Prerequisites for ECS Multi-Container Deployment – EC2 Launch Type
This document outlines the essential prerequisites for deploying a multi-container application using Amazon ECS with the EC2 launch type. It covers key configurations such as setting up VPC public subnets, creating IAM roles for ECS services, configuring EFS for persistent storage, and setting up a load balancer to route traffic to your services. Completing these steps ensures a secure and reliable infrastructure to support seamless ECS deployments in your environment.
1. VPC Public Subnet Setup
- Check if a VPC public subnet exists. If not, create a public subnet. For an existing public subnet, ensure that the Public IP option is enabled.
- If it is not enabled, click on the Actions button within the public subnet and select Edit subnet settings.
- Enable the auto-assign public IPv4 checkbox, and then click Save.
- By enabling the auto-assign public IPv4 option, all new instances launched in this public subnet will automatically receive a public IP address.
Note: The VPC and subnet must be shared across the ECS cluster, EFS, and the load balancer to ensure proper network communication and accessibility.
2. IAM Role Creation for ECS Service
Two IAM roles are required for ECS deployment: the Task Role and the Task Definition Role.
a. Creating the Task Role
- Go to IAM and click the Roles option in the left-side menu.
- Click the Create role button.
- Select the entity type AWS Service. In the service section, choose Elastic Container Service.
- Enable the use case Elastic Container Service Task, and then click Next.
- On the next page, attach the policy AmazonECSTaskExecutionRolePolicy, and then click Next.
- Enter a role name and click Create role to complete the creation of the ECS Task Role.
b. Creating the Task Definition Role
- Go to IAM and click the Roles option in the left-side menu.
- Click the Create role button.
- Select the entity type AWS Service. In the service section, choose Elastic Container Service.
- Enable the use case Elastic Container Service Task, and then click Next.
- On the next page, attach the following AWS managed policies and the two customer managed policies below (each customer managed policy must already exist as a JSON policy document so that it can be selected here), then click Next:

AWS Managed Policies:
- AmazonECS_FullAccess
- AmazonECSTaskExecutionRolePolicy
- AWSCodeDeployRoleForECSLimited

Customer Managed Policies:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "elasticfilesystem:DescribeAccessPoints",
          "elasticfilesystem:DescribeFileSystems",
          "elasticfilesystem:DescribeMountTargets",
          "ec2:DescribeAvailabilityZones"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "elasticfilesystem:CreateAccessPoint"
        ],
        "Resource": "*",
        "Condition": {
          "StringLike": {
            "aws:RequestTag/efs.csi.aws.com/cluster": "true"
          }
        }
      },
      {
        "Effect": "Allow",
        "Action": "elasticfilesystem:DeleteAccessPoint",
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
          }
        }
      }
    ]
  }

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:CreateLogGroup",
          "logs:DescribeLogStreams",
          "logs:DescribeLogGroups"
        ],
        "Resource": "*"
      }
    ]
  }
- Enter a role name and click Create role to complete the creation of the ECS Task Definition Role.
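As an added least-privilege check (example code written for this document, not part of the original procedure), the script below loads copies of the two customer managed policies above and flags any Allow statement that grants write actions on Resource "*" without a Condition. The scoped CloudWatch Logs variant at the end, including its log group ARN pattern, is a constructed illustration of how such a finding can be remediated.

```python
from typing import Any, List

# Actions whose name starts with one of these are treated as read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value: Any) -> list:
    """IAM accepts either a string or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(policy: dict) -> List[str]:
    """Return one finding per Allow statement that grants at least one
    non-read action on every resource with no Condition to scope it."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        writes = [a for a in _as_list(stmt.get("Action"))
                  if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
        if writes and "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition"):
            findings.append(f"statement {idx}: {', '.join(writes)} on Resource '*' with no Condition")
    return findings


# Inline copies of the two customer managed policies from the page.
EFS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets", "ec2:DescribeAvailabilityZones"]},
    {"Effect": "Allow", "Action": ["elasticfilesystem:CreateAccessPoint"], "Resource": "*",
     "Condition": {"StringLike": {"aws:RequestTag/efs.csi.aws.com/cluster": "true"}}},
    {"Effect": "Allow", "Action": "elasticfilesystem:DeleteAccessPoint", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/efs.csi.aws.com/cluster": "true"}}}]}
LOGS_ACTIONS = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup",
                "logs:DescribeLogStreams", "logs:DescribeLogGroups"]
LOGS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": LOGS_ACTIONS, "Resource": "*"}]}

# Constructed remediation: same actions, limited to log groups under a chosen prefix.
# The region, account and "/ecs/" prefix are placeholders, not values from the page.
LOGS_POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": LOGS_ACTIONS,
     "Resource": "arn:aws:logs:*:*:log-group:/ecs/*:*"}]}

if __name__ == "__main__":
    for name, pol in [("efs", EFS_POLICY), ("logs", LOGS_POLICY), ("logs-scoped", LOGS_POLICY_SCOPED)]:
        print(name, review_policy(pol) or "no findings")
```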
3. EFS for Mounting with ECS
- Go to the EFS service and click the Create File System button.
- The default creation page will appear. Click Customize to adjust the configuration.
- Provide a name for the EFS and select the required File system type to ensure data availability.
- Enable the backup option as required, and choose None for transitioning to archive storage after 30 days.
- Choose the required Throughput mode for performance. Then, click Next.
- On the Networking page, choose your VPC and select the public subnet under the subnet section. Then, click Next.
- On the file system policy page, disregard the policy configuration since EFS access is granted in the Task Definition Role. Click Next to complete the EFS creation. Without a file system policy, reachability of the mount targets is governed by their security group, so restrict inbound NFS (TCP 2049) on that group to the security group of the ECS container instances.
4. Load Balancer for Service Access
- Go to the EC2 service and click the Load Balancers option in the left-side menu.
- Click the Create load balancer button.
- Select Application Load Balancer as the type and provide a name for the load balancer.
- In the Network Mapping section, choose your VPC and public subnet along with a security group.
- Add the listener and port (e.g., 80 for HTTP or 443 for HTTPS).
- Create a Target Group to attach to the load balancer.
a. Target Group Creation
- In the target group creation process, choose Instance as the target type.
- Provide a name for the target group.
- Select the protocol and port (443 or 80, based on your use case).
- Click Next, and then click Create to complete the target group creation.
- Attach the target group to the load balancer and click Create to finalize the load balancer setup.