Elastic Container Service - Lexicon from AWS Console

The Lexicon is an open source project available on GitHub, the steps below setup the infrastructure in AWS using the AWS Console for launch type EC2. There is a stack overview here that shows how the infrastructure works together. Alternatively this can also be done from the CLI where I used the launch type fargate.

Cluster

Login to the Console and search for ECS and select create new cluster.

Instance configuration

AWS Fargate type is a compute engine that allows you to run containers without having to manage servers or clusters. For the steps below I used EC2 Linux + Networking. (for reasons :D)

1
Type:                            EC2 Linux + Networking

This will also create the following resources:

  • Cluster
  • VPC
  • Subnets
  • Auto Scaling group with Linux AMI
1
2
Cluster name:                    lexicon-cluster
Provisioning Model: On-Demand Instance

With On-Demand Instances, you pay for compute capacity by the hour, with no long-term commitments or upfront payments.

1
2
3
4
5
6
EC2 instance type:               m5.large
Instances: 1
EC2 Ami Id: Amazon Linux 2 AMI [ami-0e18747114eff8bce]
(ECS-optimized AMI)
EBS storage (GiB): 22
Key pair: *select if setup on EC2

ami-0e18747114eff8bce is the Amazon Linux AMI 2.0.20190913 x86_64 ECS HVM GP2 Linux Image used for the virtual machine. AMI stands for Amazon Machine Image.

Networking

Configure the VPC for your container instances to use. A VPC is an isolated portion of the AWS cloud populated by AWS objects, such as Amazon EC2 instances. You can choose an existing VPC, or create a new one with this wizard.

1
2
3
4
5
6
VPC:                             *create new
CIDR block: 10.0.0.0/16
Subnet 1: 10.0.0.0/24
Subnet 2: 10.0.1.0/24
Security group: *create new
Security group inbound rules: 0.0.0.0/0:80

Container instance IAM role

The Amazon ECS container agent makes calls to the Amazon ECS API actions on your behalf, so container instances that run the agent require the ecsInstanceRole IAM policy and role for the service to know that the agent belongs to you. If you do not have the ecsInstanceRole already, we can create one for you.

1
Container instance IAM role:     ecsInstanceRole

Tags

These are key value

1
Description:lexicon

CloudWatch Container Insights

CloudWatch Container Insights is a monitoring and troubleshooting solution for containerized applications and microservices. It collects, aggregates, and summarizes compute utilization such as CPU, memory, disk, and network; and diagnostic information such as container restart failures to help you isolate issues with your clusters and resolve them quickly.

1
CloudWatch Container Insights:    [X] Enable Container Insights

Clicking create will then create all of the following resources

  • ECS cluster as lexicon-cluster
  • ECS Instance IAM Policy - IAM Policy for the role ecsInstanceRole is attached
  • CloudFormation Stack - EC2ContainerService-lexicon-cluster

Cluster resources

1
2
3
4
5
6
7
8
9
10
11
12
13
14
ECS AMI ID                           ami-0e18747114eff8bce
VPC vpc-0c0c0c0000c00c0cc
Subnet 1 subnet-0c0c0c0000c00c0cc
Subnet 1 route table association rtbassoc-0c0c0c0000c00c0cc
Subnet 2 subnet-0c0c0c0000c00c0cc
Subnet 2 route table association rtbassoc-0c0c0c0000c00c0cc
VPC Availability Zones ap-southeast-2a, ap-southeast-2b, ap-southeast-2c
Security group sg-0c0c0c0000c00c0cc
Internet gateway igw-0c0c0c0000c00c0cc
Route table rtb-0c0c0c0000c00c0cc
Amazon EC2 route EC2Co-Publi-000000000000
Virtual private gateway attachment EC2Co-Attac-00000000000
Launch configuration EC2ContainerService-lexicon-cluster-EcsInstanceLc-0c0c0c0000c00c0cc
Auto Scaling group EC2ContainerService-lexicon-cluster-EcsInstanceAsg-0c0c0c0000c00c0cc

Task Definitions

From Task Definitions select Create new Task Definition

1
2
3
4
5
Launch type: EC2 
Task Definition Name: lexicon-definition:6
Requires Compatibilities: EC2
Task Role: ecsTaskExecutionRole
Network Mode: default

If you choose , ECS will start your container using Docker’s default networking mode, which is Bridge on Linux and NAT on Windows. is the only supported mode on Windows.

  • For bridge (FARGATE will only have awsvpc)

Task execution IAM role

This role is required by tasks to pull container images and publish container logs to Amazon CloudWatch on your behalf. If you do not have the ecsTaskExecutionRole already, we can create one for you.

1
Task execution role:              ecsTaskExecutionRole

Task size

The task size allows you to specify a fixed size for your task. Task size is required for tasks using the Fargate launch type and is optional for the EC2 launch type. Container level memory settings are optional when task size is set. Task size is not supported for Windows containers.

1
Task memory (GB):                 4096

The amount of memory (in MiB) used by the task. It can be expressed as an integer using MiB, for example 1024, or as a string using GB, for example ‘1GB’ or ‘1 gb’.

1
Task CPU (vCPU):                  2048   (512 = 0.5 vCPU, 1024 = 1 vCPU, 2048 = 2 vCPU)

The number of CPU units used by the task. It can be expressed as an integer using CPU units, for example 1024, or as a string using vCPUs, for example ‘1 vCPU’ or ‘1 vcpu’.

Add Container (WEB)

This is the ASP.NET MVC web application.

Standard
1
2
3
4
Container name:          lexicon-web
Image: 000000000000.dkr.ecr.ap-southeast-2.amazonaws.com/lexicon-test
Memory Limits (MiB): soft 512
Port mappings: 80 -> 80

Port mappings: 0 -> 80 means any from the host to the container on 80. This will however then assign a random port like 32722 which would probably not be open in the security group.

1
2
3
4
5
6
7
Environment variables:   

LEXICON_SQL_CONNECTION=Server=@@MACHINE_NAME@@,1433;Database=lexicon;User Id=sa;Password=Password123;

~ these just check for null, so just set the one you want it to use to `yes`
SUBSTITUTE_LOCAL_IP=
SUBSTITUTE_PUBLIC_IP=yes
Advanced container configuration
1
2
Essential:               un-check 
Log configuration: [x] Auto-configure CloudWatch Logs

Essential, if you check this and your process exits, then the entire task is shut down as well. At least one of your containers HAS to have this checked.

Add Container (SQL)

1
2
3
4
Container name:          lexicon-sql
Image: microsoft/mssql-server-linux:2017-CU13
Memory Limits (MiB): soft 2048
Port mappings: 1433 -> 1433
1
2
3
4
Environment variables:   

ACCEPT_EULA=Y
SA_PASSWORD=Password123

You may also designate AWS Systems Manager Parameter Store keys or ARNs using the ‘valueFrom’ field. ECS will inject the value into containers at run-time.

1
2
Essential:               check
Log configuration: [x] Auto-configure CloudWatch Logs

Task (run once off)

  • Clusters -> lexicon-cluster -> tasks -> run new task
1
2
3
4
Launch type:             EC2
Task Definition: lexicon-definition:6
Cluster: lexicon-cluster
Number of tasks: 1

Then hit Run Task and wait for the status to change to RUNNING

  • Clusters -> select task -> expand container -> Click external link

Service

You can start from task definition and keep it running as apposed to running the task as once off.

References