ECS Pricing

There is no additional charge for Amazon ECS. You pay for AWS resources


  • Amazon EC2 Launch Type Model
  • AWS Fargate Launch Type Model


  • Both amazon-ecs-agent and the user's containers run as ec2-user.


  • Fargate V.S. EC2
  • ECS Tutorials
  • Creating an ECS application
  • Task Definition parameters
  • Tasks healthy
  • ECR
  • AWSVPC Trunking
  • Container Insights


Fargate V.S. EC2



Fargate

You pay for the amount of vCPU and memory resources that your containerized application requests.

vCPU and memory resources are calculated from the time your container images are pulled until the Amazon ECS Task terminates

No EC2 instances to manage (OS upgrades / patching)

Fargate only supports container images hosted on Elastic Container Registry (ECR) or Docker Hub.

Task storage is ephemeral. After a Fargate task stops, the storage is deleted.


EC2

  • Data volumes that can be used: Docker volumes, Bind mounts
  • Private repositories


ECS Tutorials


Task Definition: the equivalent of a LaunchConfig for a docker container

Settings Example:

  • exposed port,
  • docker image,
  • cpu shares,
  • memory requirement,
  • command to run and
  • environmental variables.

Each "Task Definition" can contain more than one container


Task

This is a running container created from a Task Definition's config.

Usually runs once for a period of time and then exits.


Service

Defines long-running tasks from a Task Definition.

Scheduler Strategies

The service scheduler is responsible for placing tasks within your cluster.

Replica

Places and maintains the desired number of tasks across your cluster.

By default, the service scheduler spreads tasks across Availability Zones.

Daemon

Deploys exactly one task on each active container instance.



Cluster

A logical group of EC2 instances. (Region-specific)

When using the EC2 launch type, your clusters are a group of container instances you manage.

These clusters can contain multiple different container instance types.

Container Agent

ecs-agent is only supported on Amazon EC2 instances.

Container Instance

A member of an ECS Cluster, with the "ecs-agent" running on it.

AMI: Amazon ECS-Optimized Amazon Linux 2 (AL2) x86_64 AMI

ECS Application type

"service" / "task"

service:
  • Supports: Replica / Daemon settings
  • Supports: Load balancing

task:
  • Runs once and exits

Replica & Daemon

  • Replica - Place and maintain a desired number of tasks across your cluster.
  • Daemon - Place and maintain one copy of your task on each container instance.
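As an added example (not code from the page or from AWS), the following Python simulates the two strategies just listed on a small constructed cluster. The instance ids, the Availability Zone layout and the tie-breaking rule are assumptions made for the illustration, not ECS's real placement algorithm; the point is to see what "spread across Availability Zones" and "one task per container instance" produce.

```python
"""Added example: simulate the REPLICA and DAEMON service scheduling
strategies on a constructed sample cluster."""

from collections import Counter

# Constructed sample cluster: container instance id -> Availability Zone
CLUSTER = {
    "i-aaa": "ap-east-1a",
    "i-bbb": "ap-east-1a",
    "i-ccc": "ap-east-1b",
    "i-ddd": "ap-east-1c",
}


def place_replica(cluster, desired_count):
    """REPLICA strategy with the default AZ spread.

    Returns {instance_id: task_count}. Each new task goes to the AZ holding
    the fewest tasks so far, and within that AZ to the least loaded instance;
    ties are broken by name so the result is deterministic (an assumption).
    """
    placements = Counter()
    az_load = Counter({az: 0 for az in set(cluster.values())})
    for _ in range(desired_count):
        az = min(az_load, key=lambda a: (az_load[a], a))
        candidates = [inst for inst, inst_az in cluster.items() if inst_az == az]
        inst = min(candidates, key=lambda i: (placements[i], i))
        placements[inst] += 1
        az_load[az] += 1
    return dict(placements)


def place_daemon(cluster):
    """DAEMON strategy: exactly one task on each active container instance,
    regardless of any desired count."""
    return {inst: 1 for inst in cluster}


def tasks_per_az(cluster, placements):
    """Summarise a placement by Availability Zone, to check the spread."""
    per_az = Counter()
    for inst, count in placements.items():
        per_az[cluster[inst]] += count
    return dict(per_az)


if __name__ == "__main__":
    replica = place_replica(CLUSTER, 6)
    print("REPLICA desired=6:", replica, tasks_per_az(CLUSTER, replica))
    print("DAEMON:", place_daemon(CLUSTER))
```

With six replicas on the four-instance cluster, each of the three AZs ends up with two tasks, so the AZ that has two instances gets one task per instance while the single-instance AZs carry two tasks each; the daemon strategy ignores the count and lands one task on every instance.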


Creating an ECS application


Steps: Cluster > Container Instance > Task Definition > ECR > Task / Service

Step 1: Create a Cluster

aws ecs create-cluster

# without --cluster-name the result is the default cluster: "clusterName": "default"

* By default, your account receives a "default" cluster when you launch your first container instance.
If you create your own, non-default, cluster, you must specify --cluster cluster_name for each command.

aws ecs create-cluster --cluster-name MyCluster


aws ecs list-clusters

{
    "clusterArns": [
        "arn:aws:ecs:<region>:<account-id>:cluster/MyCluster"
    ]
}

Step 2: Launch an Instance with the Amazon ECS AMI

  • AMI

Amazon ECS-Optimized Amazon Linux 2 (AL2) x86_64 AMI


  • user_data

By default, your container instance launches into your "default" cluster.

To launch into a non-default cluster, choose the Advanced Details list and add this to the user data:

echo ECS_CLUSTER=your_cluster_name >> /etc/ecs/ecs.config

  • Container instances need access to communicate with the Amazon ECS service endpoint.

So the instance needs a public IP for internet access, or the VPC needs an ECS service endpoint

  • IAM permissions

The container instance needs the ecsInstanceRole IAM permissions before it can join the cluster


aws ecs list-container-instances --cluster MyCluster

aws ecs describe-container-instances --cluster MyCluster --container-instances container_instance_ID

aws ec2 describe-instances --instance-id instance_id

Step 3: Register a Task Definition

 * A Task Definition does not belong to a Cluster

sleep360.json:

{
  "containerDefinitions": [
    {
      "name": "sleep",
      "image": "busybox",
      "command": ["sleep", "360"],
      "essential": true
    }
  ],
  "family": "sleep360"
}

aws ecs register-task-definition --cli-input-json file://sleep360.json

aws ecs list-task-definitions

{
    "taskDefinitionArns": [
        "arn:aws:ecs:<region>:<account-id>:task-definition/sleep360:1"
    ]
}


aws ecs deregister-task-definition --task-definition sleep360

Step 4: Run a Task

aws ecs run-task --cluster MyCluster --task-definition sleep360 --count 1

--task-definition family:revision

If a revision isn't specified, the latest ACTIVE revision is used.

--count 1

The number of instantiations of the specified task to place on your cluster.

You can specify up to 10 tasks for each call.


aws ecs list-tasks --cluster MyCluster

aws ecs describe-tasks --cluster MyCluster --task task_ID


Task Definition parameters

Reasons to put more than one container in a task:

  • containers share a common lifecycle
  • containers must run on the same underlying host (localhost port)
  • your containers need to share resources (data volumes)


containerDefinitions

Describes the different containers that make up your task.


"containerDefinitions": [
  {
    "name": "sample-app",
    "command": [
      "/bin/sh -c \"echo ... \""
    ],
    "entryPoint": [
      "sh",
      "-c"
    ],
    "essential": true,
    "image": "httpd:2.4",
    "portMappings": [
      {
        "containerPort": 80,
        "hostPort": 80,
        "protocol": "tcp"
      }
    ]
  }
]


  • command
  • entryPoint
  • essential


image

By default, images in the Docker Hub registry are available.

Other repositories are specified with either repository-url/image:tag or repository-url/image@digest

Images in Amazon ECR repositories can be specified by either using

registry/repository:tag or registry/repository@digest

essential (default: true)

If essential is true and that container fails or stops for any reason,
all other containers that are part of the task are stopped.

All tasks must have at least one essential container.


logConfiguration

    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "/ecs/fargate-task-definition",
        "awslogs-region": "ap-east-1",
        "awslogs-stream-prefix": "ecs"
      }
    }

cpu, memory

 * There is a distinction between the "task-level memory value" and the "container-level memory value"

Task-level memory: the amount (in MiB) of memory used by the task.
If you use the EC2 launch type, this field is optional.

Task-level cpu example: 256 (.25 vCPU)


{
  "containerDefinitions": [
    {
      "memoryReservation": 300,
      "cpu": 1024
    }
  ],
  "memory": "512",
  "cpu": "2048"
}

memory (hard limit)

If your container attempts to exceed the memory specified here, the container is killed.

memoryReservation (soft limit)

When system memory is under heavy contention, Docker attempts to keep the container memory within this soft limit.

If a task-level memory value is not specified,
you must specify a non-zero integer for one or both of memory or memoryReservation in a container definition.


networkMode

none, bridge (EC2 default), awsvpc, and host

Fargate must use awsvpc


awsvpc: each task gets its own elastic network interface (ENI),
enabling you to use security groups and network monitoring tools.


portMappings

Port mappings allow containers to access ports on the host container instance to send or receive traffic.

awsvpc / host network mode: you should only specify the containerPort.

bridge network mode: the container automatically receives a host port in the ephemeral port range.
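To tie the parameter rules above together (essential, memory / memoryReservation, networkMode, portMappings), here is an added Python pre-flight validator. It is not code from the page or from AWS; the function names and the two sample task definitions are constructed for this example. It runs the checks against a task definition dict before the JSON is handed to aws ecs register-task-definition, so a rejected definition is caught locally and with a readable reason.

```python
"""Added example: validate a task definition dict against the rules
described in this section before registering it."""

import json

NETWORK_MODES = {"none", "bridge", "awsvpc", "host"}


def validate_task_definition(td):
    """Return a list of problems found; an empty list means these checks pass."""
    problems = []
    containers = td.get("containerDefinitions", [])
    if not containers:
        problems.append("containerDefinitions must not be empty")

    # essential defaults to true; every task needs at least one essential container
    if containers and not any(c.get("essential", True) for c in containers):
        problems.append("at least one container must be essential")

    # memory: with no task-level value, each container needs a hard or soft limit
    task_memory = td.get("memory")
    for c in containers:
        name = c.get("name", "<unnamed>")
        hard, soft = c.get("memory"), c.get("memoryReservation")
        if task_memory is None and not (hard or soft):
            problems.append(f"{name}: set memory or memoryReservation (no task-level memory)")
        if hard is not None and soft is not None and soft > hard:
            problems.append(f"{name}: memoryReservation {soft} exceeds memory hard limit {hard}")

    # networkMode: bridge is the EC2 default; Fargate requires awsvpc
    mode = td.get("networkMode", "bridge")
    if mode not in NETWORK_MODES:
        problems.append(f"unknown networkMode {mode!r}")
    if "FARGATE" in td.get("requiresCompatibilities", []) and mode != "awsvpc":
        problems.append("Fargate tasks must use networkMode awsvpc")

    # portMappings: in awsvpc/host mode the containerPort is exposed as-is,
    # so a different explicit hostPort is a contradiction
    for c in containers:
        for pm in c.get("portMappings", []):
            cp, hp = pm.get("containerPort"), pm.get("hostPort")
            if mode in ("awsvpc", "host") and hp not in (None, 0, cp):
                problems.append(
                    f"{c.get('name')}: hostPort must be omitted or equal containerPort in {mode} mode")
    return problems


def port_exposed_on_host(network_mode, mapping):
    """Which host port a mapping ends up on, per the rules above."""
    cp, hp = mapping.get("containerPort"), mapping.get("hostPort")
    if network_mode in ("awsvpc", "host"):
        return cp
    if network_mode == "bridge" and not hp:
        return "ephemeral"  # Docker picks a port from the ephemeral range
    return hp


# Constructed sample: EC2 task definition that passes the checks
GOOD_TD = {
    "family": "web",
    "networkMode": "bridge",
    "containerDefinitions": [{
        "name": "web",
        "image": "httpd:2.4",
        "essential": True,
        "memory": 512,
        "memoryReservation": 300,
        "portMappings": [{"containerPort": 80, "protocol": "tcp"}],
    }],
}

# Constructed sample: Fargate task definition that breaks four rules
BAD_TD = {
    "family": "broken-app",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "host",
    "containerDefinitions": [{
        "name": "app",
        "image": "busybox",
        "essential": False,
        "portMappings": [{"containerPort": 80, "hostPort": 8080, "protocol": "tcp"}],
    }],
}

if __name__ == "__main__":
    for td in (GOOD_TD, BAD_TD):
        print(td["family"], json.dumps(validate_task_definition(td), indent=2))
```

Running it prints an empty list for the first definition and four findings for the second: no essential container, no memory limit at either level, a Fargate task not using awsvpc, and a hostPort that contradicts the containerPort in host mode.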


family

A family groups multiple versions of a task definition.

ECS gives sequential revision numbers to each task definition that you add.


Connecting to a container's shell


aws ecs list-clusters

aws ecs execute-command --cluster cluster-web-ecs --task ID \
--container web-container --interactive --command "/bin/bash"






Create Service

aws ecs create-service \
--cluster MyCluster \
--launch-type EC2 \
--service-name MyWebService \
--task-definition MyWebTask \
--desired-count 1 \
--network-configuration "$NET" \
--load-balancers $ALB


--desired-count           # only used with "--scheduling-strategy REPLICA"
--launch-type             # EC2|FARGATE|EXTERNAL
--network-configuration   # awsvpcConfiguration={subnets=[string,string],securityGroups=[string,string],assignPublicIp=string}
--load-balancers          # targetGroupArn=string,loadBalancerName=string,containerName=string,containerPort=integer


aws ecs list-services --cluster MyCluster

{
    "serviceArns": [
        "arn:aws:ecs:<region>:<account-id>:service/MyCluster/MyWebService"
    ]
}




Update Service

aws ecs update-service --cluster MyCluster --service MyWebService --desired-count 0

 * Changing --desired-count does not affect the "Task definition: revision"


When the container image is tagged latest, "--force-new-deployment" is what makes the updated image referenced in the "Task definition" take effect

aws ecs update-service --cluster MyCluster --service MyWebService --force-new-deployment


aws ecs update-service --cluster MyCluster --service MyWebService --task-definition MyWebTask

--task-definition family[:revision]

If a revision is not specified, the latest ACTIVE revision is used.
If you modify the task definition with UpdateService,
ECS spawns a task with the new version of the task definition and
then stops an old task after the new version is running.




Delete Service

aws ecs delete-service --cluster MyCluster --service MyWebService

An error occurred (InvalidParameterException) when calling the DeleteService operation:
 The service cannot be stopped while it is scaled above 0.

aws ecs update-service --cluster MyCluster --service MyWebService --desired-count 0

aws ecs delete-service --cluster MyCluster --service MyWebService


Tasks healthy


healthy = task in the RUNNING state & ALB reports it as healthy

ECS container agent only monitors and reports on the health checks specified in the task definition.

=> ECS does not monitor Docker health checks that are embedded in
      a container image and not specified in the container definition.
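As an added example (not code from the page or from AWS), the Python below applies the two health signals just described to records shaped like describe-tasks and describe-target-health output, and lists the containers whose image HEALTHCHECK the ECS agent will ignore because the container definition declares no healthCheck. All records are constructed samples; the ARN and task id are placeholders.

```python
"""Added example: decide service task health from the ECS task state and the
ALB target health, and find containers with no ECS-level healthCheck."""


def service_task_is_healthy(task, target_health):
    """A service task counts as healthy only when ECS reports it RUNNING
    *and* the ALB target group reports its target as 'healthy'."""
    return task.get("lastStatus") == "RUNNING" and target_health.get("State") == "healthy"


def unhealthy_reason(task, target_health):
    """Explain which of the two signals failed, or None when both are fine."""
    if task.get("lastStatus") != "RUNNING":
        return f"task is {task.get('lastStatus')}, not RUNNING"
    if target_health.get("State") != "healthy":
        return f"ALB reports target {target_health.get('State')}: {target_health.get('Reason', '')}"
    return None


def containers_without_ecs_healthcheck(task_definition):
    """Containers with no healthCheck in their container definition: any
    HEALTHCHECK baked into their image is not monitored by the ECS agent."""
    return [c["name"] for c in task_definition["containerDefinitions"]
            if "healthCheck" not in c]


# Constructed sample records (shapes follow describe-tasks / describe-target-health)
RUNNING_TASK = {"taskArn": "arn:aws:ecs:<region>:<account-id>:task/MyCluster/<task-id>",
                "lastStatus": "RUNNING"}
PENDING_TASK = {"taskArn": "arn:aws:ecs:<region>:<account-id>:task/MyCluster/<task-id>",
                "lastStatus": "PENDING"}
HEALTHY_TARGET = {"State": "healthy"}
UNHEALTHY_TARGET = {"State": "unhealthy", "Reason": "Target.FailedHealthChecks"}

# Constructed task definition: only "web" declares an ECS health check
SAMPLE_TD = {"containerDefinitions": [
    {"name": "web", "image": "httpd:2.4",
     "healthCheck": {"command": ["CMD-SHELL", "curl -f http://localhost/ || exit 1"],
                     "interval": 30, "retries": 3}},
    {"name": "sidecar", "image": "busybox"},
]}

if __name__ == "__main__":
    print(service_task_is_healthy(RUNNING_TASK, HEALTHY_TARGET))
    print(unhealthy_reason(RUNNING_TASK, UNHEALTHY_TARGET))
    print("no ECS healthCheck:", containers_without_ecs_healthcheck(SAMPLE_TD))
```

The last function is the check worth adding to a deployment pipeline: a Dockerfile HEALTHCHECK gives a false sense of coverage, since only a healthCheck in the task definition feeds the task's health status.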




ECR

Private registry

A container image in a private registry outside of Amazon ECR.

You provide the credentials needed to authenticate to the private registry.

You must store the credentials as an AWS Secrets Manager secret.

The Private registry authentication option turns the feature on or off.

The Secrets Manager ARN or name is where you specify the Amazon Resource Name (ARN) of the secret.

This feature requires the use of the task execution IAM role

Uploading an image to ECR

#1 Create the ECR repository

aws ecr create-repository --repository-name my-ecr-repo

aws ecr describe-repositories

#2 Log in to ECR


# podman logout

aws ecr get-login-password --region ap-east-1 | podman login --username AWS --password-stdin "$repositoryUri"

Login Succeeded!

#3 Build the image from the Dockerfile

podman build -t web:v1 .

# Since no tag is given, this is equivalent to my-ecr-repo:latest

podman tag web:v1 $repositoryUri

podman images

#4 Push the image to the ECR repository

podman push $repositoryUri

aws ecr list-images --repository-name my-ecr-repo

{
    "imageIds": [
        {
            "imageDigest": "sha256:...",
            "imageTag": "latest"
        }
    ]
}

Update Image

podman tag web:v2 $repositoryUri

podman push $repositoryUri

Getting image source signatures
Copying blob b365b46d1be3 skipped: already exists
Copying blob 2313381a5461 done
Writing manifest to image destination
Storing signatures

# The old image's tag becomes "-" (untagged); the new one is tagged "latest"

aws ecr list-images --repository-name my-ecr-repo

{
    "imageIds": [
        {
            "imageDigest": "sha256:..."
        },
        {
            "imageDigest": "sha256:...",
            "imageTag": "latest"
        }
    ]
}


Retag an image without pulling or pushing it

#1 Get the image's MANIFEST

MANIFEST=$(aws ecr batch-get-image --repository-name my-ecr-repo --image-ids imageTag=latest --output text --query images[].imageManifest)

# --image-ids accepts either "imageDigest" or "imageTag"

aws ecr put-image --repository-name my-ecr-repo --image-tag v1 --image-manifest "$MANIFEST"

Deleting a tag

aws ecr batch-delete-image \
    --repository-name my-ecr-repo \
    --image-ids imageTag=v1 imageTag=v2

Deleting an image

# An image is deleted once it has no tags left

aws ecr batch-delete-image \
    --repository-name my-ecr-repo \
    --image-ids imageTag=v0
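The push, retag and delete steps above all come down to how ECR maps tags onto digests. As an added example (not code from the page or from AWS), the Python below models one repository in memory and reproduces the effects shown in the list-images output: a re-pushed tag moves to the new digest and leaves the old image untagged, put-image with an existing manifest adds a tag without moving any layers, and batch-delete-image by tag removes the image only when its last tag goes. The class and the sha256 digests are constructed for the example.

```python
"""Added example: in-memory model of tag/digest behaviour in one ECR repository."""


class EcrRepositoryModel:
    """Tracks digest -> set(tags) for a single repository."""

    def __init__(self):
        self.images = {}

    def push(self, digest, tag="latest"):
        """podman push: the tag moves to the new digest. An older image that
        held the same tag keeps its digest but becomes untagged ("-")."""
        for tags in self.images.values():
            tags.discard(tag)
        self.images.setdefault(digest, set()).add(tag)
        return self.list_images()

    def put_image(self, manifest_digest, new_tag):
        """aws ecr put-image with an existing manifest: add a tag to an image
        already in the repository, without pulling or pushing any layers."""
        if manifest_digest not in self.images:
            raise KeyError(f"no image with digest {manifest_digest}")
        for tags in self.images.values():
            tags.discard(new_tag)  # a tag can point at only one digest
        self.images[manifest_digest].add(new_tag)
        return self.list_images()

    def batch_delete_image(self, image_tags=(), image_digests=()):
        """aws ecr batch-delete-image. Deleting by tag removes only that tag;
        the image disappears once its last tag is gone. Deleting by digest
        removes the image together with all of its tags."""
        for digest in image_digests:
            self.images.pop(digest, None)
        for tag in image_tags:
            for digest, tags in list(self.images.items()):
                if tag in tags:
                    tags.discard(tag)
                    if not tags:
                        del self.images[digest]
        return self.list_images()

    def list_images(self):
        """Shape of the imageIds in `aws ecr list-images`: one entry per
        (digest, tag); untagged images appear with imageDigest only."""
        entries = []
        for digest, tags in sorted(self.images.items()):
            if not tags:
                entries.append({"imageDigest": digest})
            for tag in sorted(tags):
                entries.append({"imageDigest": digest, "imageTag": tag})
        return entries


if __name__ == "__main__":
    repo = EcrRepositoryModel()
    repo.push("sha256:aaa")                 # v1 becomes :latest (constructed digest)
    print(repo.push("sha256:bbb"))          # v2 takes :latest, v1 is now untagged
    print(repo.put_image("sha256:bbb", "v2"))
    print(repo.batch_delete_image(image_tags=["v2"]))
    print(repo.batch_delete_image(image_tags=["latest"]))
```

The untagged image left behind after a re-push still occupies storage and can still be run by digest, which is why a lifecycle policy or an explicit delete by digest is the usual follow-up.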


AWSVPC Trunking


Amazon EC2 instance types


  • Maximum network interfaces: 2
  • Private IPv4 addresses per interface: 2

ENI trunking

This feature is only supported on specific Amazon EC2 instance types.


ECS Account Setting > AWSVPC Trunking

This setting only applies to new Linux instances that are launched after you change this setting.

ALB Settings

If your service's task definition uses the awsvpc network mode (required for the AWS Fargate launch type), you must choose IP as the target type.


Container Insights



  1. CloudWatch metrics
  2. CloudWatch Logs


  • Every cluster reports 8 metrics;
  • every task reports 6 metrics;
  • and every service reports 11 metrics.
  • All CloudWatch metrics are prorated on an hourly basis.

