3.1.7 Container Services (ECS, EKS, ECR)
Container Services for Developers
ECS vs EKS
| Feature | ECS | EKS |
|---|---|---|
| Orchestrator | AWS proprietary | Kubernetes |
| Learning curve | Low | High |
| Portability | AWS only | Multi-cloud, on-premises |
| Launch types | Fargate, EC2 | Fargate, EC2, Outposts |
| Service mesh | App Mesh | App Mesh, Istio |
| Logging | CloudWatch (native) | CloudWatch, Fluentd, Fluent Bit |
| Exam focus | High (task definitions, services) | Low (high-level concepts) |
Amazon ECS — Key Concepts
```text
Cluster → Service → Task (running container)
                        ↑
             Task Definition (blueprint)
             ├── Container image (ECR)
             ├── CPU / Memory
             ├── Port mappings
             ├── Environment variables
             ├── IAM Task Role
             └── Log configuration
```
Launch Types
| | Fargate | EC2 |
|---|---|---|
| Server management | ❌ Serverless | ✅ You manage |
| Pricing | Per vCPU + memory per second | EC2 instance cost |
| Scaling | Task-level | Instance + task level |
| GPU support | ❌ | ✅ |
| Best for | Most workloads | GPU, specific instance types |
ECS + CodeDeploy (Blue/Green)
```yaml
# appspec.yaml for an ECS Blue/Green deployment
version: 0.0
Resources:
  - TargetService:
      Type: AWS::ECS::Service
      Properties:
        TaskDefinition: "arn:aws:ecs:us-east-1:123:task-definition/my-app:2"
        LoadBalancerInfo:
          ContainerName: "my-app"
          ContainerPort: 8080
```
Amazon EKS — Key Concepts
```text
EKS Cluster → Node Group → Pods (running containers)
              ├── Managed Node Group (EC2)
              ├── Self-managed Nodes (EC2)
              └── Fargate Profile (serverless)
```
EKS for Developers
| Concept | Description |
|---|---|
| Pod | Smallest deployable unit (1+ containers) |
| Deployment | Manages ReplicaSets, rolling updates |
| Service | Stable network endpoint for Pods |
| ConfigMap | Configuration data (non-sensitive) |
| Secret | Sensitive data (base64-encoded, not encrypted by default) |
| Ingress | HTTP/HTTPS routing (ALB Ingress Controller) |
EKS + AWS Integration
| AWS Service | EKS Integration |
|---|---|
| IAM | IAM Roles for Service Accounts (IRSA) |
| ALB | AWS Load Balancer Controller |
| CloudWatch | Container Insights, Fluent Bit |
| X-Ray | Sidecar daemon container |
| Secrets Manager | CSI Secrets Store Driver |
| EFS | EFS CSI Driver |
| ECR | Pull images natively |
Health Checks (EKS)
```yaml
# Kubernetes Deployment with health checks (container spec excerpt)
livenessProbe:
  httpGet:
    path: /health
    port: 8080
  initialDelaySeconds: 15
  periodSeconds: 10
readinessProbe:
  httpGet:
    path: /ready
    port: 8080
  initialDelaySeconds: 5
  periodSeconds: 5
```
- Liveness probe: restart the container if it is unhealthy
- Readiness probe: remove the Pod from the Service endpoints while it is not ready
Amazon ECR — Container Registry
| Feature | Description |
|---|---|
| Image scanning | Basic (on push) + Enhanced (Inspector) |
| Lifecycle policies | Auto-delete old/untagged images |
| Cross-region replication | Replicate images across regions |
| Immutable tags | Prevent image tag overwrite |
| Pull-through cache | Cache public registry images |
```bash
# Lifecycle policy — keep only the last 10 images
aws ecr put-lifecycle-policy --repository-name my-app \
  --lifecycle-policy-text '{
    "rules": [{
      "rulePriority": 1,
      "selection": {
        "tagStatus": "any",
        "countType": "imageCountMoreThan",
        "countNumber": 10
      },
      "action": {"type": "expire"}
    }]
  }'
```
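To see what a lifecycle policy like the one above would actually delete before applying it, the following added example (not code from the page or from AWS) simulates ECR's documented rule evaluation offline against a constructed repository state; the digests, tags and push dates are made up, and the evaluator is an approximation, so the authoritative dry-run remains `aws ecr start-lifecycle-policy-preview`.

```python
from datetime import datetime, timedelta, timezone

def _tag_match(selection, image):
    """tagStatus selection: 'untagged', 'tagged' (with tagPrefixList) or 'any'."""
    status = selection["tagStatus"]
    if status == "untagged":
        return not image["tags"]
    if status == "tagged":
        prefixes = selection.get("tagPrefixList", [])
        return any(t.startswith(p) for t in image["tags"] for p in prefixes)
    return True  # "any" (ECR requires this rule to carry the highest rulePriority)

def images_to_expire(policy, images, now):
    """Return the set of digests the policy would expire, approximating ECR's
    documented evaluation: rules run in rulePriority order, an image whose tags
    match a higher-priority rule cannot be expired by a lower-priority rule,
    but it still counts toward that lower rule's image count."""
    newest_first = sorted(images, key=lambda i: i["pushed"], reverse=True)
    claimed, expired = set(), set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        matched = [i for i in newest_first if _tag_match(sel, i)]
        if sel["countType"] == "imageCountMoreThan":
            victims = matched[sel["countNumber"]:]      # everything past the newest N
        elif sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])
            victims = [i for i in matched if i["pushed"] < cutoff]
        else:
            raise ValueError(f"unsupported countType: {sel['countType']}")
        if rule["action"]["type"] == "expire":
            expired |= {i["digest"] for i in victims if i["digest"] not in claimed}
        claimed |= {i["digest"] for i in matched}
    return expired

# The policy from the CLI command above, as the JSON document it sends.
PAGE_POLICY = {"rules": [{"rulePriority": 1,
                          "selection": {"tagStatus": "any",
                                        "countType": "imageCountMoreThan",
                                        "countNumber": 10},
                          "action": {"type": "expire"}}]}

# Constructed sample repository: 12 images, one pushed per day, every other one untagged.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE_IMAGES = [
    {"digest": f"sha256:constructed-{n:02d}",
     "tags": [f"v1.{n}"] if n % 2 == 0 else [],
     "pushed": NOW - timedelta(days=12 - n)}   # n=0 is the oldest, n=11 the newest
    for n in range(12)
]

if __name__ == "__main__":
    print(sorted(images_to_expire(PAGE_POLICY, SAMPLE_IMAGES, NOW)))
```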
Exam Tip: ECS = AWS-native, simpler. EKS = Kubernetes, portable. Fargate = serverless for both ECS and EKS. ECR lifecycle policies manage image storage. ECS Task Role = container-level IAM permissions. EKS IRSA = pod-level IAM permissions.