Docker Containers & ECS Flashcards

(52 cards)

1
Q

What is a Container?

A

Lightweight, isolated, & portable software package that bundles application & all dependencies (code, runtime, system tools, libraries, & settings) into single, consistent unit.

2
Q

What does every VM/instance need?

A

Operating System

Uses significant resources

3
Q

What are features of Docker Containers?

A
  • Utilize containerization to package application & dependencies into 1 container image
  • Provides Docker Hub (cloud-based registry service for sharing container images & automating workflows)
  • lightweight b/c share host system’s kernel
  • Ideal for microservices architectures & building cloud-native applications
4
Q

What are Cloud-Native Applications?

A

Software built to run in cloud leveraging features s/a:
- scalability
- elasticity
- resilience to enable rapid development, deployment, & updates

5
Q

What is Microservices Architecture?

A
  • Applications structured as loosely coupled, independently deployable services, each running own process
  • Code runs in Docker containers & Lambda functions for:
    • isolation
    • elasticity
    • cost-efficiency
6
Q

What are Attributes to Microservices?

A
  • Use of APIs
  • Independently deployable code blocks
  • Business-oriented architecture
  • Flexible use of technologies
  • Speed & agility
7
Q

What are Benefits to Microservices?

A
  • Easier integrations b/w application components (assists w/ loose coupling)
  • Scalable & maintained independently
  • Development organized around business capabilities (teams may be cross-functional & services may be reused)
  • Each microservice can be written using different technologies (ex: Programming Languages)
  • Deploys & updates fast. Easy to include high availability & fault tolerance for each microservice
8
Q

What is an Amazon ECS?

Amazon ECS

A

Fully managed container orchestration service that simplifies deploying & managing containerized applications on AWS cloud.

9
Q

What is ECS Services?

Amazon ECS

A

Used to maintain desired count of tasks

10
Q

What is an ECS Task?

Amazon ECS

A

Running Docker container

11
Q

What can be stored in Amazon ECR?

Amazon ECS

A

Docker Images

12
Q

What is an ECS Cluster?

Amazon ECS

A

Logical groupings of tasks & services

13
Q

What is Amazon Elastic Container Registry (ECR)?

Amazon ECS

A

Fully managed Docker container registry that is easy to store, share, & deploy container images.

14
Q

What are ECS Key Features?

Amazon ECS

A
  • Serverless w/ Fargate: managed & fully scalable
  • Fully managed container orchestration - managed control plane
  • Docker Support - run & manage Docker containers w/ Docker Compose CLI integrated
  • Windows Container Support - Windows containers supported management
  • Elastic Load Balancing Integration - distribute traffic across containers using ALB or NLB
  • ECS Anywhere - use of ECS control plane to manage on-premises implementations enabled
15
Q

What are ECS Components?

Amazon ECS

A
  • Cluster - logical grouping of tasks or services
  • Container Instance - EC2 instance running ECS agent
  • Task Definition - Blueprint that describes how docker container should launch
  • Task - Running container using settings in task definition
  • Image - Docker image referenced in task definition
  • Service - Defines long running tasks - can control task count w/ Auto Scaling & attach ELB
16
Q

What are Features of ECS Images?

Amazon ECS

A
  • Containers created from read-only template (Image) which has instructions for Docker container
  • Images built from Dockerfile
  • Only Docker containers supported
  • Images stored in registry (ex: DockerHub, ECR)
  • ECR - secure, scalable & reliable managed AWS Docker registry service
  • Supports private Docker repos w/ resource-based permissions using IAM to access repos & images
  • Use Docker CLI to push, pull, & manage images
17
Q

What are ECS Tasks & Task Definitions?

Amazon ECS

A

Task Definition - required to run Docker containers in ECS
- JSON formatted Text File that describes maximum of 10 containers
- use Docker images to launch containers

18
Q

What are EC2 Launch Types?

Amazon ECS

A
  • You explicitly provision EC2 Instances
  • Responsible for managing EC2 Instances
  • Charged per running EC2 Instances
  • EFS, FSX, EBS integration
  • Handle cluster optimization
  • More granular control over infrastructure
19
Q

What are Fargate Launch Types?

Amazon ECS

A
  • Automatically provision resources
  • Provisions & manages compute
  • Charged for running tasks
  • EFS integration only
  • Fargate handles cluster optimization
  • Limited Control
20
Q

What are features of ECS & IAM Roles?

Amazon ECS

A
  • container instance - IAM role provides permissions to host
  • ECS Task IAM role provides permissions to container
21
Q

What are ECS & IAM roles?

Amazon ECS

A
  • ECS container instance IAM role - used by EC2 & external instances to provide permissions to container agent to call AWS APIs
  • Task IAM role - permissions granted in IAM role are assumed by containers running in task
  • ECS task execution IAM role - task execution role grants ECS container & Fargate agents permissions to make AWS API calls on your behalf
  • ECS infrastructure IAM role - allows ECS to manage infrastructure resources in your clusters on your behalf (ex: EBS volumes)
  • ECS Anywhere IAM role - On-premises servers or VMs require an IAM role to communicate w/ AWS APIs
  • ECS CodeDeploy IAM Role - CodeDeploy service needs permissions to update ECS when performing blue/green deployments
  • ECS EventBridge IAM Role - Use ECS scheduled tasks w/ EventBridge rules & targets, EventBridge service needs permissions
22
Q

What does container instance IAM role do?

Amazon ECS

A

Provides permissions to host

23
Q

What does ECS task IAM role do?

A

Provides permissions to container

24
Q

True or False

With Fargate launch type only IAM task roles can be applied

Amazon ECS

25
What are other features of **ECS** & **IAM Roles**? ## Footnote **Amazon ECS**
- Container can only retrieve credentials for IAM role that is defined in task definition to which it belongs
- Container never has access to credentials that are intended for another container that belongs to another task
- Tasks not prevented from accessing credentials supplied to IAM instance role when using EC2 instances
26
What are types of Auto Scaling for ECS? ## Footnote **Scaling Amazon ECS**
- **Service Auto Scaling**
  - automatically adjusts desired task count using Application Auto Scaling service
  - supports target tracking, step, & scheduled scaling policies
- **Cluster Auto Scaling**
  - uses Capacity Provider to scale number of **EC2 cluster** instances using EC2 Auto Scaling
27
What are features of **Service Auto Scaling**? ## Footnote **Scaling Amazon ECS**
- **Target Tracking Scaling Policies** - Change number of tasks that service runs based on target value for specific **CloudWatch** metric
- **Step Scaling Policies** - Change number of tasks that service runs in response to **CloudWatch** alarms
  - Based on set of scaling adjustments (step adjustments) which vary based on size of alarm breach
- **Scheduled Scaling** - Change number of tasks that service runs based on date & time
28
What is **Capacity Provider Reservation** metric? ## Footnote **Scaling Amazon ECS**
Measures total percentage of cluster resources needed by all ECS workloads in cluster
29
What is **ASG** linked to? ## Footnote **Scaling Amazon ECS**
ECS using **Capacity Provider**
30
What are features of **Cluster Auto Scaling**? ## Footnote **Scaling Amazon ECS**
- Uses **Capacity Provider**
- **Capacity Provider** can be associated w/ **EC2 Auto Scaling Group** (ASG)
- ASG can automatically scale using:
  - **Managed Scaling** - w/ automatically-created scaling policy on ASG
  - **Managed instance termination protection** - enables container-aware termination of instance in ASG when scale-in happens
31
What are rules of **Amazon ECS w/ ALB**? ## Footnote **Amazon ECS with ALB**
- **Dynamic Port** allocated on host
- Each **task** running web service on **port 80**
- All connections to web services coming into **HTTP listener** (port 80)
- **NAT gateway** required for tasks in **private subnets** to access internet
32
What is **Amazon Elastic Kubernetes Service (EKS)**? ## Footnote **Amazon Elastic Kubernetes Service (EKS)**
Managed service for running Kubernetes applications in cloud or on-premises
33
What is **Kubernetes**? ## Footnote **Amazon Elastic Kubernetes Service (EKS)**
Open-source system for automating deployment, scaling, & management of containerized applications ## Footnote Use when need to **standardize** container orchestration across multiple environments using **managed Kubernetes** implementation
34
What are features of **EKS**? ## Footnote **Amazon Elastic Kubernetes Service (EKS)**
- **Hybrid Deployment** - manage Kubernetes clusters & applications across hybrid environments (AWS + On-premises)
- **Batch Processing** - run sequential or parallel batch workloads on your EKS cluster using Kubernetes Jobs API
  - **Plan**, **Schedule** & **execute** batch workloads
- **Machine Learning** - use Kubeflow w/ EKS to model your machine learning workflows & efficiently run distributed training jobs using latest EC2 GPU-powered instances, including Inferentia
- **Web Applications** - build web applications that automatically scale & run in highly available configuration across multiple AZs
35
What are two EKS types of Auto-Scaling? ## Footnote **Amazon Elastic Kubernetes Service (EKS)**
- Vertical Pod Autoscaler
- Horizontal Pod Autoscaler
36
What is **Vertical Pod Autoscaler**? ## Footnote **Amazon Elastic Kubernetes Service (EKS)**
Automatically adjusts **CPU** & **Memory** reservations for your pods to help "right size" your applications
37
What is **Horizontal Pod Autoscaler**? ## Footnote **Amazon Elastic Kubernetes Service (EKS)**
Automatically scales number of pods in deployment, replication controller, or replica set based on resource's CPU utilization
38
What types of **Cluster Auto Scaling** products? ## Footnote **Amazon Elastic Kubernetes Service (EKS)**
- Kubernetes Cluster Autoscaler
- Karpenter open source autoscaling projects

Cluster autoscaler uses AWS scaling groups, while Karpenter works direct
39
What are features of **EKS** & **Elastic Load Balancing**? ## Footnote **Amazon Elastic Kubernetes Service (EKS)**
- Supports NLBs & ALBs
- AWS Load Balancer Controller manages ELBs for Kubernetes cluster
- Install Load Balancer Controller using Helm V3 or later by applying Kubernetes manifest
- Controller provisions following resources:
  - ALB when Kubernetes Ingress created
  - NLB when Kubernetes service type **LoadBalancer**
- W/ Load Balancer Controller version 2.3.0, you can create NLB using either target type
40
What is **Amazon EKS Distro**? ## Footnote **Amazon Elastic Kubernetes Service (EKS)**
Kubernetes distribution w/ same dependencies as Amazon EKS
41
What are features of **Amazon EKS Distro**? ## Footnote **Amazon Elastic Kubernetes Service (EKS)**
- Allows you to manually run Kubernetes clusters anywhere
- Includes binaries & containers of open-source Kubernetes, etcd, networking, & storage plugins, tested for compatibility
- Can securely access releases as open source on **GitHub** or via **S3** & **ECR**
- Alleviates need to track updates, determine compatibility, & standardize on common Kubernetes version across distributed teams
- Create clusters in AWS on **EC2** & on-premises hardware using your choice of tooling
42
What are features of **Amazon ECS** & **EKS Anywhere**? ## Footnote **Amazon Elastic Kubernetes Service (EKS)**
- Run on customer-managed infrastructure
- Customers can run on their own on-premises infrastructure on bare metal services
- Can deploy using VMWare vSphere
43
What is **Amazon Elastic Container Registry (ECR)**? ## Footnote **Amazon Elastic Container Registry (ECR)**
Fully-managed container registry
44
What are features of **Amazon Elastic Container Registry (ECR)**? ## Footnote **Amazon Elastic Container Registry (ECR)**
- Integrated w/ **ECS** & **EKS**
- Supports **Open Container Initiative** (**OCI**) & **Docker Registry HTTP API V2 standards**
- Can use Docker tools & Docker CLI commands s/a:
  - **push**
  - **pull**
  - **list**
  - **tag**
- Accessible from any Docker environment:
  - cloud
  - on-premises
  - local machine
- Container images & artifacts stored in **S3**
- Use **namespaces** to organize repositories
- Public repositories allow access to container images
- Access control applies to private repositories
  - **IAM access control**
  - **Resource-based policies**
45
What is **IAM access control**? ## Footnote **Amazon Elastic Container Registry (ECR)**
Set policies to define access to container images in private repositories
46
What are **Resource-based policies**? ## Footnote **Amazon Elastic Container Registry (ECR)**
Access control down to individual API action s/a:
- **create**
- **list**
- **describe**
- **delete**
- **get**
47
What are **Amazon ECR Components**? ## Footnote **Amazon Elastic Container Registry (ECR)**
- **Registry** - ECR private registry provided to each AWS account
  - one or more repositories can be created in registry & images can be stored
- **Authorization token** - client must authenticate to ECR registries as AWS user b/f images can be pushed and pulled
- **Repository** - contains following:
  - Docker images
  - OCI images
  - OCI compatible artifacts
- **Repository policy** - control access to your repositories & images w/in them w/ repository policies
- **Image** - Container images can be pushed & pulled to repositories
48
What are features of **ECR**? ## Footnote **Amazon Elastic Container Registry (ECR)**
- **Lifecycle Policies** - manage lifecycle of images in repos
- **Image Scanning** - identify software vulnerabilities in container images
- **Cross-Region & Cross-Account Replication** - replicate images across accounts/Region
- **Pull through cache rules** - cache repos in remote public registries in private ECR registry
49
What are rules for pushing an Image to Private Repository? ## Footnote **Amazon Elastic Container Registry (ECR)**
Users must have these IAM permissions:
- CompleteLayerUpload
- GetAuthorizationToken
- UploadLayerPart
- InitiateLayerUpload
- BatchCheckLayerAvailability
- PutImage

## Footnote **Resource** element can also be used to scope to specific repository ARN
50
What is process to push Image to Private Repository? ## Footnote **Amazon Elastic Container Registry (ECR)**
1. Authenticate Docker client to ECR
2. Tag image w/ ECR registry, repo, & image tag name to use
3. Push image using docker push command
51
What is **AWS App Runner**? ## Footnote **AWS App Runner**
Fully managed service for deploying **containerized** web apps & APIs
52
What type of solution is **App Runner**? ## Footnote **AWS App Runner**
**PaaS**