Set up to use Amazon ECS
If you've already signed up for Amazon Web Services (Amazon) and have been using Amazon Elastic Compute Cloud (Amazon EC2), you are close to being able to use Amazon ECS. The set-up process for the two services is similar. The following guide prepares you for launching your first Amazon ECS cluster.
Complete the following tasks to get set up for Amazon ECS.
Amazon Web Services Management Console
The Amazon Web Services Management Console is a browser-based interface for managing Amazon ECS resources. The console provides a visual overview of the service, making it easy to explore Amazon ECS features and functions without needing to use additional tools. Many related tutorials and walkthroughs are available that can guide you through use of the console.
For a tutorial that guides you through the console, see Learn how to create and use Amazon ECS resources.
When starting out, many customers prefer using the console because it provides instant visual feedback on whether the actions they take succeed. Amazon customers who are familiar with the Amazon Web Services Management Console can easily manage related resources such as load balancers and Amazon EC2 instances.
Start with the Amazon Web Services Management Console.
Sign up for an Amazon Web Services account
If you do not have an Amazon Web Services account, use the following procedure to create one.
To sign up for Amazon Web Services
Open http://www.amazonaws.cn/ and choose Sign Up. Follow the on-screen instructions.
Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to http://www.amazonaws.cn/
Secure IAM users
After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.
To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.
For more information about creating and securing IAM users, see the following topics in the IAM User Guide:
Create a virtual private cloud
You can use Amazon Virtual Private Cloud (Amazon VPC) to launch Amazon resources into a virtual network that you've defined. We strongly suggest that you launch your container instances in a VPC.
If you have a default VPC, you can skip this section and move to the next task, Create a security group. To determine whether you have a default VPC, see Work with your default VPC and default subnets in the Amazon VPC User Guide. Otherwise, you can create a nondefault VPC in your account using the steps below.
For information about how to create a VPC, see Create a VPC in the Amazon VPC User Guide, and use the following table to determine what options to select.
Option | Value |
---|---|
Resources to create | VPC only |
Name | Optionally provide a name for your VPC. |
IPv4 CIDR block | IPv4 CIDR manual input. The CIDR block size must be between /16 and /28. |
IPv6 CIDR block | No IPv6 CIDR block |
Tenancy | Default |
For more information about Amazon VPC, see What is Amazon VPC? in the Amazon VPC User Guide.
Create a security group
Security groups act as a firewall for associated container instances, controlling both inbound and outbound traffic at the container instance level. You can add rules to a security group that enable you to connect to your container instance from your IP address using SSH. You can also add rules that allow inbound and outbound HTTP and HTTPS access from anywhere. Add any rules to open ports that are required by your tasks. Container instances require external network access to communicate with the Amazon ECS service endpoint.
If you plan to launch container instances in multiple Regions, you need to create a security group in each Region. For more information, see Regions and Availability Zones in the Amazon EC2 User Guide.
Tip
You need the public IP address of your local computer, which you can get using a service. For example, we provide the following service: http://checkip.amazonaws.com/
For information about how to create a security group, see Create a security group for your Amazon EC2 instance in the Amazon EC2 User Guide and use the following table to determine what options to select.
Option | Value |
---|---|
Region | The same Region in which you created your key pair. |
Name | A name that is easy for you to remember, such as ecs-instances-default-cluster. |
VPC | The default VPC (marked with "(default)"). Note: If your account supports Amazon EC2 Classic, select the VPC that you created in the previous task. |
For information about the outbound rules to add for your use cases, see Security group rules for different use cases in the Amazon EC2 User Guide.
Amazon ECS container instances do not require any inbound ports to be open. However, you might want to add an SSH rule so you can log into the container instance and examine the tasks with Docker commands. You can also add rules for HTTP and HTTPS if you want your container instance to host a task that runs a web server. Container instances do require external network access to communicate with the Amazon ECS service endpoint. Complete the following steps to add these optional security group rules.
Add the following three inbound rules to your security group. For information about how to create a security group, see Configure security group rules in the Amazon EC2 User Guide.
Option | Value |
---|---|
HTTP rule | Type: HTTP. Source: Anywhere. This option automatically adds the 0.0.0.0/0 IPv4 CIDR block as the source. This is acceptable for a short time in a test environment, but it's unsafe in production environments. In production, authorize only a specific IP address or range of addresses to access your instance. |
HTTPS rule | Type: HTTPS. Source: Anywhere. This is acceptable for a short time in a test environment, but it's unsafe in production environments. In production, authorize only a specific IP address or range of addresses to access your instance. |
SSH rule | Type: SSH. Source: Custom, specify the public IP address of your computer or network in CIDR notation. To specify an individual IP address in CIDR notation, add the routing prefix Important: For security reasons, we don't recommend that you allow SSH access from all IP addresses ( |
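The rules above can be checked after the fact. The following added example (not part of the original guide) audits security group ingress rules for SSH open to every address and, in production mode, for HTTP/HTTPS open to every address. It assumes input in the JSON shape returned by `aws ec2 describe-security-groups`; the sample group, its ID, and the severity labels are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [{
    "GroupId": "sg-0example",
    "GroupName": "ecs-instances-default-cluster",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.25/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}]}

def covers_port(perm, port):
    """True if the rule's protocol and port range include the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    return proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def sources(perm):
    """All IPv4 and IPv6 source networks of one ingress rule."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def audit(doc, production=False):
    """Return (group_id, port, cidr, severity) for rules open to every address."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            for net in sources(perm):
                if net.prefixlen != 0:  # a specific address or range, not "Anywhere"
                    continue
                for port in (22, 80, 443):
                    # SSH from anywhere is always flagged; web ports only in production.
                    if covers_port(perm, port) and (port == 22 or production):
                        sev = "high" if port == 22 else "review"
                        findings.append((sg["GroupId"], port, str(net), sev))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, production=True))
```

The fourth sample rule shows why the check looks at port ranges and IPv6 sources: a wide range open to `::/0` exposes SSH even though no rule names port 22 explicitly.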
Create the credentials to connect to your EC2 instance
For Amazon ECS, a key pair is only needed if you intend to use the EC2 launch type.
A Linux instance, such as an Amazon ECS container instance, has no password to use for SSH access. You use a key pair to log in to your instance securely. You specify the name of the key pair when you launch your container instance, then provide the private key when you log in using SSH.
If you haven't created a key pair already, you can create one using the Amazon EC2 console. If you plan to launch instances in multiple regions, you'll need to create a key pair in each region. For more information about regions, see Regions and Availability Zones in the Amazon EC2 User Guide.
To create a key pair
- Use the Amazon EC2 console to create a key pair. For more information about creating a key pair, see Create a key pair in the Amazon EC2 User Guide.
For information about how to connect to your instance, see Connect to your Linux instance in the Amazon EC2 User Guide.
Install the Amazon CLI
The Amazon Web Services Management Console can be used to manage all operations manually with Amazon ECS. However, you can install the Amazon CLI on your local desktop or a developer box so that you can build scripts that can automate common management tasks in Amazon ECS.
To use the Amazon CLI with Amazon ECS, install the latest Amazon CLI version. For information about installing the Amazon CLI or upgrading it to the latest version, see Installing or updating to the latest version of the Amazon CLI in the Amazon Command Line Interface User Guide.
The Amazon Command Line Interface (Amazon CLI) is a unified tool that you can use to manage your Amazon services. With this one tool alone, you can both control multiple Amazon services and automate these services through scripts. The Amazon ECS commands in the Amazon CLI are a reflection of the Amazon ECS API.
The Amazon CLI is suitable for customers who prefer and are used to scripting and interfacing with a command line tool and know exactly which actions they want to perform on their Amazon ECS resources. The Amazon CLI is also helpful to customers who want to familiarize themselves with the Amazon ECS APIs. Customers can use the Amazon CLI to perform a number of operations on Amazon ECS resources, including Create, Read, Update, and Delete operations, directly from the command line interface.
Use the Amazon CLI if you are or want to become familiar with the Amazon ECS APIs and corresponding CLI commands and want to write automated scripts and perform specific actions on Amazon ECS resources.
Amazon also provides the command line tools Amazon Tools for Windows PowerShell. For more information, see the Amazon Tools for Windows PowerShell User Guide.
Next steps for using Amazon ECS
After installing the Amazon CLI, there are many different tools you can utilize as you continue to use Amazon ECS. The following links explain what some of those tools are and give examples of how to use them with Amazon ECS.
- Create your first container image with Docker and push it to Amazon ECR for use in your Amazon ECS task definitions.
- Learn how to create an Amazon ECS Linux task for the Fargate launch type.
- Learn how to create an Amazon ECS Windows task for the Fargate launch type.
- Learn how to create an Amazon ECS Windows task for the EC2 launch type.
- Using your preferred programming language, define infrastructure or architecture as code with the Creating Amazon ECS resources using the Amazon CDK.
- Define and manage all Amazon resources in your environment with automated deployment using Creating Amazon ECS resources using Amazon CloudFormation.
- Use the complete Creating Amazon ECS resources using the Amazon Copilot command line interface end-to-end developer workflow to create, release, and operate container applications that comply with Amazon best practices for infrastructure.