ECS, ECR & Fargate - Docker in AWS

Question 1

How is Docker different from a Virtual Machine?

Answer 1

Resources are shared with the host -> many containers on one server

Question 2

How does the EC2 Launch type work?

Answer 2

You must provision & maintain the infrastructure - the EC2 instances
- Each EC2 instance must run the ECS agent to register in the ECS cluster
- AWS starts/stops docker containers on the provisioned instances.

Question 3

How does ECS Fargate Launch type differ from EC2 Launch type?

Answer 3

You do not provision the infrastructure - no EC2 instances to manage.
- Serverless launch type

Question 4

What is the EC2 Instance Profile used by and for?

Answer 4

EC2 Launch Type only:
- Used by the ECS agent
- Makes API calls to the ECS service
- Send container logs to CloudWatch logs
- Pull Docker image from ECR
- Reference sensitive data in Secrets Manager or SSM Parameter Store

Question 5

What is the ECS Task Role?

Answer 5

• Allows each task to have a specific role (e.g., one task might fetch from S3, another from DynamoDB

Question 6

If you were to integrate ECS with a load balancer, which would be recommended out of ALB, NLB and Elastic Load Balancer and why?

Answer 6

ALB - works for most use cases
NLB - recommended only for high throughput / performance use cases, or to pair it with AWS Private Link
ELB - no advanced features, no Fargate

Question 7

What does EFS stand for?

Answer 7

Elastic File System

Question 8

What is a use case for EFS, and why not S3?

Answer 8

Persistent multi-AZ shared storage for your containers - mount the EFS onto ECS tasks (works for both launch types), and any AZ will share the same data in the file system
- S3 cannot be mounted as a file system

Question 9

What options can you scale on for ECS Application Auto Scaling?

Answer 9

• ECS service average CPU utilization
• ECS service average memory utilization (RAM)
• ALB Request count per target (metric from the ALB)

Question 10

What is Target Tracking?

Answer 10

Scale based on a target value for a Cloudwatch metric

Question 11

What is Step Scaling?

Answer 11

Scale based on a specific Cloudwatch alarm

Question 12

What is Scheduled Scaling?

Answer 12

Scale based on a specified data/time (predictable changes)

Question 13

What is the difference between ECS Service Auto Scaling and EC2 Auto Scaling?

Answer 13

ECS Service Auto Scaling - Fargate scales the number of taskst
EC2 Auto Scaling - EC2 scales the number of instances

Question 14

Describe two ways of Auto Scaling EC2 Instances

Answer 14

Auto Scaling Group Scaling:
- Scale your ASG based on CPU Utilization
- Add EC2 instances over time

ECS Cluster Capacity Provider
- Automatically provision and scale the infrastructure for you ECS tasks
- Capacity Provide is paired with an ASG
- Add EC2 instances when you’re missing capacity (CPU, RAM)

Question 15

What is ECS Rolling Update?

Answer 15

Update from V1 to V2
Set min and max percentage of healthy tasks
- ECS will scale to provide new V2 tasks
- Terminate some V1 tasks, ECS will again scale to provide new V2 tasks
- Repeat until all tasks at V2

Question 16

What are Task Definitions?

Answer 16

Metadata in JSON form to tell ECS how to run a docker container.

Question 17

What information is listed in a Task Definition?

Answer 17

• Image name
• Port Binding for Container and Host
• Memory and CPU required
• Environment variables
• Networking information
• IAM role
• Logging configuration (e.g., Cloudwatch)

Question 18

Describe how you would set up ECS for Dynamic Host Port Mapping

Answer 18

• EC2 Launch Type, ALB as Load Balancer
• Within the Task Definition, only define the container port (not the host port)
• Allow on the EC2 instance Security Group ANY PORT from the ALB’s Security Group
• ALB will find the right port on the EC2 instances

Question 19

How does Fargate manage Load balancing?

Answer 19

• Each task has a unique private IP
• Only define the container port (not host port)
• Fargate will expose that port on the private IP of each ECS task.
• ECS ENI (Elastic Network Interface) Security group needs to allow the defined port from the ALB
• ALB Security Group needs to allow 80/443 from the web.

Question 20

How do IAM Roles work with Task Definitions?

Answer 20

• One IAM Role per Task Definition
• Role is defined at the Task Definition level, not at the Service level.

Question 21

How could you provide a public URL to a Task Definition?

Answer 21

Hardcode the URL as an Environment Variable

Question 22

How could you provide sensitive data to a Task Definition?

Answer 22

SSM Parameter Store - sensitive variables (e.g., API keys, shared configs)
Secrets Manager - sensitive variables (e.g., DB passwords)

Question 23

How could you load many environment variables from a file to a Task Definition?

Answer 23

Load environment variables from an S3 bucket - bulk environment variables loading

Question 24

What is a Bind Mount?

Answer 24

A Data Volume mounted within the ECS task, allowing multiple containers in the same task definition to share data

Question 25

What Bind Mount do EC2 tasks use, and how is the data tied?

Answer 25

EC2 instance storage - data is tied to the lifecycle of the EC2 instance

Question 26

What Bind Mount do Fargate tasks use, how much data can you store, and how is the data tied?

Answer 26

Ephemeral storage - 20GiB-> 200GiB, data is tied to the container(s) using them

Question 27

What is a use case for Bind Mounts?

Answer 27

- Share ephemeral data between multiple containers - "Sidecar" container pattern, where the "sidecar" container is used to send metrics/logs to other destinations

Question 28

What is ECS Task Placement, and where is it applicable?

Answer 28

- ECS must determine where to place a new task of type EC2, with the constraints of CPU, memory and available port - The same for when a service scales in -> which task should be terminated. - Only applicable for ECS with EC2, not for Fargate

Question 29

What is the order in which ECS tries to place a task?

Answer 29

1. Identify instances that satisfy the CPU, memory and port requirements found in the task definition 2. Identify instances that satisfy the task placement constraints 3. Identifier instances that satisfy the task placement strategies 4. Select the instances for placement.

Question 30

What is the Binpack placement strategy?

Answer 30

Place tasks based on the least available amount of CPU or memory - Pack as many tasks into as small a number of instances as possible (cost savings)

Question 31

What is the Random placement strategy?

Answer 31

Place the task randomly in the instances.

Question 32

What is the Spread placement strategy?

Answer 32

Place the task evenly based on the specified value, e.g., instanceId, availability-zone (can be used to maximize availability through spreading tasks across difference AZ)

Question 33

What is the distinctInstance placement constraint?

Answer 33

Place each task on a different container instance.

Question 34

What is the memberOf placement constraint?

Answer 34

Places task on instances that satisfy an expression (defined with the Cluster Query Language, e.g., "expression":"attribute:ecs.instance-type =~ t2.*" - place only on instances that are of tier t2.)

Question 35

Where can you store Docker images in AWS?

Answer 35

ECR - Elastic Container Repository

Question 36

Describe at a high level how to log in to ECR via the CLI

Answer 36

Use AWS CLI to get login credentials from ECR, then pass these credentials into a docker login command - this will allow you to run docker commands like pull and push image.

Question 37

What does EKS stand for, and what does it do?

Answer 37

Elastic Kubernetes Service - Allows you to launch managed Kubernetes clusters on AWS.

Question 38

Why might you use EKS over ECS?

Answer 38

Kubernetes is open source, used by many cloud providers (which allows for a level of standardization).

Question 39

What is a use case for EKS?

Answer 39

Company is already using Kubernetes on-premises or in another cloud, and wants to migrate to AWS using Kubernetes

Question 40

Describe what is meant by EKS worker nodes and pods

Answer 40

Worker nodes - can be EC2 instances or Fargate serverless containers (and can be part of an ASG) EKS pods - equivalent to tasks in ECS

Question 41

What is Managed Node Groups?

Answer 41

EKS creates and manages nodes (EC2 instances) for you - Nodes are part of an ASG managed by EKS - Supports On-Demand or Spot Instances

Question 42

What is Self-Managed Nodes?

Answer 42

Nodes created by you and registered to the EKS cluster and managed by an ASH - Can use prebuilt AMI - Amazon EKS Optimized AMI - Supports On-Demand or Spot Instances

Question 43

How would you attach data volumes to an EKS cluster?

Answer 43

Need to specify StorageClass manifest on you EKS cluster - Leverages a Container Storage Interface (CSI) compliant driver