The following diagram shows the application lifecycle and how it works with the Amazon ECS components.

You must architect your applications so that they can run on containers. A container is a standardized unit of software that holds everything your application requires to run: the code, the runtime, system tools, and system libraries. Containers are created from a read-only template called an image. Images are typically built from a Dockerfile, a plaintext file that contains the instructions for building the image. After they're built, images are stored in a registry such as Amazon ECR, from which they can be pulled.
After you create and store your image, you create an Amazon ECS task definition. A task definition is the blueprint for your application. It is a JSON text file that describes one or more containers that form your application and the parameters they run with. For example, you use it to specify the image for each container, which ports to open, what data volumes to mount, how much CPU and memory to allocate, and the IAM roles that the task and the container agent assume. The specific parameters you need depend on your application.
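Because the task definition is the blueprint, it is also where most container-level security settings live. The following added example (not AWS code or part of the original page) lints a task definition for the settings a reviewer usually checks: the image pinned by digest rather than a mutable tag, `privileged` not set, a non-root `user`, `readonlyRootFilesystem`, secrets passed through the `secrets` block rather than plaintext `environment` variables, a `logConfiguration` so logs are shipped, and `awsvpc` network mode for Fargate-compatible task definitions. The two task definitions, the account ID, image names and parameter ARN are constructed for the example.

```python
"""Security lint for an Amazon ECS task definition (added example, not AWS code).

Both task definitions below are constructed for this example; the account ID,
image names and the SSM parameter ARN are placeholders.
"""
import re

SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)


def lint_task_definition(td: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    family = td.get("family", "<unnamed>")
    compat = set(td.get("requiresCompatibilities", []))
    mode = td.get("networkMode")

    # Fargate gives each task its own ENI and requires awsvpc networking.
    if "FARGATE" in compat and mode != "awsvpc":
        findings.append(f"{family}: FARGATE requires networkMode=awsvpc, got {mode!r}")
    # host mode shares the container instance's network namespace with the task.
    if mode == "host":
        findings.append(f"{family}: networkMode=host exposes the host network namespace")

    for c in td.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        # A tag (or no tag) can resolve to a different image on the next pull.
        if "@sha256:" not in image:
            findings.append(f"{name}: image {image!r} is not pinned by digest")
        if c.get("privileged"):
            findings.append(f"{name}: privileged=true grants host-level capabilities")
        user = str(c.get("user", "")).split(":")[0]
        if user in ("", "root", "0"):
            findings.append(f"{name}: runs as root (set a non-root 'user')")
        if not c.get("readonlyRootFilesystem"):
            findings.append(f"{name}: readonlyRootFilesystem is not true")
        # Plain environment values are visible to anyone who can describe the task definition.
        for env in c.get("environment", []):
            if SECRET_NAME.search(env.get("name", "")):
                findings.append(f"{name}: {env['name']} is a plaintext environment variable; use 'secrets'")
        if "logConfiguration" not in c:
            findings.append(f"{name}: no logConfiguration (container logs are not shipped)")
    return findings


# Constructed: an EC2 task definition with the usual weak settings.
WEAK_TASK_DEF = {
    "family": "legacy-web",
    "requiresCompatibilities": ["EC2"],
    "networkMode": "host",
    "containerDefinitions": [{
        "name": "web",
        "image": "nginx:latest",
        "privileged": True,
        "environment": [{"name": "DB_PASSWORD", "value": "hunter2"}],
    }],
}

# Constructed: a Fargate task definition with the same settings hardened.
HARDENED_TASK_DEF = {
    "family": "payments",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "cpu": "512",
    "memory": "1024",
    "executionRoleArn": "arn:aws:iam::123456789012:role/paymentsTaskExecutionRole",
    "taskRoleArn": "arn:aws:iam::123456789012:role/paymentsTaskRole",
    "containerDefinitions": [{
        "name": "api",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments-api"
                 "@sha256:3f1b9a0c7e2d4f6a8b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a",
        "user": "1000:1000",
        "readonlyRootFilesystem": True,
        "portMappings": [{"containerPort": 8443, "protocol": "tcp"}],
        "environment": [{"name": "LOG_LEVEL", "value": "info"}],
        "secrets": [{"name": "DB_PASSWORD",
                     "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/payments/db-password"}],
        "logConfiguration": {"logDriver": "awslogs", "options": {
            "awslogs-group": "/ecs/payments", "awslogs-region": "us-east-1",
            "awslogs-stream-prefix": "api"}},
    }],
}

if __name__ == "__main__":
    for td in (WEAK_TASK_DEF, HARDENED_TASK_DEF):
        print(td["family"], lint_task_definition(td) or "no findings")
```

Run it against the JSON returned by `aws ecs describe-task-definition` (the `taskDefinition` key) to review what is actually registered rather than what is in source control.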
After you define your task definition, you deploy it as either a service or a standalone task on your cluster. A cluster is a logical grouping of tasks or services that run on the capacity (infrastructure) registered to that cluster.
A task is the instantiation of a task definition within a cluster. You can run a standalone task, or you can run tasks as part of a service. An Amazon ECS service runs and maintains your desired number of tasks simultaneously in a cluster: if any task fails or stops for any reason, the service scheduler launches a replacement task from your task definition so that the desired count is maintained.
The container agent runs on each container instance within an Amazon ECS cluster. The agent sends information about the current running tasks and resource utilization of your containers to Amazon ECS. It starts and stops tasks whenever it receives a request from Amazon ECS.
After you deploy the task or service, you can use any of the following tools to monitor your deployment and application:
- CloudWatch
- Runtime Monitoring
Capacity
The capacity is the infrastructure where your containers run. The following are the options:
- Amazon EC2 instances
- Serverless (AWS Fargate)
- On-premises virtual machines (VMs) or servers
You specify the capacity when you create a cluster. When you register a task definition, you also declare which infrastructure it is compatible with (the requiresCompatibilities parameter), and when you run a standalone task or deploy a service, you choose the "launch type" that the task runs on. For information about the launch type options, see Amazon ECS launch types.
Networking
AWS resources are created in subnets. When you use EC2 instances, Amazon ECS launches the instances in the subnet that you specify when you create a cluster. Your tasks run in the instance subnet. For Fargate or on-premises virtual machines, you specify the subnet when you run a task or create a service.
Depending on your application, the subnet can be a private or public subnet, and the subnet can be in any of the following:
- Availability Zones
- Local Zones
- Wavelength Zones
- AWS Regions
- AWS Outposts
For more information, see Amazon ECS applications in shared subnets, Local Zones, and Wavelength Zones or Amazon Elastic Container Service on AWS Outposts.
You can have your application connect to the internet by using one of the following methods:
- A public subnet with an internet gateway
Use public subnets when you have public applications that require large amounts of bandwidth or minimal latency. Applicable scenarios include video streaming and gaming services.
- A private subnet with a NAT gateway
Use private subnets when you want to protect your containers from direct external access. Tasks in a private subnet can initiate outbound connections through the NAT gateway (for example, to pull images or call AWS APIs), but they are not reachable from the internet. Applicable scenarios include payment processing systems or containers storing user data and passwords.
- AWS PrivateLink
Use AWS PrivateLink to have private connectivity between VPCs, AWS services, and your on-premises networks without exposing your traffic to the public internet.
Feature access
You can use your Amazon ECS account settings to access the following features:
- Container Insights
CloudWatch Container Insights collects, aggregates, and summarizes metrics and logs from your containerized applications and microservices. The metrics include utilization for resources such as CPU, memory, disk, and network.
- awsvpc trunking
For certain EC2 instance types, you can have additional network interfaces (ENIs) available on newly launched container instances.
- Tagging authorization
Users must have permissions for actions that create a resource, such as ecs:CreateCluster. If tags are specified in the resource-creating action, AWS performs additional authorization on the ecs:TagResource action to verify that the user or role also has permission to create tags.
- Fargate FIPS-140 compliance
Fargate supports the Federal Information Processing Standard (FIPS-140), which specifies the security requirements for cryptographic modules that protect sensitive information. It is the current United States and Canadian government standard, and is applicable to systems that are required to be compliant with the Federal Information Security Management Act (FISMA) or the Federal Risk and Authorization Management Program (FedRAMP).
- Fargate task retirement time changes
You can configure the wait period before Fargate tasks are retired for patching.
- Dual-stack VPC
Allow tasks to communicate over IPv4, IPv6, or both.
- Amazon Resource Name (ARN) format
Certain features, such as tagging authorization, require the new Amazon Resource Name (ARN) format.
For more information, see Access Amazon ECS features with account settings.
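The practical consequence of tagging authorization is that a policy granting only the create action fails as soon as the caller passes tags, and that ecs:TagResource can be scoped to creation time with the ecs:CreateAction condition key. The following added example (not AWS code or part of the original page) models that evaluation with a deliberately minimal policy evaluator: it handles only Allow statements, wildcards in Action, and a StringEquals condition on ecs:CreateAction, whereas real IAM evaluation also applies Deny statements, Resource elements and many other keys. The two policies are constructed for the example.

```python
"""Why tag-on-create needs two permissions (added example, not AWS code).

Minimal model of the check Amazon ECS performs when a resource-creating call
such as ecs:CreateCluster carries tags: the caller must be allowed the create
action AND ecs:TagResource, and the ecs:TagResource statement can be limited
to creation time with the ecs:CreateAction condition key. Only Allow
statements, Action wildcards and StringEquals on ecs:CreateAction are
modelled; real IAM evaluation has many more rules (Deny, Resource, other keys).
"""
from fnmatch import fnmatchcase
from typing import Optional

# Constructed policy A: may create clusters, but has no ecs:TagResource permission.
CREATE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:CreateCluster", "Resource": "*"},
    ],
}

# Constructed policy B: adds ecs:TagResource, but only while creating a cluster.
CREATE_WITH_TAGS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:CreateCluster", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "ecs:TagResource",
            "Resource": "*",
            "Condition": {"StringEquals": {"ecs:CreateAction": "ecs:CreateCluster"}},
        },
    ],
}


def _statement_allows(stmt: dict, action: str, context: dict) -> bool:
    """True if a single Allow statement matches the action and its conditions hold."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = stmt["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if not any(fnmatchcase(action, pattern) for pattern in actions):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        # A condition key that is absent from the request context does not match.
        if context.get(key) != expected:
            return False
    return True


def is_allowed(policy: dict, action: str, context: Optional[dict] = None) -> bool:
    context = context or {}
    return any(_statement_allows(s, action, context) for s in policy["Statement"])


def authorize_create(policy: dict, create_action: str, tags: dict) -> bool:
    """Model tag-on-create: the create action, plus ecs:TagResource when tags are present."""
    if not is_allowed(policy, create_action):
        return False
    if tags:
        # The additional authorization carries the creating action in ecs:CreateAction.
        return is_allowed(policy, "ecs:TagResource", {"ecs:CreateAction": create_action})
    return True


if __name__ == "__main__":
    tags = {"CostCenter": "payments"}
    print("A, no tags:  ", authorize_create(CREATE_ONLY_POLICY, "ecs:CreateCluster", {}))
    print("A, with tags:", authorize_create(CREATE_ONLY_POLICY, "ecs:CreateCluster", tags))
    print("B, with tags:", authorize_create(CREATE_WITH_TAGS_POLICY, "ecs:CreateCluster", tags))
    # Policy B does not let the same principal tag an existing cluster afterwards.
    print("B, tag later:", is_allowed(CREATE_WITH_TAGS_POLICY, "ecs:TagResource"))
```

The last case is the reason for the condition key: it lets a deployment principal label the resources it creates without being able to retag (and so re-scope tag-based access control on) resources that already exist.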
IAM roles
An IAM role is an IAM identity that you can create in your account that has specific permissions. In Amazon ECS, you use roles to grant permissions to Amazon ECS resources such as tasks and services. For example, a task IAM role grants the containers in a task permission to call AWS APIs, and the task execution role lets the container agent pull images from Amazon ECR and send logs to CloudWatch on the task's behalf. Keep the two separate and scope each to the least privilege the task needs.
Some Amazon ECS features require roles. For more information, see IAM roles for Amazon ECS.
Logging
Logging and monitoring are important aspects of maintaining the reliability, availability, and performance of Amazon ECS workloads. The following options are available:
- Amazon CloudWatch Logs - route logs to Amazon CloudWatch
- FireLens for Amazon ECS - route logs to an AWS service or AWS Partner Network destination for log storage and analysis. The AWS Partner Network is a global community of partners that leverages programs, expertise, and resources to build, market, and sell customer offerings.