quinta-feira, 28 de julho de 2016

AWS CSA: Professional - Core Services - Compute: ECS and ECR

In this blog I will briefly cover ECS and ECR, the Docker-based AWS solution for automated Docker containers deployment.

Both services are tightly related, as ECR stores the images and manages the deployment and permissions on the Docker repositories, and ECS is a scalable EC2-based cluster service to run and scale Docker containers.

ECR - Elastic Container Registry


As official AWS docs says:
Amazon EC2 Container Registry (Amazon ECR) is a managed AWS Docker registry service that is secure, scalable, and reliable . Amazon ECR supports private Docker repositories with resource-based permissions using AWS IAM so that specific users or Amazon EC2 instances can access repositories and images. Developers can use the Docker CLI to push, pull, and manage images.


Amazon ECR contains the following components: 
  • Registry An Amazon ECR registry is provided to each AWS account; you can create image repositories in your registry and store images in them. 
  • Authorization token Your Docker client needs to authenticate to Amazon ECR registries as an AWS user before it can push and pull images.The AWS CLI get-login command provides you with authentication credentials to pass to Docker. 
  • Repository An Amazon ECR image repository contains your Docker images. 
  • Repository policy You can control access to your repositories and the images within them with repository policies.
  • Image You can push and pull Docker images to your repositories.You can use these images locally on your development system, or you can use them in Amazon ECS task definitions. 

Registry Concepts

You can use Amazon ECR registries to host your images in a highly available and scalable architecture, allowing you to deploy containers reliably for your applications.You can use your registry to manage image repositories and Docker images. Each AWS account is provided with a single (default) Amazon ECR registry.

• The URL for your default registry is https://aws_account_id.dkr.ecr.us-east-1.amazonaws.com. 
• By default, you have read and write access to the repositories and images you create in your default registry. 
• You can authenticate your Docker client to a registry so that you can use the docker push and docker pull command to push and pull images to and from the repositories in that registry. 
• Repositories can be controlled with both IAM user access policies and repository policies.

You can manage your repositories through the CLI, API or Mgmt Console, but for some image related actions you would prefer the Docker CLI. Docker CLI does not authenticate in AWS per default, so you will need to use the command get-login from AWS cli to get a Docker compatible auth string.

Repository Concepts

Amazon ECR provides API operations to create, monitor, and delete repositories and set repository permissions that control who can access them.You can perform the same actions in the Repositories section of the Amazon ECS console. Amazon ECR also integrates with the Docker CLI allowing you to push and pull images from your development environments to your repositories.

  • By default, you have read and write access to the repositories you create in your default registry (aws_account_id.dkr.ecr.us-east-1.amazonaws.com). 
  • Repository names can support namespaces, which you can use to group similar repositories. For example if there are several teams using the same registry, Team A could use the team-a namespace while Team B uses the team-b namespace. Each team could have their own image called web-app, but because they are each prefaced with the team namespace, the two images can be used simultaneously without interference. Team A's image would be called team-a/web-app, while Team B's image would be called team-b/web-app. 
  • Repositories can be controlled with both IAM user access policies and repository policies.


Amazon ECR stores Docker images in image repositories.You can use the Docker CLI to push and pull images from your repositories. 

Important Amazon ECR users require permissions to call ecr:GetAuthorizationToken before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.

Using ECR images with ECS

You can use your Amazon ECR images with Amazon ECS, but you need to satisfy some prerequisites:

• Your container instances must be using at least version 1.7.0 of the Amazon ECS container agent. The latest version of the Amazon ECS-optimized AMI supports Amazon ECR images in task definitions.
• The Amazon ECS container instance role (ecsInstanceRole) that you use with your container instances must possess the following IAM policy permissions for Amazon ECR.


  • You pay only for the storage used by your images. 
  • Data transfer IN is free of charge
  • Data transfer OUT is charged in layers according the amount of data transferred.

Service Limits

When to use ECS?

When you already have Docker images or utilizes Docker for your applications  you can have benefit for images store, solid security control, automated deployment and integration with ECS.

ECS - Elastic Container Service

<to be continued>

Nenhum comentário:

Postar um comentário