Initial Guide to Deploying Docker Containers into AWS ECS
07 Nov 2019
In this tutorial we will walk through how to deploy simple Docker containers into AWS ECS. ECS is a container service for deploying and managing your Docker containers on AWS. There are two ways to run containers on ECS clusters:
- EC2 instances
- Fargate (Serverless)
We will use EC2 type container instances. Before starting, there are some ECS-specific terms we need to understand:
- Task Definition: A JSON|YML based configuration file; in other words, the recipe or blueprint of your containers. We give parameters like Docker Image, CPU, Memory and Network Mode for one or more containers. You can think of it like a Dockerfile.
- Task: An instance based on a given Task Definition. This is the Docker container which can contain one or more Task Definitions.
- Service: Allows you to create and maintain a number of tasks (containers), including their lifecycle and deployment properties, from the same Task Definition.
- ECS Container Agent: A service (docker container) that manages the connection between ECS cluster.
- Cluster: A group for defining container instances. It can be either a group of EC2 instances or a Fargate type cluster, which is serverless.
Here is the high level architecture for our application
There are 3 different AWS components we will create and configure;
- Elastic Container Service (ECS)
- Elastic Load Balancer (ELB)
- Elastic Container Registry (ECR)
We will create and configure the ECS and ELB components; ECR I will use only to pull my own simple Docker image. Here is the high level representation of EC2 instances in an ECS cluster.
Creating ECS Cluster
We will create an empty ECS cluster with an EC2 type container instance. Keep in mind that we should use the same subnets for the ELB as well; otherwise the Target Group for the ELB won't be healthy and the instances won't be reachable via the ELB. For the sake of simplicity I used my default VPC and subnets, so we won't create them in this tutorial. First we will create a security group to use for the ECS cluster:
aws ec2 create-security-group --group-name example-ecs-sg --description example-ecs-sg
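Later on, we will allow inbound traffic from another security group that we will create for the Elastic Load Balancer. Allowing SSH connections into this cluster is optional; I am allowing it now in order to show the Docker containers running in the EC2 instances at the end of this tutorial. The rule below opens port 22 to every source address (0.0.0.0/0), so outside a short-lived demo the --cidr value should be limited to your own address range.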
aws ec2 authorize-security-group-ingress --group-name example-ecs-sg --protocol tcp --port 22 --cidr 0.0.0.0/0
Here is the ecs-cli command for creating the ECS cluster. Note that the --keypair parameter is optional; I added it only to make the EC2 instances accessible by SSH.
ecs-cli up --cluster example-ecs-cluster --instance-role ecsInstanceRole --keypair dev.pem --size 1 --security-group sg-087f0cf793164eed3 --subnets subnet-dafc6f93,subnet-6b8f2b30,subnet-eed8a38b,subnet-f38b2bde --vpc vpc-340b1053 --instance-type t2.small --launch-type EC2
A successful output will look like:
We can also verify the cluster from AWS Console
Creating Task Definition
We want the ECS cluster to provision and manage our own Docker images on the container instances. I will use an already existing hello world nodejs image from my ECR. Here is what the Dockerfile and server.js script from my node application look like:
For the task definition we will expose port 8080 and use the image url from our ECR repository which has our Docker image.
aws ecs register-task-definition --cli-input-json file://task-definition.json
task-definition.json looks like;
We will have an output like:
We can see the task definition we created from AWS Console
Creating Elastic Load Balancer (ELB) with Target Group
We will create a Target Group which will be used by Elastic Load Balancer. Here is the order of steps we will follow to create an ELB;
- Create a Security Group for ELB and allow ingress traffic from public network.
- Create a Target Group to register it to the Elastic Load Balancer we will create.
- Create an Elastic Load Balancer with the security group and target group we created.
Let's create another security group with the name example-elb-sg for our ELB.
aws ec2 create-security-group --group-name example-elb-sg --description example-elb-sg
Now, instead of enabling SSH access, we will enable inbound network traffic only on port 80 for this security group:
aws ec2 authorize-security-group-ingress --group-name example-elb-sg --protocol tcp --port 80 --cidr 0.0.0.0/0
Now we have to allow the example-ecs-sg security group to accept ingress traffic from the example-elb-sg security group:
aws ec2 authorize-security-group-ingress --group-name example-ecs-sg --source-group example-elb-sg --protocol tcp --port 1-65535
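The two ingress rules now on example-ecs-sg (SSH from 0.0.0.0/0 and TCP 1-65535 from the ELB group) are the ones to review once the walkthrough is finished. The following is an added example, not part of the original post: it audits output shaped like `aws ec2 describe-security-groups` for admin ports open to the world and for wide port ranges. The sample JSON is constructed, the group IDs are placeholders, and the 1024-port threshold is an assumption.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# for the two groups created in this tutorial. Group IDs are placeholders.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupName": "example-ecs-sg", "GroupId": "sg-ECS-PLACEHOLDER", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 65535, "IpRanges": [],
     "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-ELB-PLACEHOLDER"}]}]},
  {"GroupName": "example-elb-sg", "GroupId": "sg-ELB-PLACEHOLDER", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}
]}
""")

ADMIN_PORTS = (22, 3389)  # ports that should not be reachable from every address
WIDE_RANGE = 1024         # assumption: a rule spanning this many ports is "wide"


def port_bounds(perm):
    """Return (low, high) for a rule; protocol -1 or missing ports means all ports."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def audit(described):
    """Return sorted (group, finding, detail) tuples for risky ingress rules."""
    findings = []
    for group in described["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            low, high = port_bounds(perm)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if any(s in ("0.0.0.0/0", "::/0") for s in sources):
                for port in ADMIN_PORTS:
                    if low <= port <= high:
                        findings.append((group["GroupName"], "admin-port-open-to-world", str(port)))
            if high - low + 1 >= WIDE_RANGE:
                # Still wide even when the source is another security group:
                # narrow it to the host port(s) the task actually publishes.
                findings.append((group["GroupName"], "wide-port-range", f"{low}-{high}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

To run it against the real groups, load the JSON printed by `aws ec2 describe-security-groups --group-names example-ecs-sg example-elb-sg` and pass it to `audit`.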
Here is the command for creating Target Group with its output.
aws elbv2 create-target-group --name example-target-group --port 80 --protocol HTTP --target-type instance --vpc-id vpc-340b1053 --health-check-protocol HTTP --health-check-path /hello-world
Now we will create an Elastic Load Balancer to register
aws elbv2 create-load-balancer --name example-elb --subnets subnet-dafc6f93 subnet-6b8f2b30 subnet-eed8a38b subnet-f38b2bde --security-groups sg-0620dc50979b05b24 --scheme internet-facing --type application
Now we have to create a Listener
aws elbv2 create-listener --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:548754742764:loadbalancer/app/example-elb/3cb7c0ce850338d6 --protocol HTTP --port 80 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:548754742764:targetgroup/example-target-group/73e3f1b663022983
Our Elastic Load Balancer will now have an attached Listener, which we can also verify from the AWS Console.
Creating ECS Service
Finally we will create ECS service to run Tasks based on the Task Definition.
aws ecs create-service --cluster example-ecs-cluster --service-name example-ecs-service --task-definition nodejs-task-def --desired-count 1 --launch-type EC2 --load-balancers targetGroupArn=arn:aws:elasticloadbalancing:us-east-1:548754742764:targetgroup/example-target-group/73e3f1b663022983,containerName=node-app,containerPort=8080
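The containerName and containerPort passed in --load-balancers have to match a container and a port mapping in the registered task definition, and on the EC2 launch type the task or container needs a memory value. The check below is an added example, not the author's code: it verifies both before create-service is run and also flags an image reference that is not pinned. The task definition is constructed from the names on this page (nodejs-task-def, node-app, 8080); the image URI, network mode and memory size are placeholders.

```python
# Constructed task definition; only the family, container name and port come
# from the page. Image URI, networkMode and memory are placeholder values.
TASK_DEF = {
    "family": "nodejs-task-def",
    "networkMode": "bridge",
    "containerDefinitions": [{
        "name": "node-app",
        "image": "<account-id>.dkr.ecr.us-east-1.amazonaws.com/<repository>:latest",
        "memory": 256,
        "portMappings": [{"containerPort": 8080, "hostPort": 0, "protocol": "tcp"}],
    }],
}


def preflight(task_def, container_name, container_port):
    """Return problems that would break or weaken the service deployment."""
    problems = []
    containers = {c["name"]: c for c in task_def.get("containerDefinitions", [])}

    # The load balancer mapping must point at a container and port that exist.
    target = containers.get(container_name)
    if target is None:
        problems.append(f"no container named {container_name}")
    else:
        ports = [m.get("containerPort") for m in target.get("portMappings", [])]
        if container_port not in ports:
            problems.append(f"{container_name} does not map containerPort {container_port}")

    for name, c in containers.items():
        # Last path segment is "repo:tag", "repo@sha256:..." or a bare "repo".
        ref = c.get("image", "").rsplit("/", 1)[-1]
        if "@sha256:" not in ref and (":" not in ref or ref.endswith(":latest")):
            problems.append(f"{name} image is not pinned to a fixed tag or digest")
        # EC2 launch type needs a task-level or container-level memory value.
        if not ("memory" in task_def or "memory" in c or "memoryReservation" in c):
            problems.append(f"{name} has no memory limit (required for the EC2 launch type)")
    return problems


if __name__ == "__main__":
    for problem in preflight(TASK_DEF, "node-app", 8080):
        print(problem)
```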
Now it is time to validate that our ECS cluster is healthy and works for the endpoints we defined. Let's go from bottom to top, which means we will first verify that the Docker container is deployed on our EC2 instance. After connecting to our EC2 instance over SSH we will verify that Docker is running.
- Verify our ECS instances are registered to the Target Group we defined.
- Verify that the Docker containers are running successfully inside the ECS instances.
- Verify that the Elastic Load Balancer forwards requests from TCP port 80 to the endpoints we implemented.
Well for the Target Group we can directly check it from AWS Console.
Secondly, we will SSH into our EC2 instance and list docker containers running inside of it.
We see our nodejs application is running and exposing port 8080. There is also another Docker container running, which is amazon/amazon-ecs-agent. This is the ECS agent we talked about before, which deploys and manages the lifecycle of Docker images on EC2 instances. If we run curl localhost:8080/hello-world we should have a successful output.
As the final verification step we will make a REST call to the /hello-world endpoint from the ELB DNS name.
curl example-elb-301999857.us-east-1.elb.amazonaws.com/hello-world should return the same result.
We built our ECS cluster by deploying Docker images from our ECR repository onto EC2 instances.