Amazon EC2 Container Service (ECS) II

Continued from the introductory post (AWS Amazon EC2 Container Service (ECS)), in this post, we'll create a simple app using json file.

Before following this post, we may need to create an ECS cluster and NLB as pre-requisites.

From this post, we'll learn how to create a task definition and a service. Also, we'll see how to make a revision for an existing application.

1. In the AWS Management Console, on the "Services" menu, click ECS.

2. In the left navigation pane, click Task Definitions.

3. Click "Create new Task Definition"

4. On the Select launch type compatibility page,

Click EC2, and then click "Next step"
5. Scroll to the bottom of the screen, then click "Configure via JSON".

   This option allows us to load a Task Definition from a configuration file rather than manually creating the definition.

6. Delete the code in the JSON panel.

   The following task definition JSON file specifies two containers that are pulled from the Docker Hub repository.

7. Copy and paste the following task definition into the JSON panel:

{
  "family": "ECS-demo",
  "containerDefinitions": [
    {
      "volumesFrom": [],
      "portMappings": [
        {
          "hostPort": 80,
          "containerPort": 80
        }
      ],
      "command": null,
      "environment": [],
      "essential": true,
      "entryPoint": null,
      "links": [],
      "mountPoints": [
        {
          "containerPath": "/usr/local/apache2/htdocs",
          "sourceVolume": "my-vol",
          "readOnly": null
        }
      ],
      "memory": 300,
      "name": "simple-app",
      "cpu": 10,
      "image": "httpd:2.4"
    },
    {
      "volumesFrom": [
        {
          "readOnly": null,
          "sourceContainer": "simple-app"
        }
      ],
      "portMappings": [],
      "command": [
        "/bin/sh -c \"while true; do echo '<html> <head> <title>Amazon ECS Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p>' > top; /bin/date > date ; echo '</div></body></html>' > bottom; cat top date bottom > /usr/local/apache2/htdocs/index.html ; sleep 1; done\""
      ],
      "environment": [],
      "essential": false,
      "entryPoint": [
        "sh",
        "-c"
      ],
      "links": [],
      "mountPoints": [],
      "memory": 200,
      "name": "busybox",
      "cpu": 10,
      "image": "busybox"
    }
  ],
  "volumes": [
    {
      "host": {
        "sourcePath": null
      },
      "name": "my-vol"
    }
  ]
}

8. Click "Save".

   We will notice that the configuration screen has been populated based upon the template.

   
   
9. Scroll to the bottom of the screen, then click "Create"

   This will register the Task Definition in the ECS-demo family.

   
   

In this section, we'll create a service definition.

1. In the left navigation pane, Click Clusters.

   In this post, we assume an "ECS-demo-Cluster" has already been created for us (with 3 t2-medium instances).

   
   

2. Click "ECS-demo-Cluster".

3. On the Services tab, click "Create" then configure:

   1. Launch type: EC2
   2. Service name: "myService"
   3. Number of tasks: "2"

   This is the number of tasks that will be launched and maintained on our cluster.

4. Scroll to the bottom of the screen, then click "Next step"

5. In the Load balancing section, configure:

   1. Load balancer type: Network Load Balancer
   2. Service IAM role: ecsServiceRole.

   This role allows Amazon ECS to register and deregister container instances on the load balancer as tasks are placed on them.

   
   
6. Click "Add to load balancer" then configure:
   1. Producer listener port: 80:TCP
      
   2. Target group name: myTargetGroup



7. In the Service discover (optional) section, for Namespace select MyPrivateDnsNamespace

8. Scroll to the bottom of the screen, then click "Next step"

9. For Set Auto Scaling (optional), click "Next step"

   note: actually, an "AutoScaling group" will be created for us, for example, "EC2ContainerService-ECS-demo-Cluster-EcsInstanceAsg" and of course with a "launch configuration", for example, "EC2ContainerService-ECS-demo-Cluster-EcsInstanceLc".

10. Review our information, then click "Create Service"

11. Click "View Service", then the details of the service we just created will be displayed.

12. Click refresh every 30 seconds until the status for each task displays as RUNNING.

13. Click the Events tab. This shows the progress of the various tasks associated with our service creation request.

14. Click the Refresh button till we get an event indicating that our service has reached a steady state.

    This may take anywhere from 3-5 minutes.

15. Click Details tab.

16. In the Details tab, click the Target Group Name. myTargetGroup should be selected.

17. Click the Targets tab.

    In the Targets tab, we can see all of the registered targets.

18. Click the Description tab.

19. On the Description tab click our load balancer name.
    It should be ECS-demo-LB.

20. Copy the DNS name of our load balancer to our clipboard.




21. Open a new browser tab, then paste the load balancer DNS name and press Enter. If everything has been configured correctly we will see the sample app displayed as shown below:

    
    

Whenever we update the Docker image of an application, we can create a new task definition with that image and deploy it to our service, one task at a time. The service scheduler creates a task with the new task definition (provided there is an available container instance to place it on), and after it reaches the RUNNING state, a task that is using the old task definition is drained and stopped. This process continues until all of the desired tasks in our service are using the new task definition.

1. Keep the sample application browser tab open. We will use it again later.

2. In the AWS Management Console, on the "Services" menu, click ECS.

3. In the left navigation pane, click Task Definitions.

4. Select ECS-demo.

5. Click "Create new revision"

   
   

6. Scroll to the bottom of the screen, then click "Configure via JSON"

7. Delete the code in the JSON pane.

8. Copy and paste the code below into the JSON pane:

   {
     "family": "ECS-demo",
     "containerDefinitions": [
       {
         "volumesFrom": [],
         "portMappings": [
           {
             "hostPort": 80,
             "containerPort": 80
           }
         ],
         "command": null,
         "environment": [],
         "essential": true,
         "entryPoint": null,
         "links": [],
         "mountPoints": [
           {
             "containerPath": "/usr/local/apache2/htdocs",
             "sourceVolume": "my-vol",
             "readOnly": null
           }
         ],
         "memory": 300,
         "name": "simple-app",
         "cpu": 10,
         "image": "httpd:2.4"
       },
       {
         "volumesFrom": [
           {
             "readOnly": null,
             "sourceContainer": "simple-app"
           }
         ],
         "portMappings": [],
         "command": [
           "/bin/sh -c \"while true; do echo '<html> <head> <title>Amazon ECS Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Thank You!</h2> <p>Your application is now running on a container in Amazon ECS.</p>' > top; /bin/date > date ; echo '</div></body></html>' > bottom; cat top date bottom > /usr/local/apache2/htdocs/index.html ; sleep 1; done\""
         ],
         "environment": [],
         "essential": false,
         "entryPoint": [
           "sh",
           "-c"
         ],
         "links": [],
         "mountPoints": [],
         "memory": 200,
         "name": "busybox",
         "cpu": 10,
         "image": "busybox"
       }
     ],
     "volumes": [
       {
         "host": {
           "sourcePath": null
         },
         "name": "my-vol"
       }
     ]
   }
   

9. Click "Save"

10. Click "Create"

    

    This will change the message displayed from Congratulations! to Thank you!.

11. In the left navigation pane, click Clusters.

12. Click "ECS-demo-Cluster".

13. On the Services tab, select "myService".

14. Click "Update" then configure:
    Revision: Select the latest revision

    

    Click "Next Step"

15. On Step 2, click "Next step"

16. On Step 3, click "Next step"

17. Click "Update Service"

    
    
    

18. Click "View Service", and this will deploy a new version of the application.

19. Click the Events tab.

20. Monitor the process of draining connections and stopping tasks.

    We can refresh the events by clicking refresh.

    We might see the message: service myService was unable to place a task because no container instance met all of its requirements.

    Because there are only four instances available this is the expected behavior. The system needs to stop the task on each instance before it can start a new one on each instance.

21. Continue to refresh occasionally until we see service myService has reached a steady state at the top of the Event list.

22. Click the Deployments tab. The Running Count should be the same as the Desired count.

23. Return to our web browser and refresh the Load Balancer's URL (DNS name).

    We should see the new version of the app that says Thank You! changed from the previous message, Congratulations!.

    
    









Update a Running Service

We can update a running service to change the number of tasks that are maintained by the service or which task definition is used by the tasks. If we have an application that needs more capacity, we can scale-up the service to use more of our container instances (if they are available). If we have unused capacity that we would like to scale-down, we can reduce the number of desired tasks in your service and free up resources.

1. In the left navigation pane, click Clusters.

2. Click "ECS-demo-Cluster".

3. On the Services tab, select "myService"

4. Click "Update" then configure:
   Number of Tasks "3"

   
   

   Click "Next step"

5. On Step 2, click "Next step"

6. On Step 3, click "Next step"

7. Review the changes and then click "Update Service"

8. Click "View Service", then the service will add an additional task.

9. Click refresh every 30 seconds until the Running count matches the Desired count.

10. Click the Events tab, then we will see an event that an additional instance was registered to myService.

11. Click the Tasks tab, we should now see 3 tasks lists.
    
    
    
    
    
    
    
    
    
    CLI samples for LB and TG

    In this case, I have a NLB listening on 6514 on TLS protocol and at the backend a logstash fargate container is running with target group TCP protocol:

    

    Pic source: Target groups for your Network Load Balancers

    
    

    Client --> TLS connection (1st connection) --> NLB (TLS offloading done) --> TCP (2nd connection) --> Target Server

    
    

    Unlike CLB and ALB, NLB with TCP listeners forwards all packets directly to its targets by rewriting the packet's destination IP address. This means that performing a telnet on the NLB listener IP address will actually telnet directly to the target.

    For TLS listener with NLB, unlike TCP, we have two two connections. This is because TLS termination on the NLB terminates a TCP connection, a new TCP connection is established between our load balancer and your targets. So, there are two separate connections (client <-> NLB, NLB <-> target) instead of a single connection seen in case of TCP listeners.

    Hence, for TCP listener with NLB, NLB will not manipulate traffic. It just acts as a pass-through.

    
    

    To get NLB's atrributes:

    $ aws elbv2 describe-listeners --region us-west-2 \
    --load-balancer-arn "arn:aws:elasticloadbalancing:us-west-2:876028479052:loadbalancer/net/my-nlb/6dd61c17af2c6324"
    {
        "Listeners": [
            {
                "ListenerArn": "arn:aws:elasticloadbalancing:us-west-2:876028479052:listener/net/my-nlb/6dd61c17af2c6324/c4eba7b60257d00c",
                "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-west-2:876028479052:loadbalancer/net/my-nlb/6dd61c17af2c6324",
                "Port": 6514,
                "Protocol": "TLS",
                "Certificates": [
                    {
                        "CertificateArn": "arn:aws:acm:us-west-2:876028479052:certificate/c999d58e-80cc-4154-9d98-031411fb84f8"
                    }
                ],
                "SslPolicy": "ELBSecurityPolicy-2016-08",
                "DefaultActions": [
                    {
                        "Type": "forward",
                        "TargetGroupArn": "arn:aws:elasticloadbalancing:us-west-2:876028479052:targetgroup/my-nlb-TG-tcp/87t7f60bb66ce235",
                        "Order": 1,
                        "ForwardConfig": {
                            "TargetGroups": [
                                {
                                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-west-2:876028479052:targetgroup/my-nlb-TG-tcp/87t7f60bb66ce235"
                                }
                            ]
                        }
                    }
                ]
            }
        ]
    }    
    

    
    

    To get the listener's protocol specifically:

    $ aws elbv2 describe-listeners --region us-west-2 --load-balancer-arn "arn:aws:elasticloadbalancing:us-west-2:876028479052:loadbalancer/net/my-nlb/6dd61c17af2c6324" --query 'Listeners[*].Protocol' 
    [
        "TLS"
    ]
    

    
    

    To get the attributes of a target group:

    $ aws elbv2 describe-target-groups \
    --target-group-arns arn:aws:elasticloadbalancing:us-west-2:876028479052:targetgroup/my-nlb-TG-tcp/87t7f60bb66ce235
    {
        "TargetGroups": [
            {
                "TargetGroupArn": "arn:aws:elasticloadbalancing:us-west-2:876028479052:targetgroup/my-nlb-TG-tcp/87t7f60bb66ce235",
                "TargetGroupName": "my-nlb-TG-tcp",
                "Protocol": "TCP",
                "Port": 6514,
                "VpcId": "vpc-0f0d9f8si777d89",
                "HealthCheckProtocol": "TCP",
                "HealthCheckPort": "traffic-port",
                "HealthCheckEnabled": true,
                "HealthCheckIntervalSeconds": 30,
                "HealthCheckTimeoutSeconds": 10,
                "HealthyThresholdCount": 3,
                "UnhealthyThresholdCount": 3,
                "LoadBalancerArns": [
                    "arn:aws:elasticloadbalancing:us-west-2:876028479052:loadbalancer/net/my-nlb/6dd61c17af2c6324"
                ],
                "TargetType": "ip"
            }
        ]
    } 
    

    
    

    To get all NLB in a region:

    $ aws elbv2 describe-load-balancers              
            --region us-west-2
            --query 'LoadBalancers[?(Type == `network`)].LoadBalancerArn | []'    
    

    
    
    
    
    
    
    
    
    What we get from NLB logs?

    I have two logs from two different sources: one is working but the other one which we're trying to degug shows the received bytes are zero.

    An app that's working:

    tls 2.0 2021-07-02T18:13:43 net/my-nlb/6dd61c17af2c6324 c4eba7b60257d00c 
    4.53.137.4:59997 10.9.1.178:6514 350077 33 57 0 
    - arn:aws:acm:us-west-2:876028479052:certificate/c999d58e-80cc-4154-9d98-031411fb84f8 
    - ECDHE-RSA-AES128-GCM-SHA256 tlsv12 - - - - -    
    

    
    

    Another app that needs to debugging:

    tls 2.0 2021-07-02T18:06:49 net/sl-nlb/6dd61c17af2c6324 c4eba7b60257d00c 
    34.67.106.79:1214 10.9.1.178:6514 231 166 57 0 
    - arn:aws:acm:us-west-2:377028479240:certificate/c999d58e-80cc-4154-9d98-031411fb84f8 
    - ECDHE-RSA-AES128-GCM-SHA256 tlsv12 - sub.mydomain.com - - -    
    

    
    

    Please check Access logs for your Network Load Balancer for access log entries.

    
    
    
    

    AWS (Amazon Web Services)

    1. AWS : EKS (Elastic Container Service for Kubernetes)
    2. AWS : Creating a snapshot (cloning an image)
    3. AWS : Attaching Amazon EBS volume to an instance
    4. AWS : Adding swap space to an attached volume via mkswap and swapon
    5. AWS : Creating an EC2 instance and attaching Amazon EBS volume to the instance using Python boto module with User data
    6. AWS : Creating an instance to a new region by copying an AMI
    7. AWS : S3 (Simple Storage Service) 1
    8. AWS : S3 (Simple Storage Service) 2 - Creating and Deleting a Bucket
    9. AWS : S3 (Simple Storage Service) 3 - Bucket Versioning
    10. AWS : S3 (Simple Storage Service) 4 - Uploading a large file
    11. AWS : S3 (Simple Storage Service) 5 - Uploading folders/files recursively
    12. AWS : S3 (Simple Storage Service) 6 - Bucket Policy for File/Folder View/Download
    13. AWS : S3 (Simple Storage Service) 7 - How to Copy or Move Objects from one region to another
    14. AWS : S3 (Simple Storage Service) 8 - Archiving S3 Data to Glacier
    15. AWS : Creating a CloudFront distribution with an Amazon S3 origin
    16. AWS : Creating VPC with CloudFormation
    17. AWS : WAF (Web Application Firewall) with preconfigured CloudFormation template and Web ACL for CloudFront distribution
    18. AWS : CloudWatch & Logs with Lambda Function / S3
    19. AWS : Lambda Serverless Computing with EC2, CloudWatch Alarm, SNS
    20. AWS : Lambda and SNS - cross account
    21. AWS : CLI (Command Line Interface)
    22. AWS : CLI (ECS with ALB & autoscaling)
    23. AWS : ECS with cloudformation and json task definition
    24. AWS Application Load Balancer (ALB) and ECS with Flask app
    25. AWS : Load Balancing with HAProxy (High Availability Proxy)
    26. AWS : VirtualBox on EC2
    27. AWS : NTP setup on EC2
    28. AWS: jq with AWS
    29. AWS & OpenSSL : Creating / Installing a Server SSL Certificate
    30. AWS : OpenVPN Access Server 2 Install
    31. AWS : VPC (Virtual Private Cloud) 1 - netmask, subnets, default gateway, and CIDR
    32. AWS : VPC (Virtual Private Cloud) 2 - VPC Wizard
    33. AWS : VPC (Virtual Private Cloud) 3 - VPC Wizard with NAT
    34. DevOps / Sys Admin Q & A (VI) - AWS VPC setup (public/private subnets with NAT)
    35. AWS - OpenVPN Protocols : PPTP, L2TP/IPsec, and OpenVPN
    36. AWS : Autoscaling group (ASG)
    37. AWS : Setting up Autoscaling Alarms and Notifications via CLI and Cloudformation
    38. AWS : Adding a SSH User Account on Linux Instance
    39. AWS : Windows Servers - Remote Desktop Connections using RDP
    40. AWS : Scheduled stopping and starting an instance - python & cron
    41. AWS : Detecting stopped instance and sending an alert email using Mandrill smtp
    42. AWS : Elastic Beanstalk with NodeJS
    43. AWS : Elastic Beanstalk Inplace/Rolling Blue/Green Deploy
    44. AWS : Identity and Access Management (IAM) Roles for Amazon EC2
    45. AWS : Identity and Access Management (IAM) Policies, sts AssumeRole, and delegate access across AWS accounts
    46. AWS : Identity and Access Management (IAM) sts assume role via aws cli2
    47. AWS : Creating IAM Roles and associating them with EC2 Instances in CloudFormation
    48. AWS Identity and Access Management (IAM) Roles, SSO(Single Sign On), SAML(Security Assertion Markup Language), IdP(identity provider), STS(Security Token Service), and ADFS(Active Directory Federation Services)
    49. AWS : Amazon Route 53
    50. AWS : Amazon Route 53 - DNS (Domain Name Server) setup
    51. AWS : Amazon Route 53 - subdomain setup and virtual host on Nginx
    52. AWS Amazon Route 53 : Private Hosted Zone
    53. AWS : SNS (Simple Notification Service) example with ELB and CloudWatch
    54. AWS : Lambda with AWS CloudTrail
    55. AWS : SQS (Simple Queue Service) with NodeJS and AWS SDK
    56. AWS : Redshift data warehouse
    57. AWS : CloudFormation
    58. AWS : CloudFormation Bootstrap UserData/Metadata
    59. AWS : CloudFormation - Creating an ASG with rolling update
    60. AWS : Cloudformation Cross-stack reference
    61. AWS : OpsWorks
    62. AWS : Network Load Balancer (NLB) with Autoscaling group (ASG)
    63. AWS CodeDeploy : Deploy an Application from GitHub
    64. AWS EC2 Container Service (ECS)
    65. AWS EC2 Container Service (ECS) II
    66. AWS Hello World Lambda Function
    67. AWS Lambda Function Q & A
    68. AWS Node.js Lambda Function & API Gateway
    69. AWS API Gateway endpoint invoking Lambda function
    70. AWS API Gateway invoking Lambda function with Terraform
    71. AWS API Gateway invoking Lambda function with Terraform - Lambda Container
    72. Amazon Kinesis Streams
    73. AWS: Kinesis Data Firehose with Lambda and ElasticSearch
    74. Amazon DynamoDB
    75. Amazon DynamoDB with Lambda and CloudWatch
    76. Loading DynamoDB stream to AWS Elasticsearch service with Lambda
    77. Amazon ML (Machine Learning)
    78. Simple Systems Manager (SSM)
    79. AWS : RDS Connecting to a DB Instance Running the SQL Server Database Engine
    80. AWS : RDS Importing and Exporting SQL Server Data
    81. AWS : RDS PostgreSQL & pgAdmin III
    82. AWS : RDS PostgreSQL 2 - Creating/Deleting a Table
    83. AWS : MySQL Replication : Master-slave
    84. AWS : MySQL backup & restore
    85. AWS RDS : Cross-Region Read Replicas for MySQL and Snapshots for PostgreSQL
    86. AWS : Restoring Postgres on EC2 instance from S3 backup
    87. AWS : Q & A
    88. AWS : Security
    89. AWS : Security groups vs. network ACLs
    90. AWS : Scaling-Up
    91. AWS : Networking
    92. AWS : Single Sign-on (SSO) with Okta
    93. AWS : JIT (Just-in-Time) with Okta