This chapter covers Amazon Elastic Container Service (ECS), a core AWS compute service for running containerized applications. Understanding ECS is essential for the CLF-C02 exam as it falls under Domain 3: Cloud Technology Services, which represents about 34% of the exam. ECS is a key service for deploying microservices, batch jobs, and web applications in a scalable, managed environment. We'll explore its architecture, launch types, key concepts like tasks and services, and how it compares to other compute options like EC2 and Lambda.
Jump to a section
Imagine you run a global shipping company. Before containerization, you had to pack cargo in irregular crates, barrels, and boxes—each requiring custom handling, loading, and unloading. Every ship and port had to adapt to the unique dimensions of each package. This was slow, error-prone, and expensive. Then someone invented the standardized shipping container: a uniform steel box that fits any truck, train, or ship. You pack your goods inside once, seal it, and the container moves seamlessly across all modes of transport. Amazon ECS works like a fleet of container ships and port cranes. Your application code and dependencies are packed into a standardized container image (like a shipping container). ECS provides the "ships" (compute clusters) and "cranes" (schedulers) that automatically load, unload, and move containers across a fleet of virtual servers (EC2 instances or AWS Fargate). You simply define how many containers you need, what resources they require (CPU, memory), and how they should be networked—ECS handles placement, scaling, health monitoring, and redeployment. Just as shipping containers revolutionized global trade by decoupling cargo from transport, ECS decouples your application from the underlying infrastructure, allowing you to focus on code while AWS manages the logistics.
What is Amazon ECS and What Problem Does It Solve?
Amazon Elastic Container Service (ECS) is a fully managed container orchestration service that allows you to run, stop, and manage Docker containers on a cluster. Before containers, developers faced the "it works on my machine" problem—applications behaved differently across environments due to inconsistent dependencies, libraries, and operating system versions. Containers solve this by packaging the application code, runtime, system tools, and libraries into a single, lightweight executable image that runs consistently anywhere.
However, running containers at scale introduces new challenges: how do you schedule containers across multiple servers, handle failures, scale up/down based on demand, manage networking, and integrate with storage and monitoring? This is where orchestration tools like ECS come in. ECS automates these operational tasks, allowing you to focus on building applications rather than managing clusters.
How ECS Works: Core Mechanism
ECS operates on a few fundamental concepts:
Cluster: A logical grouping of compute resources (EC2 instances or Fargate tasks) where containers run. By default, you can have up to 1,000 clusters per region, and each cluster can have up to 5,000 tasks.
Task Definition: A blueprint for your application. It specifies the container image, CPU and memory requirements, networking mode, environment variables, IAM role, and port mappings. Think of it as a recipe for a container.
Task: A running instance of a task definition. It can be a single container or multiple containers that share resources (e.g., a web server and a sidecar logging agent).
Service: A scheduler that maintains a desired number of tasks. If a task fails, the service restarts it. Services can be integrated with load balancers (ALB/NLB) to distribute traffic.
Container Agent: A process running on each EC2 instance in the cluster that communicates with the ECS control plane to start/stop tasks and report status.
The workflow: 1. You create a task definition (JSON or YAML) that describes your container. 2. You launch a task or define a service that runs the task definition. 3. ECS places the task on an available compute resource (EC2 instance or Fargate) based on CPU/memory requirements and launch type. 4. The container agent pulls the container image from a registry (Amazon ECR or Docker Hub) and starts the container. 5. ECS monitors the task health and restarts it if needed.
Launch Types: EC2 vs Fargate
ECS offers two launch types that determine how compute resources are managed:
Fargate Launch Type: Serverless compute for containers. You specify CPU and memory requirements (e.g., 512 vCPU, 1 GB memory), and AWS manages the underlying EC2 servers. You pay for the resources consumed by your tasks. Fargate is ideal when you don't want to manage servers, have unpredictable workloads, or need rapid scaling.
EC2 Launch Type: You manage a cluster of EC2 instances. You are responsible for patching, scaling, and optimizing the cluster. You pay for the EC2 instances regardless of how many containers run. This is cost-effective for large, steady-state workloads where you can reserve instances for discounts (Savings Plans, Reserved Instances).
Task Definitions and Networking
Task definitions are JSON documents that specify:
- Container image URL (e.g., 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:latest)
- CPU and memory limits: For Fargate, you must specify task-level CPU and memory (e.g., 256 vCPU, 0.5 GB). For EC2, you can specify container-level limits that sum up to the instance capacity.
- Networking mode:
- awsvpc: Each task gets its own elastic network interface (ENI) with a private IP address. This is the recommended mode for Fargate and EC2 tasks that need direct VPC networking.
- bridge: Uses Docker's built-in bridge network. Ports are mapped from the host to the container.
- host: Container uses the host's network stack directly.
- IAM role: An IAM role that the container assumes to access AWS services (e.g., S3, DynamoDB).
- Logging: Configuration for CloudWatch Logs, FireLens, or other log drivers.
Services and Load Balancing
An ECS service ensures that a specified number of tasks are always running. You can attach an Application Load Balancer (ALB) or Network Load Balancer (NLB) to distribute traffic. The service performs health checks on tasks and automatically replaces unhealthy ones. You can also configure auto scaling based on metrics like CPU utilization or request count per target.
Integration with Other AWS Services
Amazon ECR: A fully managed Docker container registry that stores your container images. ECS pulls images from ECR (or other registries) when starting tasks.
AWS CloudMap: Service discovery for microservices. ECS tasks can register with CloudMap, allowing other services to find them via DNS.
AWS App Mesh: Service mesh that provides traffic management, observability, and security for ECS tasks.
AWS CloudWatch: Monitoring and logging. ECS sends metrics (CPU, memory) and logs to CloudWatch.
Pricing
Fargate: You pay for vCPU and memory resources consumed per second (minimum 1 minute). No per-task or per-cluster fees.
EC2: You pay for the underlying EC2 instances (including any associated EBS volumes). No additional fee for ECS itself.
ECS Anywhere: You can run ECS tasks on your own on-premises servers; you pay per-task-hour.
Comparison to On-Premises
Running containers on-premises requires you to manage everything: servers, container runtime (Docker), orchestration (Kubernetes or Docker Swarm), networking, storage, and monitoring. With ECS, AWS handles the orchestration control plane, integrates with other services, and provides a managed scaling experience. The trade-off is cost predictability and potential vendor lock-in.
When to Use ECS vs Alternatives
ECS vs EC2: Use EC2 directly when you need full control over the operating system, custom AMIs, or are running non-containerized applications. Use ECS when you want to run containers at scale without managing orchestration.
ECS vs Lambda: Use Lambda for short-running, event-driven functions (max 15 minutes execution). Use ECS for long-running applications, stateful workloads, or when you need more control over the runtime environment.
ECS vs EKS: EKS is AWS's managed Kubernetes service. Choose ECS if you want a simpler, AWS-native experience with less operational overhead. Choose EKS if you need Kubernetes compatibility, portability across clouds, or have existing Kubernetes expertise.
Create a Task Definition
Navigate to the Amazon ECS console, choose 'Task Definitions', and click 'Create new task definition'. You must select a launch type (Fargate or EC2). For Fargate, specify task CPU (e.g., 256 vCPU) and memory (e.g., 512 MB). Define the container: name, image URI (e.g., from ECR), port mappings (e.g., 80:80), environment variables, and IAM role. Optionally configure logging, health check, and resource limits. The task definition is versioned; each update creates a new revision. AWS stores up to 500 task definitions per account per region.
Set Up an ECS Cluster
In the ECS console, go to 'Clusters' and click 'Create Cluster'. Choose a cluster template: 'Networking only' for Fargate, 'EC2 Linux + Networking' for EC2. For Fargate, you only need to name the cluster and optionally create a VPC. For EC2, you must configure an Auto Scaling group with an EC2 instance type (e.g., t3.medium), key pair, and security group. The cluster name can be up to 255 characters. By default, ECS creates a CloudWatch Logs group for cluster logs.
Create a Service to Run Tasks
Inside your cluster, click 'Create' under 'Services'. Select 'Fargate' or 'EC2' launch type. Choose the task definition and revision. Set the desired number of tasks (e.g., 2). Configure networking: select a VPC, subnets (at least two for high availability), and security groups. Optionally, attach an Application Load Balancer (ALB) by creating a new target group or selecting an existing one. Enable auto scaling if needed (e.g., target tracking based on average CPU utilization). Review and create. ECS now maintains the desired count; if a task fails, it automatically replaces it.
Monitor and Scale Tasks
Use the ECS console to view running tasks, their status, and logs. You can manually update the desired count of a service. For auto scaling, you can define scaling policies based on CloudWatch metrics (e.g., CPU, memory, ALB request count). ECS integrates with Application Auto Scaling, which can scale out or in based on schedules or metric thresholds. You can also set up CloudWatch alarms to notify you of anomalies. For EC2 launch type, you must also scale the underlying instance cluster using Auto Scaling groups or ECS Cluster Auto Scaling.
Update and Deploy New Versions
To deploy a new version of your application, update the task definition (create a new revision) and update the service to use the new revision. You can choose deployment types: rolling update (gradually replace old tasks with new ones) or blue/green deployment (using CodeDeploy). Rolling update allows you to set minimum and maximum healthy percentages (e.g., 100% desired, 200% maximum during deployment). ECS monitors the health of new tasks and automatically rolls back if they fail. For blue/green, you create a separate 'green' environment and shift traffic using the load balancer.
Scenario 1: Microservices for an E-Commerce Platform
A mid-sized e-commerce company wants to migrate from a monolithic application to microservices. They have services for product catalog, user authentication, shopping cart, and payment processing. Each service has different scaling requirements—the catalog might need more instances during flash sales, while authentication is steady. They choose ECS with Fargate to avoid managing servers. They create separate task definitions for each service, each with its own container image stored in Amazon ECR. They deploy each service as an ECS service behind an Application Load Balancer. For the catalog service, they set up auto scaling based on request count per target. During Black Friday, the catalog scales from 10 to 200 tasks seamlessly. The team uses AWS CloudWatch Logs to centralize logging and AWS X-Ray for tracing requests across services. Cost: they pay only for the vCPU and memory consumed per second. A common mistake is not setting appropriate memory limits, causing tasks to be killed by the OOM killer—they fixed this by monitoring and adjusting task definitions.
Scenario 2: Batch Processing for a Financial Services Firm
A financial firm runs nightly batch jobs that process transaction data and generate reports. Each job runs for 30 minutes to 2 hours and requires consistent compute resources. They use ECS with the EC2 launch type to take advantage of Reserved Instances for cost savings. They create a cluster of m5.large instances with a Savings Plan. They submit each batch job as a standalone ECS task (not a service) using the RunTask API. The task definition specifies the container image with the processing script, and the task is placed on an available EC2 instance. They use Amazon CloudWatch Events to trigger tasks on a schedule. If an instance fails, the task is rescheduled on a healthy instance. They monitor task failures and retry logic using Step Functions. The team learned that they must properly size the EC2 instances—over-provisioning wastes money, under-provisioning causes tasks to fail due to insufficient resources.
Scenario 3: Web Application Hosting for a Startup
A startup wants to host a Node.js web application with a PostgreSQL database. They containerize the application and run it on ECS with Fargate. They also run a sidecar container for log forwarding using FireLens. The database runs on Amazon RDS. They set up an Application Load Balancer in front of the ECS service for HTTPS termination. For development, they use a single task; for production, they run 3 tasks across two Availability Zones. They use AWS CodePipeline to automate deployment: when code is pushed to GitHub, CodeBuild builds the Docker image, pushes it to ECR, and updates the ECS service. A common pitfall: they initially forgot to set the task IAM role to allow access to RDS, causing connection failures. They also learned to configure health check endpoints to avoid false positives from the load balancer.
Exam Focus for CLF-C02
The CLF-C02 exam tests your understanding of ECS as a container orchestration service under Domain 3: Cloud Technology Services. You need to know:
The difference between Fargate and EC2 launch types.
Core concepts: cluster, task definition, task, service.
How ECS integrates with other services: ECR, ALB, CloudWatch, IAM.
Use cases: microservices, batch processing, web apps.
Pricing models: Fargate (pay per task per second), EC2 (pay for instances).
Common Wrong Answers and Why Candidates Choose Them
"ECS is a serverless compute service for running functions." This is incorrect because that describes AWS Lambda. Candidates confuse containers with functions. ECS runs containers, not functions. The exam may ask: "Which service is best for running Docker containers?" ECS is the answer, not Lambda.
"You must manage the underlying EC2 instances with Fargate." This is false. Fargate is serverless—AWS manages the infrastructure. Candidates may think Fargate still requires EC2 management because they remember the EC2 launch type. The exam will test this distinction.
"ECS is only for Linux containers." While historically ECS supported Linux first, it now supports Windows containers (with EC2 launch type). The exam may state "ECS supports both Linux and Windows containers" — know this.
"ECS tasks always run behind a load balancer." Not true. Standalone tasks (RunTask) do not have a load balancer. Only services can be associated with a load balancer. Candidates often assume all tasks are load-balanced.
Specific Service Names and Terms
Amazon ECR: Elastic Container Registry — store and retrieve Docker images.
Task Definition: Blueprint for a container (JSON).
Fargate: Serverless compute engine for containers.
Service: Maintains desired count of tasks.
Cluster: Logical grouping of resources.
Tricky Distinctions
ECS vs EKS: Both orchestrate containers, but EKS uses Kubernetes. The exam may ask: "Which service provides a managed Kubernetes control plane?" Answer: EKS. "Which service is AWS-native and simpler to set up?" Answer: ECS.
Fargate vs Lambda: Lambda is for short, event-driven functions; Fargate is for containers that can run longer. The exam may ask: "Which service is best for a web server that runs 24/7?" Answer: ECS (Fargate or EC2).
Decision Rule for Multi-Choice Questions
When asked to choose a compute service for containers, follow this elimination strategy: 1. If the scenario mentions "Docker containers" → ECS or EKS. 2. If the scenario mentions "Kubernetes" or "portability" → EKS. 3. If the scenario mentions "serverless" or "no infrastructure management" → Fargate (ECS). 4. If the scenario mentions "long-running" or "stateful" → ECS (Fargate or EC2). 5. If the scenario mentions "short-lived functions" → Lambda.
Always read the question carefully: if it asks for a "container orchestration service" and the options include ECS, EKS, and Lambda, eliminate Lambda first.
Amazon ECS is a fully managed container orchestration service that runs Docker containers on a cluster.
Two launch types: Fargate (serverless) and EC2 (you manage instances). Fargate is pay-per-task; EC2 is pay-per-instance.
Core components: Cluster, Task Definition, Task, Service. A service maintains desired task count and can be load-balanced.
ECS integrates with ECR (image registry), ALB/NLB (load balancing), CloudWatch (monitoring), and IAM (permissions).
Use ECS for microservices, batch processing, web apps, and any containerized workload. Not for short functions (use Lambda).
Task definitions specify container image, CPU/memory, networking mode, IAM role, and logging. They are versioned.
Fargate tasks always use the 'awsvpc' networking mode, giving each task its own ENI and private IP.
ECS supports blue/green deployments via AWS CodeDeploy for zero-downtime updates.
Default limits: 1,000 clusters per region, 5,000 tasks per cluster, 500 task definitions per account.
ECS Anywhere allows running ECS tasks on on-premises servers for hybrid deployments.
These come up on the exam all the time. Here's how to tell them apart.
Amazon ECS with Fargate
Serverless: no infrastructure management
Pay per task per second (vCPU + memory)
Best for unpredictable or variable workloads
Limited to Linux containers (no Windows)
Automatic scaling of compute resources
Amazon ECS with EC2
You manage EC2 instances (patching, scaling)
Pay for EC2 instances (per hour, plus any reservations)
Best for steady-state, predictable workloads
Supports both Linux and Windows containers
You control instance placement and optimization
Mistake
ECS requires you to manage EC2 instances even with Fargate.
Correct
Fargate is serverless; AWS manages the underlying infrastructure. You only specify CPU and memory requirements. The EC2 launch type requires you to manage instances.
Mistake
ECS can only run containers from Amazon ECR.
Correct
ECS can pull images from any Docker-compatible registry, including Docker Hub, Google Container Registry, or private registries. ECR is the AWS-native option but not mandatory.
Mistake
ECS tasks always have public IP addresses and are internet-facing.
Correct
By default, tasks are launched in a VPC and get private IPs. You can optionally assign public IPs, but it's not automatic. For internet access, you need a load balancer or NAT gateway.
Mistake
ECS is only for microservices and not for batch jobs.
Correct
ECS supports both long-running services (via Service) and short-lived tasks (via RunTask). Batch jobs are a common use case for standalone ECS tasks.
Mistake
You cannot use ECS with Windows containers.
Correct
ECS supports Windows containers on the EC2 launch type (Windows Server 2019, 2022). Fargate currently does not support Windows. The exam may test this distinction.
ECS is AWS's native container orchestration service, while EKS is a managed Kubernetes service. ECS is simpler to set up and tightly integrated with other AWS services. EKS provides Kubernetes compatibility, allowing you to use standard Kubernetes tools and migrate workloads from other platforms. For the CLF-C02 exam, remember that ECS is the simpler, AWS-native choice, and EKS is for Kubernetes-specific needs.
Technically yes, but it's not recommended for production. Containers are ephemeral; data is lost when the container stops unless you mount persistent storage (e.g., EFS). For stateful workloads like databases, use Amazon RDS or DynamoDB instead. The exam may test best practices: use managed database services rather than running databases in containers.
ECS uses a scheduler that places tasks on available compute resources based on constraints (e.g., CPU, memory, port availability). You can influence placement with strategies: binpack (pack tasks tightly to minimize cost), spread (distribute across Availability Zones for high availability), or random. For Fargate, placement is automatic. For EC2, you can also use custom attributes and instance filtering.
A task is a running instance of a task definition. You can run a task manually (RunTask) for one-off jobs. A service is a scheduler that ensures a desired number of tasks are always running, automatically replacing failed tasks. Services can be associated with a load balancer and support auto scaling. For the exam, remember: services are for long-running, persistent workloads; standalone tasks are for batch jobs.
With Fargate, you pay for the vCPU and memory resources consumed by your tasks, billed per second with a 1-minute minimum. For example, a task with 512 vCPU and 1 GB memory running for 10 minutes costs a fraction of a cent. There are no upfront fees or minimum commitments. You can also purchase Fargate Savings Plans for up to 50% discount in exchange for a 1- or 3-year commitment.
Yes, via ECS Anywhere. This feature allows you to register external instances (on-premises servers or even edge devices) as part of an ECS cluster. You install the ECS agent on those instances, and they can run tasks managed by ECS. You pay per task-hour for tasks running on external instances. This is useful for hybrid cloud scenarios.
The default and only supported networking mode for Fargate is 'awsvpc'. Each task receives its own elastic network interface (ENI) with a private IP address from your VPC. This provides strong isolation and allows security groups to be applied per task. For EC2 launch type, you can choose 'awsvpc', 'bridge', or 'host'.
You've just covered Amazon ECS — Container Service — now see how well it sticks with free CLF-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?