SAA
Overview
For each container, there is ECS Agent attached to it. ECS Agent talk to ECS Service, ECR to pull image and send log to CloudWatch.
There are two types of IAM roles:
- For EC2 instance, ECS Agent
- For Task defintion
For each Task, will attach ENI to bind network IP.
ECS Services & Tasks, Load Balancing
- In a Cluster, you can have multi services
- In a Service, you can run multi Tasks
- You can attach Application Load Balacner
- If you have Multi containers running in one Task
- You can using Dynamic Port mapping, (give 0 in Port input), it randomlly assign port
- ALB will connect to each ports
- EC2 instance SG should allow ANY PORT from the ALB security Group (because port are dynamic)
- ECS tasks can be invoked automaticlly by EventBridge or CloudWatch Event
ECS Scaling
- There are two types of scalings
- Auto scaling group to add new Task to handle increase traffic
- Scaling SEC Capacity Proivders to upgrade EC2 instance, in order to Launch more Tasks in EC2 instances
SAP
ECS - Security & Networking
- IAM Security
- EC2 instance Role must have basic ECS permissions
- ECS Task level should have an IAM Task Role (maximum security)
- Secrets and Configuration injection into parameters, environmnet variables
- Integration with SSM Parameter Store & Secret Manager
- Task Networking
- none: no network connectivity, no port mapping
- bridge: uses Docker‘s virtual container-based network
- host: bypass Docker‘s netowkr, uses the underlying host netowrk interface
- awsvpc:
- Every tasks launched on instance gets its own ENI and private IP address
- Simplified networking, enhanced security, security groups, monitoring, VPC flow logs
- Default mode for Fargate