Set up to use Amazon ECS - Amazon Elastic Container Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Set up to use Amazon ECS

If you've already signed up for Amazon Web Services (Amazon) and have been using Amazon Elastic Compute Cloud (Amazon EC2), you are close to being able to use Amazon ECS. The set-up process for the two services is similar. The following guide prepares you for launching your first Amazon ECS cluster.

Complete the following tasks to get set up for Amazon ECS.

Sign up for an Amazon Web Services account

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services

  1. Open http://www.amazonaws.cn/ and choose Sign Up.

  2. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to http://www.amazonaws.cn/ and choosing My Account.

Create an administrative user

After you sign up for an Amazon Web Services account, create an administrative user so that you do not use the root user for everyday tasks.

To create an administrative user for yourself and add the user to an administrators group (console)

  1. Sign in to the IAM console as the account owner by choosing Root user and entering your Amazon Web Services account email address. On the next page, enter your password.

    Note

    We strongly recommend that you adhere to the best practice of using the administrator IAM user that follows and securely lock away the root user credentials. Sign in as the root user only to perform a few account and service management tasks.

  2. In the navigation pane, choose Users and then choose Add users.

  3. For User name, enter Administrator.

  4. Select the check box next to Amazon Web Services Management Console access. Then select Custom password, and then enter your new password in the text box.

  5. (Optional) By default, Amazon requires the new user to create a new password when first signing in. You can clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after they sign in.

  6. Choose Next: Permissions.

  7. Under Set permissions, choose Add user to group.

  8. Choose Create group.

  9. In the Create group dialog box, for Group name enter Administrators.

  10. Choose Filter policies, and then select Amazon managed - job function to filter the table contents.

  11. In the policy list, select the check box for AdministratorAccess. Then choose Create group.

    Note

    You must activate IAM user and role access to Billing before you can use the AdministratorAccess permissions to access the Amazon Billing and Cost Management console. To do this, follow the instructions in step 1 of the tutorial about delegating access to the Billing and Cost Management console.

  12. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to see the group in the list.

  13. Choose Next: Tags.

  14. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM entities in the IAM User Guide.

  15. Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.

You can use this process to create users and to give your users access to your Amazon Web Services account resources. To learn about using policies that restrict user permissions to specific Amazon resources, see Access management and Example policies.

To sign in as the IAM administrator

  • Sign in to the IAM console by choosing IAM user and entering your Amazon Web Services account ID or account alias. On the next page, enter your IAM user name and your password.

Create the credentials to connect to your EC2 instance

For Amazon ECS, a key pair is only needed if you intend on using the EC2 launch type.

A Linux instance, such as an Amazon ECS container instance, has no password to use for SSH access. You use a key pair to log in to your instance securely. You specify the name of the key pair when you launch your container instance, then provide the private key when you log in using SSH.

If you haven't created a key pair already, you can create one using the Amazon EC2 console. If you plan to launch instances in multiple regions, you'll need to create a key pair in each region. For more information about regions, see Regions and Availability Zones in the Amazon EC2 User Guide for Linux Instances.

To create a key pair

  • Use the Amazon EC2 console to create a key pair. For more information about creatiting a key pair, see Create a key pair in the Amazon EC2 User Guide for Linux Instances.

For more information, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.

To connect to your instance using your key pair

To connect to your Linux instance from a computer running macOS or Linux, specify the .pem file to your SSH client with the -i option and the path to your private key. To connect to your Linux instance from a computer running Windows, you can use either MindTerm or PuTTY. If you plan to use PuTTY, you need to install it and use the following procedure to convert the .pem file to a .ppk file.

To prepare to connect to a Linux instance from Windows using PuTTY

  1. Download and install PuTTY from http://www.chiark.greenend.org.uk/~sgtatham/putty/. Be sure to install the entire suite.

  2. Start PuTTYgen (for example, from the Start menu, choose All Programs > PuTTY > PuTTYgen).

  3. Under Type of key to generate, choose RSA.

    
						SSH-2 RSA key in PuTTYgen
  4. Choose Load. By default, PuTTYgen displays only files with the extension .ppk. To locate your .pem file, select the option to display files of all types.

    
						Select all file types
  5. Select the private key file that you created in the previous procedure and choose Open. Choose OK to dismiss the confirmation dialog box.

  6. Choose Save private key. PuTTYgen displays a warning about saving the key without a passphrase. Choose Yes.

  7. Specify the same name for the key that you used for the key pair. PuTTY automatically adds the .ppk file extension.

Create a virtual private cloud

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon resources into a virtual network that you've defined. We strongly suggest that you launch your container instances in a VPC.

Note

The Amazon ECS console first-run experience creates a VPC for your cluster, so if you intend to use the Amazon ECS console, you can skip to the next section.

If you have a default VPC, you also can skip this section and move to the next task, Create a security group. To determine whether you have a default VPC, see Supported Platforms in the Amazon EC2 Console in the Amazon EC2 User Guide for Linux Instances. Otherwise, you can create a nondefault VPC in your account using the steps below.

Important

If your account supports Amazon EC2 Classic in a region, then you do not have a default VPC in that region.

For information about how to create a VPC, see Create a VPC only in the Amazon VPC User Guide and use the following table to determine what options to select.

Option Value

Resources to create

VPC only
Name

Optionally provide a name for your VPC.

IPv4 CIDR block

IPv4 CIDR manual input

The CIDR block size must have a size between /16 and /28.

IPv6 CIDR block

No IPv6 CIDR block

Tenancy

Default

For more information about Amazon VPC, see What is Amazon VPC? in the Amazon VPC User Guide.

Create a security group

Security groups act as a firewall for associated container instances, controlling both inbound and outbound traffic at the container instance level. You can add rules to a security group that enable you to connect to your container instance from your IP address using SSH. You can also add rules that allow inbound and outbound HTTP and HTTPS access from anywhere. Add any rules to open ports that are required by your tasks. Container instances require external network access to communicate with the Amazon ECS service endpoint.

Note

The Amazon ECS classic console first run experience creates a security group for your instances and load balancer based on the task definition you use, so if you intend to use the Amazon ECS console, you can move ahead to the next section.

If you plan to launch container instances in multiple Regions, you need to create a security group in each Region. For more information, see Regions and Availability Zones in the Amazon EC2 User Guide for Linux Instances.

Tip

You need the public IP address of your local computer, which you can get using a service. For example, we provide the following service: http://checkip.amazonaws.com/ or https://checkip.amazonaws.com/. To locate another service that provides your IP address, use the search phrase "what is my IP address." If you are connecting through an internet service provider (ISP) or from behind a firewall without a static IP address, you must find out the range of IP addresses used by client computers.

For information about how to create a security group, see Create a security group in the Amazon EC2 User Guide for Linux Instances and use the following table to determine what options to select.

Option Value

Region

The same Region in which you created your key pair.
Name A name that is easy for you to remember, such as ecs-instances-default-cluster.
VPC The default VPC (marked with "(default)" .
Note

If your account supports Amazon EC2 Classic, select the VPC that you created in the previous task.

Amazon ECS container instances do not require any inbound ports to be open. However, you might want to add an SSH rule so you can log into the container instance and examine the tasks with Docker commands. You can also add rules for HTTP and HTTPS if you want your container instance to host a task that runs a web server. Container instances do require external network access to communicate with the Amazon ECS service endpoint. Complete the following steps to add these optional security group rules.

Add the following three inbound rules to your security group.For information about how to create a security group, see Add rules to your security group in the Amazon EC2 User Guide for Linux Instances.

Option Value

HTTP rule

Type: HTTP

Source: Anywhere (0.0.0.0/0)

This option automatically adds the 0.0.0.0/0 IPv4 CIDR block as the source. This is acceptable for a short time in a test environment, but it's unsafe in production environments. In production, authorize only a specific IP address or range of addresses to access your instance.

HTTPS rule

Type: HTTPS

Source: Anywhere (0.0.0.0/0)

This is acceptable for a short time in a test environment, but it's unsafe in production environments. In production, authorize only a specific IP address or range of addresses to access your instance.

SSH rule

Type: SSH

Source: Custom, specify the public IP address of your computer or network in CIDR notation. To specify an individual IP address in CIDR notation, add the routing prefix /32. For example, if your IP address is 203.0.113.25, specify 203.0.113.25/32. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.

Important

For security reasons, we don't recommend that you allow SSH access from all IP addresses (0.0.0.0/0) to your instance, except for testing purposes and only for a short time.

Install the Amazon CLI

The Amazon Web Services Management Console can be used to manage all operations manually with Amazon ECS. However, installing the Amazon CLI on your local desktop or a developer box enables you to build scripts that can automate common management tasks in Amazon ECS.

To use the Amazon CLI with Amazon ECS, install the latest Amazon CLI version. For information about installing the Amazon CLI or upgrading it to the latest version, see Installing the Amazon Command Line Interface in the Amazon Command Line Interface User Guide.