Q: What is Amazon ECS Anywhere?
Amazon ECS Anywhere is a feature of Amazon ECS that enables you to run and manage container-based applications on-premises, including on your own virtual machines (VMs) and bare metal servers. With ECS Anywhere, you do not need to install or operate local container orchestration software, thus reducing operational overhead. ECS Anywhere offers a completely managed solution that enables you to standardize container management across all of your environments.
Q: Why should I use ECS Anywhere?
As a fully managed and highly scalable container orchestration solution, Amazon ECS makes it easy for you to run container-based applications on different types of compute capacity such as AWS Fargate and AWS Graviton2-powered instances as well as servers in your own data centers. ECS Anywhere extends the reach of Amazon ECS to provide you with a single management interface for all of your container-based applications, irrespective of the environment they’re running in. As a result, you have a simple, consistent experience when it comes to cluster management, workload scheduling, and monitoring for both the cloud and on-premises. With ECS Anywhere, you do not need to install and maintain any container orchestration software, thus removing the need for your team to learn specialized knowledge domains and skillsets for disparate tooling. ECS Anywhere makes it easy for you to run your applications in on-premises environments as long as desired and then migrate to the cloud with a single click at any time.
Q: Which platforms and operating systems does ECS Anywhere support?
You can use ECS Anywhere with any VM (e.g., running on VMware, Microsoft Hyper-V, or OpenStack) or bare metal server running a supported operating system (OS). The ECS agent, software that allows a host to connect with the ECS control plane, is supported and tested for the long-term support (LTS) releases of Amazon Linux 2, Bottlerocket, Ubuntu, RHEL, SUSE, Debian, CentOS, and Fedora.
Q: Can I use ECS Anywhere with VMware Cloud on AWS (VMC)?
Yes; you can use ECS Anywhere with VMC. You can use the ECS-optimized Amazon Linux variants of VMware Virtual Machine Disk (VMDK) to launch instances. These ECS-optimized VMDKs are pre-configured with the latest version of the ECS agent, Docker daemon, and Docker runtime dependencies.
Q: How do I connect on-premises compute with AWS to use ECS Anywhere?
- Ensure the VMs/bare metal servers have a stable internet connection.
- Log in to the ECS management console and get an activation key. One key, which is configurable, can be used to register from 1 up to 1,000 VMs or bare metal servers. You can create as many activation keys as you need.
- Install the lightweight open source ECS agent, available on Github, Docker Hub, and Amazon Elastic Container Registry Public, on the VMs/bare metal servers. As part of the installation configuration, provide the activation key along with the AWS region.
Once completed, your servers (or bare metal instances) will be available for use as compute capacity in your ECS cluster and be ready for ECS tasks to be scheduled on them.
Q: Which AWS region should I register my on-premises compute with?
We recommend you register with the AWS region that is geographically closest to your on-premises compute.
Q: How do I ensure the link between my on-premises compute and AWS cloud is secure?
The link between your on-premises compute and AWS cloud is secure by default. The ECS control plane running in the AWS region orchestrates containers by sending instructions to the ECS agent installed on each registered server over a secure link, which is authenticated using the IAM role credentials attached to the instance at the time of the server registration. Hence, you do not need to take any additional actions.
Additionally, the ECS agent uses the AWS Systems Manager Agent to automatically and securely establish trust between the on-premises server and ECS control plane; its connection to AWS is encrypted with Transport Layer Security (TLS).
Q: What type of information flows from the on-premises compute back to the AWS region?
Only information necessary for managing the containers is sent to the ECS control plane running in the AWS region. For example, information about host health, container activity (whether it’s launched or stopped), and container health checks (if configured) may be sent back to the AWS region. This information enables AWS to provide you with alerts on health and capacity and manage ECS tasks running on your on-premises compute infrastructure. The contents of container memory, disk storage, or network traffic are not sent to the control plane.
Q. Can I have on-premises compute, EC2 instances, and Fargate in the same ECS cluster?
Yes. This makes it easy for you to migrate your ECS workloads running on-premises to ECS in an AWS region on Fargate or EC2 in the future if necessary.
Q. Can I use the same ECS task definition for on-premises environments that I use to run ECS tasks on Fargate and/or EC2 instances?
Yes. An ECS task definition is a specification for a group of containers that must run co-located. ECS task definitions can be created so that they are compatible with on-premises compute, Fargate, and EC2, all in a single task definition.
Q. What happens if there is a loss of network connectivity between the on-premises compute and AWS cloud?
In the event of a loss of network connectivity between the ECS agent running on the on-premises compute and the in-region ECS control plane, existing ECS tasks will continue to run as usual. If tasks still have connectivity with other AWS services, they will continue to communicate with them for as long as the task role credentials are active (the default expiration time is 6 hours). Once the credentials expire, tasks will not be able to communicate with other AWS services until the network connectivity with the control plane has been re-established, which will automatically renew the credentials. Additionally, during the period of disconnection, no data plane mutation operations such as scaling tasks up or down would work.
Q. Can I use ECS Anywhere to run containers in air-gapped/disconnected environments?
No. ECS offers a cloud-based and fully managed container orchestration solution that resides in an AWS region. Hence, it requires your on-premises compute to have a stable internet connection to communicate with the in-region ECS control plane.
Q. Which other ECS integrations with AWS services can I use when using ECS Anywhere?
With ECS Anywhere, you can get CloudWatch Metrics for your clusters and services, use the CloudWatch log driver to get your containers’ logs, and access the ECS CloudWatch Event stream to monitor your clusters’ events. You can also use Task IAM Roles and Task Execution Roles to give your containerized applications fine-grained access control to AWS resources.
Q. Which third party solutions can I use when using ECS Anywhere?
ECS Anywhere works with the same tools that ECS in the cloud does, including Terraform, Consul, Datadog, Spinnaker, Jenkins, and many others.
Q. Can I run GPU-based workloads on ECS Anywhere?
Yes. You can enable GPU instances by adding the --enable-gpu flag to the Amazon ECS Anywhere installation script. Once the script is installed, you will be able to assign a number of GPUs to particular containers in the task definition. Amazon ECS uses this as a scheduling mechanism to pin physical GPUs to the desired containers for workload isolation and optimal performance. You can use Nvidia and CUDA drivers with Amazon ECS Anywhere by following the steps to install the drivers as provided here.
Q. How much does ECS Anywhere cost?
You pay $0.01025 per instance-hour for each managed ECS Anywhere external instance. See the pricing page for further information.
Q. What is ECS Anywhere's Service Level Agreement (SLA)?
The ECS Anywhere SLA can be found here.