How to deploy an application to AWS ECS
This how-to assumes:
- Basic familiarity with System Initiative
- You have completed the build an AWS VPC with System Initiative tutorial (and not deleted the resulting resources)
It will teach you how to create an AWS ECS cluster and deploy an application to it with System Initiative.
We will cover:
- The creation of an ECS cluster with a deployed service
- An AWS Application Load Balancer
- The networking required to allow the ECS service to service traffic to the load balancer
Setup
All activities in this how-to happen within a configured VPC, AWS Region and AWS Credential.
Start in a Change Set named ECS How-to
.
Walkthrough
What it will look like
When you are through with this guide, you should have Components that look like this in your Diagram:
Create a Loadbalancer Component
Add a AWS::ElasticLoadBalancingV2::LoadBalancer
to your VPC How-to
vpc frame.
Set the Component type to Down Frame
.
Set the Component name to application-alb
.
Set the IpAddressType
to ipv4
.
Set the Name
to application-alb
.
Set the Scheme
to internet-facing
.
Set the Type
to application
.
Connect the Subnet Id
Output Socket of each of the public subnet Components to the Subnets
Input Socket of the application-alb
Component.
Create a Security Group Component for the Loadbalancer
Add a AWS::EC2::SecurityGroup
to your VPC How-to
vpc frame.
Set the Component name to alb-sg
.
Set the GroupDescription
to be Security Group to allow access to the Loadbalancer
Set the GroupName
to alb-sg
.
Connect the Group Id
Output Socket of alb-sg
Component to the Security Groups
Input Socket of the application-alb
frame.
Create a Security Group Ingress Rule Component
Add a AWS::EC2::SecurityGroupIngress
Component to your VPC How-to
vpc frame.
Set the Component name to alb-80-ingress
.
Set the IpProtocol
to TCP
.
Set CidrIp
to be 0.0.0.0/0
.
Set the Description
to Ingress to allow 80 from the world
.
Set FromPort
to be 80
.
Set ToPort
to be 80
.
Connect the Group Id
Output Socket of alb-sg
Component to the Group Id
Input Socket of this alb-80-ingress
Component.
Create a Listener Component
Add a AWS::ElasticLoadBalancingV2::Listener
Component to your application-alb
loadbalancer frame.
Set the Component type to Down Frame
.
Set the Component name to HTTP:80
.
Set the Port
to be 80
.
Set the Protocol
to be HTTP
.
Resize the frame to be large enough to fit another Component.
Create a Target Group
Add a AWS::ElasticLoadBalancingV2::TargetGroup
Component to your Listener
frame.
Set the Component name to app-tg
.
Set HealthCheckEnabled
to TRUE
.
Set HealthCheckIntervalSeconds
to 30
seconds.
Set HealthCheckPath
to /
.
Set HealthCheckPort
to 8080
.
Set HealthCheckProtocol
to HTTP
.
Set HealthCheckTimeoutSeconds
to 5
.
Set HealthyThresholdCount
to 5
.
Set IpAddressType
to ipv4
Set Name
to be app-tg
.
Set Port
to 8080
.
Set Protocol
to HTTP
.
Set ProtocolVersion
to HTTP1
Set TargetType
to ip
.
Set UnhealthyThresholdCount
to be 2
.
Set HttpCode
to 200
.
Create a Listener Default Action
Add a Listener DefaultActions
Component to your Listener
frame.
Set the Component name to listener-actions
.
Set Type
to forward
.
Connect the Target Group Arn
Output Socket of the app-tg
Component to the Target Group Arn
Input Socket of the listener-actions
Component.
Connect the Default Actions
Output Socket of the listener-actions
Component to the Default Actions
Input Socket of the HTTP:80
Listener Component.
Create an IAM Role
Add an AWS::IAM::Role
Component to your VPC How-to
vpc frame.
Set the Component name to ecs-tasks-service
.
Set the RoleName
to ecs-tasks-service
.
Set the Path
to /si-tutorial/
.
Set the Description
to IAM Role to allow ECS to spawn tasks
.
Create an AWS IAM Policy Statement
Add an AWS::IAM::PolicyStatement
within the ecs-tasks-service
AWS IAM Role frame.
Set the Component name to ecs-tasks-assume-role-policy
.
Add an array item to the Action
array.
Set the [0]
value for the Action
array to sts:AssumeRole
.
Set the Effect
to Allow
.
Create an AWS IAM Service Principal
Add an AWS::IAM::ServicePrincipal
within the ecs-tasks-service
AWS IAM Role frame.
Set the Component name to ecs-tasks.amazonaws.com
.
Set the Service
to ecs-tasks.amazonaws.com
.
Connect the Principal
Output Socket of the ecs-tasks.amazonaws.com
AWS IAM Service Principal to the Principal
Input Socket of your ecs-tasks-assume-role-policy
AWS IAM Policy Statement.
Create a Security Group Component for the Application
Add a AWS::EC2::SecurityGroup
to your VPC How-to
vpc frame.
Set the Component name to container-sg
Set the GroupDescription
to be Container Security Group
Set the GroupName
to container-sg
.
Create an Ingress Rule Component for the Application
Add a AWS::EC2::SecurityGroupIngress
to your VPC How-to
vpc frame.
Set the Component name to be container-80-ingress
.
Set the IpProtocol
to TCP
.
Set the Description
to be Ingress to allow access to port 80
.
Set FromPort
to be 8080
.
Set ToPort
to be 8080
.
Connect the Group Id
Output Socket of container-sg
Component to the Group Id
Input Socket of thiscontainer-80-ingress
Component.
Connect the Group Id
Output Socket of alb-sg
Component to the SourceSecurityGroupId
Input Socket of this container-80-ingress
Component.
Create an ECS Cluster
Add an AWS::ECS::Cluster
to your VPC How-to
vpc frame.
Set the Component type to be Down Frame
.
Set the Component name to application-cluster
.
Set the ClusterName
to application-cluster
.
Create a ECS Capacity Provider Strategy
Add a ECS CapacityProviderStrategy
component to the application-cluster
frame.
Set the Component name to ecs-capacity-strategy
.
Set Base
to 0
.
Set CapacityProvider
to FARGATE
.
Set Weight
to 1
.
Create a ECS Cluster Capacity Provider Association
Add an AWS::ECS::ClusterCapacityProviderAssociations
Component to the application-cluster
frame.
Set the Component name to ecs-capacity-associations
.
Add two array items to the CapacityProviders
array.
Set the [0]
value for the CapacityProviders
array to FARGATE
.
Set the [1]
value for the CapacityProviders
array to FARGATE_SPOT
.
Connect the Default Capacity Provider Strategy
Output Socket of the ecs-capacity-strategy
Component to the Default Capacity Provider Strategy
Input Socket of this ecs-capacity-associations
Component.
Create an ECS Service
Add an AWS::ECS::Service
to your application-cluster
cluster frame.
Set the Component type to be Up Frame
.
Set the Component name to demo-service
.
Set the DesiredCount
to be 1
.
Set the LaunchType
to FARGATE
.
Set the ServiceName
to demo-service
.
Connect the Subnet ID
Output Socket of each of the private subnet Components to the Network Awsvpc Security Groups
Input Socket of this demo-service
Component.
Connect the Id
Output Socket of container-sg
Component to the Network Awsvpc Security Groups
Input Socket of this demo-service
Component.
Create an ECS Task Definition
Add an AWS::ECS::TaskDefinition
to your demo-service
service frame.
Set the Component type to be Frame Up
.
Set the Component name to demo-app
.
Set Cpu
to be 256
.
Set the Family
to be demo-app
.
Set Memory
to be 512
.
Set NetworkMode
to be awsvpc
.
Click set: manually
on RequiresCompatibilities
, then Add array item
.
In item [0] add the value FARGATE
.
Connect the Task Definition Arn
Output Socket of the TaskDefition to the Task Defition
input Socket of the ECS Service.
Connect the ARN
Output Socket of the ecs-tasks-service
AWS IAM Role to the Task Role ARN
Input Socket of your demo-app
ECS Task Definition.
Create a Container Definition
Add a TaskDefinition ContainerDefinitions
Component to your demo-app
frame.
Set the Component name to hello-world
.
Set Name
to hello-world
.
Set Essential
to TRUE
.
Create a Docker Image
Add a Docker Image
Component to your demo-app
frame.
Set the Component name to tutum/hello-world
.
Set image
to be tutum/hello-world
.
Connect the Image Name
Output Socket of this tutum/hello-world
Docker Image to the Image
Input Socket of the hello-world
Container Defintion.
Create an ECS Container Definition Port Mapping
Add a ContainerDefinitions PortMappings
Component to the demo-app
frame.
Set the Component name to be http
.
Set the ContainerPort
to be 8080
.
Set the HostPort
to be 8080
.
Set the Name
to be http
.
Set the Protocol
to be tcp
.
Connect the Port Mappings
Output Socket of this http
ECS ContainerDefintions PortMappings Component to the Port Mappings
Input Socket of the hello-world
TeskDefinition ContainerDefintions Component.
Create a ECS Load Balancer Configuration
Add a Service LoadBalancers
Component to the demo-service
frame.
Set the Component name to be lb-config
.
Set the ContainerName
to be hello-world-demo
.
Set the ContainerPort
to 8080
.
Connect the Target Group Arn
Output Socket of the app-tg
Target Group to the Target Group Arn
Input Socket of this lb-config
Component.
Apply your Change Set
Press Escape
or click anywhere on the canvas background to select the Workspace.
Click the Apply Change Set
button.
Click the Request Approval
button.
Click the Approve Request
button.
Click Apply Change Set
to:
- Create 2 Security Groups and associated ingress rules
- Create an application load balancer, a listener and a target group
- Create an IAM Role and IAM Instance Profile
- Create an ECS Cluser and the associated service with a running task
Explore your resources
Review the completed AWS resources by clicking the Resource
sub-panel for each of your new resources.
Clean Up
Create a new Change Set called Clean up How-to
Delete your VPC How-to
VPC frame. All of the Components inside will be marked for deletion.
Click Apply Change Set
.
All your new resources should be deleted from your AWS account.
Vocabulary
In this guide bits of System Initiative Vocabulary will be shown with a capital letter. All definitions for these can be found here: System Initative - Vocabulary