I have been managing web apps for about 10 years. I realized a while ago that if I’m going to sleep and not spend evenings and weekends fighting fires, then three things have to be in place: deployment and rollback are automated; apps can scale based on demand; and we can easily recover from failures. Years ago we used Perl or Bash scripts to automate operations tasks, then Ruby, and then configuration management tools came along that made infrastructure automation much easier. Now we have containers that are isolated, lightweight processes that we can distribute across multiple nodes.
Platforms such as Amazon ECS (Amazon EC2 Container Service), Kubernetes, Nomad and Mesos help manage the life cycle of containers. What’s truly powerful about these platforms is that things such as rolling deployment, load balancing, service discovery and self-healing are first-class primitives. By leveraging these primitives, you can modernize existing apps to deliver a better experience for your customers.
Why use ECS?
Modern software delivery teams are smaller and cross-functional (think two-pizza rule), and ECS is a great fit for these teams since it is fast and simple to get up and running. ECS is a fully managed platform from AWS, which means you can focus on actually migrating your app rather than worrying about platform-related issues.
If you’re thinking about vendor lock-in and that you might need to migrate to a different platform or support a multi-cloud strategy with something like Kubernetes, then know that once an app is containerized, it’s relatively easy to switch to a different platform.
In this article, we’ll cover three benefits of ECS and explain how you can start making the transition today.
As I mentioned, containers are lightweight processes. With ECS, you can schedule multiple containers on the same node, which lets you achieve high density on EC2 (Amazon Elastic Compute Cloud). ECS not only deploys the containers, it also maintains their state: the service scheduler makes sure the number of tasks you asked for is always running and replaces any that stop or fail. It can also place tasks based on their CPU and memory requirements or on a placement strategy, for example binpacking tasks onto the instance with the least memory available.
It’s not like you couldn’t do this before ECS. We’ve been doing this for years, using custom automation along with configuration management to build similar functionality. But ECS gives you these features right out of the box, saving you from building them yourself.
Between higher density and the automation plumbing that is already built for you, ECS can be an incredibly cost-efficient solution.
In many organizations, the majority of unplanned work comes from variation between environments. This type of firefighting is frustrating because deployments behave differently in each environment. A container-based pipeline helps eliminate many of these issues. In fact, one of the reasons Docker gained popularity is that it simplifies packaging all of your app's dependencies into a lightweight container image that runs the same way in every environment. That lightweight nature also makes it easy to replicate production-like environments on developers' laptops, enabling a workflow that brings parity across environments.
Now we’re seeing newly hired developers spin up a local environment and start coding in a matter of hours. What’s more, AWS offers Amazon EC2 Container Registry, which lets developers pull the exact image that is running in production and share it with each other to debug issues faster. This type of agile workflow brings predictability and reduces the unplanned work behind the “it works on my machine” complaint that I am sure we’ve all heard before.
In many organizations, security is no more than a checkbox. EC2 Container Registry and ECS combine to help improve the security of your app. Here’s how:
Container registry: You can store container images in Amazon EC2 Container Registry. Images are pushed and pulled over HTTPS, and the registry encrypts them at rest automatically. You can also control who may push to or pull from each repository with AWS Identity and Access Management (IAM) users and roles and with per-repository policies.
ECS: One of my favorite ECS features is that each task can have its own IAM role, set in the task definition. This granular level of control lets you limit access and respect the “least privilege” principle. As an example, you can have two containers running on the same instance and grant only one of them access to S3. One caveat worth knowing: the task role is separate from the EC2 instance role, and a container that can reach the instance metadata endpoint (169.254.169.254) can still pick up the instance role’s credentials. Block that path, with the ECS agent’s ECS_AWSVPC_BLOCK_IMDS setting for tasks in awsvpc networking mode or with an iptables rule that drops traffic from the Docker bridge to the metadata endpoint, and keep the instance role limited to what the ECS agent itself needs, so the task role is the only identity a container actually holds.
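To make the least-privilege point concrete, here is an added example (not code from the original article or from AWS) in Python. It holds a hypothetical task definition that attaches a task role via taskRoleArn, places an over-broad S3 policy beside a scoped one, and runs a small lint that flags wildcard actions, wildcard resources and missing task roles. Every account ID, role name, bucket and prefix is made up for illustration.

```python
"""Least-privilege checks for an ECS task role.

Added example, not code from the original article.  The task definition,
ARNs, bucket and prefix below are constructed for illustration and do not
refer to any real account.
"""

# Constructed task definition fragment.  Attaching the role with
# taskRoleArn means only this task's containers receive these credentials;
# another task on the same instance can carry a different role or none.
TASK_DEFINITION = {
    "family": "report-worker",
    "taskRoleArn": "arn:aws:iam::123456789012:role/report-worker-task",
    "containerDefinitions": [
        {
            "name": "worker",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/report-worker:1.4.2",
            "memory": 256,
            "essential": True,
        }
    ],
}

# Weak setting: every S3 action on every bucket in the account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Corrected setting: read objects under one prefix of one bucket, and list
# only that prefix.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::report-input/incoming/*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::report-input",
            "Condition": {"StringLike": {"s3:prefix": ["incoming/*"]}},
        },
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return human-readable findings for Allow statements that are broader
    than least privilege: wildcard actions ('*' or 'service:*'), wildcard
    resources, or NotAction/NotResource grants.  Deny statements are skipped."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {index}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {index}: wildcard resource")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {index}: NotAction/NotResource grant")
    return findings


def task_definition_findings(task_definition):
    """Flag a task definition with no task role of its own: its containers would
    then fall through the SDK credential chain to whatever the host exposes."""
    findings = []
    if not task_definition.get("taskRoleArn"):
        findings.append("no taskRoleArn: task has no IAM identity of its own")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {policy_findings(policy) or 'no findings'}")
    print(task_definition_findings(TASK_DEFINITION) or "task definition ok")
```

Run as a script it reports two findings for the broad policy and none for the scoped one; the same functions can be pointed at policy documents pulled from your own account before a task role goes live.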
It’s also worth mentioning that an agile workflow of building and shipping containers frequently enables continuous security. In traditional environments, building servers was a manual process that typically took weeks if not months, whereas we build and ship containers all the time. So let’s say we had to respond to an OpenSSL vulnerability: rebuilding the base image and redeploying every service on top of it is a pipeline run, not a project. Which workflow will help you respond faster?
If you’re developing your container orchestration strategy, or maybe you’re stuck on next steps and are looking for more information, check out these resources.
Register for the “5 C’s” webcast series on DevOps.com that includes case studies on containers (plus CI/CD, cloud and culture).
And, if you’re looking for more technical details on ECS scheduler, take a read of this paper and let me know your comments.
About the Author / JT Giri
JT Giri, CEO & Co-founder, nClouds. JT has been solving complex DevOps and cloud challenges for Silicon Valley-based startups and enterprises for more than 10 years. A former DevOps consultant, network engineer, systems architect and sysadmin, he has deep technical skills in cloud infrastructure, cloud platforms, agile methodologies, and popular tools and practices for CI/CD. JT is a co-founder of nClouds, an AWS Advanced Consulting Partner and CIOReview’s “20 Most Promising DevOps Solution Providers – 2017.” Follow him on Twitter or connect with him on LinkedIn.