Amazon Elastic Container Service on Amazon Outposts
Amazon Outposts allows native Amazon services, infrastructure, and operating models in on-premises facilities. In Amazon Outposts environments, you can use the same Amazon APIs, tools, and infrastructure that you use in the Amazon Cloud. Amazon ECS on Amazon Outposts is ideal for low-latency workloads that need to be run in close proximity to on-premises data and applications. For more information about Amazon Outposts, see the Amazon Outposts User Guide.
Prerequisites
The following are the prerequisites for using Amazon ECS on Amazon Outposts:
- You must have installed and configured an Outpost in your on-premises data center.
- You must have a reliable network connection between your Outpost and its Amazon Region.
- You must have sufficient capacity of the instance types you intend to use available on your Outpost.
- All Amazon ECS container instances must run Amazon ECS container agent 1.33.0 or later.
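A check for the agent-version prerequisite, added here as an example and not part of the page. It parses the Version field that the ECS agent's introspection endpoint (http://localhost:51678/v1/metadata) returns on a container instance and compares it against 1.33.0. The sample JSON is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: verify the agent-version
# prerequisite on a container instance. The agent introspection endpoint
# reports "Version":"Amazon ECS Agent - vX.Y.Z (hash)".
set -eu

MIN_AGENT_VERSION="1.33.0"

# Pull the dotted version out of the /v1/metadata JSON; prints nothing if absent.
agent_version_from_metadata() {
  printf '%s' "$1" | sed -n 's/.*"Version": *"Amazon ECS Agent - v\([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 when dotted version $1 is greater than or equal to $2, comparing
# field by field numerically (so 1.40.0 >= 1.33.0 and 1.9.9 < 1.33.0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    for (i = 1; i <= (n > m ? n : m); i++) {
      p = x[i] + 0; q = y[i] + 0;
      if (p > q) exit 0; if (p < q) exit 1
    }
    exit 0 }'
}

# Exit 0 only when the metadata names an agent version and it meets the minimum;
# an instance whose agent is not answering (no Version field) fails the check.
agent_meets_minimum() {
  v=$(agent_version_from_metadata "$1")
  [ -n "$v" ] && version_ge "$v" "$MIN_AGENT_VERSION"
}

# Constructed sample of what the endpoint returns on a compliant instance.
SAMPLE_META='{"Cluster":"MyCluster","ContainerInstanceArn":"arn:aws:ecs:us-west-2:123456789012:container-instance/MyCluster/0123456789abcdef0","Version":"Amazon ECS Agent - v1.33.0 (0e1b2c3d)"}'

# On a real container instance:
#   agent_meets_minimum "$(curl -s http://localhost:51678/v1/metadata)" || echo "upgrade the ECS agent"
```

Run it on each container instance (or through your configuration-management tooling) before registering the instance with an Outpost cluster; an agent older than 1.33.0 registers fine but does not support the Outpost placement behaviour the rest of this page relies on.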
Limitations
The following are the limitations of using Amazon ECS on Amazon Outposts:
- Amazon Elastic Container Registry, Amazon Identity and Access Management, and Network Load Balancer run in the Amazon Region, not on the Outpost. Traffic between these services and your containers therefore crosses the connection to the Region, which increases latency.
- Amazon Fargate is not available on Amazon Outposts.
Network Connectivity Considerations
The following are network connectivity considerations for Amazon Outposts:
- If network connectivity between your Outpost and its Amazon Region is lost, your clusters will continue to run. However, you cannot create new clusters or take new actions on existing clusters until connectivity is restored. If an instance fails, it will not be replaced automatically, and the CloudWatch Logs agent will be unable to ship log and event data until the link is back.
- We recommend that you provide reliable, highly available, low-latency connectivity between your Outpost and its Amazon Region.
Creating an Amazon ECS Cluster on an Outpost
Creating an Amazon ECS cluster on an Outpost is similar to creating an Amazon ECS cluster in the Amazon Cloud. The cluster resource itself is Regional; what places it on the Outpost is that its container instances are launched into a subnet associated with your Outpost, so you must specify such a subnet when you add instances to the cluster.
An Outpost is an extension of an Amazon Region, and you can extend an Amazon VPC in an account to span multiple Availability Zones and any associated Outposts. When you configure your Outpost, you associate a subnet with it to extend your Regional VPC environment to your on-premises facility. Instances on an Outpost appear as part of your Regional VPC, similar to an Availability Zone with associated subnets.
Amazon CLI
To create an Amazon ECS cluster on an Outpost with the Amazon CLI, you need a security group and a subnet associated with your Outpost; the steps below create both.
To create a subnet associated with your Outpost, pass the Outpost ARN and the ID of the Availability Zone the Outpost is anchored to:
    aws ec2 create-subnet --cidr-block 10.0.3.0/24 --vpc-id vpc-xxxxxxxx \
        --outpost-arn arn:aws:outposts:us-west-2:123456789012:outpost/op-xxxxxxxxxxxxxxxx \
        --availability-zone-id usw2-az1
The following example creates an Amazon ECS cluster on an Outpost.
- Create a role and policy with rights on Amazon Outposts.
  The ecs-policy.json file is the trust policy that allows EC2 instances to assume the role; the role-policy.json file is the permissions policy document that contains the effect and actions for resources. For information about the file format, see PutRolePolicy in the IAM API Reference.
    aws iam create-role --role-name ecsRole \
        --assume-role-policy-document file://ecs-policy.json
    aws iam put-role-policy --role-name ecsRole --policy-name ecsRolePolicy \
        --policy-document file://role-policy.json
- Create an IAM instance profile with rights on Amazon Outposts.
    aws iam create-instance-profile --instance-profile-name outpost
    aws iam add-role-to-instance-profile --instance-profile-name outpost \
        --role-name ecsRole
- Create a VPC.
    aws ec2 create-vpc --cidr-block 10.0.0.0/16
- Create a security group for the container instances, specifying the proper CIDR range for the Outpost. (This step is different for Amazon Outposts.) The group must be created in the VPC from the previous step, which requires a description and the VPC ID, and because that VPC is not the default VPC the ingress rules must reference the group by ID rather than by name.
    aws ec2 create-security-group --group-name MyOutpostSG \
        --description "ECS container instances on the Outpost" --vpc-id vpc-xxxxxxxx
    aws ec2 authorize-security-group-ingress --group-id sg-xxxxxx \
        --protocol tcp --port 22 --cidr 10.0.3.0/24
    aws ec2 authorize-security-group-ingress --group-id sg-xxxxxx \
        --protocol tcp --port 80 --cidr 10.0.3.0/24
- Create the cluster. Nothing about this step is specific to the Outpost; the cluster is placed on the Outpost by the container instances you launch into it in the following steps.
- Define the Amazon ECS container agent environment variables to launch the instance into the cluster created in the previous step, and define any tags you want to add to help identify the container instance (for example, environment=Outpost to indicate that it runs on an Outpost).
    #!/bin/bash
    cat << 'EOF' >> /etc/ecs/ecs.config
    ECS_CLUSTER=MyCluster
    ECS_IMAGE_PULL_BEHAVIOR=prefer-cached
    ECS_CONTAINER_INSTANCE_TAGS={"environment": "Outpost"}
    EOF
  Note
  To avoid delays caused by pulling container images from Amazon ECR in the Region, use the image cache on the instance: set ECS_IMAGE_PULL_BEHAVIOR to prefer-cached so that each time a task is run the agent uses the cached image when one is present and pulls from the registry only when it is not.
- Create the container instance, specifying the VPC and subnet for the Outpost where this instance should run and an instance type that is available on the Outpost. (This step is different for Amazon Outposts.)
  The userdata.txt file contains the user data the instance can use to perform common automated configuration tasks and even run scripts after the instance starts. For information about the file for API calls, see Run commands on your Linux instance at launch in the Amazon EC2 User Guide for Linux Instances.
    aws ec2 run-instances --count 1 --image-id ami-xxxxxxxx --instance-type c5.large \
        --key-name aws-outpost-key --subnet-id subnet-xxxxxxxxxxxxxxxxx \
        --iam-instance-profile Name=outpost --security-group-ids sg-xxxxxx \
        --associate-public-ip-address --user-data file://userdata.txt
  Note
  This command is also used when adding additional instances to the cluster. Any containers deployed in the cluster will be placed on that specific Outpost.
- Register your task definition. Use the following command and substitute ecs-task.json with the name of your task definition file.
    aws ecs register-task-definition --cli-input-json file://ecs-task.json
- Run the task or create the service.
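The steps above as one script, added here as an example and not taken from the page. It assumes placeholder values for the Outpost ARN, Availability Zone ID, AMI and key name (override them through the environment), assumes role-policy.json and ecs-task.json exist as on the page, and uses aws ecs create-cluster for the step the page leaves without a command. The run wrapper and its DRY_RUN switch are this example's own, not part of the CLI: with DRY_RUN=1 every call is printed and a fake ID returned, so the whole flow can be rehearsed with no account. The security group arguments differ from the page because --description and --vpc-id are required for a group in a new VPC and rules in a non-default VPC must be keyed by group ID; --security-group-ids is the run-instances flag.

```shell
#!/bin/sh
# Added example, not from the original page: the Outpost bring-up steps as one
# script. Every ID, ARN, AMI and key name below is a placeholder to replace.
set -eu

OUTPOST_ARN="${OUTPOST_ARN:-arn:aws:outposts:us-west-2:123456789012:outpost/op-xxxxxxxxxxxxxxxx}"
AZ_ID="${AZ_ID:-usw2-az1}"           # Availability Zone ID the Outpost is anchored to
VPC_CIDR="10.0.0.0/16"
SUBNET_CIDR="10.0.3.0/24"            # the Outpost subnet; ingress is scoped to it
CLUSTER="MyCluster"
ROLE="ecsRole"; PROFILE="outpost"; SG_NAME="MyOutpostSG"
AMI="${AMI:-ami-xxxxxxxx}"; INSTANCE_TYPE="c5.large"; KEY_NAME="aws-outpost-key"
UD_FILE="${UD_FILE:-userdata.txt}"   # where the rendered user data is written

# Wrapper around the CLI (this example's own): DRY_RUN=1 prints each call and
# returns a fake ID so the whole flow can be rehearsed without an account.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ aws $*" >&2; echo "dry-run-id"
  else aws "$@"; fi
}

# Refuse placeholders before touching IAM. Expected shape:
# arn:<partition>:outposts:<region>:<account>:outpost/op-<hex>
valid_outpost_arn() {
  printf '%s' "$1" | grep -Eq '^arn:[a-z-]+:outposts:[a-z0-9-]+:[0-9]{12}:outpost/op-[0-9a-f]+$'
}

# Trust policy for the container-instance role: only EC2 may assume it.
trust_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# User data: join the cluster, tag the instance, and prefer cached images so
# task starts do not wait on ECR in the Region.
user_data() {
cat <<EOF
#!/bin/bash
cat <<'ECSCFG' >> /etc/ecs/ecs.config
ECS_CLUSTER=$1
ECS_IMAGE_PULL_BEHAVIOR=prefer-cached
ECS_CONTAINER_INSTANCE_TAGS={"environment": "$2"}
ECSCFG
EOF
}

main() {
  valid_outpost_arn "$OUTPOST_ARN" || { echo "not a real Outpost ARN: $OUTPOST_ARN" >&2; return 1; }

  # Steps 1-2: role with trust policy, inline permissions from role-policy.json, instance profile.
  run iam create-role --role-name "$ROLE" \
      --assume-role-policy-document "$(trust_policy)" >/dev/null
  run iam put-role-policy --role-name "$ROLE" --policy-name "${ROLE}Policy" \
      --policy-document file://role-policy.json >/dev/null
  run iam create-instance-profile --instance-profile-name "$PROFILE" >/dev/null
  run iam add-role-to-instance-profile --instance-profile-name "$PROFILE" \
      --role-name "$ROLE" >/dev/null

  # Step 3 plus the subnet command: the subnet is what extends the VPC onto the Outpost.
  VPC_ID=$(run ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId --output text)
  SUBNET_ID=$(run ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "$SUBNET_CIDR" \
      --outpost-arn "$OUTPOST_ARN" --availability-zone-id "$AZ_ID" \
      --query Subnet.SubnetId --output text)

  # Step 4: security group in the new (non-default) VPC, so --vpc-id is required
  # and rules are keyed by group ID; ingress only from the Outpost subnet.
  SG_ID=$(run ec2 create-security-group --group-name "$SG_NAME" --vpc-id "$VPC_ID" \
      --description "ECS container instances on the Outpost" --query GroupId --output text)
  for port in 22 80; do
    run ec2 authorize-security-group-ingress --group-id "$SG_ID" \
        --protocol tcp --port "$port" --cidr "$SUBNET_CIDR" >/dev/null
  done

  # Step 5: the cluster; its name must match ECS_CLUSTER in the user data.
  run ecs create-cluster --cluster-name "$CLUSTER" >/dev/null

  # Steps 6-7: launch into the Outpost subnet. No public IP is requested: the
  # instance only needs to be reachable from the subnet the security group allows.
  user_data "$CLUSTER" Outpost > "$UD_FILE"
  run ec2 run-instances --count 1 --image-id "$AMI" --instance-type "$INSTANCE_TYPE" \
      --key-name "$KEY_NAME" --subnet-id "$SUBNET_ID" --security-group-ids "$SG_ID" \
      --iam-instance-profile Name="$PROFILE" --user-data "file://$UD_FILE" >/dev/null

  # Step 8: task definition (step 9, run-task or create-service, then targets $CLUSTER).
  run ecs register-task-definition --cli-input-json file://ecs-task.json >/dev/null
  echo "cluster $CLUSTER ready: vpc=$VPC_ID subnet=$SUBNET_ID sg=$SG_ID"
}

# Execute the flow only when invoked as: sh outpost-ecs.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Rehearse with DRY_RUN=1 OUTPOST_ARN=arn:... sh outpost-ecs.sh --run and read the printed calls before running it for real; the ARN check is there precisely so the placeholder never reaches IAM. Re-running the script for a second container instance is not idempotent (create-role and create-vpc would fail on the existing names), so for additional instances reuse only the run-instances call with the recorded subnet and security group IDs, as the page's note describes.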