Getting Started with Amazon ECS
Table of contents
- Lab Tasks
- Create a Repository
- Launch an EC2 Instance
- Push Docker Image
- Create an ECS Cluster
- Create a cluster
- Creating an IAM Role for ECS Task Execution
- What's Next
- Configure a Task Definition
- Create a task definition
- Deploy task definition
- Observe your application
- Create Security Groups
- Security group for the application load balancer
- Security group for the ECS service
- Create a Service with Load Balancer
- Create a service
- Change the load balancer security group
- Explore your application
- Clean Up
- Delete the ECS service
- Deregister the ECS task definition
- Delete the ECS cluster
- Delete the IAM role
- Terminate the EC2 instance, Security Groups, and LoadBalancer
- Delete the ECR repository
- Wrap Up!
Amazon Elastic Container Service (ECS) is a highly scalable, fully-managed container orchestration service that helps run Docker containers on AWS. ECS allows us to quickly deploy and manage containerized applications with features like auto-scaling, load balancing, and container health checks. It integrates well with other AWS services, such as AWS Fargate, AWS CloudFormation, and AWS Identity and Access Management (IAM). It can be used for many use cases, from small projects to large-scale applications.
Create a Repository
Amazon Elastic Container Registry (ECR) is a fully managed Docker container registry service from AWS. ECR lets us store, manage, and deploy Docker container images securely and at scale. With ECR, we can easily connect our container deployment pipeline with other AWS services like Amazon ECS, AWS Fargate, and AWS CodePipeline.
In this task, we will create a private repository in Amazon ECR. After completing this task, the provisioned infrastructure should look like the one shown in the figure below:
Architecture diagram
To create a private repository, follow these steps:
Search for “ECR” in the search bar and select “Elastic Container Registry” from the results.
Click on “Repositories” in the left sidebar.
Click the “Create repository” button.
In the “Visibility settings” section, select “Private.”
Name the repository ecs-container-repo.
Keep all other settings as they are, and click the “Create repository” button at the bottom.
In the next task, we will set up an EC2 instance to build our Docker image.
Launch an EC2 Instance
Amazon Elastic Compute Cloud (EC2) provides on-demand, scalable computing capacity in the AWS cloud. EC2 instances are highly scalable and customizable, offering a wide range of computing resources to meet the needs of various applications.
In this task, we will create an EC2 instance, which will be used to build our Docker image. Once the Docker image is built, it can be easily pushed to the Amazon Elastic Container Registry (ECR) for deployment and distribution. After completing this task, the provisioned infrastructure should look like the one shown in the figure below:
Architecture diagram
To launch an instance, follow the steps mentioned below:
Go to the AWS Console and search for the “EC2” option. Click the EC2 service from the search results to access the EC2 Dashboard.
Click the “Instances” option on the left sidebar under the “Instances” section. Then, click the “Launch instances” button.
Note: Ensure that the us-east-1 US East (N. Virginia) region is set as the default region in the AWS Cloud console.
Follow the steps below to configure and create the instance:
In the “Name and tags” section, add the instance name as ecs-instance.
In the “Application and OS Images (Amazon Machine Image)” section, select “Amazon Linux.” Then, select “Amazon Linux 2023” as the “Amazon Machine Image (AMI)” from the drop-down menu below.
In the “Instance type” section, select the t2.micro instance type.
In the “Key pair (login)” dialog box, select the “Proceed without a key pair (Not recommended)” option.
Keep the default settings in the “Network settings” section.
In the “Configure storage” section, type “8 GiB” and select “gp2” from the drop-down menu.
Review the settings for the new instance before clicking the “Launch instance” button. Once clicked, it will launch the instance.
Click “Instances” in the sidebar on the left. Select the instance that you created and click the “Connect” button.
In the “Connect to instance” section, click the “Connect” button. This will open a new tab, and you’ll be able to see an Amazon Linux terminal.
In the next task, we will build our Docker image and push it to the Amazon ECR repository using this EC2 instance.
Push Docker Image
In this task, we'll use the EC2 instance we created earlier to build a Docker image and push it to our private repository. Once we complete this task, the infrastructure we've set up should look like the illustration in the figure below:
Architecture diagram
Follow the steps below to push the Docker image to ecs-container-repo:
- In the EC2 instance terminal, run the following commands one by one to install Docker:
sudo yum update -y
sudo yum install docker -y
sudo systemctl start docker && sudo systemctl enable docker
Next, configure the AWS CLI on the EC2 instance to enable you to push your image to the ECR private repository. For this step, you need to create an IAM user and assign the necessary permissions to that user.
Attach the following AWS-managed policies to that user:
AmazonEC2ContainerRegistryReadOnly: For read-only access (pull images only).
AmazonEC2ContainerRegistryFullAccess: If you need to push and delete images as well.
In this lab, I created an IAM user named "ecr-access-user01" and assigned the permission "AmazonEC2ContainerRegistryFullAccess".
Run the command given below and provide the required credentials.
aws configure
- Now, run the command given below to fetch the files required to build the Docker image:
wget https://github.com/Educative-Content/my-ecs-demo-app/zipball/master/main.zip &&\
unzip main.zip &&\
cd Educative-Content-my-ecs-demo-app-babd8b4
- Execute the command below to authenticate the Docker client to your ECR registry, and make sure to replace <ACCOUNT ID> with the actual account ID, which can be found under account information located at the top-right corner:
Note: Please replace <ACCOUNT ID> with your account ID in the commands below. Click the top-right corner in the AWS Management Console and copy the account ID from the drop-down menu.
aws ecr get-login-password --region us-east-1 | sudo docker login --username AWS --password-stdin <ACCOUNT ID>.dkr.ecr.us-east-1.amazonaws.com
- Next, run the command given below to build a Docker image:
Note: This step takes 4–5 minutes to complete.
sudo docker build -t ecs-container-repo .
- After the build is completed, tag the image to push it to the repository:
Note: Please replace <ACCOUNT ID> with your account ID in both the commands below.
sudo docker tag ecs-container-repo:latest <ACCOUNT ID>.dkr.ecr.us-east-1.amazonaws.com/ecs-container-repo:latest
- Lastly, run the following command to push this image to the repository:
sudo docker push <ACCOUNT ID>.dkr.ecr.us-east-1.amazonaws.com/ecs-container-repo:latest
Navigate to the “Elastic Container Service” console on AWS and click the “Repositories” option in the left-hand navigation pane.
Look for ecs-container-repo and save the “Repository URI” for later. You will need it in the “Create a Task Definition” task.
We have successfully pushed the Docker image to the ECR private repository. We will now use this image to create a container in Amazon ECS and deploy our application.
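The lab grants the IAM user AmazonEC2ContainerRegistryFullAccess. As an added example (not part of the original lab), the script below builds an identity policy limited to logging in and pushing to ecs-container-repo, and flags statements that pair a wildcard action with all resources. The function names, the account ID 111122223333, and the sample broad statement are assumptions made for illustration.

```python
import json
import re

# Actions used by `docker push` against one private ECR repository.
PUSH_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]


def ecr_push_policy(account_id, region, repo):
    """Build an identity policy that can push to a single repository only."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    repo_arn = f"arn:aws:ecr:{region}:{account_id}:repository/{repo}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Needed by `aws ecr get-login-password`; cannot be scoped to a repository.
                "Sid": "RegistryLogin",
                "Effect": "Allow",
                "Action": "ecr:GetAuthorizationToken",
                "Resource": "*",
            },
            {
                "Sid": "PushToOneRepo",
                "Effect": "Allow",
                "Action": PUSH_ACTIONS,
                "Resource": repo_arn,
            },
        ],
    }


def broad_statements(policy):
    """Return the Sids of Allow statements with a wildcard action on Resource '*'."""
    found = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st["Effect"] == "Allow" and "*" in resources and any("*" in a for a in actions):
            found.append(st.get("Sid", "<no Sid>"))
    return found


# Constructed sample of an over-broad statement, for comparison only.
BROAD_SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllEcr", "Effect": "Allow", "Action": "ecr:*", "Resource": "*"}],
}

if __name__ == "__main__":
    scoped = ecr_push_policy("111122223333", "us-east-1", "ecs-container-repo")
    print(json.dumps(scoped, indent=2))           # paste into a customer-managed policy
    print("broad in scoped:", broad_statements(scoped))
    print("broad in sample:", broad_statements(BROAD_SAMPLE))
```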
Create an ECS Cluster
An ECS cluster is a logical grouping of container instances on which you can run Docker containers. ECS clusters enable us to manage multiple containers across multiple availability zones, scaling up or down to meet changing demand and distributing incoming traffic across multiple container instances for high availability.
In this task, we will create a cluster in Amazon ECS and a role in AWS IAM. After completing this task, the provisioned infrastructure should look like the one shown in the figure below:
Architecture Diagram
Create a cluster
Follow the steps below to create a cluster:
Search for “ECS” in the search bar and choose “Elastic Container Service” from the search results.
Click the “Clusters” option in the left-hand menu.
Click the “Create cluster” button on the top-right.
Enter ecs-demo-cluster in the “Cluster name” field.
Use “AWS Fargate (serverless)” for infrastructure. It is selected by default.
Note: AWS Fargate is a compute engine that lets you run containers without managing the underlying EC2 instances. It eliminates the need for infrastructure management and offers a serverless experience for running your containers.
- Review your settings and click the “Create” button.
It will take a few minutes to create your cluster. Once the process is complete, your cluster will appear in the "Clusters" section.
Creating an IAM Role for ECS Task Execution
AWS IAM is a web service provided by AWS that helps manage users, groups, and roles. An IAM role is a set of permissions determining what actions can be taken on AWS resources. It is a way to grant permissions to entities you trust without sharing access keys, usernames, or passwords.
Follow these detailed steps to create an IAM role for your ECS task:
Log in to the AWS Management Console:
- Navigate to the AWS IAM console.
Access the Roles Section:
- In the navigation pane on the left, under "Access management," click Roles.
Start the Role Creation Process:
- Click the Create role button at the top.
Select a Trusted Entity:
Under "Select trusted entity," choose AWS Service.
For the use case, select Elastic Container Service.
Next, choose the Elastic Container Service Task option, and click Next.
In the "Attach permissions policies" step:
Use the search bar to find and select the policy AmazonECSTaskExecutionRolePolicy.
Clear the filter and search again for CloudWatchLogsFullAccess. Select this policy as well.
Click Next.
Name and Review the Role:
For the role name, input ecs-task-role.
Review the selected permissions and ensure everything looks correct.
Create the Role:
- Click the Create role button to finalize and establish the role.
What's Next
With this role created, you’re ready to use it when defining a task in ECS. This role ensures that ECS tasks can:
Pull container images from Amazon ECR.
Write logs to Amazon CloudWatch Logs for better monitoring and debugging.
Configure a Task Definition
A task definition is a blueprint for a containerized application that specifies various parameters, including the Docker image to use, the amount of CPU and memory to allocate, network settings, and storage requirements. It can define one or more containers that work together to form a single application. Task definitions are used to run tasks or services on an ECS cluster.
In this task, we’ll create a definition that will enable us to run our container on the ECS cluster successfully. Once the task definition is created, we can run the container and observe our application running as intended. Once this task is finished, the provisioned infrastructure should appear similar to the illustration in the figure below:
Architecture diagram
Create a task definition
Follow the steps given below to create a task definition:
Navigate to the Amazon ECS console and choose “Task definitions” from the left-hand menu.
Press the “Create new task definition” button and choose the “Create new task definition” option.
Write ecs-demo-task-definition in the “Task definition family name” field.
In the “Infrastructure requirements” section, select “AWS Fargate” as the “Launch type” and Linux/X86_64 for the “Operating System/Architecture” option.
Click the drop-down menu under the “CPU” field, select .5 vCPU, and select “1 GB” for the “Memory” field.
Choose “None” for the “Task Role” field and select the ecs-task-role for the “Task execution role” option.
Enter ecs-demo-app in the “Name” field under the “Container - 1” section.
Paste the Image URI from the ECR repository you saved earlier in the “Image URI” field.
Set the “Container port” to 80 and keep the default settings for the other sections.
Click “Create” to save the definition.
Deploy task definition
Given below are the steps for deploying a task definition in Amazon ECS:
Click the “Clusters” field in the left-hand navigation pane and select the ecs-demo-cluster cluster.
Navigate to the “Tasks” section of the cluster and click the “Run new task” button.
Select “Launch Type” in the “Compute options” section. Keep “Launch type” as “FARGATE” and the “Platform version” as “LATEST.”
Click the drop-down menu under the “Family” field in the “Deployment configuration” section and select ecs-demo-task-definition.
Select us-east-1a as “Subnets” and click the “Create a new security group” radio button under the “Security group” field in the “Networking” section.
Enter ecs-demo-app-sg as “Security group name” and “Security group for ecs demo app” as “Security group description.”
Select “HTTP” from the drop-down menu under the “Type” field and set “Port range” to 80.
Choose “Anywhere” as “Source” from the drop-down menu.
Click the “Create” button to launch the task. The task may take a few minutes to begin running.
Observe your application
After the “Last status” of the task changes from “Provisioning” to “Running,” follow the steps below to see if your application is working correctly:
Navigate to ecs-demo-cluster, click the “Tasks” section in your cluster, and click the newly created task. This will take you to a new page.
Navigate to the “Network bindings” section under the “Container details for ecs-demo-app” heading.
Click the “open address” hyperlink (present next to “Public IP”) to open a new tab and view your application. If the image was built successfully, you can view your application.
Create Security Groups
Security groups function as a firewall that manages the traffic going to and from resources in our virtual private cloud (VPC). They serve as a virtual firewall that controls traffic based on the rules we set. Each security group can have multiple inbound and outbound rules, specifying the type of traffic, its source, and its destination.
In this task, we’ll create two security groups: one for the load balancer, accepting inbound traffic on port 80 from anywhere, and another for the containers, accepting inbound traffic from the load balancer.
Architecture diagram
Security group for the application load balancer
Follow the steps below:
Navigate to the EC2 dashboard.
Click on the “Security Groups” option under the “Network and Security” section in the left-hand menu.
Click the “Create security group” button.
Enter application-load-balancer-sg in the “Security group name” field, and “Inbound traffic Port 80 from anywhere” in the “Description” field.
Add an inbound rule where the type is HTTP and the source is Anywhere IPv4.
Review and confirm the security group settings.
Click the “Create security group” button to create the new security group.
Security group for the ECS service
We will repeat the same steps as above to create a new security group. A few changes are given below:
The “Security group name” is traffic-from-alb-sg.
The “Description” is “Inbound traffic from application-load-balancer-sg.”
For the inbound rule, the type is All TCP and the source is Custom. Select application-load-balancer-sg from the search list on its right.
Click the “Create security group” button to create the new security group.
In the next task, we’ll create a service in Amazon ECS that will run two new tasks and use a load balancer to distribute the incoming traffic.
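To check that the rules really form the intended path (internet to load balancer on port 80, load balancer to containers), the added example below audits security groups in the shape returned by `aws ec2 describe-security-groups`. It is not part of the original lab; the function name and the group IDs are made up, and the sample data is constructed from the three groups this lab creates, including ecs-demo-app-sg from the earlier standalone task.

```python
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# using the lab's group names; the group IDs are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b", "GroupName": "application-load-balancer-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0c2d", "GroupName": "traffic-from-alb-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b"}]}]},
    {"GroupId": "sg-0e3f", "GroupName": "ecs-demo-app-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]


def audit_groups(groups, alb_name, service_name, container_port=80):
    """Return (group, issue) pairs where rules deviate from internet -> ALB:80 -> service."""
    by_name = {g["GroupName"]: g for g in groups}
    alb_id = by_name[alb_name]["GroupId"]
    findings = []
    for g in groups:
        name = g["GroupName"]
        for perm in g.get("IpPermissions", []):
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            # FromPort/ToPort are absent (None here) when IpProtocol is "-1".
            ports = (perm.get("FromPort"), perm.get("ToPort"))
            if name == alb_name:
                if cidrs & WORLD and ports != (80, 80):
                    findings.append((name, "open to the internet beyond port 80"))
                continue
            if cidrs & WORLD:
                findings.append((name, "reachable from the internet without the load balancer"))
            if name == service_name:
                sources = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
                if sources - {alb_id}:
                    findings.append((name, "accepts traffic from groups other than the ALB"))
                if ports != (container_port, container_port):
                    findings.append(
                        (name, f"port range {ports} is wider than container port {container_port}"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_groups(
            SAMPLE_GROUPS, "application-load-balancer-sg", "traffic-from-alb-sg"):
        print(f"{name}: {issue}")
```

On the sample data the audit reports the All TCP range on traffic-from-alb-sg and the directly exposed ecs-demo-app-sg, which the clean-up steps should also remove.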
Create a Service with Load Balancer
An ECS service defines how tasks should be run and maintained. It specifies the number of tasks that should be running at any given time, the task definition to use, and the load balancer configuration. The service manages and replaces the tasks if they fail or become unhealthy. It also automatically load balances traffic to the tasks using an Application Load Balancer.
An Application Load Balancer (ALB) is a powerful tool for managing incoming network traffic to multiple servers, allowing for efficient distribution and scaling of application workloads.
In this task, we will create an ECS service with Application Load Balancer. After completing this task, the provisioned infrastructure should look like the one shown in the figure below:
Architecture Diagram
Create a service
Go to the ECS Dashboard, navigate to “Clusters” in the left-hand menu, and select the “ecs-demo-cluster” cluster.
In the “Services” section, click the “Create” button.
Select “Service” as “Application Type” and select ecs-demo-task-definition as “Family.”
Write ecs-app-with-alb-service in the “Service name” field and specify 2 as the “Desired tasks.”
In the “Networking” section, select the default VPC and choose us-east-1a and us-east-1b as “Subnets.”
For “Security group,” select “Use an existing security group” and choose traffic-from-alb-sg from the drop-down menu under the “Security group name” heading. Remove the default security group if it is preselected.
In the “Load balancing” section, choose “Application Load Balancer” as the “Load balancer type.”
Choose “Create a new load balancer” and enter load-balancer-for-ecs-app in the “Load balancer name” field.
Write ecs-app-target-group in the “Target group name” field, select HTTP for “Protocol” and enter 15 seconds for “Health check grace period.”
Click the “Create” button to create the service.
It will take a few minutes for the service to start running. In the meantime, we will update the security group for the load balancer.
Change the load balancer security group
Navigate to the EC2 console and select “Load Balancers” in the “Load Balancing” section from the left navigation pane.
Search for the load-balancer-for-ecs-app load balancer we created and select it.
In the “Security” section, click the “Edit” button.
Remove the traffic-from-alb-sg security group and select application-load-balancer-sg. Remove the default security group if it is preselected.
Click the “Save changes” button.
Explore your application
Navigate back to the ECS console and select the cluster ecs-demo-cluster.
Select the ecs-app-with-alb-service in the “Service” section of the cluster. This will open a new page.
After deployment is finished, go to the Configuration and networking section of the service and click the “open address” hyperlink under the “DNS names” field to view your application.
This will take you to the application's URL served by the load balancer. Since the load balancer is connected to two tasks, it ensures high availability and evenly distributes incoming traffic between them. Enjoy exploring your React app!
Clean Up
The final task we must perform is to remove all the resources that we created. Follow the steps given under each task to delete the resources:
Stop ECS cluster task
Search “ECS” in the search bar and click the “Elastic Container Service” option.
Click the “Clusters” option in the left navigation pane.
Click the ecs-demo-cluster cluster and navigate to the “Tasks” section.
Select all tasks, click the “Stop” button, and press the “Stop selected” button.
Delete the ECS service
Go to the “Service” section of the cluster.
Select the ecs-app-with-alb-service and click the “Delete service” button.
Tick the “Force delete” option, enter “delete” in the field, and confirm deletion.
Deregister the ECS task definition
Click “Task definitions” from the sidebar.
Select the task definition ecs-demo-task-definition.
Select ecs-demo-task-definition:1 and click the “Deregister” button from the “Actions” drop-down menu.
Delete the ECS cluster
Click “Clusters” from the left-navigation pane.
Select the cluster ecs-demo-cluster and click the “Delete cluster” button.
Enter the phrase delete ecs-demo-cluster to confirm the deletion.
Delete the IAM role
Navigate to the IAM console and select “Roles” under the “Access management” section in the left navigation pane.
Search for ecs-task-role, select it, and click the “Delete” button.
Enter the full name of the role in the input field and click “Delete” to complete the process.
Terminate the EC2 instance, Security Groups, and LoadBalancer
Search for “EC2” in the search bar and open “EC2.”
Click “Instances” from the sidebar.
Select the instance named ecs-instance and click the “Instance state” button on the top-right corner.
From the drop-down menu, select the “Terminate instance” option.
Click the “Terminate” button in the prompt box.
Delete the ECR repository
Search for “ECR” in the search bar and open “Elastic Container Registry.”
Select “Repositories” from the sidebar.
Select the repository you created and click the “Delete” button.
Enter “delete” in the prompt and click the “Delete” button.
Wrap Up!
Let’s finish this lab by summarizing what we did.
First, we made a private repository on Amazon ECR. Then, we set up an EC2 instance. We used this instance to get our files, build a Docker image, and push it to the ECR repository.
Next, we set up an ECS cluster and an IAM role. We registered a task definition for our cluster and ran a task on it. We also created two security groups and an ECS service with a load balancer.
Finally, we deleted all the resources we created to avoid extra costs.