Amazon Elastic Container Service (ECS) is a fully managed container orchestration service that makes it easy to deploy, manage, and scale containerized applications. You will learn how to deploy a simple application to ECS and run it on a Fargate cluster. Fargate is a serverless service so you don’t need to worry about provisioning or maintaining EC2 instances (virtual machines). Fargate supports AWS Graviton processors so you can run containers for the Arm architecture. You will also learn how to create and configure the necessary Identity and Access Management (IAM) user and role permissions.
You should have the prerequisite tools installed before starting the Learning Path.
Any computer which has the required tools installed can be used for this section. The computer can be your desktop or laptop computer or a virtual machine.
You will need an AWS account to complete this Learning Path. Create an account if you don’t have one.
Login to your AWS account as the root user and search for IAM.
From the IAM dashboard select
Users from the left menu and click on
Add user from the top of the page.
Add user screen enter a username and select the check box before
Provide user access to the AWS Management Console. Then select
I want to create an IAM user and click
You will need access to the Amazon Elastic Container Registry (ECR) to store container images. You can create a new policy to attach to the IAM user.
To do so, select
Elastic Container Registry.
All Elastic Container Registry actions (ecr:*) under
Add ARN. Here you can select the
region and select
Any for Repository name under
This account and click on
Skip the tags by clicking
Fill in an appropriate policy name. You can use
ECR_FullAccess and select
ECS requires permissions for services such as creating ECS clusters and launching containers.
The best way to add permissions to the new IAM user is to use an Amazon managed policy to grant access.
Attach existing policies directly under
Set permissions and search for
Select the checkbox next to the policies.
Next to review and then
When you create the user you will see a confirmation screen.
Save the information in safe place. You will need it to deploy containers.
A new user is now visible on the
IAM > Users page. Click on the user and go to the
Security credentials section.
Create access key
Command Line Interface (CLI) and click on
Add a description and click
Create access key
Access key and
Secret access key, you will need them to configure the AWS CLI.
You can create a repository in ECR to store container images.
You will need the Amazon Resource Name (ARN), a unique identifier for all AWS resources, of the repository to properly tag and upload a container image.
Log in to the AWS console with the
test_user credentials you created earlier.
AWS will ask for your
Change your password when prompted.
Once you log in, search for Elastic Container Registry.
From there fill in the name of the repository as
myapp and leave the defaults for everything else.
Create Repository in the lower right of the page and your repository will be created.
You will see your repository in the list, and the ARN (here it is called a URI for universal resource identifier) which you will need to push your container image to ECR.
Copy the URI for the next step.
You can use the Nginx web server as a test application.
You can either pull the image from Docker Hub or build it from source files. The instructions below use the container image from Docker Hub.
Download the Nginx image for Arm64 platform using the below command.
docker pull arm64v8/nginx
Tag the image with the ECR URI so it can be saved to the newly created ECR repository.
docker tag arm64v8/nginx [uri]
[uri] with your respective URI
Configure CLI access to your AWS account using the access key and secret access key you saved.
Run the command below to configure the AWS CLI:
configure command will ask for the access key and secret access key you saved while creating the IAM user.
Next, generate an ECR log in token for Docker.
The ECR log in token is piped to
docker login so you can push the container image to ECR using the Docker CLI.
Make sure to replace
[your account number] with your account number.
aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin [your account number].dkr.ecr.us-east-2.amazonaws.com
If the command succeeds, you will see a
Login Succeeded message.
Use below command to push the image to the ECR repository.
docker push [your account number].dkr.ecr.us-east-2.amazonaws.com/myapp
[your account number] with your AWS account number.
Elastic Container Service and select
Elastic Container Service
From the left menu select
Clusters and then select
Name the cluster and the leave the other options with the default values.
A cluster will be created as shown below:
An ECS Task is the action that takes your container image and deploys it as a running container.
To create an ECS Task do the following:
Task Definitions from the left menu. Then select
Create new Task Definition
Enter the name of the
Task definition family in
Task definition configuration
Enter the name of your container and ARN of our image in the Image box.
You can copy this from the ECR dashboard if you haven’t already. Leave everything else with default values.
Under Environment Section, select
Operating system/Architecture as
Linux/ARM64 and leave everything else as default values.
Next in the lower right corner of the dialog.
Review everything and click on
Go to the ECS page, select Task Definitions and you should see the new task with a status of ACTIVE.
Select the task in the task definition list.
Deploy and select
Select your cluster from drop down menu of
In Networking section, select a virtual private cloud (VPC) from the list. If you are building a custom app this should be the VPC assigned to any other AWS services you will need to access from your application. For Nginx, any VPC works. Add at least one subnet.
Edit the security group. Because
Nginx runs on port 80 by default, and port 80 is open for the container, you also need to open port 80 in the security group.
Create a new security group and enter a Security group name and security group description and add a Custom TCP inbound rule that opens port 80.
Auto-assign public IP should be set to ENABLED.
With everything set up, run the task by clicking
Create in the lower right corner.
After you run the task, you will be forwarded to the Fargate-cluster page.
Last status`` of your cluster changes to RUNNING`, your app is up and running.
You may have to refresh the table a couple of times before the status is
Click on the link in the Task column and find the Public IP address in the
Configuration section of the Task page.
Enter the public IP address in your browser to see your app running.
When you are done, you’ll want to shut down your Nginx application to avoid charges.
From the ECS page select
Clusters from the left menu and select your cluster from the list of clusters.
From the table at the bottom of the page select
Check the box next to the running task and select
Stop from the dropdown menu at the top of the table.