How to use AWS Nitro Enclave with ECS? - amazon-web-services

I am trying to set up AWS Nitro Enclaves with ECS using AWS CloudFormation, but I am struggling with assigning a launch template to an ECS service.
As far as I know, we can specify a launchType with the value of EC2 while creating the ECS Service but there is no way to manipulate the launch parameters.
Any help with examples will be appreciated.

The Nitro Enclave is part of the EC2 server. An ECS service is just a docker container running on the EC2 server. The EC2 server has to already be up and running (with things like Nitro Enclave already configured) before the ECS service is started on the server. The launchType parameter of the ECS Service just specifies if it should run on Fargate or EC2.
You can't configure your cluster's EC2 servers through an ECS service configuration. You would configure the EC2 servers in the ECS cluster through the cluster's Capacity Provider configuration. Specifically, since you are using EC2 instead of Fargate, you would need to configure the capacity provider with an EC2 auto-scaling group which is configured with an EC2 launch template that handles the Nitro Enclave setup.
To be clear, I've never heard of anyone using Nitro Enclaves with ECS, and I don't think you can actually run ECS services inside the Nitro Enclave. At most you could have ECS services running on the same server that also has a Nitro Enclave running some other process.
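The wiring the answer describes, written out as an added CloudFormation example (my own illustration, not code from the question or from AWS): the enclave option is set on the EC2 launch template, the launch template feeds an Auto Scaling group, the group backs an ECS capacity provider, and the service only references the capacity provider. The cluster name, task family, instance type, subnet/VPC parameters and the Nitro CLI install lines in the user data are assumptions; the SSM parameter for the ECS-optimized AMI and the resource types are the documented ones.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Illustrative ECS-on-EC2 cluster with Nitro Enclaves enabled at the launch template.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  EcsAmiId:                                # recommended ECS-optimized AL2 AMI via the public SSM parameter
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id
Resources:
  Cluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: enclave-demo            # assumed name
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref InstanceRole]
  LaunchTemplate:                          # the enclave switch is an EC2 launch property, so it lives here
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref EcsAmiId
        InstanceType: m5.xlarge            # assumption: choose an enclave-capable Nitro instance size
        EnclaveOptions:
          Enabled: true
        IamInstanceProfile:
          Arn: !GetAtt InstanceProfile.Arn
        MetadataOptions:
          HttpTokens: required             # IMDSv2 only, so a container cannot fetch instance credentials with a plain GET
        UserData:
          Fn::Base64: !Sub |
            #!/bin/bash
            # Join the named cluster instead of "default" (same ecs.config mechanism as the docs).
            echo "ECS_CLUSTER=${Cluster}" >> /etc/ecs/ecs.config
            # Nitro Enclaves CLI and allocator on Amazon Linux 2 (assumed available on this AMI).
            amazon-linux-extras install -y aws-nitro-enclaves-cli
            yum install -y aws-nitro-enclaves-cli-devel
            systemctl enable --now nitro-enclaves-allocator.service
  AutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: !Ref SubnetIds
      MinSize: '1'
      MaxSize: '3'
      LaunchTemplate:
        LaunchTemplateId: !Ref LaunchTemplate
        Version: !GetAtt LaunchTemplate.LatestVersionNumber
      NewInstancesProtectedFromScaleIn: true   # required when ManagedTerminationProtection is ENABLED
  CapacityProvider:
    Type: AWS::ECS::CapacityProvider
    Properties:
      AutoScalingGroupProvider:
        AutoScalingGroupArn: !Ref AutoScalingGroup
        ManagedScaling:
          Status: ENABLED
          TargetCapacity: 100
        ManagedTerminationProtection: ENABLED
  ClusterCapacityProviders:
    Type: AWS::ECS::ClusterCapacityProviderAssociations
    Properties:
      Cluster: !Ref Cluster
      CapacityProviders: [!Ref CapacityProvider]
      DefaultCapacityProviderStrategy:
        - CapacityProvider: !Ref CapacityProvider
          Weight: 1
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: enclave-demo-app             # assumed
      RequiresCompatibilities: [EC2]
      ContainerDefinitions:
        - Name: app
          Image: public.ecr.aws/docker/library/nginx:latest   # placeholder image
          Memory: 256
          Essential: true
  Service:                                 # names no instance or launch template, only the capacity provider
    Type: AWS::ECS::Service
    DependsOn: ClusterCapacityProviders
    Properties:
      Cluster: !Ref Cluster
      TaskDefinition: !Ref TaskDefinition
      DesiredCount: 1
      CapacityProviderStrategy:
        - CapacityProvider: !Ref CapacityProvider
          Weight: 1
```

Two things to check before relying on this: the container in the task runs beside the enclave on the host, not inside it, exactly as the answer says; and the CPUs and memory the allocator reserves for enclaves are not visible to the ECS agent, so tasks can be scheduled onto memory the host no longer has unless you reserve it in ecs.config as well (the agent's ECS_RESERVED_MEMORY setting is the knob for that).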

Related

Calling AWS Services from a container on ECS + EC2. Connection Timeout

I want to run an ECS Task on EC2 instance, and I want that task/container to be able to call other AWS services via Boto3.
When I run the same task on Fargate, it works as expected and I am able to call other AWS services from the task/container. When I run the ECS Task on EC2, it gives me connection timeout errors when attempting to call other AWS services. (The specific errors depend on the service.)
In an attempt to rule out any permission issues, I am running in a public subnet and using a single IAM role (with the AdministratorAccess policy) for the EC2 instance, ECS task role, and ECS task execution role.
The ECS Task on EC2 IS able to access the internet (which I confirmed by having it ping google.com).
What are any other conditions that need to be satisfied in order to call other AWS services from a container on ECS + EC2?
The cause of my issue was using a public subnet and the awsvpc network mode.
Using Amazon EC2 — You can launch EC2 instances on a public subnet. Amazon ECS uses these EC2 instances as cluster capacity, and any containers that are running on the instances can use the underlying public IP address of the host for outbound networking. This applies to both the host and bridge network modes. However, the awsvpc network mode doesn't provide task ENIs with public IP addresses. Therefore, they can't make direct use of an internet gateway.
-- Amazon Elastic Container Service Best Practices Guide
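The layout that avoids the timeout described in this answer, as an added CloudFormation example (mine, not the asker's template): the awsvpc task ENI can never get a public IP on EC2, so the service is placed in a private subnet whose default route is a NAT gateway sitting in the existing public subnet. The CIDR, names, placeholder image and the assumption that the public subnet already routes to an internet gateway are mine; the alternative the quoted guide implies, keeping the task definition in bridge or host mode so it borrows the host's public IP, needs no NAT at all.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Illustrative fix for awsvpc tasks on EC2 that time out calling AWS APIs from a public subnet.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetId:                          # assumption: this subnet already has a route to an internet gateway
    Type: AWS::EC2::Subnet::Id
  ClusterName:
    Type: String
Resources:
  NatEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  NatGateway:                              # lives in the public subnet and holds the only public IP involved
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref PublicSubnetId
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcId
      CidrBlock: 10.0.100.0/24             # assumed; must fall inside the VPC CIDR
      MapPublicIpOnLaunch: false
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId
  PrivateDefaultRoute:                     # task ENIs reach AWS endpoints through the NAT gateway
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  PrivateSubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable
  TaskSecurityGroup:                       # attached to the task ENI, not the host; outbound HTTPS only
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: awsvpc task ENIs, egress to AWS APIs only
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: awsvpc-demo                  # assumed
      NetworkMode: awsvpc                  # each task gets its own ENI, which never receives a public IP on EC2
      RequiresCompatibilities: [EC2]
      ContainerDefinitions:
        - Name: app
          Image: public.ecr.aws/amazonlinux/amazonlinux:2   # placeholder image
          Memory: 256
          Essential: true
  Service:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref ClusterName
      LaunchType: EC2
      TaskDefinition: !Ref TaskDefinition
      DesiredCount: 1
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED         # the only accepted value for the EC2 launch type
          Subnets: [!Ref PrivateSubnet]
          SecurityGroups: [!Ref TaskSecurityGroup]
```

With this in place the AdministratorAccess role from the question is no longer needed for the diagnosis; the task role can be cut down to the API actions the container actually calls, since the timeouts were a routing problem rather than a permissions one.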

Choosing microservice using AWS EC2 and ECS

I am trying to develop Spring Cloud microservices, and I plan to deploy them into the AWS cloud. When reading AWS resources I found that ECS provides a configuration-less environment for deploying microservices, unlike EC2. My doubts are:
Can I choose ECS for my complete services deployment without configurations?
For creating an ECS service, is an EC2 instance mandatory? Can I use ECS only in my account without creating an EC2 VM? I need to know whether ECS is an alternative to EC2.
ECS is a service which offers clustering of VMs for Docker containers and manages the container lifecycle.
1) Yes. You can use ECS for your service deployment, and it needs some basic configuration, which will be one-time.
2) No. To run a Docker container you need an EC2 instance; without that it's not possible to run. EC2 instances are managed by ECS, so you only need to provide some config like region, security group, etc.
For complete config and deployment refer to the link below.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_GetStarted.html

Spring Cloud microservice deployment in AWS

I am trying to develop a Spring Cloud microservice and need to deploy it in the AWS cloud. I am new to Spring Cloud and AWS. I would like to open an EC2 instance and deploy using the Elastic Beanstalk environment wizard.
When I was exploring how to create an EC2 instance and its configuration, I found documentation explaining EC2 and EC2 Container Service. I need to deploy my service in a Java environment with Tomcat as the service structure, so I am confused about EC2 and EC2 Container Service. Which one is suitable for my criteria and requirements: EC2 or EC2 Container Service?
EC2 container service is to be used if you want to run container systems like Docker. Are you comfortable using Docker containers?
If you want to use a standard virtual machine, use an EC2 instance. Your requirement of deploying a microservice can be achieved using either an EC2 instance or EC2 Container Service. What is important is your comfort level.

What is the difference between Amazon ECS and Amazon EC2?

I'm just getting started on AWS EC2. I understand that EC2 is like a remote computer where I can do pretty much everything I want. Then I found out about ECS. I know it uses Docker, but I'm confused about the relationship between these two.
Is ECS just a Docker install in EC2?
If I already have an EC2 and I start an ECS, does it mean I have two instances?
Your question:
Is ECS just a docker install in EC2? If I already have a EC2, then I start a ECS, does it mean I have two instance?
No. AWS ECS is just a logical grouping (cluster) of EC2 instances, and all the EC2 instances that are part of an ECS cluster act as Docker hosts, i.e. ECS can send commands to launch a container on them (EC2).
If you already have an EC2 instance and then launch ECS, you'll still have a single instance. If you add/register the EC2 instance to ECS (by installing the AWS ECS Container Agent) it'll become part of the cluster, but it is still a single EC2 instance.
An Amazon ECS cluster without any EC2 instance registered (added to the cluster) is good for nothing.
TL;DR - an overview
EC2 - is simply a remote (virtual) machine.
ECS stands for Elastic Container Service - as per the basic definition of a computer cluster, ECS is basically a logical grouping of EC2 machines/instances. Technically speaking, ECS is a mere configuration for the efficient use and management of your EC2 instance(s) resources, i.e. storage, memory, CPU, etc.
To simplify it further, if you have launched an Amazon ECS cluster with no EC2 instances added to it, it's good for nothing, i.e. you can't do anything with it. ECS makes sense only once one (or more) EC2 instances are added to it.
The next confusing thing here is the term container - containers are not fully virtualized machine instances, and Docker is one technology we can use to create container instances. Docker is a utility you can install on your machine, which makes it a Docker host, and on this host you can create containers (similar to virtual machines, but much more lightweight). To sum up, ECS is just about clustering of EC2 instances, and uses Docker to instantiate containers/instances/virtual machines on these (EC2) hosts.
All you need to do is launch an ECS cluster and register/add as many EC2 instances to it as you need. To add/register EC2 instances, all you need is the Amazon ECS Container Agent running on your EC2 instance/machine, which can be done manually or directly using the special AMI (Amazon Machine Image), i.e. the Amazon ECS-optimized AMI, which already has the Amazon ECS Container Agent. During the launch of a new EC2 instance the Agent automatically registers it to the default ECS cluster.
The container agent running on each of the instances (EC2 instances) within an Amazon ECS cluster sends information about the instance's current running tasks and resource utilization to Amazon ECS, and starts and stops tasks whenever it receives a request from Amazon ECS. For more information, see Amazon ECS Container Agent. Once set, each of the created container instances (of whatever EC2 machine/node) will be an instance in Amazon ECS's swarm.
For more information – read step 10 from this documentation: Launching an Amazon ECS Container Instance:
Choose an AMI for your container instance. You can choose the Amazon ECS-optimized AMI, or another operating system, such as CoreOS or Ubuntu. If you do not choose the Amazon ECS-optimized AMI, you need to follow the procedures in Installing the Amazon ECS Container Agent.
By default, your container instance launches into your default cluster. If you want to launch into your own cluster instead of the default, choose the Advanced Details list and paste the following script into the User data field, replacing your_cluster_name with the name of your cluster.
#!/bin/bash
echo ECS_CLUSTER=your_cluster_name >> /etc/ecs/ecs.config
Or, if you have an ecs.config file in Amazon S3 and have enabled Amazon S3 read-only access to your container instance role, choose the Advanced Details list and paste the following script into the User data field, replacing your_bucket_name with the name of your bucket to install the AWS CLI and write your configuration file at launch time.
Note: For more information about this configuration, see Storing Container Instance Configuration in Amazon S3.
#!/bin/bash
yum install -y aws-cli
aws s3 cp s3://your_bucket_name/ecs.config /etc/ecs/ecs.config
Just to clarify it further – you can create containers on your single EC2 instance without ECS. Install any containerization technology, e.g. Docker, and run the create-container command, setting your EC2 instance up as a Docker host, and have as many Docker containers as you want (or as many as your EC2 instance's resources allow).
In simple words, ECS is a manager while EC2 instances are just like employees.
All the employees (EC2) under this manager (ECS) can perform "Docker" tasks, and the manager also understands "Docker" pretty well. So, whenever you need "Docker" resources, you show up to the manager. The manager already has the status from every employee (EC2) and decides which one should perform the task.
Now, coming back to your question, a manager without an "employee" does not make sense but is definitely possible.
EC2 allows you to launch individual instances which you can use for pretty much whatever you like.
ECS is a container service, which means it will launch instances that will be ready to launch container applications.
The main distinction between the two services is that with EC2 you have to manage each instance separately in whatever method you choose (manually, using a CM tool or any other way) - deploy your applications and maintain the connection between the servers yourself.
ECS allows you to launch a cluster of machines that will serve as the deployment ground of your container apps, allowing you to treat all instances in the cluster as one big instance available for your container workload.
And to answer your question - You can start an ECS cluster with no instances in it, but then it won't be able to run anything on it. Once you register an EC2 instance inside an ECS cluster, containers are ready to run in it. So the bottom line is - you can use both ECS and EC2 with only one instance, but that is not the actual use case these services were built for.
Put simply, Elastic Container Service (ECS) is a Docker container orchestration service.
You can ask it to run one or more Docker images, either as an auto-scaling capable "Service" or as an ad-hoc "Task".
The services and tasks run on a "Cluster". Originally, a Cluster was a group of one or more pre-configured EC2 servers running ECS Cluster Agent. The Cluster Agent would schedule the containers on the EC2 server. These EC2 servers show up in your EC2 Instances list and are charged at regular EC2 per-minute costs - You can even SSH onto them like any normal EC2 server.
If you wanted more capacity to run more Services or Tasks, or if you wanted resilience against EC2 failure, then you would add more EC2 servers.
Around November 2017, AWS added ECS Fargate. Now a Cluster can run "serverless" without provisioning EC2 nodes. You simply define the amount of CPU and memory your Task or Service requires to operate, meaning that you just pay for the CPU and memory time rather than the EC2.
ECS stands for 'Elastic Container Service'. It is a container orchestration service.
Let's say you have a Docker container running and you decide to update the Docker image. It's a relatively easy task to stop, pull and run if you have one container running, but it's tedious to do the same steps if you have 10 to 100 containers running.
With AWS ECS you have this control. You specify if an update is required, provide the latest image id, and ECS will handle the stop, pull and run etc. commands for you. It also provides many more features; refer to https://aws.amazon.com/ecs/features/
EC2 stands for 'Elastic Compute Cloud'. In simple terms it's a virtual machine.
ECS uses EC2 to run your containers.
'These running docker containers (tasks) are run on EC2 instances'.
ECS is a container orchestrator just like Kubernetes or Docker Swarm; EC2 is the Amazon Elastic Compute Cloud platform for creating virtual machines. ECS allows you to run containers either in a serverless environment (Fargate), where you don't have to run any VM, or in a non-managed environment where you host the containers on EC2 instances.
Okay, as you know EC2 is a virtual machine on AWS and ECS is a container orchestration system on AWS.
To use ECS, you need to run your containers on some virtual machines, and EC2 is one option for providing those.
You will need to install the ecs-agent on EC2 to make a connection with ECS. ECS can also monitor the resource usage on your EC2 instance. So basically, the higher the EC2 instance type you choose, the more resources (CPU/MEM) your container can use.
EC2 is a compute service that enables applications to run on AWS, whereas ECS is an AWS service used primarily to orchestrate Docker containers.

Does AWS support Kubernetes?

I've read that AWS does not support Kubernetes and builds their own Docker orchestration engine, EC2 Container Service. However, on the Kubernetes getting-started page there is a guide on how to run Kubernetes on AWS:
https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/getting-started-guides/aws.md
Which is right?
You can install Kubernetes on a normal Amazon EC2 server.
The new container service is a separate offering by Amazon, called ECS.
EDIT: AWS released in 2018 a new container service for Kubernetes called EKS: https://aws.amazon.com/eks/
Amazon Elastic Container Service for Kubernetes (Amazon EKS) makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS. Amazon EKS runs the Kubernetes management infrastructure for you across multiple AWS availability zones to eliminate a single point of failure.
Kubernetes provides scripts to simply set up a cluster on a set of EC2 machines. The setup does pretty much everything needed to get started quickly.
Here is the link: https://github.com/GoogleCloudPlatform/kubernetes/blob/release-1.0/docs/getting-started-guides/aws.md
Yes, it's possible to set up Kubernetes on AWS. See: http://kubernetes.io/v1.0/docs/getting-started-guides/aws.html
You can also manually set up Kubernetes on AWS by launching an EC2 instance.
For setting it up on a Red Hat AMI: https://access.redhat.com/articles/1353773
(Note: Kubernetes needs the flannel network to be set up for managing networking between Docker containers running on different hosts (minions).)
Amazon's Container Service is unrelated to Kubernetes.
There are 3 main options for installing Kubernetes on AWS:
CoreOS has a CLI for installing and managing Kubernetes on AWS: https://coreos.com/kubernetes/docs/latest/kubernetes-on-aws.html
Kubernetes has some scripts for setting up a cluster on AWS: http://kubernetes.io/docs/getting-started-guides/aws/
Manual installation on EC2. Lots of options here: http://kubernetes.io/docs/getting-started-guides/#cloud
As an aside minikube is now a thing which is nice for running locally to try stuff out:
http://kubernetes.io/docs/getting-started-guides/minikube/
AWS recently launched EKS, which provides managed k8s master nodes. This should be what you are looking for.
Yes. You can use kubeadm to install kubernetes on EC2 instances.
There are other tools also available.
KOPS
EKS
Kubeadm