AWS certified developer associate hints. ECS, ECR, Fargate, Cloud formation, Beanstalk, SAM (part V)
Amazon ECS
EC2 Launch Type:
- Launch docker containers on aws = launch ecs tasks on ECS cluster
- EC2 Launch type: you must provision and maintain the infra
- Each EC2 instance must run ECS Agent to register in the ECS Cluster
Fargate:
- You do not provision EC2 instances
- It’s all severless
- You just create task definition
- AWS just runs ECS Tasks for you based on CPU/RAM we need
IAM Roles for ECS:
- EC2 instance profile (EC2 launch type only)
- ECS Task role (valid for both)
Data volumes:
- Mount EFS system onto ECS tasks work for both EC2 and Fargate launch types
- Tasks running in any AZ with share same data
- Fargate + EFS = Serverless
ECS Service Auto Scaling
Amazon ECS Auto Scaling uses AWS application auto scaling:
- ECS service average CPU
- ECS service average memory utilization RAM
- ALB request count per target
- Target Tracking - scale based on target value for a specific CloudWatch metric
- Step Scaling - scaling based on a specific CloudWatch Alarm
- Scheduled Scaling - scale based on a specific date/time
EC2 Launch type - auto scaling EC2 instances
- Accommodate ECS services scaling by adding underlying EC2 instances
- Auto Scaling Group Scaling (based on CPU)
- EC2 cluster capacity provider (automatically scale infra for your ECS tasks)
ECS Rolling update
- Minimum healthy and maximum healthy percent
Amazon ECS - Task Definition
Task definition are metadata in JSON.
Task definition contains:
- Image name
- Port binding for container and host
- Memory and CPU required
- Env variables
- Networking information
- IAM role
- Logging configuration
Amazon ECS - load balancing (EC2 launch type)
- We get a dynamic host port mapping if you define only the container port in the task definition (container port = 80, host port = 0)
- ALB finds correct dynamic port of a container
- You must allow on the EC2 instance security group any port from the ALB’s security group
Amazon ECS - load balancing (Fargate)
- Each task has a unique private IP
- Only define the container port (host port is not applicable)
- ENI is created for each
- One IAM Role per Task Definition
Amazon ECS - Env variables
- Hardcode
- SSM parameter store
- Secure manager
- S3 bulk env variable
Amazon ECS - Data volumes (Bind Mounts)
- Share data between multiple containers in the same task definition
- Works for both EC2 launch type and Fargate
- EC2 launch type tasks - using EC2 instance storage
- Fagraste tasks - using ephemeral storage (20-200 GiB)
ECS Taks Placement only EC2 launch type
When Amazon ECS places tasks, it uses the following process to select container instances:
- identify the instances that satisfy the CPU, memory and port requirements in the task definition
- Identify task placement constrains
- Identify task placement strategy
- Select the instance
Task pacement Strategies
- Binpack, places tasks based on the least available amount of CPU or memory (cost saving)
- Random
- Spread (instance id or AZ)
Task placement Constraints
- Distinct instance
- MemberOf (cluster query language)
Amazon ECR - Elastic container registry
- Store and manage docker images on AWS
- Private and public
- Fully integrated with ECS
- Protected by IAM
- Support vulnerability scanning , versioning, tags, image lifecycle
- Login to docker
aws ecr get-login-password —region region | docker login --username AWS — password-stdin aws_acc_id.dkr.ecr.region.amazonaws.com
- Pull/push
docker pull aws_acc_id.dkr.ecr.region.amazonaws.com/demo:latest
AWS Copilot
- CLI tool to build, release and operate production ready containerized apps
- Run your apps on AppRunner, ECS and Fargate
- Helps you focus on building apps rather than setting the infra
- Provision the infra
- Automated deployment with one command using CodePipeline
- Deploy to multiple env
- Troubleshooting, logs
Amazon EKS
- Amazon elastic kubernetes service
- Launch managed Kubernetes cluster on AWS
- Alternative to ECS
- EKS supports EC2 if you want to deploy worker nodes and Fargate to deploy server
Node Types:
- Managed node groups
- Self managed nodes
- AWS Fargate
Amazon EKS - data volumes:
- Need to specify StorageClass manifest on your EKS cluster
- Leverages a Container Storage Intefaces (CSI) complaint driver
AWS CloudFormation
Benefints:
- Infrastructure as code
- No resources are created manually
- Can be versioned using git
- Changes to infra are reviewed as code
Productivity:
- Ability to create and destroy your infrastructure
- Automated generation of diagram for your templates
- Declarative programming
Cloudformation building blocks
- Resources: AWS resources (MANDATORY)
- Parameters: dynamic inputs
- Mappings: static variables for your template
- Outputs: references for created resources
- Conditionals: list of conditions to do a resource creation
- Metadata
CloudFormation parameters
We use parameters for everything that is suppose to change in the future.
Types:
- String
- Number
- Comma delimited list
- List
- AWS Parameter
To reference the parameter you need to use Fn::Ref or !Ref
.
It’s possible to reference what’s defined in parameter declaration block and also resources from template.
Also it’s possible to use pseudo parameters, like AWS::AccountId, AWS::Region
.
CloudFormation Mappings
- Fixed variables in your CloudFormation template
- Useful to different from different env (stage, dev), or regions
Mapping:
Mapping0:
Key0:
Name: value
Key1:
Name: value
To access the mapping we need to use function Fn::FindInMap or !FindInMap [MapName, TopLevelKey, SecondLevelKey]
.
CloudFormation Outputs
Output value that we can import in another section, you need to export them first.
Enable cross stack collaboration, it’s not possible to delete the stack if the output is used in other template.
Outputs:
StackSSHSecGroup
Description: Stack ssh
Value: !Ref CreatedSSHSecrityGroup
Export:
Name: SSHSecGroup
To use it in another template we use function Fn::ImportValue or !ImportValue
.
SecurityGroup:
!ImportValue: SSHSecGroup
CloudFormation Conditions
Conditions allow to create, or not create resources based on value.
Conditions:
CreateProd: !Equals [!Ref EnvType, prod]
Fn::And
Fn::Equals
Fn::If
Fn::Not
Fn::Or
Resources:
MountPoint:
Type: AWS::EC2::VolumeAttachment
Condition:: CreateProd
CloudFomration important functions
- Fn::Ref - reference params and resources
- Fn::GetAtt - gives a list of all attributes of a resource
- Fn::FindInMap - find in mapping
- Fn::ImportValue - import value that being exported from another template
- Fn::Join - join value with a delimiter
- Fn::Sub - substitute
CloudFomration rollback
- If stack creation fails, default = rollback, but there is an option to disable rollback
- Rollback is done to the previous working state
CloudFormation notification
Can be done to SNS topic and from it to Email, Lambda and so on.
Possible to enable SNS notification and filter them by lambda function after that send to another SNS notification queue.
CloudFormation ChangeSets, Nested Stacks & StackSet
ChangeSets - gives a way to understand what changes will happen without executing the change.
NestedStack - stacks as a part of other stack, update and isolate repeated patterns and call them from other stacks.
Cross Stacks are using imports and exports, nested stacks are being reused.
StackSet - create update or delete stack through different accounts and organizations with a single operation, if you update it, all the regions/accounts/instances will be updated.
CloudFormation Drift
If something is deleted from CloudFormation resources manually (from other services) it’s possible to detect drift, by checking in CloudFormation configuration (stack actions => view drift).
It show the different between our old configuration and changes.
CloudFormation Stack Policies
Gives a way to prevent CloudFormation resources updates.
By default it’s possible to change everything.
Amazon Elastic beanstalk
Elastic beanstalk overview:
- Elastic beanstalk is a developer centric view of deploying an application on AWS
- It uses all the components like EC2, ASG, ELB, RDS
- Managed service, automatically handles capacity provisioning, load balancing, scaling, application health monitoring, instance configuration
- We still have full control over the configuration
- Beanstalk is free but we pay for the underlying instances
Elastic beanstalk components
- Application: collection of beanstalk components (environments , versions, configurations)
- Application version: an iteration of your application code
- Environment: collection of AWS resources running an application version
Supported languages
- Go
- Java
- .net
- Nodes
- Php
- Python
- Ruby
- Packer builder
- Single docker container
- Multi-docker container
- Preconfigured Docker
- Custom platform
Elastic Beanstalk deployment modes
- Single instance
- High availability with load balancer
Beanstalk deployment options for Updates
- All at once - fastest, but instances aren’t available to serve traffic for a bit
- Rolling: update a few instances at the time, and then move onto the next bucket once the first bucket is healthy
- Rolling with additional batches:like rolling but spins up new instances to move the batch
- Immutable: spins up the new instances in a new ASG, deploys version to these instances, and then swap all the instances when everything is healthy
- Blue green: create a new environment and switch over when ready
- Traffic splitting: canary deployment
Elastic Beanstalk CLI
Deployment process:
- Describe dependencies
- Package code as zip and describe dependencies
- Upload zip file or create a new app version using CLI and then deploy
- Elastic beanstalk will deploy the zip on each EC2 instance, resolve dependencies and start application
Beanstalk lifecycle policy
- Elastic beanstalk can store at most 1000 application versions
- If you don’t remove old versions you won’t be able to deploy anymore
- To phase out old application versions use a lifecycle policy (based on time or space)
- Versions that are currently used won’t be deleted
- Option not to delete the source bundle in S3 to prevent data loss
Elastic beanstalk extensions
- A zip file containing our code must be deployed to Elastic Beanstalk
- All the parameters set in UI can be configured with code using files
- In the .ebextensions/ directory in the root of source code
- YAML or JSON
- .config extensions
- Able to modify some defaults settings using option_settings
- Ability to add resources such as RDS, ElastiCache, DynamoDB
- Resources ranged by .ebextensions deleted if the environment goes away
Elastic Beanstalk Cloning
- Clone an environment with the exact same configurations
- Useful for deploying a “test” version of your application
- All resources and configuration are preserved
- After cloning possible to edit
Elastic Beanstalk Migration
Load balancer:
- After creating an Elastic beanstalk environment, you cannot change the Elastic Load balancer type only config
- create a new env with same configuration except LB
- deploy app to the new env
- shift traffic using AWS Route 53
RDS:
- RDS can be provisioned with Beanstalk, which is great for dev/test,
- this is not great for prod as the database lifecycle is tied to the Beanstalk env lifecycle
- To migrate we need to create a snapshot of RDS
- Go to the RDS and protect it from deletion
- Create a new Beanstalk env without RDS, point your application existing RDS
- Perform route 53 CNAME swap
- Terminate the old env
- Delete cloud formation stack manually
Elastic Beanstalk Single Docker
Run your application as a single docker container.
Either provide:
- Dockerfile: Elastic Beanstalk will build and run the Docker container
Or:
- Dockerrun.aws.json(v1): Describe where already build Docker image is
- Image, ports, volumes, logging
- Beanstalk in Single Docker container does not use ECS
Elastic Beanstalk Multi Docker container
- Multi docker helps run multiple containers per EC2 instance in EB
- This will create for you ECS cluster, EC2 isntances, configured to use the ECS cluster, Load Balancer
- Requires a config Dockerrun.aws.json(v2) at the root of source code
- Dockerrun.aws.json is used to generate the ECS task definition
- Your Docker images must be pre-build and stored n ECR for example
Elastic beanstalk and HTTPS
- idea: load the SSL certification onto the load balancer
- Can be done from the console (EB console, load balancer configuration)
- Can be done from the code: .ebextensions/securelisterer-alb.config
- SSL certificate can be provisioned using ACS or CLI
- Must configure a security group rule to allow incoming port 443
- Configure your instance to redirect HTTP to HTTPS
- Or configure the application load balancer
- Make sure health checks are not redirected
Web server vs Worker environment
- If you application performs tasks that are long to complete, offload these tasks to a dedicated work environment
- Decoupling your application into two tiers is common
- Example: Processing a video, zip
- You can define periodic tasks in file cron.yaml
AWS SAM Framework
- Framework for developing and deploying serverless applications
- All the configurations is YAML code
- Generate complex CloudFormation from simple SAM YAML file
- Support anything from CloudFormation
- Only two commands to deploy to AWS
- SAM can use CodeDeploy to deploy Lambda functions
SAM example
Transform header indicates it’s a SAM template:
- Transform: ‘AWS::Serverless-2016-10-31’
Write Code:
- AWS::Serverless::Function
- AWS::Serverless::Api
- AWS::Serverless:SimpleTable
Package and deploy:
aws cloudformation package / sam package
aws cloudformation deploy / sam deploy
SAM Policy Templates
- List of templates to apply permissions to your Lambda Functions
- Important examples:
S3ReadPloicy, SQSPollerPolicy, DynamoDBCrudPolicy
- SAM policy becomes IAM role
SAM CodeDeploy
- SAM framework natively uses CodeDeploy to update Lambda functions
- Traffic Shifting feature
- Pre and Post traffic hooks feature to validate deployment
- Easy & automated rollback using CloudWatch Alarams
SAM Local capabilities
Locally start an API Gateway endpoint:
sam local start-api
- Starts a local HTTP server that hosts all your functions
- Change to functions are automatically reloaded
Generate AWS events for lambda functions:
sam local generate-event
- Generate sample payloads for events sources
- S3, API Gateway, SNS, Kinesis, DynamoDB
Serverless application repository
- Managed repository for server less applications
- The applications are packaged using SAM
- Build and publish applications that can be re-used by organizations