Amazon ECS FAQs
What is Amazon Elastic Container Service (ECS)?
Amazon ECS is a fully managed opinionated container orchestration service that delivers the easiest way for organizations to build, deploy, and manage containerized applications at any scale on AWS, in traditional Amazon Elastic Cloud Compute (EC2) instances or on a serverless compute plane with AWS Fargate. Amazon ECS is fully managed and versionless, providing tooling and built-in support that makes it simple to build and run containerized applications on AWS. For example, Amazon ECS Service Connect simplifies service discovery, connectivity, and traffic observability while Amazon CloudWatch Container Insights collects, aggregates, and summarizes metrics and logs. With Amazon ECS, you do not have to provision or scale servers or clusters or choose the types of severs you want your containers to run on or optimize cluster packing. You retain control of the operating properties of containers with the ability to specify CPU and memory requirements, networking and IAM policies, and launch type and data volumes. With simple API calls, you can launch and stop container-enabled applications, query the complete state of your cluster, and access many familiar features like security groups, Elastic Load Balancing (ELB), Amazon Elastic Block Store (EBS) volumes, and Identity Access Management (IAM) roles. You can use Amazon ECS to schedule container placement across your cluster based on your resource needs and availability requirements.
Why should I use Amazon ECS?
Amazon ECS is a fully managed container orchestration service makes it easy to use containers to deploy and manage long-running applications, services, and batch processes without needing to install, operate, and scale your own cluster management infrastructure. Amazon ECS maintains application availability and allows you to scale your containers up or down to meet your application's capacity requirements. When used with AWS Fargate, Amazon ECS allows you to deploy applications without needing to provision, manage, or scale compute infrastructure, reducing the time it takes for you to build, deploy, or migrate your containerized applications successfully. Furthermore, Amazon ECS is integrated with familiar features like ELB, Amazon Virtual Private Cloud (VPC), IAM, Application AutoScaling, Amazon CloudWatch, and Amazon Elastic File System (EFS), meaning that you don’t need to build or maintain generalized abstractions.
What role does Amazon ECS play within AWS?
Amazon ECS is a fully managed opinionated container orchestration service that delivers the easiest way for organizations to build, deploy, and manage containerized applications at any scale. Amazon ECS is fully managed and versionless, providing tooling and built-in support that makes it simple to build and run containerized applications on AWS. For example, with Amazon ECS, you do not need to provision or scale servers or clusters or choose the types of severs you want your containers to run on or optimize cluster packing. You retain control of the operating properties of containers with the ability to specify CPU and memory requirements, networking and IAM policies, compute platform (AWS Fargate or Amazon EC2), and data volumes.
With AWS Fargate, Amazon ECS supports serverless container orchestration so you can leverage more of AWS’s operational excellence when it comes to scaling, maintaining availability, and securing your containerized workloads. If you want to modernize your container-based applications with little to no re-factoring, but still enjoy the many advantages of scale, agility, and cost that serverless compute provides, Amazon ECS with AWS Fargate is an ideal compute choice.
Amazon ECS Service Connect simplifies service discovery, connectivity, and traffic observability while Amazon ECS CloudWatch Container Insights collects, aggregates, and summarizes metrics and logs. When you desire more control over the characteristics of how your applications run, Amazon ECS on Amazon EC2 is available, as well as Amazon ECS Anywhere, for when you want to run container workloads on your infrastructure. Collectively, Amazon ECS on AWS Fargate, Amazon ECS on Amazon EC2, and Amazon ECS Anywhere give you the ability to run a wide variety of applications all with the same experience and tooling. Given this, over 65% of all new AWS container customers use Amazon ECS.
With AWS you have a comprehensive choice of serverless compute options including Amazon ECS with AWS Fargate and AWS Lambda, a serverless compute service that runs your code in response to events with Event-Driven Architecture (EDA) and automatically manages the underlying compute resources for you. You can use one or more of these compute choices depending on your use case. Whether it’s Amazon ECS with AWS Fargate or AWS Lambda, AWS serverless choices deliver the advantages of scale, agility, and cost that serverless compute provides.
What is the pricing for Amazon ECS?
There is no additional charge for Amazon ECS. You pay for AWS resources (for example, Amazon EC2 instances, AWS Fargate resources or Amazon EBS volumes) you create to store and run your application. You only pay for what you use, as you use it; there are no minimum fees and no upfront commitments. There are two different charge models for Amazon ECS. Amazon ECS on AWS Outposts follows the same model as Amazon EC2 Launch Type.
- Amazon EC2 Launch Type Model: There is no additional charge for Amazon EC2 launch type. You pay for AWS resources (such as Amazon EC2 instances or Amazon EBS volumes) you create to store and run your application. You only pay for what you use, as you use it; there are no minimum fees and no upfront commitments. See detailed pricing information on the Amazon EC2 pricing page.
- AWS Fargate Launch Type Model: With AWS Fargate, you pay for the amount of vCPU and memory resources that your containerized application requests. vCPU and memory resources are calculated from the time your container images are pulled until the Amazon ECS Task terminates, rounded up to the nearest second. A minimum charge of one minute applies. See detailed pricing information on the AWS Fargate pricing page.
How is Amazon ECS different from AWS Lambda?
Amazon ECS is a highly scalable container orchestration service that allows you to run and manage distributed applications that run in containers. AWS Lambda is an event-driven task compute service that runs your code in response to “events” such as changes in data, website clicks, or messages from other AWS services without you having to manage any compute infrastructure. Many applications use both of these constructs in production, and customers often use both to take advantage of their respective benefits.
Using Amazon ECS
How do I get started using Amazon ECS?
Visit our Getting Started page for more information on how to start using Amazon ECS. Whether you are new to Amazon ECS or you already have a use case in mind, you can choose your own path and follow the curated learning steps to get started.
What is an Amazon ECS task?
Modern application (say Microservices) architecture recommends to split your applications into the individual units, and Amazon ECS is optimized for this pattern. Tasks are the smallest unit of compute in Amazon ECS and allow you to define a set of containers you would like to place together, their properties, and how they may be linked. Tasks include all the information Amazon ECS needs to make the placement decision. To launch a single container, your task definition should only include one container definition.
How do I run applications and services on Amazon ECS?
Yes. The Amazon ECS service scheduler can manage long-running applications and services. The service scheduler helps you maintain application availability and allows you to scale your containers up or down to meet your application's capacity requirements. The service scheduler allows you to distribute traffic across your containers using ELB. Amazon ECS will automatically register and deregister your containers from the associated load balancer. The service scheduler will also automatically recover containers that become unhealthy (i.e., fail ELB health checks) or stop running to ensure you have the desired number of healthy containers supporting your application.
You can scale your application up and down by changing the number of containers you want the service to run. You can update your application by changing its definition or using a new image. The scheduler will automatically start new containers using the new definition and stop containers running the previous version (waiting for the ELB connections to drain if ELB is used).
How does Amazon ECS support autoscaling of applications?
Applications and microservices deployed to Amazon ECS leverage the Application Auto Scaling service to automatically scale based on observed metrics data. Amazon ECS measures service utilization based on CPU and memory resources consumed by the tasks that belong to a service and publishes CloudWatch metrics, namely, ECSServiceAverageCPUUtilization and ECSServiceAverageMemoryUtilization, with this data. Application Auto Scaling can then use these predefined metrics in conjunction with scaling policies to proportionally scale the number of tasks in a service. Additionally, there are use cases where a service’s average CPU and memory usage alone are not reliable indicators of when and to what degree to execute a scaling action. For this, Application Auto Scaling also supports scaling a service based on a custom metric specification that represents a CloudWatch metric of our choosing, which may be better suited. This includes metrics that track other application aspects such as number of HTTP requests received, number of messages retrieved from a queue/topic, and number of database transactions. You can now use CloudWatch metrics or Prometheus metrics of your choosing.
To learn more, please visit: Autoscaling Amazon ECS services based on custom CloudWatch and Prometheus metrics
What compute options are available with Amazon ECS?
Amazon ECS enables you to run a wide variety of applications with the same experience and tooling across a diverse set of compute options:
- AWS Fargate: AWS Fargate is a serverless, pay-as-you-go compute engine. It removes the burden of server provisioning, cluster management, and orchestration. Amazon ECS uses containers provisioned by AWS Fargate to automatically scale, load balance, and manage scheduling of your containers for availability, providing an easier way to build and operate containerized applications.
- Amazon EC2: With Amazon on ECS on EC2, you own the EC2 instances and have complete control over all aspects of infrastructure management. For instance, you can select specific EC2 instance types or customize the underlying operating system. You can use Auto Scaling Group Capacity Providers to manage the scaling of EC2 instances.
- On-premises virtual machines (VM) or servers:
- Amazon ECS Anywhere provides support for registering an external instance such as an on-premises server or virtual machine (VM), to your Amazon ECS cluster.
- The capacity can be located in any of the following AWS resources:
- Availability Zones
- Local Zones
- Wavelength Zones
- AWS Regions
- AWS Outposts
Does Amazon ECS support the autoscaling of compute infrastructure?
Yes. Amazon ECS supports autoscaling compute infrastructure for both AWS Fargate and Amazon EC2, so that you can focus on building and scaling your applications rather than the underlying infrastructure.
Amazon ECS with AWS Fargate provides you a serverless experience, as AWS Fargate automatically provisions, scales, and updates the compute infrastructure needed for your applications.
For your applications that require Amazon EC2 capacity, Amazon ECS provides Auto Scaling Group Capacity Providers which automatically scale Amazon EC2 instances in response to the capacity requirement of your applications. You can create an Amazon EC2 Auto Scaling Group (ASG) with your desired configuration for Amazon EC2 instance types, Amazon Machine Image (AMI), network settings, etc. and create a Capacity Provider to automatically scale Amazon EC2 instances in that ASG based on the scheduling needs and load for your applications. manages the scale-in and scale-out actions of the ASG based on the load your tasks.
What are Amazon ECS Capacity Providers?
Amazon ECS capacity providers are the interface through which you can define the capacity needs for your applications. Capacity providers allow you to define flexible rules for how your applications run on different types of compute capacity, and manage the scaling of the capacity. Capacity Providers work with both Amazon EC2 and AWS Fargate. Amazon ECS provides predefined capacity providers for AWS Fargate and Fargate-Spot capacities for every cluster. For Amazon EC2, you can create your own ASG capacity providers to manage scaling of an Amazon EC2 Auto Scaling Group. When running Amazon ECS tasks and services, you can split them across multiple capacity providers, for instance to run a service in a predefined split percentage across AWS Fargate and Fargate Spot capacities.
Does Amazon ECS support batch jobs?
Yes. You can use Amazon ECS Run task to run one or more tasks once. Run task starts the task on an instance that meets the task’s requirements including CPU, memory, and ports. You can also use AWS Batch to plan, schedule, and execute your batch computing workloads using on Amazon ECS, so you can focus on analyzing results and solving problems.
Can I use my own Amazon Machine Image (AMI)?
Yes. You can use any AMI that meets the Amazon ECS AMI specification. We recommend starting from the Amazon ECS-enabled Amazon Linux AMI. Partner AMIs compatible with Amazon ECS are also available. You can review the Amazon ECS AMI specification in the documentation.
How can I configure my container instances to pull from Amazon Elastic Container Registry (ECR)?
Amazon ECR is integrated with Amazon ECS allowing you to easily store, run, and manage container images for applications running on Amazon ECS. All you need to do is specify the Amazon ECR repository in your task Definition and attach the AmazonEC2ContainerServiceforEC2Role to your instances. Then Amazon ECS will retrieve the appropriate images for your applications.
When should I use Amazon ECS with AWS Fargate?
AWS Fargate offers serverless compute to run containers with Amazon ECS. AWS Fargate allows customers to launch their containers without having to provision or manage Amazon EC2 instances. AWS Fargate is the easiest way to launch and run containers on AWS. Customers requiring greater control of their EC2 instances (to support compliance and governance requirements or broader customization options) can choose to use Amazon ECS with Amazon EC2 instances.
What networking options does Amazon ECS support?
Amazon ECS supports Docker networking and integrates with Amazon VPC to provide isolation for containers. This gives you control over how containers connect with other services and external traffic. With Amazon ECS, you can choose between four networking modes for your containers that cater towards different use cases:
- VPC Mode: This mode assigns each running Amazon ECS task a dedicated elastic networking interface, allowing containers full networking features in a VPC, just like Amazon EC2 instances.
- Bridge Mode: This mode creates a Linux bridge that connects all containers running on the host in a local virtual network, which can be accessed through the host's default network connection.
- Host Mode: This mode adds containers directly to the host’s network stack, exposing containers on the host's network with no isolation.
- None: This mode disables external networking for containers.
How does Amazon ECS support service-to-service communication?
- Service Connect: Amazon ECS Service Connect simplifies service discovery, connectivity, and traffic observability for Amazon ECS. It helps you build applications faster by letting you focus on the application code and not on your networking infrastructure. You can use Amazon ECS Service Connect to define logical names for your service endpoints and use them in your client applications to connect to dependencies. Amazon ECS Service Connect helps send your traffic to healthy endpoints and provides rich traffic telemetry in the Amazon ECS console and in Amazon CloudWatch. Native Amazon ECS deployments are more robust with Amazon ECS Service Connect, as it supports automatic connection draining that helps your client applications switch to a new version of the service endpoint without encountering traffic errors. With Amazon ECS Service Connect, you can:
- Set the way client applications connect to their dependencies in just one step
- Write and operate resilient distributed applications with logical naming
- Monitor and distribute traffic between Amazon ECS tasks without deploying and configuring load balancers
- Deploy services faster and deliver seamless integration of Amazon ECS microservices comprising an application
- Service Discovery: Amazon ECS is integrated with AWS Cloud Map to make it easy for your containerized services to discover and connect with each other. AWS Cloud Map is a cloud resource discovery service that lets you define custom names for your application resources. It increases your application availability because your web service will always discover the most up-to-date locations of these dynamically changing resources.
How does Amazon ECS provide observability for applications?
- You can monitor your Amazon ECS resources using Amazon CloudWatch, which collects and processes raw data from Amazon ECS into readable, near real-time metrics. These statistics are recorded for a period of two weeks so that you can access historical information and gain a better perspective on how your clusters or services are performing. There is no additional charge for this. To learn more, please visit, Amazon ECS CloudWatch metrics.
- For enhanced metrics, use CloudWatch Container Insights to collect, aggregate, and summarize metrics and logs from your containerized applications and microservices, available for your Amazon ECS clusters running on Amazon EC2 and AWS Fargate. CloudWatch automatically collects metrics for many resources, such as CPU, memory, disk, and network. Container Insights also provides diagnostic information, such as container restart failures, to help you isolate issues and resolve them quickly. For Amazon ECS, Container Insights collects metrics at the cluster, task and service levels on both Linux and Windows Server instances. It can collect metrics at the instance-level only on Linux instances.Network metrics are available only for containers in bridge network mode and awsvpc network mode. They are not available for containers in host network mode. To learn more, please visit, Using Container Insights.
- Amazon ECS allows you to record all your Amazon ECS API calls and have the log files delivered to you through AWS CloudTrail. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by Amazon ECS. CloudTrail provides you a history of API calls made from the AWS Management Console, AWS SDKs, and AWS CLI. It enables security analysis, resource change tracking, and compliance auditing.
- AWS Config
- AWS Config integrates with Amazon ECS to provide you visibility into your configuration of AWS resources in your AWS account. AWS Config allows users to monitor and track how resources were configured, how they relate to one another, and how the configurations and relationships change over time. AWS Config enables you to simplify compliance and security, operational troubleshooting, and resource administration.
- Third Party
- Amazon ECS supports an entire ecosystem of third-party observability vendors by embracing open container standards. For more information view the Amazon ECS Partners page.
How can I monitor cost information for my Amazon ECS tasks running on AWS Fargate?
Costs for Amazon ECS tasks running on AWS Fargate are available in AWS Cost and Usage Reports (CUR) and AWS Cost Explorer automatically. You can use managed as well as user-added tags to aggregate and allocate costs to new and existing business units, teams, or applications for your Amazon ECS tasks.
How can I monitor cost information for my Amazon ECS tasks running on Amazon EC2 instances?
You can access cost and usage information for Amazon ECS tasks running on Amazon EC2 instances in AWS Cost and Usage Reports (CUR) by opting into Split Cost Allocation Data for Amazon ECS. Split Cost Allocation Data generates task-level costs for Amazon ECS tasks running on Amazon EC2 instances by analyzing each task’s resource consumption based on the price of the instance, and the percentage of CPU and memory resources consumed by the containers running on the instance. Split Cost Allocation Data automatically ingests managed and user-added tags for your Amazon ECS tasks, allowing you to aggregate and allocate costs to new and existing business units, teams, or applications. You can opt into Split Cost Allocation Data for Amazon ECS from the AWS Cost Management console preferences. Then you can opt into Split Cost Allocation Data for your individual CUR reports from the CUR reporting preferences in AWS Billing console.
Learn more about enabling split cost allocation data.
Security and Compliance
How does Amazon ECS isolate containers belonging to different customers?
Amazon ECS schedules containers for execution on customer-controlled Amazon EC2 instances or with AWS Fargate and builds on the same isolation controls and compliance settings available for Amazon EC2 customers. Your compute instances are located in a Virtual Private Cloud (VPC) with an IP range that you specify. You decide which instances are exposed to the Internet and which remain private.
- Your Amazon EC2 instances use an IAM role to access the Amazon ECS service.
- Your Amazon ECS tasks use an IAM role to access services and resources.
- Your Amazon ECS tasks running on AWS Fargate run in isolated virtual machines.
- Security Groups and networks ACLs allow you to control inbound and outbound network access to and from your instances.
- You can connect your existing IT infrastructure to resources in your VPC using industry-standard encrypted IPsec VPN connections.
- You can provision your Amazon EC2 resources as Dedicated Instances. Dedicated Instances are Amazon EC2 Instances that run on hardware dedicated to a single customer for additional isolation.
Can I apply additional security configuration and isolation frameworks to my container instances?
Yes. As an Amazon EC2 customer, you have root access to the operating system (OS) of your container instances. You can take ownership of the OS security settings, as well as configure additional software components for security capabilities such as monitoring, patch management, log management, and host intrusion detection.
Using Amazon ECS with AWS Fargate drives high levels of security with the ability to assign granular permissions to each task, giving you a higher degree isolation, network access control, and IAM control when building applications. With AWS Fargate, every task runs in a separate virtual machine (VM), providing more isolation than two tasks sharing the same host. Each task also has its own network interface allowing the security group to be applied to each task, with control over the incoming and outgoing traffic.
Does Amazon ECS support retrieving container images from a private or internal source?
Yes. Customers can configure their container instances to access a private container image registry within a VPC or a registry that’s accessible outside a VPC such as Amazon ECR.
How do I configure IAM roles for Amazon ECS tasks?
You first need to create an IAM role for your task, using the 'Amazon EC2 Container Service Task Role’ service role and attaching a policy with the required permissions. When you create a new task definition or a task definition revision, you can then specify a role by selecting it from the ’Task Role’ drop-down or using the ‘taskRoleArn’ filed in the JSON format.
With which compliance programs does Amazon ECS conform?
Amazon ECS meets the standards for PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, and HIPAA eligibility.
For more information, visit our compliance pages.
Can I use Amazon ECS for Protected Health Information (PHI) and other HIPAA-regulated workloads?
Yes. Amazon ECS is HIPAA-eligible. If you have an executed Business Associate Addendum (BAA) with AWS, you can use Amazon ECS to process encrypted Protected Health Information (PHI) using containers deployed onto the AWS Fargate launch-type or Amazon EC2 compute instances.
Can I use Amazon ECS for US Government-regulated workloads or processing sensitive Controlled Unclassified Information (CUI)?
Yes. By using the AWS GovCloud (US) region, containers and clusters managed by Amazon ECS can meet the requirements to sensitive data and regulated workloads with your containers. For more information, visit our page on AWS GovCloud.
Customers can also deploy their workloads on Amazon ECS using AWS Fargate in a manner compliant with Federal Information Processing Standard (FIPS) 140-2. FIPS is a U.S. and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information.
Service Level Agreement
What does the Amazon ECS SLA guarantee?
Our Compute SLA guarantees a Monthly Uptime Percentage of at least 99.99% for Amazon ECS. AWS makes two SLA commitments for Amazon ECS and AWS Fargate: (1) a Multi-AZ Included Container Service SLA that governs Included Container Services deployed across multiple AZs; and (2) a Single Task/Pod SLA that governs Included Container Service tasks and pods individually. Please see the AWS Fargate and Amazon Elastic Container Service SLA page.
How do I know if I qualify for a SLA Service Credit?
You are eligible for an SLA credit for Amazon ECS under the Compute SLA if more than one Availability Zone in which you are running a task, within the same region has a Monthly Uptime Percentage of less than 99.99% during any monthly billing cycle.
For full details on all of the terms and conditions of the SLA, as well as details on how to submit a claim, please see the Compute SLA details page.