster auto scaling with the AWS Management Console ... 786

Prerequisites ... 787

Step 1: Create an Amazon ECS cluster ... 787

Step 2: Create the Auto Scaling resources ... 787

Step 3: Create a capacity provider ... 789

Step 4: Set a default capacity provider strategy for the cluster ... 801

Step 5: Register a task definition ... 802

Step 6: Run a task ... 802

Step 7: Verify ... 803

Step 8: Clean up ... 804

Tutorial: Specifying sensitive data using Secrets Manager secrets ... 805

Prerequisites ... 805

Step 1: Create an Secrets Manager secret ... 805

Step 2: Update your task execution IAM role ... 806

Step 3: Create an Amazon ECS task definition ... 807

Step 4: Create an Amazon ECS cluster ... 808

Step 5: Run an Amazon ECS task ... 808

Step 6: Verify ... 808

Step 7: Clean up ... 809

Tutorial: Creating a service using Service Discovery ... 810

Prerequisites ... 810

Step 1: Create the Service Discovery resources ... 810

Step 2: Create the Amazon ECS resources ... 811

Step 3: Verify Service Discovery ... 814

Step 4: Clean up ... 817

Tutorial: Creating a service using a blue/green deployment ... 819

Prerequisites ... 819

Step 1: Create an Application Load Balancer ... 819

Step 2: Create an Amazon ECS cluster ... 820

Step 3: Register a task definition ... 820

Step 4: Create an Amazon ECS service ... 821

Step 5: Create the AWS CodeDeploy resources ... 822

Step 6: Create and monitor a CodeDeploy deployment ... 824

Step 7: Clean up ... 826

Tutorial: Listening for Amazon ECS CloudWatch Events ... 827

Prerequisite: Set up a test cluster ... 828

Step 1: Create the Lambda function ... 828

Step 2: Register an event rule ... 828

Step 3: Test your rule ... 829

Tutorial: Sending Amazon Simple Notification Service alerts for task stopped events ... 829

Prerequisite: Set up a test cluster ... 829

Step 1: Create and subscribe to an Amazon SNS topic ... 829

Step 2: Register an event rule ... 830

Step 3: Test your rule ... 830

Tutorial: Using Amazon EFS ... 831

Step 1: Create an Amazon ECS cluster ... 832

Step 2: Create a security group for the Amazon EFS file system ... 833

Step 3: Create an Amazon EFS file system ... 833

Step 4: Add content to the Amazon EFS file system ... 834

Step 5: Create a task definition ... 835

Step 6: Run a task and view the results ... 836

Tutorial: Using FSx for Windows File Server ... 837

Prerequisites for the tutorial ... 837

Step 1: Create IAM access roles ... 838

Step 2: Create Windows Active Directory (AD) ... 838

Step 3: Verify and update your security group ... 839

Step 4: Create an FSx for Windows File Server file system ... 840

Step 5: Create an Amazon ECS cluster ... 840

Step 6: Create an Amazon ECS instance ... 841

Step 7: Register a Windows task definition ... 43

Step 8: Run a task and view the results ... 844

Step 9: Clean up ... 844

Troubleshooting ... 846

Using Amazon ECS Exec for debugging ... 846

Architecture ... 846

Considerations for using ECS Exec ... 847

Prerequisites for using ECS Exec ... 847

Enabling and using ECS Exec ... 848

Logging and Auditing using ECS Exec ... 850

Using IAM policies to limit access to ECS Exec ... 852

Troubleshooting issues with ECS Exec ... 855

Troubleshooting ECS Anywhere issues ... 855

External instance registration issues ... 855

External instance network issues ... 856

Issues running tasks ... 856

Checking stopped tasks for errors ... 856

CannotPullContainer task errors ... 859

Service event messages ... 861

Service event messages ... 863

Invalid CPU or memory value specified ... 867

CannotCreateContainerError: API error (500): devmapper ... 868

Troubleshooting service load balancers ... 869

Troubleshooting service auto scaling ... 870

Enabling Docker debug output ... 870

Amazon ECS Log File Locations ... 871

Amazon ECS Container Agent Log ... 871

Amazon ECS ecs-init Log ... 873

IAM Roles for Tasks Credential Audit Log ... 874

Amazon ECS logs collector ... 874

Agent introspection diagnostics ... 876

Docker diagnostics ... 877

List Docker containers ... 877

View Docker Logs ... 878

Inspect Docker Containers ... 878

AWS Fargate throttling limits ... 879

API failure reasons ... 880

Troubleshooting IAM Roles for Tasks ... 882

Document history ... 885

AWS glossary ... 907

What is Amazon Elastic Container Service?

Amazon Elastic Container Service (Amazon ECS) is a highly scalable and fast container management service. You can use it to run, stop, and manage containers on a cluster. With Amazon ECS, your containers are defined in a task definition that you use to run individual tasks or tasks within a service.

In this context, a service is a configuration that you can use to run and maintain a specified number of tasks simultaneously in a cluster. You can run your tasks and services on a serverless infrastructure that's managed by AWS Fargate. Alternatively, for more control over your infrastructure, you can run your tasks and services on a cluster of Amazon EC2 instances that you manage.

Amazon ECS provides the following features:

• A serverless option with AWS Fargate. With AWS Fargate, you don't need to manage servers, handle capacity planning, or isolate container workloads for security. Fargate handles the infrastructure management aspects of your workload for you. You can schedule the placement of your containers across your cluster based on your resource needs, isolation policies, and availability requirements.

• Integration with AWS Identity and Access Management (IAM). You can assign granular permissions for each of your containers. This allows for a high level of isolation when building your applications. In other words, you can launch your containers with the security and compliance levels that you've come to expect from AWS.

• AWS managed container orchestration. As a fully managed service, Amazon ECS comes with AWS configuration and operational best practices built in. This also means that you don't need to manage the control plane, nodes, or add-ons. It's integrated with both AWS and third-party tools, such as Amazon Elastic Container Registry and Docker. This integration makes it easier for teams to focus on building the applications, not the environment.

• Continuous integration and continuous deployment (CI/CD). This is a common process for microservice architectures that are based on Docker containers. You can create a CI/CD pipeline that takes the following actions:

• Monitors changes to a source code repository

• Builds a new Docker image from that source

• Pushes the image to an image repository such as Amazon ECR or Docker Hub

• Updates your Amazon ECS services to use the new image in your application

• Support for service discovery. This is a key component of most distributed systems and service-oriented architectures. With service discovery, your microservice components are automatically discovered as they're created and terminated on a given infrastructure.

• Support for sending your container instance log information to CloudWatch Logs. After you send this information to Amazon CloudWatch, you can view the logs from your container instances in one convenient location. This prevents your container logs from taking up disk space on your container instances.

The AWS container services team maintains a public roadmap on GitHub. The roadmap contains information about what the teams are working on and enables AWS customers to provide direct feedback. For more information, see AWS Containers Roadmap on the GitHub website.

Launch types

There are two models that you can use to run your containers:

• Fargate launch type - This is a serverless pay-as-you-go option. You can run containers without needing to manage your infrastructure.

• EC2 launch type - Configure and deploy EC2 instances in your cluster to run your containers.

The Fargate launch type is suitable for the following workloads:

• Large workloads that need to be optimized for low overhead

• Small workloads that have occasional bursts

• Tiny workloads

• Batch workloads

The EC2 launch type is suitable for the following workloads:

• Workloads that require consistently high CPU core and memory usage

• Large workloads that need to be optimized for price

• Applications that need access to persistent storage

• Workloads where you must directly manage your infrastructure

Access Amazon ECS

You can create, access, and manage your Amazon ECS resources using any of the following interfaces:

AWS Management Console — Provides a web interface that you can use to access your Amazon ECS resources.

AWS Command Line Interface (AWS CLI) — Provides commands for a broad set of AWS services, including Amazon ECS. It's supported on Windows, Mac, and Linux. For more information, see AWS Command Line Interface.

AWS SDKs — Provides language-specific APIs and takes care of many of the connection details. These include calculating signatures, handling request retries, and error handling. For more information, see AWS SDKs.

AWS Copilot — Provides an open-source tool for developers to build, release, and operate production ready containerized applications on Amazon ECS. For more information, see AWS Copilot on the GitHub website.

Amazon ECS CLI — Provides a command line interface for you to run your applications on Amazon ECS and AWS Fargate using the Docker Compose file format. You can quickly provision resources, push and pull images using Amazon Elastic Container Registry, and monitor running applications on Amazon ECS or Fargate. You can also test containers that are running locally along with containers in the Cloud within the CLI. For more information, see AWS Copilot on the GitHub website.

AWS CDK — Provides an open-source software development framework that you can use to model and provision your cloud application resources using familiar programming languages. The AWS CDK provisions your resources in a safe, repeatable manner through AWS CloudFormation. For more information, see the section called “Using the AWS CDK” (p. 23).

Pricing

Amazon ECS pricing is dependent on whether you use AWS Fargate or Amazon EC2 infrastructure to host your containerized workloads. When using Amazon ECS on AWS Outposts, the pricing follows the same model that's used when you use Amazon EC2 directly. For more information, see Amazon ECS Pricing.

Amazon ECS and Fargate also offer Savings Plans that provide significant savings based on your AWS usage. For more information, see the Savings Plans User Guide.

To view your bill, go to the Billing and Cost Management Dashboard in the AWS Billing and Cost Management console. Your bill contains links to usage reports that provide additional details about your bill. To learn more about AWS account billing, see AWS Account Billing.

If you have questions concerning AWS billing, accounts, and events, contact AWS Support.

Trusted Advisor is a service that helps you optimize the costs, security, and performance of your AWS environment. For more information about Trusted Advisor, see AWS Trusted Advisor.

Amazon ECS components

Clusters

An Amazon ECS cluster is a logical grouping of tasks or services. You can use clusters to isolate your applications. This way, they don't use the same underlying infrastructure. When your tasks are run on Fargate, your cluster resources are also managed by Fargate.

Containers and images

To deploy applications on Amazon ECS, your application components must be configured to run in containers. A container is a standardized unit of software development that holds everything that your software application requires to run. This includes relevant code, runtime, system tools, and system libraries. Containers are created from a read-only template that's called an image.

Images are typically built from a Dockerfile. A Dockerfile is a plaintext file that specifies all of the components that are included in the container. After they're built, these images are stored in a registry from which they can be downloaded. After you download them, you can run them on your cluster. For more information about container technology, see Docker basics for Amazon ECS (p. 14).

Task definitions

A task definition is a text file that describes one or more containers that form your application. It's in JSON format. You can use it to describe up to a maximum of ten containers. The task definition functions as a blueprint for your application. It specifies the various parameters for your application. For example, you can use it to specify parameters for the operating system, which containers to use, which ports to open for your application, and what data volumes to use with the containers in the task. The specific parameters available for your task definition depend on the needs of your specific application.

Your entire application stack doesn't need to be on a single task definition. In fact, we recommend spanning your application across multiple task definitions. You can do this by combining related containers into their own task definitions, each representing a single component.
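The task definition described above, together with the per-task IAM permissions and the CloudWatch Logs integration listed among the features, as an added example that is not code from the guide: a small linter that checks a task definition JSON for those points (the ten-container limit, a task IAM role, logs shipped off the instance, no plaintext credentials in environment values) and rewrites it to fix them. The account ID, ARNs, images and log group are constructed; the field names are the real task definition parameters.

```python
"""Added example (not from the ECS Developer Guide): lint and harden an
Amazon ECS task definition in JSON form. Sample values are constructed."""
import json
import re

MAX_CONTAINERS = 10  # the guide's stated limit per task definition
# Log drivers that move container logs off the instance: awslogs sends them
# to CloudWatch Logs directly, awsfirelens routes them through FireLens.
OFF_INSTANCE_LOG_DRIVERS = {"awslogs", "awsfirelens"}
# Environment variable names that almost certainly carry credentials.
SECRET_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.IGNORECASE)

# Constructed sample: a two-container web task with several weaknesses.
SAMPLE_TASK_DEFINITION = json.dumps({
    "family": "example-web",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "cpu": "256",
    "memory": "512",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    # Weakness: no taskRoleArn, so the task has no IAM role of its own.
    "containerDefinitions": [
        {
            "name": "web",
            "image": "public.ecr.aws/docker/library/nginx:1.25",
            "essential": True,
            "portMappings": [{"containerPort": 80, "protocol": "tcp"}],
            # Weakness: a credential passed as a plaintext environment value.
            "environment": [{"name": "DB_PASSWORD", "value": "hunter2"}],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {"awslogs-group": "/ecs/example-web",
                            "awslogs-region": "us-east-1",
                            "awslogs-stream-prefix": "web"},
            },
        },
        {
            "name": "sidecar",
            "image": "public.ecr.aws/docker/library/busybox:1.36",
            "essential": False,
            # Weakness: no logConfiguration, so its logs stay on the instance.
            "environment": [{"name": "LOG_LEVEL", "value": "info"}],
        },
    ],
})


def _is_plaintext_secret(env_entry):
    """True for an 'environment' entry whose name looks like a credential and
    which carries an inline 'value' (a 'secrets' entry uses 'valueFrom')."""
    return bool(SECRET_NAME_RE.search(env_entry.get("name", ""))) and "value" in env_entry


def lint_task_definition(task_def_json):
    """Return a list of human-readable findings; an empty list means clean."""
    td = json.loads(task_def_json)
    containers = td.get("containerDefinitions", [])
    findings = []
    if len(containers) > MAX_CONTAINERS:
        findings.append(f"{len(containers)} containers declared; the limit is {MAX_CONTAINERS}")
    if not td.get("taskRoleArn"):
        findings.append("no taskRoleArn: the task has no dedicated IAM role, "
                        "so per-task least privilege is not in effect")
    for c in containers:
        name = c.get("name", "<unnamed>")
        driver = (c.get("logConfiguration") or {}).get("logDriver")
        if driver not in OFF_INSTANCE_LOG_DRIVERS:
            findings.append(f"container {name}: no awslogs/awsfirelens logConfiguration, "
                            "so its logs stay on the container instance")
        for env in c.get("environment", []):
            if _is_plaintext_secret(env):
                findings.append(f"container {name}: {env['name']} is a plaintext environment "
                                "value; reference it from 'secrets' with valueFrom instead")
    return findings


def harden_task_definition(task_def_json, task_role_arn, secret_arn_prefix, log_group, region):
    """Return a copy of the task definition with the findings above fixed.
    Credential-like environment entries move to 'secrets' with a valueFrom built
    from secret_arn_prefix; the plaintext value is dropped (the secret itself
    must be created in the secrets store separately)."""
    td = json.loads(task_def_json)
    td["taskRoleArn"] = task_role_arn
    for c in td.get("containerDefinitions", []):
        env = c.get("environment", [])
        moved = [{"name": e["name"], "valueFrom": secret_arn_prefix + e["name"]}
                 for e in env if _is_plaintext_secret(e)]
        c["environment"] = [e for e in env if not _is_plaintext_secret(e)]
        if moved:
            c["secrets"] = c.get("secrets", []) + moved
        if (c.get("logConfiguration") or {}).get("logDriver") not in OFF_INSTANCE_LOG_DRIVERS:
            c["logConfiguration"] = {"logDriver": "awslogs",
                                     "options": {"awslogs-group": log_group,
                                                 "awslogs-region": region,
                                                 "awslogs-stream-prefix": c.get("name", "task")}}
    return json.dumps(td, indent=2)


if __name__ == "__main__":
    for finding in lint_task_definition(SAMPLE_TASK_DEFINITION):
        print("finding:", finding)
    fixed = harden_task_definition(
        SAMPLE_TASK_DEFINITION,
        "arn:aws:iam::123456789012:role/exampleTaskRole",
        "arn:aws:secretsmanager:us-east-1:123456789012:secret:example/",
        "/ecs/example-web", "us-east-1")
    print("after hardening:", lint_task_definition(fixed) or "no findings")
```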

Tasks

A task is the instantiation of a task definition within a cluster. After you create a task definition for your application within Amazon ECS, you can specify the number of tasks to run on your cluster. You can run a standalone task, or you can run a task as part of a service.

Services

You can use an Amazon ECS service to run and maintain your desired number of tasks simultaneously in an Amazon ECS cluster. If any of your tasks fail or stop for any reason, the Amazon ECS service scheduler launches another instance of your task definition to replace it and thereby maintain your desired number of tasks in the service.

Container agent

The container agent runs on each container instance within an Amazon ECS cluster. The agent sends information about the current running tasks and resource utilization of your containers to Amazon ECS.

It starts and stops tasks whenever it receives a request from Amazon ECS. For more information, see Amazon ECS container agent (p. 453).

Fargate architecture overview

Amazon ECS is a Regional service that simplifies the management involved with running containers in a highly available manner across multiple Availability Zones within an AWS Region. You can create Amazon ECS clusters within a new or existing VPC. After a cluster is up and running, you can create task definitions that define which container images run across your clusters. Your task definitions are used to run tasks or create services. Container images are stored in and pulled from container registries, such as the Amazon Elastic Container Registry.

The following diagram shows the architecture of an Amazon ECS environment that runs on AWS Fargate.

Common use cases in Amazon ECS

The following are common use cases for Amazon ECS:

• Microservices

• Websites

• Video rendering services

• Machine learning

You can use AWS Batch to farm out tasks across your containers.

Additional resources

You can use Amazon ECS to create a consistent build and deployment experience, to manage and scale batch and Extract-Transform-Load (ETL) workloads, and to build sophisticated application architectures on a microservices model. For more information about Amazon ECS use cases and scenarios, see Container Use Cases.

You can view the microservices reference architecture on GitHub. For more information, see Deploying Microservices with Amazon ECS, AWS CloudFormation, and an Application Load Balancer.

The following resources outline how to implement continuous integration and deployment (CI/CD):

• ECS Reference Architecture: Continuous Deployment: This reference architecture demonstrates how to achieve continuous deployment of an application to Amazon ECS using CodePipeline, CodeBuild, and AWS CloudFormation.

• Continuous Delivery Pipeline for Amazon ECS Using Jenkins, GitHub, and Amazon ECR: This AWS labs repository helps you set up and configure a continuous delivery pipeline for Amazon ECS using Jenkins, GitHub, and Amazon ECR.

The Managing Secrets for Amazon ECS Applications Using Parameter Store and IAM Roles for Tasks post focuses on how to integrate the IAM roles for tasks (p. 740) functionality of Amazon ECS with the AWS Systems Manager Parameter Store. Parameter Store provides a centralized store to manage your configuration data, whether it's plaintext data such as database strings or secrets such as passwords, encrypted through AWS Key Management Service.

The following resources outline how to make your services discoverable:

• Run Containerized Microservices with Amazon EC2 Container Service and Application Load Balancer: This post describes how to use the dynamic port mapping and path-based routing features of Elastic Load Balancing Application Load Balancers. This provides service discovery for a microservice architecture.

• Amazon Elastic Container Service - Reference Architecture: Service Discovery: This Amazon ECS reference architecture provides service discovery to containers using CloudWatch Events, Lambda, and Route 53 private hosted zones.

• Service Discovery via Consul with Amazon ECS: This post shows how a third-party tool that's called Consul by HashiCorp can augment the capabilities of Amazon ECS by providing service discovery for an ECS cluster. This post provides an example application for your reference.

Related services

Amazon ECS can be used along with the following AWS services:

AWS Identity and Access Management

AWS Identity and Access Management (IAM) is an access management service that helps you securely control access to AWS resources. You can use IAM to control who's authenticated (signed in) and authorized (has permissions) to view or perform specific actions on resources. In Amazon ECS, you can use IAM to control access at the container instance level using IAM roles. You can also use it to control access at the task level using IAM task roles. For more information, see Identity and Access Management for Amazon Elastic Container Service (p. 692).

Amazon EC2 Auto Scaling

Auto Scaling is a service that sets up automatic scaling for your tasks. The scaling is based on user-defined policies, health status checks, and schedules. You can use Auto Scaling alongside a Fargate task within a service to scale in response to a number of metrics. Or, alternatively, you can use it with an EC2 task to scale the container instances within your cluster. For more information, see Service auto scaling (p. 623).

Elastic Load Balancing

The Elastic Load Balancing service automatically distributes incoming application traffic across the tasks in your Amazon ECS service. You can use it to achieve greater levels of fault tolerance in your applications. At the same time, you can use it to also provide the amount of load-balancing capacity that's required to distribute application traffic. You can use Elastic Load Balancing to create an endpoint that balances traffic across services in a cluster. For more information, see Service load balancing (p. 606).

Amazon Elastic Container Registry

Amazon ECR is a managed AWS Docker registry service that's secure, scalable, and reliable. Amazon ECR supports private Docker repositories with resource-based permissions using IAM so that specific users or tasks can access repositories and images. Developers can use the Docker CLI to push, pull, and manage images. For more information, see the Amazon Elastic Container Registry User Guide.

AWS CloudFormation

AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources. More specifically, it makes provisioning and updating resources more predictable. You can define clusters, task definitions, and services as entities in an AWS CloudFormation script. For more information, see AWS CloudFormation Template Reference.

Getting started with Amazon ECS

The following guides provide an introduction to the tools available to access Amazon ECS and introductory step by step procedures to run containers. Docker basics takes you through the basic steps to create a Docker container image and upload it to an Amazon ECR private repository. The getting started guides walk you through using the AWS Copilot command line interface and the AWS Management Console to complete the common tasks to run your containers on Amazon ECS and AWS Fargate.

Contents

• Setting up with Amazon ECS (p. 8)

• Docker basics for Amazon ECS (p. 14)

• Getting started with Amazon ECS using AWS Copilot (p. 19)

• Getting started with Amazon ECS using the AWS CDK (p. 23)

• Getting started with Amazon ECS using the classic console (p. 30)

Setting up with Amazon ECS

If you've already signed up for Amazon Web Services (AWS) and have been using Amazon Elastic Compute Cloud (Amazon EC2), you are close to being able to use Amazon ECS. The set-up process for the two services is similar. The following guide prepares you for launching your first Amazon ECS cluster.

Complete the following tasks to get set up for Amazon ECS.

Sign up for AWS

When you sign up for AWS, your AWS account is automatically signed up for all services, including Amazon EC2 and Amazon ECS. You are charged only for the services that you use.

If you have an AWS account already, skip to the next task. If you don't have an AWS account, use the following procedure to create one.

To create an AWS account

1. Open https://portal.aws.amazon.com/billing/signup.

2. Follow the online instructions.

Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

Note your AWS account number, because you'll need it for the next task.

Create an IAM user

Services in AWS, such as Amazon EC2 and Amazon ECS, require that you provide credentials when you access them, so that the service can determine whether you have permission to access its resources. The console requires your password. You can create access keys for your AWS account to access the command line interface or API. However, we don't recommend that you access AWS using the credentials for your AWS account; we recommend that you use AWS Identity and Access Management (IAM) instead. Create an IAM user, and then add the user to an IAM group with administrative permissions, or grant this user administrative permissions directly. You can then access AWS using a special URL and the credentials for the IAM user.

If you signed up for AWS but have not created an IAM user for yourself, you can create one using the IAM console.

To create an administrator user for yourself and add the user to an administrators group (console)

1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

Note

We strongly recommend that you adhere to the best practice of using the Administrator IAM user that follows and securely lock away the root user credentials. Sign in as the root user only to perform a few account and service management tasks.

2. In the navigation pane, choose Users and then choose Add user.

3. For User name, enter Administrator.

4. Select the check box next to AWS Management Console access. Then select Custom password, and then enter your new password in the text box.

5. (Optional) By default, AWS requires the new user to create a new password when first signing in. You can clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after they sign in.

6. Choose Next: Permissions.

7. Under Set permissions, choose Add user to group.

8. Choose Create group.

9. In the Create group dialog box, for Group name enter Administrators.

10. Choose Filter policies, and then select AWS managed - job function to filter the table contents.

11. In the policy list, select the check box for AdministratorAccess. Then choose Create group.

Note

You must activate IAM user and role access to Billing before you can use the AdministratorAccess permissions to access the AWS Billing and Cost Management console. To do this, follow the instructions in step 1 of the tutorial about delegating access to the billing console.

12. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to see the group in the list.

13. Choose Next: Tags.

14. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM entities in the IAM User Guide.

15. Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.

You can use this same process to create more groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to specific AWS resources, see Access management and Example policies.

To sign in as this new IAM user, sign out of the AWS console, then use the following URL, where your_aws_account_id is your AWS account number without the hyphens (for example, if your AWS account number is 1234-5678-9012, your AWS account ID is 123456789012):

https://your_aws_account_id.signin.aws.amazon.com/console/

Enter the IAM user name and password that you just created. When you're signed in, the navigation bar displays "your_user_name @ your_aws_account_id".

If you don't want the URL for your sign-in page to contain your AWS account ID, you can create an account alias. From the top of the IAM dashboard, to the right of your sign-in link, choose Customize and enter an alias, such as your company name. To sign in after you create an account alias, use the following URL:

https://your_account_alias.signin.aws.amazon.com/console/

To verify the sign-in link for IAM users for your account, open the IAM console and check under IAM users sign-in link on the dashboard.

For more information about IAM, see the AWS Identity and Access Management User Guide.

Create a key pair

For Amazon ECS, a key pair is only needed if you intend on using the EC2 launch type.

AWS uses public-key cryptography to secure the login information for your instance. A Linux instance, such as an Amazon ECS container instance, has no password to use for SSH access. You use a key pair to log in to your instance securely. You specify the name of the key pair when you launch your container instance, then provide the private key when you log in using SSH.

If you haven't created a key pair already, you can create one using the Amazon EC2 console. If you plan to launch instances in multiple regions, you'll need to create a key pair in each region. For more information about regions, see Regions and Availability Zones in the Amazon EC2 User Guide for Linux Instances.

To create a key pair

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. From the navigation bar, select a Region for the key pair. You can select any Region that's available to you, regardless of your location. However, key pairs are specific to a Region. For example, if you plan to launch a container instance in the US East (Ohio) Region, you must create a key pair for the instance in the US East (Ohio) Region.

3. In the navigation pane, under NETWORK & SECURITY, choose Key Pairs.

Tip

The navigation pane is on the left side of the console. If you do not see the pane, it might be minimized; choose the arrow to expand the pane. You may have to scroll down to see the Key Pairs link.

4. Choose Create Key Pair.

5. Enter a name for the new key pair in the Key pair name field of the Create Key Pair dialog box, and then choose Create. Use a name that is easy for you to remember, such as your IAM user name, followed by -key-pair, plus the region name. For example, me-key-pair-useast2.

6. The private key file is automatically downloaded by your browser. The base file name is the name you specified as the name of your key pair, and the file name extension is .pem. Save the private key file in a safe place.

Important

This is the only chance for you to save the private key file. Provide the name of your key pair when you launch an instance and the corresponding private key each time you connect to the instance.

7. If you use an SSH client on a macOS or Linux computer to connect to your Linux instance, use the following command to set the permissions of your private key file so that only you can read it.

chmod 400 your_user_name-key-pair-region_name.pem

For more information, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.

To connect to your instance using your key pair

To connect to your Linux instance from a computer running macOS or Linux, specify the .pem file to your SSH client with the -i option and the path to your private key. To connect to your Linux instance from a computer running Windows, you can use either MindTerm or PuTTY. If you plan to use PuTTY, you need to install it and use the following procedure to convert the .pem file to a .ppk file.

To prepare to connect to a Linux instance from Windows using PuTTY

1. Download and install PuTTY from http://www.chiark.greenend.org.uk/~sgtatham/putty/. Be sure to install the entire suite.

2. Start PuTTYgen (for example, from the Start menu, choose All Programs > PuTTY > PuTTYgen).

3. Under Type of key to generate, choose RSA.

4. Choose Load. By default, PuTTYgen displays only files with the extension .ppk. To locate your .pem file, select the option to display files of all types.

5. Select the private key file that you created in the previous procedure and choose Open. Choose OK to dismiss the confirmation dialog box.

6. Choose Save private key. PuTTYgen displays a warning about saving the key without a passphrase.

Choose Yes.

7. Specify the same name for the key that you used for the key pair. PuTTY automatically adds the .ppk file extension.

Create a virtual private cloud

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. We strongly suggest that you launch your container instances in a VPC.

Note

The Amazon ECS console first-run experience creates a VPC for your cluster, so if you intend to use the Amazon ECS console, you can skip to the next section.

If you have a default VPC, you also can skip this section and move to the next task, Create a security group (p. 13). To determine whether you have a default VPC, see Supported Platforms in the Amazon EC2 Console in the Amazon EC2 User Guide for Linux Instances. Otherwise, you can create a nondefault VPC in your account using the steps below.

Important

If your account supports Amazon EC2 Classic in a region, then you do not have a default VPC in that region.

To create a nondefault VPC

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. From the navigation bar, select a region for the VPC. VPCs are specific to a region, so you should select the same region in which you created your key pair.

3. On the VPC dashboard, choose Launch VPC Wizard.

4. On the Step 1: Select a VPC Configuration page, ensure that VPC with a Single Public Subnet is selected, and choose Select.

5. On the Step 2: VPC with a Single Public Subnet page, enter a friendly name for your VPC in the VPC name field. Leave the other default configuration settings, and choose Create VPC. On the confirmation page, choose OK.

For more information about Amazon VPC, see What is Amazon VPC? in the Amazon VPC User Guide.

Create a security group

Security groups act as a firewall for associated container instances, controlling both inbound and outbound traffic at the container instance level. You can add rules to a security group that enable you to connect to your container instance from your IP address using SSH. You can also add rules that allow inbound and outbound HTTP and HTTPS access from anywhere. Add any rules to open ports that are required by your tasks. Container instances require external network access to communicate with the Amazon ECS service endpoint.

Note

The Amazon ECS console first-run experience creates a security group for your instances and load balancer based on the task definition you use, so if you intend to use the Amazon ECS console, you can move ahead to the next section.

If you plan to launch container instances in multiple Regions, you need to create a security group in each Region. For more information, see Regions and Availability Zones in the Amazon EC2 User Guide for Linux Instances.

Tip

You need the public IP address of your local computer, which you can get using a service. For example, we provide the following service: http://checkip.amazonaws.com/ or https://checkip.amazonaws.com/. To locate another service that provides your IP address, use the search phrase "what is my IP address." If you are connecting through an internet service provider (ISP) or from behind a firewall without a static IP address, you must find out the range of IP addresses used by client computers.

To create a security group with least privilege

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. From the navigation bar, select a Region for the security group. Security groups are specific to a Region, so you should select the same Region in which you created your key pair.

3. In the navigation pane, choose Security Groups, Create Security Group.

4. Enter a name for the new security group and a description. Choose a name that is easy for you to remember, such as ecs-instances-default-cluster.

5. In the VPC list, ensure that your default VPC is selected. It's marked with an asterisk (*).

Note

If your account supports Amazon EC2 Classic, select the VPC that you created in the previous task.

6. Amazon ECS container instances do not require any inbound ports to be open. However, you might want to add an SSH rule so you can log into the container instance and examine the tasks with Docker commands. You can also add rules for HTTP and HTTPS if you want your container instance to host a task that runs a web server. Container instances do require external network access to communicate with the Amazon ECS service endpoint. Complete the following steps to add these optional security group rules.

On the Inbound tab, create the following rules (choose Add Rule for each new rule), and then choose Create:

• Choose HTTP from the Type list, and make sure that Source is set to Anywhere (0.0.0.0/0).

This option automatically adds the 0.0.0.0/0 IPv4 CIDR block as the source. This is acceptable for a short time in a test environment, but it's unsafe in production environments. In production, authorize only a specific IP address or range of addresses to access your instance.

• Choose HTTPS from the Type list, and make sure that Source is set to Anywhere (0.0.0.0/0).

This is acceptable for a short time in a test environment, but it's unsafe in production environments. In production, authorize only a specific IP address or range of addresses to access your instance.

• Choose SSH from the Type list. In the Source field, ensure that Custom IP is selected, and specify the public IP address of your computer or network in CIDR notation. To specify an individual IP address in CIDR notation, add the routing prefix /32. For example, if your IP address is 203.0.113.25, specify 203.0.113.25/32. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.

Important

For security reasons, we don't recommend that you allow SSH access from all IP addresses (0.0.0.0/0) to your instance, except for testing purposes and only for a short time.
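The rules in the procedure above are the usual place where a test-environment setting survives into production. The following is an added example, not part of the ECS guide. It builds the three ingress rules as the IpPermissions structure that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts, normalizes a bare address such as 203.0.113.25 to a /32 the way step 6 describes, and then reviews a rule set for SSH or RDP reachable from a wide source range. The /24 threshold for "too wide" and the sample rule sets are this example's assumptions.

```python
import ipaddress


def to_cidr(address):
    """Normalize an IPv4 address or range to CIDR notation: a bare address becomes a /32,
    and a range with host bits set (203.0.113.25/24) is reduced to its network (203.0.113.0/24).
    Raises ValueError for anything that is not valid IPv4."""
    net = ipaddress.ip_network(address, strict=False)
    if net.version != 4:
        raise ValueError(f"{address}: only IPv4 is handled in this example")
    return str(net)


def tcp_rule(port, sources, description):
    """One IpPermission entry for a single TCP port from one or more source ranges."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": to_cidr(s), "Description": description} for s in sources],
    }


def build_ingress_rules(admin_source, web_sources=("0.0.0.0/0",)):
    """Ingress rules for a container instance that hosts a web server: HTTP and HTTPS from
    web_sources (anywhere by default, which the guide accepts only for a short test), and SSH
    only from the administrator's address or range."""
    return [
        tcp_rule(80, web_sources, "HTTP"),
        tcp_rule(443, web_sources, "HTTPS"),
        tcp_rule(22, [admin_source], "SSH from admin network"),
    ]


def find_wide_open_admin_ports(ip_permissions, admin_ports=(22, 3389), widest_prefix=24):
    """Return (cidr, ports) pairs for rules that expose SSH or RDP to a source wider than
    /widest_prefix. The /24 default is this example's threshold, not an AWS rule.
    IpProtocol '-1' (all traffic) covers every port."""
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":
            low, high = 0, 65535
        elif proto == "tcp":
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        else:
            continue
        exposed = [p for p in admin_ports if low <= p <= high]
        if not exposed:
            continue
        for entry in perm.get("IpRanges", []):
            if ipaddress.ip_network(entry["CidrIp"]).prefixlen < widest_prefix:
                findings.append((entry["CidrIp"], exposed))
    return findings


# Constructed rule set that mirrors the guide's "unsafe in production" warning:
# SSH open to the world, plus an all-traffic rule from a corporate-sized /8.
SLOPPY_RULES = [
    tcp_rule(22, ["0.0.0.0/0"], "SSH from anywhere"),
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "everything"}]},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_ingress_rules("203.0.113.25"), indent=2))
    print(find_wide_open_admin_ports(SLOPPY_RULES))
```

The review function is worth running against the output of `aws ec2 describe-security-groups` as well: the IpPermissions it returns have the same shape, so the same check covers groups that already exist.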

Install the AWS CLI

The AWS Management Console can be used to manage all operations manually with Amazon ECS.

However, installing the AWS CLI on your local desktop or a developer box enables you to build scripts that can automate common management tasks in Amazon ECS.

To use the AWS CLI with Amazon ECS, install the latest version of the AWS CLI. For information about installing the AWS CLI or upgrading it to the latest version, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.

Docker basics for Amazon ECS

Docker is a technology that provides the tools for you to build, run, test, and deploy distributed applications that are based on Linux containers. Amazon ECS uses Docker images in task definitions to launch containers as part of tasks in your clusters.

AWS and Docker have collaborated to make a simplified developer experience that enables you to deploy and manage containers on Amazon ECS directly using Docker tools. You can now build and test your containers locally using Docker Desktop and Docker Compose, and then deploy them to Amazon ECS on Fargate. To get started with the Amazon ECS and Docker integration, download Docker Desktop and optionally sign up for a Docker ID. For more information, see Docker Desktop and Docker ID signup.

Docker provides a walkthrough on deploying containers on Amazon ECS. For more information, see Deploying Docker containers on Amazon ECS.

The documentation in this guide assumes that readers possess a basic understanding of what Docker is and how it works. For more information about Docker, see What is Docker? and the Docker overview.

Install Docker

Important

If you already have Docker installed, skip to Create a Docker image (p. 16).

Docker Desktop is an easy-to-install application for your Mac or Windows environment that enables you to build and share containerized applications and microservices. Docker Desktop includes Docker Engine, the Docker CLI client, Docker Compose, and other tools that are helpful when using Docker with Amazon ECS. For more information about how to install Docker Desktop on your preferred operating system, see Docker Desktop overview.

If you don't need a local development environment and you prefer to use an Amazon EC2 instance to use Docker, we provide the following steps to launch an Amazon EC2 instance and install Docker Engine and the Docker CLI.

To install Docker on an Amazon EC2 instance

1. Launch an instance with the Amazon Linux 2 or Amazon Linux AMI. For more information, see Launching an instance in the Amazon EC2 User Guide for Linux Instances.

2. Connect to your instance. For more information, see Connect to your Linux instance in the Amazon EC2 User Guide for Linux Instances.

3. Update the installed packages and package cache on your instance.

sudo yum update -y

4. Install the most recent Docker Engine package.

Amazon Linux 2

sudo amazon-linux-extras install docker

Amazon Linux.

sudo yum install docker

5. Start the Docker service.

sudo service docker start

(Optional) On Amazon Linux 2, to ensure that the Docker daemon starts after each system reboot, run the following command:

sudo systemctl enable docker

6. Add the ec2-user to the docker group so you can execute Docker commands without using sudo.

sudo usermod -a -G docker ec2-user

7. Log out and log back in again to pick up the new docker group permissions. You can accomplish this by closing your current SSH terminal window and reconnecting to your instance in a new one.

Your new SSH session will have the appropriate docker group permissions.

8. Verify that the ec2-user can run Docker commands without sudo.

docker info

Note

In some cases, you may need to reboot your instance to provide permissions for the ec2-user to access the Docker daemon. Try rebooting your instance if you see the following error:

Cannot connect to the Docker daemon. Is the docker daemon running on this host?

Create a Docker image

Amazon ECS task definitions use Docker images to launch containers on the container instances in your clusters. In this section, you create a Docker image of a simple web application, and test it on your local system or Amazon EC2 instance, and then push the image to a container registry (such as Amazon ECR or Docker Hub) so you can use it in an Amazon ECS task definition.

To create a Docker image of a simple web application

1. Create a file called Dockerfile. A Dockerfile is a manifest that describes the base image to use for your Docker image and what you want installed and running on it. For more information about Dockerfiles, go to the Dockerfile Reference.

touch Dockerfile

2. Edit the Dockerfile you just created and add the following content.

FROM ubuntu:18.04

# Install dependencies
RUN apt-get update && \
 apt-get -y install apache2

# Install apache and write hello world message
RUN echo 'Hello World!' > /var/www/html/index.html

# Configure apache
RUN echo '. /etc/apache2/envvars' > /root/run_apache.sh && \
 echo 'mkdir -p /var/run/apache2' >> /root/run_apache.sh && \
 echo 'mkdir -p /var/lock/apache2' >> /root/run_apache.sh && \
 echo '/usr/sbin/apache2 -D FOREGROUND' >> /root/run_apache.sh && \
 chmod 755 /root/run_apache.sh

EXPOSE 80

CMD /root/run_apache.sh

This Dockerfile uses the Ubuntu 18.04 image. The RUN instructions update the package caches, install some software packages for the web server, and then write the "Hello World!" content to the web server's document root. The EXPOSE instruction exposes port 80 on the container, and the CMD instruction starts the web server.

3. Build the Docker image from your Dockerfile.

Note

Some versions of Docker may require the full path to your Dockerfile in the following command, instead of the relative path shown below.

docker build -t hello-world .

4. Run docker images to verify that the image was created correctly.

docker images --filter reference=hello-world

Output:

REPOSITORY    TAG       IMAGE ID       CREATED         SIZE
hello-world   latest    e9ffedc8c286   4 minutes ago   241MB

5. Run the newly built image. The -p 80:80 option maps the exposed port 80 on the container to port 80 on the host system. For more information about docker run, go to the Docker run reference.

docker run -t -i -p 80:80 hello-world

Note

Output from the Apache web server is displayed in the terminal window. You can ignore the "Could not reliably determine the server's fully qualified domain name" message.

6. Open a browser and point to the server that is running Docker and hosting your container.

• If you are using an EC2 instance, this is the Public DNS value for the server, which is the same address you use to connect to the instance with SSH. Make sure that the security group for your instance allows inbound traffic on port 80.

• If you are running Docker locally, point your browser to http://localhost/.

• If you are using docker-machine on a Windows or Mac computer, find the IP address of the VirtualBox VM that is hosting Docker with the docker-machine ip command, substituting machine-name with the name of the docker machine you are using.

docker-machine ip machine-name

You should see a web page with your "Hello World!" statement.

7. Stop the Docker container by typing Ctrl + c.
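The Dockerfile in this procedure is the standard getting-started image, and it runs Apache as root inside the container with a base image selected by tag only. The following is an added example and not part of the ECS guide. It parses a Dockerfile (joining backslash continuations and dropping comments, which is exactly the structure of the RUN instructions above) and reports what a reviewer would ask about before the image is pushed: a base image that is not pinned by digest, no non-root USER, and a USER that cannot bind an EXPOSEd port below 1024 without extra capabilities. The guide's own Dockerfile is embedded as sample input; the hardened variant and its digest are constructed for illustration and have not been built as part of the guide.

```python
# The guide's own Dockerfile, embedded here as sample input.
PAGE_DOCKERFILE = """\
FROM ubuntu:18.04

# Install dependencies
RUN apt-get update && \\
 apt-get -y install apache2

# Install apache and write hello world message
RUN echo 'Hello World!' > /var/www/html/index.html

# Configure apache
RUN echo '. /etc/apache2/envvars' > /root/run_apache.sh && \\
 echo 'mkdir -p /var/run/apache2' >> /root/run_apache.sh && \\
 echo 'mkdir -p /var/lock/apache2' >> /root/run_apache.sh && \\
 echo '/usr/sbin/apache2 -D FOREGROUND' >> /root/run_apache.sh && \\
 chmod 755 /root/run_apache.sh

EXPOSE 80

CMD /root/run_apache.sh
"""

# Constructed hardened variant: pinned base image (the digest is a placeholder, not a real
# ubuntu digest), Apache moved to an unprivileged port, and a non-root USER.
PLACEHOLDER_DIGEST = "sha256:" + "b" * 64
HARDENED_DOCKERFILE = f"""\
FROM ubuntu:18.04@{PLACEHOLDER_DIGEST}
RUN apt-get update && apt-get -y install apache2 && \\
    sed -i 's/^Listen 80$/Listen 8080/' /etc/apache2/ports.conf && \\
    mkdir -p /var/run/apache2 /var/lock/apache2 && \\
    chown -R www-data:www-data /var/run/apache2 /var/lock/apache2 /var/log/apache2
USER www-data
EXPOSE 8080
CMD ["apache2ctl", "-D", "FOREGROUND"]
"""


def parse_dockerfile(text):
    """Return [(INSTRUCTION, argument), ...]. Comment and blank lines are dropped, and a line
    ending in a backslash is joined with the next one, as Docker's parser does."""
    instructions, pending = [], []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            pending.append(stripped[:-1].strip())
            continue
        pending.append(stripped)
        keyword, _, argument = " ".join(pending).partition(" ")
        instructions.append((keyword.upper(), argument.strip()))
        pending = []
    if pending:  # file ended inside a continuation; keep what was there
        keyword, _, argument = " ".join(pending).partition(" ")
        instructions.append((keyword.upper(), argument.strip()))
    return instructions


def review_dockerfile(text):
    """Return a list of findings. These checks are this example's own, not Docker's or ECS's."""
    instructions = parse_dockerfile(text)
    findings = []
    base = next((arg for kw, arg in instructions if kw == "FROM"), "")
    if "@sha256:" not in base:
        findings.append(f"base image {base!r} is not pinned by digest")
    users = [arg for kw, arg in instructions if kw == "USER"]
    runs_as_root = not users or users[-1].split(":")[0] in ("root", "0")
    if runs_as_root:
        findings.append("no non-root USER: the container's processes run as root")
    ports = []
    for kw, arg in instructions:
        if kw == "EXPOSE":
            ports += [int(p.split("/")[0]) for p in arg.split()]  # accepts "80" and "80/tcp"
        elif kw == "ADD":
            findings.append(f"ADD {arg!r}: prefer COPY unless remote fetch or auto-extraction is intended")
    privileged = [p for p in ports if p < 1024]
    if privileged and not runs_as_root:
        findings.append(f"USER {users[-1]} cannot bind port(s) {privileged} below 1024 "
                        "without CAP_NET_BIND_SERVICE")
    return findings


if __name__ == "__main__":
    for label, text in (("guide", PAGE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, review_dockerfile(text) or "no findings")
```

The last check matters when you move the guide's image to a non-root user without changing the port: Apache would start as www-data and fail to bind port 80, so either listen on a high port (as the hardened variant does) or grant CAP_NET_BIND_SERVICE explicitly.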

Push your image to Amazon Elastic Container Registry

Amazon ECR is a managed AWS Docker registry service. You can use the Docker CLI to push, pull, and manage images in your Amazon ECR repositories. For Amazon ECR product details, featured customer case studies, and FAQs, see the Amazon Elastic Container Registry product detail pages.

Before you begin, make sure that you meet the following prerequisites:

• You have the AWS CLI installed and configured. If you do not have the AWS CLI installed on your system, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.

• Your user has the required IAM permissions to access the Amazon ECR service. For more information, see Amazon ECR managed policies.

To tag your image and push it to Amazon ECR

1. Create an Amazon ECR repository to store your hello-world image. Note the repositoryUri in the output.

aws ecr create-repository --repository-name hello-repository --region region

Output:

{
    "repository": {
        "registryId": "aws_account_id",
        "repositoryName": "hello-repository",
        "repositoryArn": "arn:aws:ecr:region:aws_account_id:repository/hello-repository",
        "createdAt": 1505337806.0,
        "repositoryUri": "aws_account_id.dkr.ecr.region.amazonaws.com/hello-repository"
    }
}

2. Tag the hello-world image with the repositoryUri value from the previous step.

docker tag hello-world aws_account_id.dkr.ecr.region.amazonaws.com/hello-repository

3. Run the aws ecr get-login-password command. Specify the registry URI you want to authenticate to. For more information, see Registry Authentication in the Amazon Elastic Container Registry User Guide.

aws ecr get-login-password | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com

Output:

Login Succeeded

Important

If you receive an error, install or upgrade to the latest version of the AWS CLI. For more information, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.

4. Push the image to Amazon ECR with the repositoryUri value from the earlier step.

docker push aws_account_id.dkr.ecr.region.amazonaws.com/hello-repository
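The four steps above, combined into one script, as an added example that is not part of the Developer Guide. It goes beyond the walkthrough in two ways a practitioner would want: the repository is created with immutable tags and scan-on-push, and after the push the tag is resolved to its content digest so that task definitions can pin image@sha256:... rather than a tag that can be repointed later. The account id 123456789012, Region us-east-1, repository hello-repository and tag v1 are hypothetical defaults; commands that touch AWS or Docker are printed instead of executed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not from the Amazon ECS Developer Guide: create an ECR
# repository with immutable tags and scan-on-push, log in, tag and push the
# local hello-world image, then resolve the pushed tag to its content digest.
# Account id 123456789012, region us-east-1 and tag v1 are hypothetical defaults.
set -eu

# With DRY_RUN=1 (the default) commands that touch AWS or Docker are printed
# instead of executed, so the script can be read and exercised offline.
DRY_RUN="${DRY_RUN:-1}"
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then printf 'DRY RUN: %s\n' "$*"; else "$@"; fi
}

# Pure string helpers: the registry host and the full image reference.
registry_host() { # $1=account_id $2=region
    printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}
image_ref() { # $1=account_id $2=region $3=repository $4=tag
    printf '%s/%s:%s\n' "$(registry_host "$1" "$2")" "$3" "$4"
}

# A digest from ECR is "sha256:" followed by exactly 64 lowercase hex digits;
# reject anything else before it is written into a task definition.
is_sha256_digest() {
    expr "x$1" : 'xsha256:[0-9a-f]\{64\}$' >/dev/null
}

# Log in with the short-lived ECR token (valid 12 hours) passed on stdin, so
# it never appears in the process list or the shell history.
ecr_login() { # $1=region $2=registry_host
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY RUN: aws ecr get-login-password --region %s | docker login --username AWS --password-stdin %s\n' "$1" "$2"
        return 0
    fi
    aws ecr get-login-password --region "$1" | docker login --username AWS --password-stdin "$2"
}

push_image() { # $1=account_id $2=region $3=repository $4=local_image $5=tag
    host=$(registry_host "$1" "$2")
    ref=$(image_ref "$1" "$2" "$3" "$5")

    # Create the repository only if it does not exist yet. IMMUTABLE stops a
    # later push from silently replacing v1; scanOnPush scans every pushed image.
    if [ "$DRY_RUN" = "1" ] || ! aws ecr describe-repositories --region "$2" \
            --repository-names "$3" >/dev/null 2>&1; then
        run_cmd aws ecr create-repository --region "$2" --repository-name "$3" \
            --image-tag-mutability IMMUTABLE \
            --image-scanning-configuration scanOnPush=true
    fi

    ecr_login "$2" "$host"
    run_cmd docker tag "$4" "$ref"
    run_cmd docker push "$ref"

    # Resolve the tag to its digest so deployments can pin image@sha256:...
    # instead of trusting a tag that could point at different content later.
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY RUN: would resolve %s to %s/%s@sha256:<digest>\n' "$ref" "$host" "$3"
        return 0
    fi
    digest=$(aws ecr describe-images --region "$2" --repository-name "$3" \
        --image-ids imageTag="$5" --query 'imageDetails[0].imageDigest' --output text)
    is_sha256_digest "$digest" || { echo "unexpected digest from ECR: $digest" >&2; return 1; }
    printf '%s/%s@%s\n' "$host" "$3" "$digest"
}

# Stand-alone run with the hypothetical defaults; override them through the
# environment and set DRY_RUN=0 to execute against a real account.
push_image "${ACCOUNT_ID:-123456789012}" "${AWS_REGION:-us-east-1}" \
    "${REPO:-hello-repository}" "${LOCAL_IMAGE:-hello-world}" "${TAG:-v1}"
```

Run it as `DRY_RUN=0 ACCOUNT_ID=... AWS_REGION=... sh push.sh`; the last line printed is the digest-pinned reference to use in the task definition's image field. The digest check matters because `--output text` prints the literal string None when the tag is not found, which would otherwise be pasted into a task definition unnoticed.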

Clean up

When you are done experimenting with your Amazon ECR image, you can delete the repository so you are not charged for image storage. The --force option deletes the repository even if it still contains images.


aws ecr delete-repository --repository-name hello-repository --region region --force

Getting started with Amazon ECS using AWS Copilot

Get started with Amazon ECS using AWS Copilot by deploying an Amazon ECS application.

Prerequisites

Before you begin, make sure that you meet the following prerequisites:

• Set up an AWS account. For more information see Setting up with Amazon ECS (p. 8).

• Install the AWS Copilot CLI. Releases currently support Linux and macOS systems. For more information, see Installing the AWS Copilot CLI (p. 50).

• Install and configure the AWS CLI. For more information, see AWS Command Line Interface.

• Run aws configure to set up a default profile that the AWS Copilot CLI will use to manage your application and services.

• Install and run Docker. For more information, see Get started with Docker.

Deploy your application using one command

Make sure that you have the AWS command line tool installed and have already run aws configure before you start.

Deploy the application using the following command.

git clone https://github.com/aws-samples/amazon-ecs-cli-sample-app.git demo-app && \
cd demo-app && \
copilot init --app demo \
  --name api \
  --type 'Load Balanced Web Service' \
  --dockerfile './Dockerfile' \
  --port 80 \
  --deploy

Deploy your application step by step

Step 1: Configure your credentials

Run aws configure to set up a default profile that the AWS Copilot CLI uses to manage your application and services.

aws configure

Step 2: Clone the demo app

Clone a simple Flask application and Dockerfile.


git clone https://github.com/aws-samples/amazon-ecs-cli-sample-app.git demo-app

Step 3: Set up your application

1. From within the demo-app directory, run the init command.

copilot init

AWS Copilot walks you through the setup of your first application and service with a series of terminal prompts, starting with the next step. If you have already used AWS Copilot to deploy applications, you're prompted to choose one from a list of application names.

2. Name your application.

What would you like to name your application? [? for help]

Enter demo.

Step 4: Set up an ECS Service in your "demo" Application

1. You're prompted to choose a service type. You're building a simple Flask application that serves a small API.

Which service type best represents your service's architecture? [Use arrows to move, type to filter, ? for more help]

> Load Balanced Web Service
  Backend Service
  Scheduled Job

Choose Load Balanced Web Service.

2. Provide a name for your service.

What do you want to name this Load Balanced Web Service? [? for help]

Enter api for your service name.

3. Select a Dockerfile.

Which Dockerfile would you like to use for api? [Use arrows to move, type to filter, ? for more help]

> ./Dockerfile
  Use an existing image instead

Choose ./Dockerfile.

4. Define port.

Which port do you want customer traffic sent to? [? for help] (80)

Enter 80 or accept the default.

5. You will see a log showing the application resources being created.

Creating the infrastructure to manage services under application demo.
