Q: What is Amazon ECS Anywhere?

Amazon ECS Anywhere is a feature of Amazon ECS that enables you to run and manage container-based applications on-premises, including on your own virtual machines (VMs) and bare metal servers. With ECS Anywhere, you do not need to install or operate local container orchestration software, thus reducing operational overhead. Rather, ECS Anywhere offers a completely managed solution that enables you to standardize container management across all of your environments.

Q: Why should I use ECS Anywhere?

As a fully managed and highly scalable container orchestration solution, Amazon ECS makes it easy for you to run container-based applications on different types of compute capacity such as Amazon Fargate and Amazon Graviton2-powered instances as well as servers in your own data centers. ECS Anywhere extends the reach of Amazon ECS to provide you with a single management interface for all of your container-based applications, irrespective of the environment they’re running in. As a result, you have a simple, consistent experience when it comes to cluster management, workload scheduling, and monitoring for both the cloud and on-premises. With ECS Anywhere, you don’t need to install and maintain any container orchestration software, thus removing the need for your team to learn specialized knowledge domains and skillsets for disparate tooling. ECS Anywhere makes it easy for you to run your applications in on-premises environments as long as desired and then migrate to the cloud with a single click at any time.

Q: Which platforms and operating systems does ECS Anywhere support?

You can use ECS Anywhere with any VM (e.g., running on VMware, Microsoft Hyper-V, or OpenStack) or bare metal server running a supported operating system (OS). The ECS agent, software that allows a host to connect with the ECS control plane, is supported and tested for the long-term support (LTS) releases of Amazon Linux 2, Bottlerocket, Ubuntu, RHEL, SUSE, Debian, CentOS, and Fedora.

Q: Can I use ECS Anywhere with VMware Cloud on Amazon Web Services(VMC)?

Yes; you can use ECS Anywhere with VMC. You can use the ECS-optimized Amazon Linux variants of VMware Virtual Machine Disk (VMDK) to launch instances. These ECS-optimized VMDKs are pre-configured with the latest version of the ECS agent, Docker daemon, and Docker runtime dependencies.

Q: How do I connect on-premises compute with Amazon Web Services to use ECS Anywhere?

  1. Ensure the VMs/bare metal servers have a stable internet connection.
  2. Log in to the ECS management console and get an activation key. One key, which is configurable, can be used to register from 1 up to 1,000 VMs or bare metal servers. You can create as many activation keys as you need.
  3. Install the lightweight open source ECS agent, available on Github, Docker Hub, and Amazon Elastic Container Registry Public, on the VMs/bare metal servers. As part of the installation configuration, provide the activation key along with the Amazon Web Services region.

Once completed, your server (or bare metal) instance will be available for use as compute capacity in your ECS cluster and ready for ECS tasks to be scheduled on them.

Q: Which Amazon Web Services region should I register my on-premises compute with?

We recommend you register with the Amazon Web Services region that is geographically closest to your on-premises compute.

Q: How do I ensure the link between my on-premises compute and Amazon Web Services cloud is secure?

The link between your on-premises compute and Amazon Web Services cloud is secure by default. The ECS control plane running in the Amazon Web Services region orchestrates containers by sending instructions to the ECS agent installed on each registered server over a secure link, which is authenticated using the IAM role credentials attached to the instance at the time of the server registration. Hence, you do not need to take any additional actions.

Additionally, the ECS agent uses the Amazon Systems Manager Agent to automatically and securely establish trust between the on-premises server and ECS control plane; its connection to Amazon Web Services is encrypted with Transport Layer Security (TLS).

Q: What type of information flows from the on-premises compute back to the Amazon Web Services region? 

Only information necessary for managing the containers is sent to the ECS control plane running in the Amazon Web Services region. For example, information about host health, container activity (whether it’s launched or stopped), and container health checks (if configured) may be sent back to the Amazon Web Services region. This information enables Amazon Web Services to provide you with alerts on health and capacity and manage ECS tasks running on your on-premises compute infrastructure. The contents of container memory, disk storage, or network traffic are not sent to the control plane.

Q. Can I have on-premises compute, EC2 instances, and Fargate in the same ECS cluster?

Yes. This makes it easy for you to migrate your ECS workloads running on-premises to ECS in an Amazon Web Services region on Fargate or EC2 in the future if necessary.

Q. Can I use the same ECS task definition for on-premises environments that I use to run ECS tasks on Fargate and/or EC2 instances?

Yes. An ECS task definition is a specification for a group of containers that must run co-located. ECS task definitions can be created so that they are compatible with on-premises compute, Fargate, and EC2, all in a single task definition.

Q. What happens if there is a loss of network connectivity between the on-premises compute and Amazon Web Services cloud?

In the event of a loss of network connectivity between the ECS agent running on the on-premises compute and the in-region ECS control plane, existing ECS tasks will continue to run as usual. If tasks still have connectivity with other Amazon Web Services services, they will continue to communicate with them for as long as the task role credentials are active (the default expiration time is 6 hours). Once the credentials expire, tasks will not be able to communicate with other Amazon Web Services services until the network connectivity with the control plane has been re-established, which will automatically renew the credentials. Additionally, during the period of disconnection, no data plane mutation operations such as scaling tasks up or down would work.

Q. Can I use ECS Anywhere to run containers in air-gapped/disconnected environments?

No. ECS offers a cloud-based and fully managed container orchestration solution that resides in an Amazon Web Services region. Hence, it requires your on-premises compute to have a stable internet connection to communicate with the in-region ECS control plane.

Q. Which other ECS integrations with Amazon Web Services services can I use when using ECS Anywhere?

With ECS Anywhere, you can get CloudWatch Metrics for your clusters and services, use the CloudWatch log driver to get your containers’ logs, and access the ECS CloudWatch Event stream to monitor your clusters’ events. You can also use Task IAM Roles and Task Execution Roles to give your containerized applications fine-grained access control to Amazon Web Services resources.

Q. Which third party solutions can I use when using ECS Anywhere?

ECS Anywhere works with the same tools that ECS in the cloud does, including Terraform, Consul, Datadog, Spinnaker, Jenkins, and many others.

Q. How much does ECS Anywhere cost?

You pay 0.065 CNY per instance-hour for each managed ECS Anywhere external instance. See the pricing page for further information.