Have you heard about containers?

Today is Friday, March 29th, are we are 25% of the way through the year and things are coming quick and fast in the world of Amazon Web Services. When I was going through the recent announcements in preparation for this article it was a pleasure to see that the world of containers has gotten a number of handy feature updates this week. From new pre-configured container images to testing tools and even new deployment options, it’s all happening this week. As always, this list is not meant to be an exhaustive list of all the updates and changes to the AWS ecosystem, but simply a summary of changes that might have an impact on the business and trends we at Kloud are seeing within the industry. If you would like to talk to somebody about how you might be able to leverage some of these new technologies and services, please feel free to reach out using the contact link at the top of the page.

The key takeaways from this week are:

  • AWS Fargate and Amazon ECS Support external Deployment Controllers for ECS Services
  • Amazon EKS Opens Public Preview of Windows Container Support
  • New Local Testing Tools Now Available for Amazon ECS
  • New AWS Deep Learning Containers
  • Service control policies in AWS Organizations enable fine-grained permission controls

AWS Fargate and Amazon ECS Support external Deployment Controllers for ECS Services

First off in this week’s rundown is the announcement coming out of the Containers team that both AWS Fargate and Amazon Elastic Container Services (ECS) now support deployment controllers for ECS services with the launch of task set management API’s. What does that mean for the masses? Well, Task Sets are a new primitive to allow controlled management of application revisions within a single ECS Service.

Taken Directly from the announcement “You typically deploy new versions of your services in a staged deployment sequence to ensure everything is functioning smoothly before fully transitioning your current production workload from one version to another.” While this process does work, it limited a team’s available to granularly control how the updates and transfer of traffic would occur. If you wanted to fully manage the release of a new version, you would typically create a new ECS service and transition users across.

With this announcement “Now, you may leverage task sets to configure multiple revisions of your application all scoped within a single service. When you want to deploy a new version of your application you may create a new task set within an existing service that has its own task definition. Individual task sets also provide a scale parameter which will ensure that it is running a specific percentage of the overall desired tasks of your service.” This means that you can release a new revision of your application and control how it is eased into your production environment, reducing the size of the change and in turn lowering the likelihood of unexpected issues arising. This is shown to save a lot of time for teams currently working on Fargate and ECS workloads and we will be releasing an article in the coming weeks with a deep dive on the new functionality. If you would like to investigate the new feature for yourself in the meantime the can get started by revising the updated documentation available here.

Amazon EKS Opens Public Preview of Windows Container Support

Here at Kloud, we are no stranger to running Windows-based container workloads for our customers on Amazon ECS. Well, on Wednesday it was announced that AWS has just launched a developer preview of Windows nodes for Amazon Elastic Container Service for Kubernetes (EKS). Starting with Kubernetes version 1.11, users can begin to test and validate migrating windows workloads to containers managed by Kubernetes with Amazon EKS.

I’m sure there are a lot of people itching to get started playing with Windows nodes, and you can start right now by heading over to the GitHub project, which has all of the information you’ll need to get up and running. It’s important to remember, however, that this is a developer preview and as such there are a number of Important considerations to be aware of before starting:

  • EKS Windows nodes are only supported by Kubernetes version 1.11 (1.10 is not supported).
  • Windows EC2 instance types C3, C4, D2, I2, M4 (excluding m4.16xlarge), and R3 instances are not supported.
  • Microsoft doesn’t support hostnetworking mode in Windows yet. Hence an EKS Windows cluster will be a mixed mode cluster (1 Linux node and 3+ Windows nodes).
  • The VPC resource controller and coredns will be running in a Linux node.
  • Kubelet and kube-proxy event logs are redirected to Windows Event log (Log: EKS) and is set to 200 MB limit.
  • There is no support for secondary CIDR blocks with Windows nodes.
  • Workloads must have valid node selectors:

As of the time of writing, there are 159 open issues on the GitHub project (quite a number are feature requests rather than actual issues/bugs) with another 60 already closed so it’s clearly a very active project.

New Local Testing Tools Now Available for Amazon ECS

Continuing on the Container theme, the ECS team also announced on Wednesday the availability of a new set of open sources tools to test an application locally before deploying to ECS.

“Previously, you had to deploy your applications to ECS to ensure that updates were technically working properly for the credentials and task metadata service. If something was misconfigured, it required subsequent deployments to production to resolve the issue.


Now, you can use a new open source repository to locally test containers that use AWS credentials or the task metadata service end-points. This speeds up the local development iteration loop to allow you to get your applications running faster on ECS with confidence”

I’m a little torn when it comes to local development tools. On the one hand, if you have a solid CI/CD toolchain, there is an argument to be had that decoupling some of your development tasks may reduce the traceability of your development and deployment workflows. On the other hand, I’ve lost count of the number of times I’ve deployed broken applications and had to redeploy the previous version to fix the issue, so being able to valid earlier in the development cycle will save time and effort (Not to mention my personal sanity level). I’ll defiantly be giving this a test of my next ECS project so if nobody else beats me to it, I’ll document my experience and post it here. As with most things AWS, they’ve released the code under the awslabs GitHub organization and it’s available here if you’d like to give it a spin for yourself.

New AWS Deep Learning Containers

And lastly, for our Container updates, is the release of a range of newly created AWS Deep Learning Containers. “AWS Deep Learning Containers (AWS DL Containers) are Docker images pre-installed with deep learning frameworks to make it easy to deploy custom machine learning environments quickly. AWS DL Containers support TensorFlow and Apache MXNet, with PyTorch coming soon.” While I’m not the right person to be putting these new containers through their paces (We have much smarter people than I when it comes to Deep Learning), I’m excited to see AWS continue to make these services available and lower the barrier of entry to Machine Learning. It’s important to note that AWS Deep Learning Containers can be deployed on Amazon EKS, Amazon ECS, EC2 and Self-managed Kubernetes environments for specific information available at the product page here.

Service control policies in AWS Organizations enable fine-grained permission controls

Breaking away from the world of containers is an announcement that I’ve been waiting for ever since AWS Organizations was first announced. On Monday it was announced that “you can use Service Control Policies (SCPs) to set permission guardrails with the fine-grained controls used in AWS Identity and Access Management (IAM) policies” This is huge, with the update, you can now specify conditions, Resources and NotActions to deny access across accounts in you AWS organization. These new features greatly open up the options customers have when designing and managing their Multi-Account environments and I am already in the process of writing an article showcasing how they can be used to simplify your security footprint… Keep an eye out for it in the next day or two. If you’re like me and want to dive right in…. take a look at the updated Service Control Policies Documentation here.

And that’s it for the AWS update for Friday the 29th of March 2019. Please keep an eye out for our weekly updates on the happenings within the AWS eco-system. We post updates every Friday as well as detailed tutorials and deep dives on products throughout the week. If there something you’d like to see on the Kloud Blog, please feel free to drop a comment below.


Amazon Web Services