Image for post
Image for post

Gentle Introduction to How AWS ECS Works with Example Tutorial

Tung Nguyen
Sep 10, 2017 · 10 min read

ECS is the AWS Docker container service that handles the orchestration and provisioning of Docker containers. This is a beginner level introduction to AWS ECS. I’ve seen some nightmare posts and some glowing reviews about the ECS service so I knew it was going to interesting to get my hands dirty and see what ECS was all about.

Summary of the ECS Terms

First we need to cover ECS terminology:

  • Task Definition — This a blueprint that describes how a docker container should launch. If you are already familiar with AWS, it is like a LaunchConfig except instead it is for a docker container instead of a instance. It contains settings like exposed port, docker image, cpu shares, memory requirement, command to run and environmental variables.
  • Task — This is a running container with the settings defined in the Task Definition. It can be thought of as an “instance” of a Task Definition.
  • Service — Defines long running tasks of the same Task Definition. This can be 1 running container or multiple running containers all using the same Task Definition.
  • Cluster — A logic group of EC2 instances. When an instance launches the ecs-agent software on the server registers the instance to an ECS Cluster. This is easily configurable by setting the ECS_CLUSTER variable in /etc/ecs/ecs.config described here.
  • Container Instance — This is just an EC2 instance that is part of an ECS Cluster and has docker and the ecs-agent running on it.

I remember when I first got introduced to the all the terms, I quickly got confused. AWS provides nice detailed diagrams to help explain the terms. Here is a simplified diagram to help visualize and explain the terms.

Image for post
Image for post

In this diagram you can see that there are 4 running Tasks or Docker containers. They are part of an ECS Service. The Service and Tasks span 2 Container Instances. The Container Instances are part of a logical group called an ECS Cluster.

I did not show a Task Definition in the diagram because a Task is simply an “instance” of Task Definition.

Tutorial Example

In this tutorial example I will create a small Sinatra web service that prints the meaning of life: 42.

  1. Create ECS Cluster with 1 Container Instance
  2. Create a Task Definition
  3. Create an ELB and Target Group to later associate with the ECS Service
  4. Create a Service that runs the Task Definition
  5. Confirm Everything is Working
  6. Scale Up the Service to 4 Tasks.
  7. Clean It All Up

The ECS First Run Wizard provided in the Getting Started with Amazon ECS documentation performs the similar above with a CloudFormation template and ECS API calls. I’m doing it out step by step because I believe it better helped me understand the ECS components.

1. Create ECS Cluster with 1 Container Instance

Before creating a cluster, let’s create a security group called my-ecs-sg that we’ll use.

aws ec2 create-security-group --group-name my-ecs-sg --description my-ecs-sg

Now create an ECS Cluster called my-cluster and the ec2 instance that belongs to the ECS Cluster. Use the my-ecs-sg security group that was created. You can get the id of the security group from the EC2 Console / Network & Security / Security Groups. It is important to select a Key pair so you can ssh into the instance later to verify things are working.

For the Networking VPC settings, I used the default VPC and all the Subnets associated with the account to keep this tutorial simple. For the IAM Role use ecsInstanceRole. If ecsInstanceRole does not yet exist, create it per AWS docs. All the my settings are provided in the screenshot. You will need to change the settings according to your own account and default VPC and Subnets.

Image for post
Image for post

Wait a few minutes and the confirm that the Container Instance has successfully registered to the my-cluster ECS cluster. You can confirm it by clicking on the ECS Instances tab under Clusters / my-cluster.

Image for post
Image for post

2. Create a task definition that will be blueprint to start a Sinatra app

Before creating the task definition, find a sinatra docker image to use and test that it’s working. I’m using the tongueroo/sinatra image.

$ docker run -d -p 4567:4567 --name hi tongueroo/sinatra
6df556e1df02e93b05aa46425fc539121f5e50afee630e1cd918b337c3b6c202
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6df556e1df02 tongueroo/sinatra "ruby hi.rb" 2 seconds ago Up 1 seconds 0.0.0.0:4567->4567/tcp hi
$ curl localhost:4567 ; echo
42
$ docker stop hi ; docker rm hi
$

Above, I’ve started a container with the sinatra image and curl localhost:4657. Port 4567 is the default port that sinatra listens on and it is exposed in the Dockerfile. It returns “42” as expected. Now that I’ve tested the sinatra image and verify that it works, let’s create the task definition. Create a task-definition.json and add:

{
"family": "sinatra-hi",
"containerDefinitions": [
{
"name": "web",
"image": "tongueroo/sinatra:latest",
"cpu": 128,
"memoryReservation": 128,
"portMappings": [
{
"containerPort": 4567,
"protocol": "tcp"
}
],
"command": [
"ruby", "hi.rb"
],
"essential": true
}
]
}

The task definition is also available on GitHub: task-definition.json. To register the task definition:

$ aws ecs register-task-definition --cli-input-json file://task-definition.json

Confirm that the task definition successfully registered with the ECS Console:

Image for post
Image for post

3. Create an ELB and Target Group to later associate with the ECS Service

Now let’s create an ELB and a target group with it. We are creating an ELB because we eventually want to load balance requests across multiple containers and also want to expose the sinatra app to the internet for testing. The easiest way to create an ELB is with the EC2 Console.

Go the EC2 Console / Load Balancing / Load Balancers, click “Create Load Balancer” and select Application Load Balancer.

Wizard Step 1 — Configure Load Balancer

  • Name it my-elb and select internet-facing.
  • Use the default Listener with a HTTP protocol and Port 80.
  • Under Availability Zone, chose a VPC and choose the subnets you would like. I chose all 4 subnets in the default VPC just like step 1. It is very important to chose the same subnets that was chosen when you created the cluster in step 1. If the subnets are not the same the ELB health check can fail and the containers will keep getting destroyed and recreated in an infinite loop if the instance is launched in an AZ that the ELB is not configured to see.

Wizard Step 2 — Configure Security Settings

  • There will be a warning about using a secure listener, but for the purpose of this exercise we can skip using SSL.

Wizard Step 3 — Configure Security Groups

  • Create a new security group named my-elb-sg and open up port 80 and source 0.0.0.0/0 so anything from the outside world can access the ELB port 80.

Wizard Step 4 — Configure Routing

  • Create a new target group name my-target-group with port 80.

Wizard Step 5 — Register Targets

  • This step is a little odd for ECS. We do actually not register any targets here because ECS will automatically register the targets for us when new tasks are launched. So simply skip and click next.

Wizard Step 6 — Review

  • Review and click create.
Image for post
Image for post

When we created the ELB with the wizard we opened it’s my-elb-sg group port 80 to the world. We also need to make sure that the my-ecs-sg security group associated with the instance we launched in step 1 allows traffic from the ELB. We created the my-ecs-sg group in step 1 at the very beginning of this tutorial. To allow all ELB traffic to hit the container instance run the following:

$ aws ec2 authorize-security-group-ingress --group-name my-ecs-sg --protocol tcp --port 1-65535 --source-group my-elb-sg

Confirm the rules were added to the security groups via the EC2 Console:

Image for post
Image for post

With these security group rules, only port 80 on the ELB is exposed to the outside world and any traffic from the ELB going to a container instance with the my-ecs-group group is allowed. This a nice simple setup.

4. Create a Service that runs the Task Definition

The command to create the ECS service takes a few parameters so it is easier to use a json file as it’s input. Let’s create a ecs-service.json file with the following:

{
"cluster": "my-cluster",
"serviceName": "my-service",
"taskDefinition": "sinatra-hi",
"loadBalancers": [
{
"targetGroupArn": "FILL-IN-YOUR-TARGET-GROUP",
"containerName": "web",
"containerPort": 4567
}
],
"desiredCount": 1,
"role": "ecsServiceRole"
}

You will have to find your targetGroupArn created in step 3 when we created the ELB. To find the targetGroupArn you can go to the EC2 Console / Load Balancing / Target Groups and click on the my-target-group.

Now create the ECS service: my-service.

$ aws ecs create-service --cli-input-json file://ecs-service.json

You can confirm that the container is running on the ECS Console. Go to Clusters / my-cluster / my-service and view the Tasks tab.

Image for post
Image for post

5. Confirm Everything is Working

Confirm that the service is running properly. You want to be thorough about confirming that all is working by checking a few things.

Check that my-target-group is showing and maintaining healthy targets. Under Load Balancing / Target Groups, click on my-target-group and check the Targets tab. You should see a Target that is reporting healthy.

Image for post
Image for post

If the target is not healthy, check these likely issues:

  • Check that the my-ecs-sg security group is allowing all traffic from the my-elb-sg security group. This was done in Step 4 with the authorized-security-group-ingress command after you created the ELB.
  • Check that the security groups for the ELB, in step 3, is set to the same security groups that you use when you created the ECS Cluster and Container Instance in step 1. Remember the ELB can only detect healthy instances in AZs that it is configure to use.

Let also ssh into the instance and see the running docker process is returning a good response. Under Clusters / ECS Instances, click on the Container Instance and grab the public dns record so you can ssh into the instance.

Image for post
Image for post
Image for post
Image for post
$ ssh ec2-user@ec2-52-3-252-86.compute-1.amazonaws.com
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9e9a55399589 tongueroo/sinatra:latest "ruby hi.rb" 16 minutes ago Up 16 minutes 8080/tcp, 0.0.0.0:32773->4567/tcp ecs-sinatra-hi-1-web-d8efaad38dd7c3c63a00
4fea55231363 amazon/amazon-ecs-agent:latest "/agent" 41 minutes ago Up 41 minutes ecs-agent
$ curl 0.0.0.0:32773 ; echo
42
$

Above, I’ve verified that the docker container running on the instance by curling the app and seeing a successful response with the “42” text.

Lastly, let’s also verify by hitting the external DNS address of the ELB. You can find the DNS address in the EC2 Console under Load Balancing / Load Balancers and clicking on my-elb.

Image for post
Image for post

Verify the ELB publicly available dns endpoint with curl:

$ curl my-elb-1693572386.us-east-1.elb.amazonaws.com ; echo
42
$

6. Scale Up the Service to 4 Tasks

This is the easiest part. To scale up and add more containers simply go to Clusters / my-cluster / my-service and click on “Update Service”. You can change “Number of tasks” from 1 to 4 there. After only a few moments you should see 4 running tasks. That’s it!

7. Clean It All Up

It is quickest to use the EC2 Console to delete the following resources:

  • ELB: my-elb
  • ECS Service: my-service Task Definition: sinatra-hi Cluster: my-cluster
  • Security group: my-elb-sg and my-ecs-sg.

Summary

In this post I covered the ECS terminology and went through a simple example to create a sinatra app behind a ELB.

Overall, I think that ECS is a pretty amazing service and it has taken the hassle of managing docker orchestration and provisioning responsibility away.

Thanks for reading this far. If you found this post useful, I’d really appreciate it if you recommend this post (by clicking the clap button) so others can find it too! Also, connect with me on LinkedIn.

Image for post
Image for post

P.S. Be sure to join the BoltOps newsletter to receive free DevOps tips and updates.

BoltOps

All AWS All the Time

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store