ECS Flashcards

1
Q

What is the role of dynamic port mapping with respect to ECS? Which ELB type supports this?

A

Dynamic port mapping is used to load balance ECS tasks on an EC2 instance and is supported by an ALB

2
Q

What is a task role with respect to ECS?

A

Optional IAM role that tasks can use to make API requests to authorized AWS services. Create an Amazon Elastic Container Service Task Role in the

3
Q

What is the difference between a REPLICA and a DAEMON service type with respect to setting up an ECS service?

A

A replica will attempt to run the desired number of tasks across the ECS cluster. A Daemon service runs one copy of the task on each of the EC2 instances in the cluster and is useful for monitoring.

4
Q

What is a Blue/Green deployment and what AWS technology can be used to execute a blue/green deployment against ECS?

A

A blue/green deployment consists of having individual deployments of both your existing code and new code. A proportion of traffic can be routed to the new code to determine stability. A blue/green deployment allows fast rollbacks. AWS CodeDeploy is used for Blue/Green deployments on ECS.

5
Q

We need to create a load balanced ECS cluster with multiple tasks per container. Would you use a classic or application load balancer?

A

Application. A classic load balancer allows only one task per container instance

6
Q

We have created an ECS Cluster intended to serve HTTP traffic. When defining the task definition, we have set up a port mapping to take traffic inbound on the host EC2 instances' port 8080 and dynamic port mapping for the containers. The cluster starts without any issue, but when we attempt to hit the site's index.html page using port 8080, we get a timeout. Why?

A

The security group that is created for the host EC2 instances when defining the cluster does not allow traffic inbound on port 8080.

7
Q

We have created an ECS Cluster intended to serve HTTP traffic. When defining the task definition, we have set up a port mapping to take traffic inbound on the host EC2 instances' port 8080 and map it to the Docker container port 80. In our service definition for the tasks we specify that we want to run 3 copies of the task definition on the same ECS Container. What are we likely to see in the ECS Event logs for that service and how many tasks will we see running?

A

We will see 1 task running and a message stating that we were unable to place a task because no container instance met all of its requirements due to a required port (host port 8080) already being in use.

8
Q

We have a task set up in ECS which has defined a container. This container needs access to images stored on S3, but can’t seem to access the bucket. Why?

A

A task role needs to be set up allowing access to the specified bucket.

9
Q

What would you use ECR for?

A

ECR is the AWS docker container repository. It is private to your account and is used to store docker images within AWS.

10
Q

You are attempting to do a pull request for a docker image against ECR, but get a permission denied error. Why?

A

Access to ECR is controlled by IAM. If you are getting a permission denied for push or pull requests it is because your IAM policy is not set up correctly and is not permissive enough.

11
Q

What is the purpose of this command and what is the meaning of the pipe? Which CLI version is this for?

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 260783585248.dkr.ecr.us-east-1.amazonaws.com

A

This command performs a login against an ECR repository. The command is split into two by the pipe, with the initial aws component generating a password for the ECR repo, which is then piped through to the docker command which performs the login. This is for CLI version 2.

12
Q

What is the purpose of this command?

docker push 260783585248.dkr.ecr.us-east-1.amazonaws.com/udemy-ecr-training:latest

A

This pushes a docker image to an ECR repository.

13
Q

We currently have a task definition - httpd:1. What version is this definition?

A

Version 1

14
Q

I have a task definition set up to service HTTP requests - the definition is called httpd:1. As part of the setup, the task definition has a container (called httpd) which uses the public httpd:2.4 docker image from Apache. We need to update this image to one that we have placed in ECR which contains some custom setup. Can we change the task definition as it stands to include this new image?

A

No, we will need to create a new version of the task definition and then make changes to the container settings in the new version.

15
Q

When setting up an ECS infrastructure, where would you define the task role?

A

In the task definition

16
Q

In terms of IAM and ECS, there are two key IAM components: one defines how and with what the ECS agent can communicate, and the other defines how and with what the ECS task can communicate. What are they? (Hint: think specifically of what ECS runs on, not Fargate.)

A

The EC2 instance profile is used by the ECS agent and allows it to make calls to the ECS API, CloudWatch and ECR.
Task roles allow a task to be assigned specific roles per task, and different tasks can have different roles assigned to them - for instance one task can have getObject permissions on S3, another can have permissions to the EC2 API.

17
Q

What 3 things does an EC2 ECS instance profile allow the ECS Agent to interact with?

A
  • CloudWatch Logs (for shipping container logs)
  • ECR (for pulling images)
  • ECS API (for making calls to the ECS API)
18
Q

Can you define task placement strategies or task placement constraints for a Fargate-based ECS cluster?

A

No. Task placement strategies and task placement constraints are only available for ECS on EC2

19
Q

When determining where to place tasks, what 4 steps does ECS use to determine which container instance to use for the task?

A
  1. Identify container instances that satisfy the CPU, RAM and Port requirements
  2. Identify instances that satisfy the task placement constraints
  3. Identify instances that satisfy the task placement strategy
  4. Select the instances.

R.C.S.S - Radio Controlled Space Shuttle

20
Q

With respect to ECS placement strategies, which one offers the most cost savings and why?

A

Bin pack will offer the most cost savings as it assigns tasks to instances with the LEAST available CPU and memory - effectively making sure each instance is fully utilised before instantiating a new one.

21
Q

When designing an ECS cluster for maximum availability, what Task Placement Strategy would you use and why?

A

Spread. This spreads tasks evenly across all instances over all AZs, which maximizes availability.

22
Q

What are the three Task Placement Strategies available in ECS?

A

Binpack
Random
Spread

23
Q

We are setting up an ECS Classic Cluster (EC2 backed) which is intended to provide web server capabilities for our application. When setting up the Container Definitions in the Task Definition we need to decide if we want to map our host port to the container port (in this case, the container port is port 80). Do we want to map our host port to our container port? Why or why not?

A

No, we don’t. If we map the host port to the container port we will only be able to instantiate one task per EC2 instance as when another task attempts to start it will throw an error as the host port is already in use.

24
Q

We are setting up an ECS Classic Cluster (EC2 backed) which is intended to provide web server capabilities for our application. Our instances responsible for running the tasks will be sitting behind an application load balancer. What changes do we need to make to the EC2 security group to make this setup secure?

A

The EC2 security group will need to be set up to allow inbound traffic from the ALB security group only.

25
Q

In ECS, does a security group operate at the INSTANCE or the TASK level?

A

At the instance level

26
Q

What does an ECS task need to allow it to execute actions against AWS services?

A

An IAM task role needs to be set up for the task.

27
Q

What is the purpose of this command and what does it produce as an output?

$(aws ecr get-login --no-include-email --region eu-west-1)

A

This is the CLI v1 command for logging into ECR. It will produce as an output the docker login command string.

28
Q

When provisioning containers through Fargate, do we need to provision an ENI as well?

A

No, Fargate will provision an ENI per container when it sets up the stack

29
Q

When provisioning through Fargate, what does the container spec refer to with respect to tasks?

A

The container spec defines the amount of CPU and RAM that we assign to the container. Fargate is serverless so it will manage the provisioning of the underlying EC2 instances for us based on the container specs and how many are running.

30
Q

When provisioning through Fargate, do we need to have IAM roles assigned to tasks to allow them access to AWS resources?

A

Yes

31
Q

What are the three autoscaling strategies for ECS Services and how are they triggered? (Hint: autoscaling group strategies)

A

Target Tracking - based on a specific average of resource utilisation

Step - Scale based on Cloudwatch alarms

Scheduled - based on predictable changes

32
Q

If we are autoscaling a SERVICE does this mean that the underlying EC2 instances will autoscale also?

A

No, the number of services will scale up or down, but the underlying instances may not

33
Q

How would we ensure that the underlying number of instances running our tasks will autoscale as more and more tasks are required so we don’t lose capacity?

A

You would need to set up a Cluster Capacity Provider. This will work with the cluster to determine the infrastructure required to run tasks. For EC2 classic this needs to be associated with an autoscaling group.

34
Q

You have started an EC2 instance and it’s not registered with the ECS cluster. What’s NOT a reason for this issue?

  1. The ECS Agent is not running
  2. The AMI used was not the AWS ECS AMI
  3. The EC2 instance is missing IAM permissions
  4. A misconfigured security group
A
  1. Security groups do not matter when an instance registers with the ECS service
35
Q

During the configuration of an ECS service, we can set the minimumHealthyPercent value to less than or greater than 100%. What does this mean with respect to task termination and replacement?

A

If the value is below 100%, then a service will terminate a task and then launch a replacement, so we will briefly have less than 100% healthy tasks as one comes down and the next task spools up.

If the value is over 100% then the service will attempt to create a new task and THEN terminate the old one.

36
Q

For a Fargate launch type, where are tasks launched and what gets provisioned to allow for network connectivity?

A

Fargate launches tasks inside an AWS VPC and attaches an ENI to each of the tasks

37
Q

Why would I use container instance draining in ECS? Can additional containers be started up during draining?

A

You use container draining if you need tasks to exit gracefully - i.e. finish what they are doing before being terminated. This would be used for mission critical applications. New containers cannot be added while draining is in progress.

38
Q

I have an ECS cluster running on EC2 instances. We need to be able to cope with increases in demand, so we have created an autoscaling group for our instances. When we hit peak load however, the application still crashed as not enough resources were available for the containers, even though we should have plenty. Why?

A

Enabling autoscaling for the EC2 instances isn’t enough - as scaling out the instances will not increase the running tasks count. You need to also enable service autoscaling.

39
Q

Can containers launched on Fargate run in privileged mode (i.e. with elevated permissions on the host)?

A

No.

40
Q

With respect to Fargate, what is the purpose behind either the “requires” field in the ECS console or the --requires-compatibilities CLI option?

A

These ensure the container is compatible with Fargate.

41
Q

In ECS what two things does a Service define?

A

A service specifies:

  1. The task definition
  2. The number of tasks to maintain at any one time
42
Q

I am running a deployment on an ECS cluster with the minimumPercent value set to 100 and the maximumPercent value set to 200. What cluster capacity will be required for this to run and why?

A

We will need double the cluster capacity for this to work as we will need to accommodate the additional running tasks during deployment.

43
Q

For ECS, we have specified multiple target tracking policies to scale out our tasks. What action will ECS take if these policies are in conflict - i.e how does AWS determine which one of these policies “wins”?

A

The policy that would result in the highest task count wins.

44
Q

When using ECS as a deployment provider for CodePipeline, will CodePipeline create the cluster and service as a part of the pipeline creation process?

A

No. You need to create these beforehand and then specify the appropriate cluster and service names in the CodePipeline console.