
【Introduction to AWS】Organizing VPC endpoint settings required for Fargate V1.4 - PrismScaler

1. Introduction

Hello! We are the writer team at Definer Inc. In this article we look at the VPC endpoint configuration required by Fargate platform version 1.4, walking through the actual screens and resources to explain it in detail.

2. Purpose/Use Cases

First, a brief review of Fargate. AWS ECS Fargate is a serverless container execution service. Running containers on EC2 requires you to design and maintain the EC2 instances; Fargate lets you run ECS containers without maintaining the server side at all.

AWS Fargate platform versions refer to a specific runtime environment for the Fargate task infrastructure: a combination of kernel and container runtime versions. You select a platform version when you run a task or when you create a service that maintains a number of identical tasks.

New revisions of a platform version are released as the runtime environment evolves, for example when there are kernel or operating system updates, new features, bug fixes, or security updates. A platform version is updated by publishing a new revision. Each task runs on one platform version revision for its whole lifecycle, so if you want the latest revision you must start a new task. A new task on Fargate always starts on the latest revision of its platform version, which ensures tasks always start on patched infrastructure.

AWS Fargate platform version 1.4.0 is now the LATEST version. All new Amazon Elastic Container Service (Amazon ECS) tasks or services that use the Fargate launch type and either set the platformVersion parameter to LATEST or leave it unspecified run on platform version 1.4.0. The new version adds features such as Amazon Elastic File System support and Amazon ECS Exec.

This article collects the information and practices you will find helpful when organizing your VPC endpoint configuration for Fargate v1.4.

3. Changes in Fargate v1.4

AWS ECS Fargate has been updated to version 1.4 with many changes:

・EFS (shared disk) can now be used with Fargate
ECS task definitions (for both EC2 and Fargate) now support the EFSVolumeConfiguration parameter. This means that ECS customers using the EC2 launch type no longer need to do the heavy lifting of configuring and automating storage on EC2 container instances, and that Fargate customers can now run stateful workloads inside Fargate tasks, something they could not do before.

・Temporary local volume is now 20GB
With platform version 1.4.0 the separate ephemeral volumes are unified into a single 20GB volume. This increases the total storage available and gives users more flexibility in how they consume that capacity.

・Task elastic network interface (ENI) now carries additional traffic flows
Fargate tasks run on a fleet of virtual machines that AWS manages on behalf of the customer. These VMs are connected to AWS-owned VPCs via so-called "Fargate ENIs". When a user launches a task on Fargate, the task is assigned an ENI that is connected to the customer-owned VPC; this is the "Task ENI". Up to platform version 1.3.0, image pulls and secret retrieval went over the Fargate ENI; from 1.4.0 that traffic also flows through the Task ENI, so it is subject to the routing, security groups, and VPC endpoints of your own VPC. This is why the ECR API endpoint discussed in the next section becomes a hard requirement.

・Network metrics can now be checked in CloudWatch Container Insights
Platform version 1.4.0 ships a revised stack (including the new Fargate agent) that lets tasks report network performance metrics to Container Insights. Customers need do nothing other than start their Fargate tasks on this platform version in an ECS cluster that has Container Insights enabled. You then have CPU, memory, disk, and network metrics for your Fargate tasks.

・The execution engine agent has been optimized for Fargate
Up to platform version 1.3.0, the agent Fargate used was the standard ECS agent. Platform version 1.4.0 introduces a new agent purpose-built for the Fargate environment, which allows AWS to ship improvements faster. The combination of containerd and this new agent also enables the new architecture based on Firecracker.

Read more in AWS Fargate platform version 1.4

4. VPC Endpoint required for Fargate v1.4

Here is the main issue. With the update to Fargate v1.4, pulling a container image now also requires a VPC endpoint for the ECR API (com.amazonaws.<region>.ecr.api). Be especially careful if you are already running Fargate in private subnets without a NAT gateway and are considering updating to version 1.4.

【Endpoints required for Fargate v1.4 or later】
・ecr.dkr (interface endpoint)
・ecr.api (interface endpoint)
・s3 (gateway endpoint; ECR stores image layers in S3)
・logs (interface endpoint, for the awslogs driver)

【Previously required endpoints】
・ecr.dkr
・s3
・logs

If you are using Fargate v1.4 or later, do not forget to create the ECR API endpoint. Without it, a task in a subnet that has no route to the public ECR API endpoint fails at the image pull and never reaches RUNNING.

So, what is a VPC endpoint? VPC endpoints are AWS components that let a VPC reach AWS services over private connections, so you no longer need to call the public endpoints of those services. This network isolation lets us pull Docker images from ECR without a NAT gateway, and the task subnets need no route to the internet at all.

A few points to check when creating them: the interface endpoints need a security group that allows inbound TCP 443 from the task subnets (scope it to the VPC CIDR rather than 0.0.0.0/0); private DNS should be enabled so that the normal api.ecr.<region>.amazonaws.com name resolves to the endpoint, which in turn requires DNS support and DNS hostnames to be enabled on the VPC; and the s3 endpoint is a gateway endpoint, associated with the route tables of the task subnets rather than placed in the subnets with an ENI.

Finally, here is the command for creating the ECR API endpoint. Replace the VPC ID, subnet ID, and security group ID with your own values before executing it.
## Command for creating the ECR API endpoint (region ap-northeast-1; change the service name for other regions)
## Note: the CLI options are --subnet-ids and --security-group-ids (plural); set VPC_ID, SUBNET_ID and SECURITY_GROUP_ID first
aws ec2 create-vpc-endpoint \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.ap-northeast-1.ecr.api \
  --vpc-id "${VPC_ID}" \
  --subnet-ids "${SUBNET_ID}" \
  --security-group-ids "${SECURITY_GROUP_ID}" \
  --private-dns-enabled
                
If the command succeeds, JSON like the following is displayed (identifiers masked). Note that State is "pending" immediately after creation; wait until describe-vpc-endpoints reports "available" before launching tasks that depend on it.
{
    "VpcEndpoint": {
        "VpcEndpointId": "vpce-xxxxx",
        "VpcEndpointType": "Interface",
        "VpcId": "vpc-xxxxxxx",
        "ServiceName": "com.amazonaws.ap-northeast-1.ecr.api",
        "State": "pending",
        "RouteTableIds": [],
        "SubnetIds": [
            "subnet-xxxxxxx"
        ],
        "Groups": [
            {
                "GroupId": "sg-xxxx",
                "GroupName": "sg_for_ecr_endpoint"
            }
        ],
        "IpAddressType": "ipv4",
        "DnsOptions": {
            "DnsRecordIpType": "ipv4"
        },
        "PrivateDnsEnabled": true,
        "RequesterManaged": false,
        "NetworkInterfaceIds": [
            "eni-xxxxxx"
        ],
        "DnsEntries": [
            {
                "DnsName": "vpce-xxxxxxxxi.api.ecr.ap-northeast-1.vpce.amazonaws.com",
                "HostedZoneId": "xxxxxxW"
            },
            {
                "DnsName": "vpce-xxxxxxxxxxi-ap-northeast-1a.api.ecr.ap-northeast-1.vpce.amazonaws.com",
                "HostedZoneId": "xxxxx"
            },
            {
                "DnsName": "api.ecr.ap-northeast-1.amazonaws.com",
                "HostedZoneId": "xxxxxxx"
            }
        ],
        "CreationTimestamp": "202X-XX-02T00:47:40.169000+00:00",
        "OwnerId": "xxxxxxxxx"
    }
}                  
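As an added example (this is not the article's own code), the following POSIX shell script wraps the procedure above into one run: it audits which of the four endpoints a Fargate v1.4 task needs are already present in the VPC, creates the missing ones with the right type (gateway for s3, interface with private DNS for the rest), and creates a security group that only allows TCP 443 from the VPC CIDR. The region, VPC, subnet, route table, CIDR and security group values are placeholder assumptions to be replaced; with DRY_RUN=1 (the default) the aws commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not code from the original article: create or audit the VPC
# endpoints a Fargate platform version 1.4 task needs to pull an ECR image and
# write awslogs without a NAT gateway. With DRY_RUN=1 (the default) every aws
# command is printed instead of executed.
# Assumed inputs (placeholders, replace with your own): REGION, VPC_ID,
# SUBNET_IDS, ROUTE_TABLE_IDS, VPC_CIDR and optionally ENDPOINT_SG.
set -eu

REGION="${REGION:-ap-northeast-1}"
VPC_ID="${VPC_ID:-vpc-xxxxxxx}"
SUBNET_IDS="${SUBNET_IDS:-subnet-xxxxxxx}"        # task subnets, space separated
ROUTE_TABLE_IDS="${ROUTE_TABLE_IDS:-rtb-xxxxxxx}"  # route tables of those subnets
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"                # source allowed to reach the endpoints
ENDPOINT_SG="${ENDPOINT_SG:-}"                     # existing SG for the endpoints, or empty
DRY_RUN="${DRY_RUN:-1}"

# Services a v1.4+ task talks to over the task ENI. ecr.api is the one that
# platform versions before 1.4 did not need.
FARGATE_ENDPOINTS="ecr.api ecr.dkr logs s3"

# s3 is a gateway endpoint (attached to route tables); the others are interface
# endpoints (an ENI per subnet, guarded by a security group).
endpoint_type_for() {
  case "$1" in
    s3) echo Gateway ;;
    *)  echo Interface ;;
  esac
}

service_name_for() {
  echo "com.amazonaws.${REGION}.$1"
}

# Print the aws command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# $1 = whitespace separated ServiceName values already present in the VPC (the
# shape of `describe-vpc-endpoints --query VpcEndpoints[].ServiceName --output
# text`). Prints the short names that are still missing, one per line.
missing_endpoints() {
  existing=" $(printf '%s' "$1" | tr '\n\t' '  ') "
  for ep in $FARGATE_ENDPOINTS; do
    svc=$(service_name_for "$ep")
    case "$existing" in
      *" $svc "*) ;;
      *) echo "$ep" ;;
    esac
  done
}

# $1 = short endpoint name, $2 = security group id used for interface endpoints.
create_endpoint() {
  svc=$(service_name_for "$1")
  if [ "$(endpoint_type_for "$1")" = Gateway ]; then
    run aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
      --vpc-endpoint-type Gateway --service-name "$svc" \
      --route-table-ids $ROUTE_TABLE_IDS
  else
    # Private DNS makes api.ecr.<region>.amazonaws.com etc. resolve to the
    # endpoint, so tasks and the Fargate agent need no special configuration.
    run aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
      --vpc-endpoint-type Interface --service-name "$svc" \
      --subnet-ids $SUBNET_IDS --security-group-ids "$2" --private-dns-enabled
  fi
}

main() {
  sg="$ENDPOINT_SG"
  if [ -z "$sg" ]; then
    if [ "$DRY_RUN" = 1 ]; then
      sg="sg-DRYRUN"
    else
      sg=$(aws ec2 create-security-group --region "$REGION" --vpc-id "$VPC_ID" \
        --group-name sg_for_ecr_endpoint \
        --description "HTTPS from Fargate tasks to VPC endpoints" \
        --query GroupId --output text)
    fi
    # Interface endpoints only need inbound 443 from the task subnets; keep the
    # source at the VPC CIDR rather than 0.0.0.0/0.
    run aws ec2 authorize-security-group-ingress --region "$REGION" \
      --group-id "$sg" --protocol tcp --port 443 --cidr "$VPC_CIDR"
  fi

  existing=""
  if [ "$DRY_RUN" != 1 ]; then
    existing=$(aws ec2 describe-vpc-endpoints --region "$REGION" \
      --filters "Name=vpc-id,Values=$VPC_ID" \
      --query 'VpcEndpoints[].ServiceName' --output text)
  fi
  for ep in $(missing_endpoints "$existing"); do
    create_endpoint "$ep" "$sg"
  done
}

main
```

Run it once with the defaults to see the exact aws commands it would issue, then with DRY_RUN=0 and real IDs to apply them. The audit is idempotent: on a VPC that already has all four endpoints it creates nothing, which makes it safe to run as a pre-check before switching a service's platformVersion to 1.4.0 or LATEST. If your task definitions also pull secrets from Secrets Manager or SSM Parameter Store, those services need their own interface endpoints as well.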

5. Cited/Referenced Articles

6. About the proprietary solution "PrismScaler"

・PrismScaler is a web service that enables the construction of multi-cloud infrastructures such as AWS, Azure, and GCP in just three steps, without requiring development and operation.
・The solution is designed for a wide range of usage scenarios such as cloud infrastructure construction and cloud migration, cloud maintenance and operation, and cost optimization, and can easily realize several hundred high-quality general-purpose cloud infrastructures by appropriately combining IaaS and PaaS.

7. Contact us

This article provides useful introductory information free of charge. For consultation and inquiries, please contact "Definer Inc".

8. Regarding Definer

・Definer Inc. provides one-stop solutions from upstream to downstream of IT.
・We are committed to providing integrated support for advanced IT technologies such as AI and cloud IT infrastructure, from consulting through requirement definition, design, development, and implementation to maintenance and operation.
・PrismScaler provides high-quality, rapid "auto-configuration", "auto-monitoring", "problem detection", and "configuration visualization" for multi-cloud/IT infrastructure such as AWS, Azure, and GCP.