by: Rob Stewart, Cloud Architect, SMS
The Case for Amazon Elastic Container Service
According to Corey Quinn, there are at least 17 Ways to Run Containers on AWS. However, if you are familiar with all the hype concerning containers in general and Kubernetes in particular, then you might conclude that there is no reason to even consider any of the 16+ other options that Amazon provides for running containers in AWS. The experts have all weighed in and Amazon Elastic Kubernetes Service (EKS) is the only option worth considering. Even though EKS is a great option, I invite you to consider Amazon Elastic Container Service (ECS) as an alternative, depending on what type of containerized workload you need to deploy and support.
AWS describes ECS as “a fully managed container orchestration service that makes it easy for you to deploy, manage, and scale containerized applications.” ECS became Generally Available (GA) in April of 2015, a good 3 years prior to the GA of EKS in June 2018. Given this timing, it is not surprising that ECS has strong Docker vibes. It might even be fair to call ECS “AWS Managed Docker Container Service.” Given this heritage, you would expect that ECS would be a good citizen of AWS, and you would be correct. ECS is tightly integrated with many other AWS services. Therefore, if you already have experience with EC2, ELB, ALBs, and CloudWatch then the additional concepts you need to grasp to start using ECS are far more incremental in nature. ECS is one more piece to snap into the larger AWS puzzle.
In contrast, EKS represents Amazon’s effort to address the needs of customers who have already adopted Kubernetes and want to run it using a managed service on AWS. Kubernetes is a fantastic container orchestrator; however, it is not by any stretch a simple one; adding the inherent complexity of AWS Services including IAM, EC2, etc. on top of the complexity of Kubernetes takes it to another level. In some cases, it is not necessary to deploy a containerized workload on Kubernetes. In these scenarios, using ECS may be a better option as it will be easier to get the workload running to start with and easier to maintain it going forward. There is value in simplicity.
Amazon Elastic Container Service Overview
Before diving into a simple deployment on ECS, it is helpful to have some understanding of the different components of the architecture at a high level.
To deploy containers on ECS, you must create an ECS Cluster. The ECS documentation describes the ECS Cluster like this:
An Amazon ECS cluster is a logical grouping of tasks or services. You can use clusters to isolate your applications. This way, they don’t use the same underlying infrastructure.
ECS Task Definition
To tell AWS what you want to run on your ECS cluster you must create an ECS Task Definition. A Task Definition is a JSON formatted document that lists the containers that you would like to deploy and how those containers will interact with other AWS services like Elastic File Systems and CloudWatch. The containers you reference in the task definition can come from a public registry like Docker Hub or Amazon’s own Elastic Container Registry.
ECS Tasks are created when you ask ECS to run a Task Definition on an ECS Cluster. There are multiple ways to run ECS Tasks on ECS:
- EC2 instances running in your VPC can run tasks if the ECS Container Agent is installed on them. The agent enables ECS to manage the tasks running on that instance.
- When you don’t want to manage EC2 instances, you can use AWS Fargate. When you use Fargate, AWS will provision the compute required to run the tasks and place Elastic Network Interfaces in your VPC so that these tasks can interact with the network.
ECS supports running task definitions directly as ECS Tasks. However, containers are ephemeral in nature; they should be considered cattle, not pets. Therefore, you will usually create an ECS Service which is responsible for scheduling one or more tasks for you and launching new tasks automatically if one of the running tasks should fail. The following diagram shows the ECS Cluster and how tasks are deployed to the VPC on EC2 instances or as Fargate tasks:
Exhibit 1: AWS ECS Architecture Overview
Deploying Dokuwiki on ECS
Now that we have provided a high-level overview of ECS, we’ll move on to describe how to deploy the Bitnami Dokuwiki container on ECS via the AWS Console. For those who may not be familiar with it, Dokuwiki is an open source Wiki engine that runs on PHP; what it lacks in flare it makes up in simplicity. We’ll be using the Bitnami Dokuwiki container because it doesn’t require databases or other services to function.
Step 1: Create a New AWS Account or Login to an AWS Account
To follow the remaining steps described in this post you will need to either create a new AWS Account or login to an existing AWS Account using an account with IAM permissions to resources such as IAM, EC2, and ECS resources. Providing guidance on how to sign up for a new AWS account is outside the scope of this post; however, Amazon provides guidance on how to create an account here.
NOTE: If you follow along with the steps in this post, there is some chance you may incur minimal charges. However, if you create a new account you will be under the AWS Free Tier. That said, it is always prudent to remove any resources you create in AWS right after you finish using them so that you limit the risk of unexpected charges. Guidance on how to remove the resources in provided below.
Step 2: Navigate to the ECS Dashboard
After you login to AWS, enter ECS in the search box at the top of the page and then select Elastic Container Service to navigate to the ECS Dashboard.
Exhibit 2: Navigate to the ECS Dashboard
NOTE: The steps in this blog post describe how to navigate the current version of the AWS ECS UI in the AWS Console. However, AWS is preparing to release a new version of the ECS Experience in the near future. There is a toggle switch in the upper left-hand corner which enables you to switch between the current version of the ECS UI and the New ECS Experience. If you find that the descriptions below do not match with what you are seeing then the New ECS experience may already be enabled. If so, please use the toggle switch to turn off the New ECS Experience. We plan to update this post in the future after Amazon transitions all customers over to the new experience.
Step 3: Create a New ECS Task Definition
- Select the Task Definitions link on the left-hand navigation.
- Select the Create new Task Definition
- Select Fargate for the launch type compatibility in Step 1.
- Select the Next step button on the bottom right hand corner of the page.
- For the Task definition name, enter the following: dokuwiki-task
- You can skip down to Operating System family and select Linux from the drop down.
- Next, set the Task size by setting Task memory (GB) to .5GB and Task CPU (vCPU) to .25 vCPU using the drop downs.
- Next, select the Add container button to define container settings.
- On the “Add Container” panel, specify the following:
- Container name: dokuwiki
- Image: bitnami/dokuwiki
- You do not need to configure any other settings, so scroll to the bottom and select the Add button.
- If you added the container definition correctly then you should see the container in the list of container definitions.
Exhibit 3: Adding a Container definition
After you finish adding the Container definition, scroll all the way down to the bottom of the page and select the Create If everything went okay, you should see messages telling you that AWS completed the creation of the task definition. Go ahead and select the View task definition button in the lower right-hand corner of the screen.
Step 4: Create an ECS Cluster
Before you can run an ECS Task based on the task definition you just created, you need to create a new ECS Cluster.
- Select Clusters on the left navigation.
- Select the Create Cluster
- For the cluster template, Networking only should already be highlighted as it is the default selection. This is the option we want so go ahead and select the Next step button on the bottom right hand corner of the page.
- Enter Dokuwiki-cluster for the Cluster name.
- There is no need to change the options for Networking or CloudWatch Container Insights so scroll down to the bottom of the page and select the Create
NOTE: In some cases, you may encounter an error the first time you attempt to create a new ECS cluster telling you that AWS wasn’t able to create the cluster. If this happens, just repeat the cluster creation steps one more time. It should work just fine on the second attempt.
- After the cluster has been created successfully, select View Cluster. You should now see the new ECS cluster you just created.
Exhibit 4: The new ECS Cluster
Step 5: Launch a new ECS task
Now that you have created an ECS Task Definition and a new ECS Cluster, it is time to create a new ECS Task based on the Task Definition.
- From the same ECS Cluster overview page, select the Tasks tab near the bottom of the page and then select the Run new task
Exhibit 5: Run a new ECS Task
2. On the Run Task page, select the following options:
a. Launch type: FARGATE
b. Operating System Family: Linux
c. Task Definition Family: dokuwiki-task
d. Task Definition Revision: 1 (latest)
e. Platform version: Latest
f. Cluster: Dokuwiki-cluster
Note: You can just leave Task group blank.
g. Cluster VPC: Select the VPC ID for the default VPC in your account. It should have an ID and IP CIDR range that looks similar to this: vpc-0b57fca38d911cb56 (172.31.0.0/16) Your VPC ID will be different. However, the IP CIDR range of 172.31.0.0/16 should match.
h. Subnets: Select one subnet from the drop down. It does not matter which subnet you select.
i. Security groups: Select the Edit button to open the Configure Security Groups panel.
j. On the Configure Security Groups panel, do the following:
i. On Assigned security groups, Select the Create new security group radio button.
ii. Security group name: dokuwiki-sg.
iii. Description: Dokuwiki security group
iv. For the Inbound rules for security group, set Type to Custom TCP, Protocol should be TCP, Port range should be 8080 and Source should be anywhere.
v. After you finish configuring the security group, select the Save button in the lower right-hand corner to close the panel.
Exhibit 6: Configure security groups
k. Auto assign public IP: Enabled
l. You do not need to change any other options, select the Run Task button to run the ECS Task Definition.
m. If you did everything correctly, you will see a message at the top of the page indicating that the task was created successfully.
Exhibit 7: ECS task created successfully
Step 6: Access the Dokuwiki Application
Now that we have created the new ECS task, we can access it via the browser using the public IP address that AWS provisioned for it.
- Select the task in the list:
Exhibit 8: Select the newly created ECS Task
- Amazon has assigned a public IP to your container. Locate and the Public IP on the Network section of the page and copy the IP address.
Exhibit 9: The public IP Address of the ECS Task
- Open a new browser tab, type http:// in the address bar, paste the public IP you just copied, add :8080 to the end of the address, and then hit the Enter key to load the page. If you did this correctly, you should see the Dokuwiki application load in your browser.
Exhibit 10: The Dokuwiki application loads in the browser
- Feel free to play around with Dokuwiki. You can click the pencil icon on the right side of the page to create a page, enter some text, and then click the save button at the bottom of the page.
- When you’re finished playing with Dokuwiki, switch back to the AWS Console tab in your browser. You should still have the ECS Task open. Go ahead and kill the task by selecting the Stop button in the upper right-hand corner of the page. When you select the Stop button, you will be prompted to confirm that you want to delete the task; go ahead and select the red Stop button to confirm that you want the task to be removed.
Exhibit 11: Stop the Dokuwiki ECS Task
- After the ECS Task has stopped, you will find that if you switch back to the browser tab where you had Dokuwiki loaded and hit the Refresh button on the browser that Dokuwiki will no longer load. The public IP associated with the task was removed when you stopped the ECS task.
- As we are done working with the ECS Cluster, you can go ahead and delete it. Select the Delete Cluster button in the upper right-hand corner of the page. After you select the Delete Cluster button, you will be prompted to confirm that you want to delete it. Enter delete me in the input box and then select the Delete button to confirm that you want the cluster to be deleted.
- The only other resource we created was the EC2 Security Group. Feel free to switch to the EC2 Service and remove the Security Group if you like. However, Amazon does not charge for security groups.
In this post, we provided a quick overview of AWS Elastic Container Service and then shared step by step directions for how to create an ECS Cluster and run a Dokuwiki container as an ECS Task. While this was a great start, there are several deficiencies with this approach.
- We performed all these actions via the AWS Console. When you are first learning about new services in AWS, it is very helpful to explore the console to get a better grasp on how services work. However, clicking through the console is not repeatable. Once you understand how a given AWS service works, it is better to provision all AWS resources using Infrastructure as Code (IaC) tools like AWS CloudFormation or Hashicorp Terraform. When you express your infrastructure as code then you can create it and destroy it with a single command as many times as you like, and all the details of the deployment are automatically documented. You can also track the IaC in a source code repository which enables version tracking, collaboration, and reviews.
- The deployment of the ECS Task was not fault tolerant. As soon as the ECS Task was deleted, our application no longer loaded in the browser. For a real deployment, we would want to use an ECS Service to run multiple Tasks. The Service would take responsibility for making sure new tasks are started up when a task fails.
- Further, any content we saved in Dokuwiki was gone forever when the ECS Task was deleted. For a real deployment, we would want to store this data in a redundant fashion so that it would not be lost when an ECS Task failed. One way to introduce redundancy for storage is to create an AWS Elastic File System and mount it to the container in the ECS Task Definition.
- The deployment was not secure. When we accessed Dokuwiki in the browser, we had to tell the browser to use the HTTP protocol and specify port 8080. Therefore, any data we entered into Dokuwiki would not be encrypted in transit using Transport Layer Security (TLS). One way to address this deficiency is to use an AWS Elastic Load Balancer to handle the traffic. Elastic Load Balancers can be configured with TLS certificates so that data is encrypted in transit.
We plan to address these deficiencies in future posts in this series.
Lastly, while ECS may work great in some cases, EKS shines in cases where the application is more complex. One of the advantages of Kubernetes is that complex deployments can be expressed as Helm charts which can be deployed on Amazon EKS or on another cloud provider’s version of Kubernetes. If you need to deploy a container-based application on AWS from a vendor who provides a well-documented Helm chart then using EKS is likely your best path forward.