🐳 Elastic Container Service (ECS)
A fully managed container orchestration service for running Docker containers.
ALB integration & Dynamic Port Mapping
- ECS integrates natively with Application Load Balancer (ALB)
- Dynamic Port Mapping allows multiple tasks on the same EC2 instance (or Fargate host) to use the same container port by automatically assigning ephemeral host ports.
- The ALB target group automatically registers each task's dynamic port via ECS Service Discovery.
Security & Networking
- ECS tasks run inside VPC network boundaries.
- Use security groups and IAM Task Roles to control access to AWS resources.
- Sensitive data (DB credentials, API keys) should be injected via:
  - AWS Secrets Manager
  - AWS Systems Manager Parameter Store
- These values are then exposed to the containers as environment variables (ENV) at task start.
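The two injection paths above are easy to mix up in a task definition: `secrets` entries reference a Secrets Manager secret or an SSM parameter and ECS resolves them at start-up, while `environment` entries are stored as plaintext in the task definition itself. The script below is an added example (not from this page or from AWS) that audits a constructed task definition for that mistake and for a missing Task Role; the ARNs, account id, image names and the `SENSITIVE_NAME` heuristic are all assumptions made for the example.

```python
import re

# Constructed ECS task definition for this example (not a real deployment).
# The "api" container follows the pattern from the notes: credentials arrive through
# `secrets`, whose valueFrom points at Secrets Manager or SSM Parameter Store, and ECS
# resolves them into environment variables when the task starts. The "log-shipper"
# container shows the anti-pattern: a password in plain `environment`, which lives in
# the task definition and is readable by anyone allowed to call ecs:DescribeTaskDefinition.
TASK_DEFINITION = {
    "family": "orders-api",
    "networkMode": "awsvpc",
    "taskRoleArn": "arn:aws:iam::123456789012:role/orders-api-task-role",
    "executionRoleArn": "arn:aws:iam::123456789012:role/orders-api-exec-role",
    "containerDefinitions": [
        {
            "name": "api",
            "image": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/orders-api:1.4.2",
            "environment": [{"name": "APP_ENV", "value": "prod"}],
            "secrets": [
                {"name": "DB_PASSWORD",
                 "valueFrom": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:orders/db-AbCdEf"},
                {"name": "API_KEY",
                 "valueFrom": "arn:aws:ssm:eu-west-1:123456789012:parameter/orders/api-key"},
            ],
        },
        {
            "name": "log-shipper",
            "image": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/log-shipper:0.9.0",
            "environment": [
                {"name": "LOG_LEVEL", "value": "info"},
                {"name": "DB_PASSWORD", "value": "hunter2"},  # plaintext credential: finding
            ],
        },
    ],
}

# Variable names that usually carry credentials (heuristic chosen for this example).
SENSITIVE_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)

# Accepted secret sources: a Secrets Manager secret ARN (optionally followed by the
# :json-key:version-stage:version-id suffix) or an SSM parameter ARN. ECS also accepts a
# bare parameter name for same-region SSM parameters; this check deliberately requires ARNs.
SECRET_SOURCE = re.compile(
    r"^arn:aws:(secretsmanager:[a-z0-9-]+:\d{12}:secret:\S+"
    r"|ssm:[a-z0-9-]+:\d{12}:parameter/\S+)$"
)


def plaintext_secret_envs(task_def):
    """(container, variable) pairs where a sensitive-looking variable is a plain env value."""
    return [
        (c["name"], env["name"])
        for c in task_def.get("containerDefinitions", [])
        for env in c.get("environment", [])
        if SENSITIVE_NAME.search(env["name"])
    ]


def bad_secret_sources(task_def):
    """(container, variable, valueFrom) triples whose source is not Secrets Manager or SSM."""
    return [
        (c["name"], s["name"], s["valueFrom"])
        for c in task_def.get("containerDefinitions", [])
        for s in c.get("secrets", [])
        if not SECRET_SOURCE.match(s["valueFrom"])
    ]


def audit(task_def):
    """Human-readable findings for one task definition, in a stable order."""
    findings = []
    if not task_def.get("taskRoleArn"):
        findings.append("no taskRoleArn: containers get no task-scoped IAM identity")
    findings += [f"{c}: {v} is a plaintext environment variable, move it to `secrets`"
                 for c, v in plaintext_secret_envs(task_def)]
    findings += [f"{c}: {v} uses an unsupported secret source {src!r}"
                 for c, v, src in bad_secret_sources(task_def)]
    return findings


if __name__ == "__main__":
    for line in audit(TASK_DEFINITION):
        print(line)
```

Run against the sample, `audit` reports only the `log-shipper` password. The same functions can be pointed at the JSON returned by `aws ecs describe-task-definition` (the `taskDefinition` object has the same keys), which is a cheap check to run in CI before a task definition is registered.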
Service Auto Scaling
| Type | Description | Trigger |
|---|---|---|
| Target Tracking | Keeps a metric (e.g., CPU Utilization = 50%) around a target value. | Uses CloudWatch metrics |
| Step Scaling | Scales up/down in predefined steps | Based on CloudWatch alarms |
| Scheduled Scaling | Scales at specific times or dates | Useful for predictable workloads |
Spot Instances
- ECS on EC2 supports EC2 Spot Instances to reduce cost.
- ECS Capacity Provider Strategy can combine On-Demand + Spot instances.
- Tasks are automatically placed on available capacity according to weighting.
Fargate Launch Type
- Serverless compute engine for containers -- no need to provision or manage EC2 instances.
- You define CPU & memory per task; AWS manages the infrastructure.
- Each task gets its own elastic network interface (ENI).
- Use when you want no infrastructure management, predictable pricing, and isolation.
📦 Elastic Container Registry (ECR)
A managed Docker image registry for storing and versioning container images.
Access Control
- Use IAM permissions for push/pull (login via `aws ecr get-login-password`).
- Private by default; supports Cross-Region and Cross-Account replication.
Image Scanning
| Mode | Description | Source |
|---|---|---|
| Basic Scanning | Scans on image push for CVE vulnerabilities | Built-in |
| Enhanced Scanning | Uses Amazon Inspector v2 for continuous scanning & deeper package analysis | Optional upgrade |
☸️ Elastic Kubernetes Service (EKS)
Managed Kubernetes control plane service.
Node types
| Type | Description |
|---|---|
| Managed Node Group | AWS creates & manages EC2 instances (part of an Auto Scaling Group). Supports On-Demand and Spot Instances. |
| Self-Managed Nodes | You manually provision EC2 instances and join them to the cluster. |
| Fargate Profiles | Run Kubernetes Pods on AWS Fargate (serverless) -- no EC2 nodes. |
Storage Integration
EKS supports persistent storage via Container Storage Interface (CSI) drivers.
- Supported backends:
  - Amazon EBS CSI Driver: block storage per Pod (AZ-scoped)
  - Amazon EFS CSI Driver: shared file system across Pods
  - Amazon FSx CSI Driver: high-performance Lustre/Windows FS
- Define storage using Kubernetes manifests
  - `StorageClass` > `PersistentVolume` > `PersistentVolumeClaim`
```text
[StorageClass] --> defines provisioner, parameters
        ↓ (creates)
[PersistentVolume] --> actual disk resource (EBS/EFS/FSx)
        ↑ (binds to)
[PersistentVolumeClaim] --> Pod's request for storage
        ↑
[Pod] --> uses PVC as a mounted volume
```
1. StorageClass (SC) -- defines "how" storage is provisioned
   - Describes the type of storage (e.g., EBS, EFS, FSx) and parameters for provisioning.
2. PersistentVolume (PV) -- the actual storage resource
   - Represents a piece of storage in the cluster.
   - Could be dynamically created (via StorageClass) or statically defined.
3. PersistentVolumeClaim (PVC) -- the request for storage
   - Acts as a "claim ticket" for Pods -- they request storage by size, access mode, and StorageClass.
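To make the SC > PV > PVC > Pod chain concrete, here is an added example (not from this page or from the EKS documentation) that walks that chain over a constructed set of manifests and lints the mistakes the notes above make possible: a claim that asks an EBS class for `ReadWriteMany` (EBS is a single-node, single-AZ block device), an EBS class with no `encrypted: "true"` parameter, and a Pod that references a claim which does not exist. The manifests, names and the `SUPPORTED_MODES` table are assumptions made for the example; `ebs.csi.aws.com`, `efs.csi.aws.com` and the `encrypted` parameter are the real driver names and parameter.

```python
# Constructed Kubernetes manifests as Python dicts, the same objects you would write in YAML.
# Two EBS StorageClasses (one encrypted, one not), one EFS StorageClass, three claims, one Pod.
MANIFESTS = [
    {"kind": "StorageClass", "metadata": {"name": "ebs-gp3"},
     "provisioner": "ebs.csi.aws.com",
     "parameters": {"type": "gp3", "encrypted": "true"},
     "volumeBindingMode": "WaitForFirstConsumer"},   # bind in the AZ the Pod is scheduled to
    {"kind": "StorageClass", "metadata": {"name": "ebs-legacy"},
     "provisioner": "ebs.csi.aws.com",
     "parameters": {"type": "gp2"}},                  # no encryption parameter: finding
    {"kind": "StorageClass", "metadata": {"name": "efs-shared"},
     "provisioner": "efs.csi.aws.com",
     "parameters": {"provisioningMode": "efs-ap", "fileSystemId": "fs-0123456789abcdef0"}},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "db-data"},
     "spec": {"storageClassName": "ebs-gp3", "accessModes": ["ReadWriteOnce"],
              "resources": {"requests": {"storage": "20Gi"}}}},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "uploads"},
     "spec": {"storageClassName": "efs-shared", "accessModes": ["ReadWriteMany"],
              "resources": {"requests": {"storage": "5Gi"}}}},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "cache"},
     "spec": {"storageClassName": "ebs-gp3", "accessModes": ["ReadWriteMany"],  # EBS cannot: finding
              "resources": {"requests": {"storage": "10Gi"}}}},
    {"kind": "Pod", "metadata": {"name": "web"},
     "spec": {"containers": [{"name": "web", "image": "nginx:1.27",
                              "volumeMounts": [{"name": "data", "mountPath": "/data"}]}],
              "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "db-data"}},
                          {"name": "stale", "persistentVolumeClaim": {"claimName": "old-cache"}}]}},
]

# Access modes each CSI driver from the notes can serve. Assumption for this example, matching
# the backend descriptions above: EBS is a block device attached to one node in one AZ, so it
# is single-writer; EFS and FSx are shared file systems that many Pods can mount at once.
SUPPORTED_MODES = {
    "ebs.csi.aws.com": {"ReadWriteOnce", "ReadWriteOncePod"},
    "efs.csi.aws.com": {"ReadWriteOnce", "ReadOnlyMany", "ReadWriteMany"},
    "fsx.csi.aws.com": {"ReadWriteOnce", "ReadOnlyMany", "ReadWriteMany"},
}


def _index(manifests, kind):
    return {m["metadata"]["name"]: m for m in manifests if m["kind"] == kind}


def chain_for_pod(manifests, pod_name):
    """Walk Pod -> PVC -> StorageClass -> provisioner for each PVC-backed volume of one Pod.
    A missing link is reported as None instead of raising, so broken chains stay visible."""
    classes, claims = _index(manifests, "StorageClass"), _index(manifests, "PersistentVolumeClaim")
    pod = next(m for m in manifests if m["kind"] == "Pod" and m["metadata"]["name"] == pod_name)
    chain = []
    for vol in pod["spec"].get("volumes", []):
        claim_name = vol.get("persistentVolumeClaim", {}).get("claimName")
        if claim_name is None:
            continue  # emptyDir, configMap, etc. are not part of the PV chain
        pvc = claims.get(claim_name)
        sc_name = pvc["spec"].get("storageClassName") if pvc else None
        sc = classes.get(sc_name) if sc_name else None
        chain.append((vol["name"], claim_name, sc_name, sc["provisioner"] if sc else None))
    return chain


def lint_storage(manifests):
    """Findings for unencrypted EBS classes, unsupported access modes and dangling PVC refs."""
    classes, claims = _index(manifests, "StorageClass"), _index(manifests, "PersistentVolumeClaim")
    findings = []
    for name, sc in classes.items():
        if sc["provisioner"] == "ebs.csi.aws.com" and sc.get("parameters", {}).get("encrypted") != "true":
            findings.append(f'StorageClass/{name}: EBS volumes will be unencrypted (set parameters.encrypted: "true")')
    for name, pvc in claims.items():
        sc_name = pvc["spec"].get("storageClassName")
        sc = classes.get(sc_name)
        if sc is None:
            findings.append(f"PersistentVolumeClaim/{name}: unknown StorageClass {sc_name!r}")
            continue
        for mode in pvc["spec"].get("accessModes", []):
            if mode not in SUPPORTED_MODES.get(sc["provisioner"], set()):
                findings.append(f"PersistentVolumeClaim/{name}: {mode} is not supported by {sc['provisioner']}")
    for m in manifests:
        if m["kind"] != "Pod":
            continue
        for vol in m["spec"].get("volumes", []):
            claim = vol.get("persistentVolumeClaim", {}).get("claimName")
            if claim and claim not in claims:
                findings.append(f"Pod/{m['metadata']['name']}: volume {vol['name']!r} references missing PVC {claim!r}")
    return findings


if __name__ == "__main__":
    print(chain_for_pod(MANIFESTS, "web"))
    for f in lint_storage(MANIFESTS):
        print(f)
```

The `cache` finding is the one that matters most in practice: Kubernetes accepts the claim, but an EBS volume cannot be attached to more than one node, so the second Pod that mounts it stays `Pending` with a multi-attach error. Checking the access mode against the provisioner at review time, before the manifests reach the cluster, avoids that surprise.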
ECS vs. EKS Quick Comparison
| Feature | ECS | EKS |
|---|---|---|
| Control Plane | Managed by AWS | Managed Kubernetes API (AWS-managed control plane) |
| Launch Modes | EC2 or Fargate | EC2 nodes, Fargate profiles |
| Complexity | Simple, AWS-native | More flexible, Kubernetes-standard |
| Networking | AWSVPC mode (ENI per task) | CNI Plugin (ENI per Pod) |
| Use Case | AWS-only workloads | Hybrid / multi-cloud / K8S migration |