Aws Ecs

Core Architecture

ECS has three layers:

Key Components

Launch Types

Fargate (Serverless) — Default Choice

• AWS manages the underlying compute — no EC2 instances to provision or patch
• Each task gets its own isolated compute environment (separate kernel, CPU, memory, ENI)
• Uses awsvpc network mode exclusively
• Must use ip target type on load balancer target groups
• Supports Fargate Spot for interruptible, cost-sensitive workloads (~70% cheaper, 2-min interruption warning)
• Pay per vCPU and GB of memory per second

When to use Fargate:

• Default for new workloads — less operational overhead
• Variable or unpredictable traffic
• Security-sensitive workloads (stronger isolation)
• Teams without EC2 expertise

EC2 Launch Type

• You manage EC2 instances in the cluster (type, count, patching)
• Full control over instance type (GPU, high-memory, ARM)
• Supports multiple network modes (awsvpc, bridge, host)
• Container Instance Role required (allows EC2 to register with cluster)
• Better for: consistent high-utilization workloads, GPU containers, Windows containers, custom AMIs

ECS Anywhere (Hybrid)

• Register on-premises servers or VMs as external instances
• Useful for data-residency requirements or workloads that can't move to cloud

Capacity Provider Strategy

Preferred over hardcoding launch type — lets you mix Fargate and EC2, or Fargate and Fargate Spot:

"capacityProviderStrategy": [
  { "capacityProvider": "FARGATE",      "weight": 1, "base": 1 },
  { "capacityProvider": "FARGATE_SPOT", "weight": 3, "base": 0 }
]

This runs 1 guaranteed Fargate task, then places 3x as many on Spot.

Task Definitions

Task definitions are versioned JSON documents. Each new registration creates a new revision; old revisions remain available.

Critical Parameters

{
  "family": "my-app",
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc",
  "cpu": "512",
  "memory": "1024",
  "executionRoleArn": "arn:aws:iam::ACCOUNT:role/ecsTaskExecutionRole",
  "taskRoleArn": "arn:aws:iam::ACCOUNT:role/my-app-task-role",
  "containerDefinitions": [
    {
      "name": "my-app",
      "image": "123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest",
      "portMappings": [{ "containerPort": 8080, "protocol": "tcp" }],
      "essential": true,
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/my-app",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "secrets": [
        { "name": "DB_PASSWORD", "valueFrom": "arn:aws:secretsmanager:..." }
      ]
    }
  ]
}

Fargate CPU/Memory Valid Combinations

Container Restart Policy

Configure per-container so a sidecar crash doesn't kill the whole task:

"restartPolicy": {
  "enabled": true,
  "ignoredExitCodes": [0],
  "restartAttemptPeriod": 300
}

IAM Roles — The Most Common Source of Confusion

ECS uses three distinct roles. Mixing them up causes the most common permission errors.

Task Execution Role

Who uses it: The ECS agent (not your code) Purpose: Allows ECS to do setup work on your task's behalf

Required permissions for common scenarios: