This is the first part of our article series on Docker on AWS.
AWS provides two different services which help to run and manage Docker containers in the cloud: Amazon EC2 Container Service (ECS) and EC2 Container Registry (ECR). To run Docker containers in AWS, however, these two services are not strictly necessary. It is still possible to manage a Docker environment by relying on EC2 instances alone. To achieve this, you would simply need to install Docker directly on an EC2 instance. As soon as you want to manage whole applications shipped as Docker containers, or in general manage a fleet of Docker containers, you will want to rely on tools that allow you to manage a larger number of containers. Besides ECS and ECR, there are of course other orchestration tools available, such as the open source tool Kubernetes or Docker Compose. However, using ECS and ECR also has distinct advantages, especially relating to integration with other Amazon services. First of all, both of these services are integrated with Amazon’s IAM service (Identity and Access Management). Secondly, ECS allows you to run containers behind an Elastic Load Balancer (ELB).
So firstly, we want to describe these two services and the features they offer:
Amazon EC2 Container Service (ECS):
Amazon ECS is a managed service provided by AWS to manage clusters of EC2 instances, all of which run Docker as well as the Amazon ECS container agent (in order to manage the EC2 instances in the cluster). This makes life easier, as container-based applications can be quickly set up via the command line or via the API directly. When starting to use ECS, one challenge is the somewhat different terminology used by AWS. In the following I am going to iterate over the most important concepts used in ECS.
A cluster is a management unit that allows you to manage a group of EC2 instances that have the ECS agent installed (each referred to as a container instance). Whenever you set up a new container instance, you must specify the cluster to which the container instance will be registered. To start working with a cluster, it is enough to have a single container instance registered to that cluster. On a cluster, it’s possible to run multiple tasks and thus multiple applications.
A container instance is basically an EC2 instance that runs Docker and the ECS container agent. Therefore, a container instance is the “host” on which the Docker container runs.
Do not confuse a container with a container instance. Whereas the container instance refers to the EC2 instance, which is part of a cluster, a container is a single Docker container that is started via a task.
A task definition is basically a JSON description of an application, which can be run on one or more container instances within a cluster. This includes the Docker images, which are part of the application, along with settings such as the memory and CPU resources assigned to a container, or the ports mapped to a container.
Based on the task definition, a new task can be set up. A task is basically an application running on a container instance, consisting of one or more Docker images. Although several instances of a task definition can run on multiple container instances, on a single container instance only one instance of a given task definition can run simultaneously. Another constraint is that currently all containers of a task need to run on the same container instance.
In ECS, a service consists of a certain number of instances of a particular task. This gives your application both availability and scalability. As an example, imagine a web application which consists of different instances of the web server running on different container instances. Besides setting up a certain number of tasks, a service also helps with the monitoring of existing tasks. Should a task fail or stop running for whatever reason, a new task is automatically set up again.
EC2 Container Registry (ECR):
The second service offered by Amazon to manage a Docker environment is the EC2 Container Registry. If you already have experience with Docker, you will most likely know Docker Hub. Both of these act as a registry for Docker container images. In general, a registry is used to host and distribute container images. For running Docker on AWS with ECS, it is not mandatory to use ECR; you could just as well use Docker Hub (either as a public or a private registry). One advantage of ECR is that it integrates nicely with ECS. Besides, it also allows using IAM (Amazon’s Identity and Access Management service) for authentication and permission management.
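The task definition described above names the images, the memory and CPU settings and the port mappings of an application, and the registry paragraph explains that only ECR images fall under IAM. The following is an added example, not code from the article or from AWS: it reviews a constructed task definition for those points, and the choice of checks, the function name and the sample account ID, region and image names are assumptions.

```python
import json
import re

# Constructed sample task definition (not from the article); the account ID,
# region, repository and image names are placeholders.
TASK_DEFINITION = json.loads("""
{
  "family": "web-app",
  "containerDefinitions": [
    {"name": "web",
     "image": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/web:1.4.2",
     "cpu": 256, "memory": 512,
     "portMappings": [{"containerPort": 8080, "hostPort": 80}]},
    {"name": "cache",
     "image": "redis",
     "portMappings": [{"containerPort": 6379}]}
  ]
}
""")

# ECR image URIs have the form <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag]
ECR_HOST = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/")


def review_task_definition(task_def):
    """Return a list of (container name, finding) tuples for one task definition."""
    findings = []
    for c in task_def.get("containerDefinitions", []):
        name, image = c.get("name", "<unnamed>"), c.get("image", "")
        if not ECR_HOST.match(image):
            findings.append((name, "image is not from ECR, so IAM does not govern access to it"))
        # The tag is whatever follows ':' in the final path segment of the image name.
        last = image.rsplit("/", 1)[-1]
        tag = last.split(":", 1)[1] if ":" in last else ""
        if "@sha256:" not in image and tag in ("", "latest"):
            findings.append((name, "image tag is missing or 'latest'"))
        if "memory" not in c and "memoryReservation" not in c:
            findings.append((name, "no memory limit set"))
        for pm in c.get("portMappings", []):
            if pm.get("hostPort"):  # 0 or absent means no fixed host port
                findings.append((name, f"fixed host port {pm['hostPort']} on the container instance"))
    return findings


if __name__ == "__main__":
    for name, finding in review_task_definition(TASK_DEFINITION):
        print(f"{name}: {finding}")
```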