EKS

Priority: Tier 3. Exam domains: Domain 2 (Design Resilient Architectures), Domain 3 (Design High-Performing Architectures).

Amazon Elastic Kubernetes Service (EKS) is a managed Kubernetes service that simplifies running Kubernetes on AWS, with compute capacity options including managed nodes, self-managed nodes, and serverless Fargate. EKS, along with Amazon Elastic Container Service (ECS), is well suited to microservices and containerized applications, offering scalability and reduced operational overhead.

Learning Objectives

Amazon Elastic Kubernetes Service (EKS)

EKS is AWS's managed service for running Kubernetes applications.

Amazon Elastic Kubernetes Service (EKS) is a managed Kubernetes service. It is designed for orchestration of Kubernetes-specific workloads in AWS. EKS is ideal for microservices, allowing code reuse, independent team ownership, and easy scaling. Compared to Docker, EKS is more complex and adds operational overhead.
The EKS control plane endpoint can be configured as public (internet accessible) or private (VPC traffic only). EKS supports various node types for compute capacity.
Managed Nodes are EC2 instances for Kubernetes clusters whose provisioning and lifecycle management (updates, scaling, termination) are automated by AWS.
Self-Managed Nodes are EC2 instances where the user retains most of the management responsibilities.
AWS Fargate provides a serverless compute engine for EKS, which removes the need to manage the underlying infrastructure.
EKS clusters can utilize various AWS storage services.
Technical Specs: EBS, EFS, S3, FSx
IRSA (IAM Roles for Service Accounts) is an EKS feature that associates an IAM role with a Kubernetes service account, granting individual pods permissions to call AWS service APIs without sharing the node's instance role.
For EKS, cost can be optimized by using specific pricing models for compute. Using Spot Instances in an Amazon EKS Managed Node Group is recommended for stateless, disruption-tolerant containerized applications.
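The IRSA binding described above, as an added example that is not from the original page: it builds the IAM trust policy that lets one Kubernetes service account assume a role through the cluster's OIDC provider, the annotated ServiceAccount manifest, and a check that the trust policy is scoped to a single subject. The account id, region, OIDC issuer id, namespace and names are constructed placeholders.

```python
"""Build the IAM trust policy and ServiceAccount manifest for one IRSA binding.
Added example, not from the original page; account id, region, OIDC issuer id,
namespace and service-account names are constructed placeholders."""

def oidc_provider_host(region: str, oidc_id: str) -> str:
    # Issuer host of the cluster's OIDC identity provider (no scheme).
    return f"oidc.eks.{region}.amazonaws.com/id/{oidc_id}"

def irsa_trust_policy(account_id: str, region: str, oidc_id: str,
                      namespace: str, service_account: str) -> dict:
    """Trust policy that lets exactly one service account assume the role.
    :sub pins the role to a single namespace/service account (a wildcard
    would let any pod in the cluster assume it); :aud rejects tokens
    issued for other audiences."""
    host = oidc_provider_host(region, oidc_id)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{host}:aud": "sts.amazonaws.com",
            }},
        }],
    }

def irsa_service_account(namespace: str, name: str, role_arn: str) -> dict:
    # EKS reads this annotation to inject the role ARN and a projected
    # web-identity token into pods that run under the service account.
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"namespace": namespace, "name": name,
                         "annotations": {"eks.amazonaws.com/role-arn": role_arn}}}

def trust_policy_is_scoped(policy: dict) -> bool:
    """Defender check: each statement must pin :sub and :aud with no wildcard."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        keys = {**cond.get("StringEquals", {}), **cond.get("StringLike", {})}
        subs = [v for k, v in keys.items() if k.endswith(":sub")]
        auds = [v for k, v in keys.items() if k.endswith(":aud")]
        if not subs or not auds or any("*" in s for s in subs):
            return False
    return True
```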

Amazon Elastic Container Service (ECS)

ECS is AWS's managed service for running Docker containers.

Amazon Elastic Container Service (ECS) is a highly scalable, high-performance container orchestration service designed for launching and managing Docker containers on AWS compute. It is ideal for microservices, allowing code reuse, independent team ownership, and easy scaling.
With the EC2 launch type, containers run on EC2 instances that you manage.
AWS Fargate is a serverless compute engine for ECS, which allows you to run containers without having to manage servers or clusters.
ECS integrates with Network Load Balancers (NLBs) and Application Load Balancers (ALBs) to distribute incoming traffic. ALB Target Groups can be configured to target Amazon ECS or AWS Fargate tasks.
ECS services support Auto Scaling to dynamically adjust the number of tasks or instances based on demand.
The Task Role is an IAM role assigned to the containers in a task, enabling the application code to perform AWS actions.
The Task Execution Role is an IAM role that grants permissions to the ECS agents and services (e.g., to pull container images from ECR).
Sensitive information can be securely passed to ECS tasks by referencing secrets stored in Secrets Manager or Parameter Store using `valueFrom`.
Technical Specs: `valueFrom` to Secrets Manager or Parameter Store
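The task-role/execution-role split and the `valueFrom` secret reference described above, as an added example that is not from the original page: it builds a Fargate task definition in which secrets are referenced rather than embedded, and lints task definitions for secret-looking plaintext environment variables and a task role that is identical to the execution role. The account id, ARNs, image tag and secret names are constructed placeholders.

```python
"""Build an ECS task definition that resolves secrets with valueFrom, and lint
task definitions for the secret-handling mistakes the text warns against.
Added example, not from the original page; the account id, ARNs, image tag
and secret names are constructed placeholders."""
import re

# Environment-variable names that usually mean a secret is being passed in the clear.
SECRET_NAME_HINT = re.compile(r"(password|secret|token|api[_-]?key)", re.I)

def task_definition(account_id: str, region: str) -> dict:
    secret_arn = f"arn:aws:secretsmanager:{region}:{account_id}:secret:prod/db-password-AbCdEf"
    param_arn = f"arn:aws:ssm:{region}:{account_id}:parameter/prod/api-key"
    return {
        "family": "orders-api",
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",
        "cpu": "256", "memory": "512",
        # Execution role: used by the ECS agent to pull the image from ECR and
        # read the secrets below. Task role: used by the application code.
        "executionRoleArn": f"arn:aws:iam::{account_id}:role/orders-api-exec",
        "taskRoleArn": f"arn:aws:iam::{account_id}:role/orders-api-task",
        "containerDefinitions": [{
            "name": "api",
            "image": f"{account_id}.dkr.ecr.{region}.amazonaws.com/orders-api:1.4.2",
            # Non-sensitive configuration may stay in environment.
            "environment": [{"name": "DB_HOST", "value": "db.internal"}],
            # Sensitive values are referenced, not embedded: ECS injects them
            # at launch and they never appear in the task definition itself.
            "secrets": [
                {"name": "DB_PASSWORD", "valueFrom": secret_arn},
                {"name": "API_KEY", "valueFrom": param_arn},
            ],
        }],
    }

def lint_secrets(td: dict) -> list:
    """Return findings for secret-looking plaintext env vars and shared roles."""
    findings = []
    if td.get("taskRoleArn") and td.get("taskRoleArn") == td.get("executionRoleArn"):
        findings.append("taskRoleArn equals executionRoleArn: app code inherits agent permissions")
    for c in td.get("containerDefinitions", []):
        for env in c.get("environment", []):
            if SECRET_NAME_HINT.search(env["name"]):
                findings.append(f"{c['name']}: {env['name']} is passed as a plaintext environment value")
    return findings
```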
ECS on AWS Fargate is considered ideal for running containerized applications efficiently while minimizing operational overhead. For applications scaling to 5,000+ users, migration to serverless or ECS is a consideration.
A container-based architecture option can use Amazon ECS Fargate for compute, an Application Load Balancer for load balancing, Amazon RDS PostgreSQL for the database, and Amazon S3 for static assets. This setup uses a VPC with private subnets and a NAT Gateway. For 50 users, Fargate compute could be 2 tasks with 0.25 vCPU and 0.5 GB each.
Technical Specs: Compute: Amazon ECS Fargate (2 tasks × 0.25 vCPU, 0.5 GB)
For 50 users, this architecture can cost $40-90/month, with Fargate at $17.77, ALB at $16.78, RDS at $15.72, and NAT Gateway as the biggest cost at $32.85. Optimized with VPC Endpoints, the cost can be $40-50/month. Pros include a familiar architecture, predictable costs, SQL database flexibility, minimal code changes, and Docker portability. Cons include a higher baseline cost ($40-90/month), the NAT Gateway cost trap, more moving parts (VPC, subnets, security groups), and being over-provisioned for a small scale.
Technical Specs: Cost: $40-90/month (50 users) - Fargate: $17.77, ALB: $16.78, RDS: $15.72, NAT Gateway: $32.85 (biggest cost). Optimized with VPC Endpoints: $40-50/month.
This architecture is suitable when the team is familiar with Docker and PostgreSQL, the budget allows for $40-90/month, there's a plan to scale to 1,000+ users soon, long-running requests (>30 seconds) are needed, and database query flexibility is desired.

Amazon Elastic Container Registry (ECR)

ECR is AWS's fully managed Docker container registry.

Amazon Elastic Container Registry (ECR) is a fully managed Docker container registry for storing, managing, and deploying Docker images. It supports both public and private access for image repositories and integrates seamlessly with ECS and EKS for container deployment.
ECR allows the configuration of lifecycle rules to automate the expiration and cleanup of old images, which helps manage storage costs.
The 'Scan on Push' feature enables vulnerability scanning for container images automatically as they are pushed to ECR.
ECR performs vulnerability detection by scanning for known vulnerabilities in operating system packages (such as Amazon Linux, Ubuntu, Debian, RHEL) within container images. It also scans programming-language package dependencies. Findings are generated for container images running on unsupported or discontinued operating systems. This scanning occurs in real time as container images are pushed to ECR, and no separate agent is needed.

Hybrid and Migration Tools for Containers

AWS provides tools to manage containerized applications across hybrid environments and migrate existing applications to containers.

ECS Anywhere extends Amazon ECS to manage container-based applications outside the AWS cloud, standardizing management across diverse environments.
EKS Anywhere allows users to manage Kubernetes clusters on-premise using the same tools and methods as EKS in the cloud.
The EKS Connector provides full lifecycle management for multiple Kubernetes clusters, including those operating independently of AWS.
App2Container (A2C) is a CLI tool designed for lifting and shifting existing applications into containers. It supports deployment to ECS, EKS, and App Runner.
Technical Specs: CLI tool

Security and Monitoring for Container Workloads

AWS offers services to enhance the security posture and provide monitoring for containerized applications.

Amazon Inspector is an automated security assessment service that continuously assesses ECR container images for software vulnerabilities and potential network exposures. It can also map ECR container images to the running containers across Amazon ECS or EKS.
Amazon FSx for NetApp ONTAP and Amazon FSx for OpenZFS are compatible with EC2, ECS, and EKS, enabling their use with containerized workloads.

Exam Tips

Glossary

Container Orchestration
The automated management of containers, including deployment, scaling, networking, and availability.
Microservices
An architectural style that structures an application as a collection of loosely coupled services.
Managed Node Group
An Amazon EKS feature that automates the provisioning and lifecycle management (updates, scaling, termination) of EC2 instances for Kubernetes clusters.
Fargate
A serverless compute engine for Amazon ECS and Amazon EKS that allows you to run containers without having to manage servers or clusters.
IAM Roles for Service Accounts (IRSA)
An Amazon EKS feature that allows you to associate an IAM role with a Kubernetes service account to provide fine-grained permissions to pods.
Container Registry
A repository for storing and managing Docker container images.
SaaS
Software as a Service.

Key Takeaways
