This chapter covers AWS Fargate, the serverless compute engine for containers. Fargate is a core part of the AWS container ecosystem and appears on the CLF-C02 exam under Domain 3: Cloud Technology Services, Objective 3.1 (which carries approximately 12% of the exam). Understanding Fargate is critical because it represents a key shift from managing servers to managing only applications. You will learn what problem Fargate solves, how it works under the hood, when to choose it over Amazon ECS with EC2 or Amazon EKS, and the exact exam traps that catch candidates.
Jump to a section
Imagine you are hosting a large banquet. Traditionally, you would need to rent a full commercial kitchen, hire chefs, and pay for the space and equipment whether you cook one meal or a hundred. This is like running your own servers (EC2) – you provision and pay for the underlying compute capacity even when idle. Now, consider a catering hall that offers a 'pay-per-plate' option. You simply tell them the menu (your container image) and the number of guests (tasks). The hall’s kitchen team (AWS Fargate) automatically fires up exactly the right number of stoves and ovens (compute resources) to cook each plate, charges you only for the cooking time and resources consumed per plate, and cleans up immediately after. You never see the kitchen, never manage the chefs, and never pay for idle equipment. The key mechanism: the hall’s scheduler (Fargate scheduler) places each plate’s cooking order onto an available stove from a shared pool, isolates each order with its own utensils and ingredients (container isolation via Firecracker microVMs), and scales the number of stoves up or down based on the incoming orders per minute. If you suddenly need 500 plates instead of 50, the hall instantly adds more stoves without you calling anyone. That is Fargate: you provide the container image and resource requirements, AWS manages the underlying server fleet, and you pay only for vCPU and memory used per second while your containers are running.
What Is AWS Fargate and What Problem Does It Solve?
AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS). Before Fargate, running containers on AWS required you to provision and manage a cluster of Amazon EC2 instances. You had to choose instance types, configure auto scaling groups, patch the operating system, and handle node failures. This is called the "control plane" and "data plane" model: you control the cluster (control plane) and you manage the worker nodes (data plane). Fargate removes the data plane management entirely. You define your task or pod – the container image, CPU, memory, networking, and IAM role – and AWS runs it on a shared, managed infrastructure. You never see the underlying servers; you only pay for the resources your containers consume while they are running.
How It Works: The Mechanism
Fargate uses a lightweight hypervisor technology called Firecracker, which AWS open-sourced in 2018. Firecracker creates micro Virtual Machines (microVMs) that provide strong isolation between containers, similar to how a traditional hypervisor isolates VMs, but with a much smaller footprint. Each Fargate task or pod runs inside its own microVM, which is dedicated to that task. This ensures security and performance isolation even though multiple customers share the same physical host.
When you submit a task definition to ECS (or a pod spec to EKS), the Fargate scheduler determines the optimal placement. It selects a host that has enough spare capacity to meet the task’s resource requirements. The scheduler uses a bin-packing algorithm to maximise utilisation across the fleet of managed hosts. Once a host is selected, Firecracker boots a microVM with the exact CPU and memory you specified, loads the container image from Amazon ECR (Elastic Container Registry), and starts the container. The entire process takes seconds.
Networking is handled via an elastic network interface (ENI) that is attached to each task. This means each Fargate task gets its own primary private IP address from your VPC subnet. You can assign security groups to the task’s ENI, giving you fine-grained network control. Tasks can also be placed behind an Application Load Balancer (ALB) or Network Load Balancer (NLB) for traffic distribution. Fargate integrates with AWS CloudMap for service discovery.
Key Configurations, Limits, and Pricing
CPU and Memory: Fargate supports CPU from 0.25 vCPU up to 16 vCPUs, and memory from 0.5 GB up to 120 GB. However, the combination must follow a valid ratio – for example, 0.25 vCPU requires 0.5 GB to 2 GB of memory. You can find the full matrix in the AWS documentation. If you request an invalid combination, the task fails to launch.
Pricing: You pay per second for the vCPU and memory your task uses, with a 1-minute minimum charge. There is no upfront cost or per-hour minimum beyond the first minute. This is a major advantage over EC2, where you pay for the entire hour even if you stop an instance after 5 minutes. Fargate pricing varies by region; for example, in us-east-1, vCPU is $0.04048 per vCPU-hour and memory is $0.004445 per GB-hour (as of 2024). There is no additional charge for the Fargate launch type itself, but you still pay for ECR storage, load balancer usage, and data transfer.
Task Size Limits: Each task can have up to 10 containers (sidecar pattern). The total ephemeral storage is 20 GB per task, shared among all containers in the task. If you need more, you can mount Amazon EFS volumes (up to 20 GB per task for EFS, but the actual EFS size is unlimited).
Integrations: Fargate works with ECS (both Fargate launch type and external launch type) and EKS (Fargate profiles). It also integrates with AWS App Mesh for service mesh, AWS X-Ray for tracing, and CloudWatch for logs and metrics.
Comparison to On-Premises and Other Approaches
Running containers on-premises requires you to manage the entire stack: physical servers, hypervisor, container runtime, orchestration (like Kubernetes), networking, storage, and security. With Fargate, you skip all of that. Compared to ECS with EC2 (the EC2 launch type), Fargate eliminates the need to manage a cluster of EC2 instances. With EC2 launch type, you must create an Auto Scaling group, choose instance types, handle patching, and optimise bin-packing yourself. Fargate handles bin-packing across AWS’s fleet, which can lead to better utilisation and lower cost for spiky workloads. However, for very predictable, high-utilisation workloads, EC2 launch type can be cheaper because you can reserve instances for a discount. For Kubernetes users, Fargate for EKS is similar: you define a Fargate profile that selects which pods run on Fargate versus on EC2 worker nodes. The pods run in microVMs, but you still manage the Kubernetes control plane (EKS managed, but not serverless).
When to Use Fargate vs Alternatives
Use Fargate when:
You want to avoid server management entirely.
Your workload is variable, batch-oriented, or event-driven (e.g., processing messages from SQS).
You need fast scaling and pay-per-use billing.
You have small or microservices that don't justify a full EC2 cluster.
Avoid Fargate when:
You need GPU compute (Fargate does not support GPUs).
You require custom networking features like VPC Flow Logs at the instance level (you can only get per-task ENI logs).
You have very high, steady-state CPU utilisation and can get significant discounts via EC2 Savings Plans or Reserved Instances (Fargate pricing is not eligible for Reserved Instances, but it is eligible for Savings Plans).
You need to run Windows containers (Fargate supports only Linux containers; Windows containers require EC2 launch type).
You need to mount EBS volumes (Fargate supports only EFS, not EBS).
How to Launch a Fargate Task (CLI Example)
Below is a minimal AWS CLI command to run a simple NGINX container on Fargate. You must have an ECS cluster and a task definition.
aws ecs run-task \
--cluster my-cluster \
--task-definition my-task-def \
--launch-type FARGATE \
--network-configuration "awsvpcConfiguration={subnets=[subnet-12345],securityGroups=[sg-67890],assignPublicIp=ENABLED}"The --launch-type FARGATE is crucial. Without it, the default is EC2 launch type. The --network-configuration is required because Fargate tasks use the awsvpc network mode, which gives each task its own ENI.
CloudFormation Example
Here is a snippet of an AWS CloudFormation resource that defines a Fargate service:
MyFargateService:
Type: AWS::ECS::Service
Properties:
Cluster: !Ref MyCluster
TaskDefinition: !Ref MyTaskDefinition
LaunchType: FARGATE
NetworkConfiguration:
AwsvpcConfiguration:
Subnets:
- subnet-12345678
SecurityGroups:
- sg-12345678
AssignPublicIp: ENABLED
DesiredCount: 2Note the LaunchType: FARGATE property. Without it, the service would default to EC2 launch type and fail because no EC2 instances are in the cluster.
Create a Task Definition
The first step is to define your container application in a task definition. This is a JSON or YAML document that specifies the container image (from Amazon ECR or Docker Hub), the CPU and memory required per task (e.g., 0.5 vCPU and 1 GB memory), the port mappings, environment variables, and the IAM task execution role. The task execution role grants permissions to pull images from ECR and send logs to CloudWatch. For Fargate, the network mode must be `awsvpc`, which gives each task its own elastic network interface. You can create a task definition via the AWS Management Console, AWS CLI, or infrastructure as code tools like CloudFormation. The task definition is versioned; you can update it and create a new revision. When you run a task or create a service, you specify the task definition family and revision.
Set Up Networking and IAM
Before launching a Fargate task, you need a VPC with at least one subnet (public or private) and a security group that allows inbound traffic to your container. For tasks that need internet access (e.g., to pull images from public registries), you must either assign a public IP to the task’s ENI or place the task in a private subnet with a NAT gateway. You also need an IAM role called the task execution role (`ecsTaskExecutionRole`) that grants `ecr:GetDownloadUrlForLayer`, `ecr:BatchGetImage`, and `logs:CreateLogStream` and `logs:PutLogEvents`. AWS provides a managed policy named `AmazonECSTaskExecutionRolePolicy` that you can attach. Additionally, if your application needs to access other AWS services (e.g., DynamoDB), you create a separate task role (the container’s IAM role) and specify it in the task definition.
Launch a Task or Create a Service
You can run a standalone Fargate task (for batch jobs) or create a service (for long-running applications). For a standalone task, use the `run-task` CLI command or the console, specifying the launch type as FARGATE. For a service, you define desired count, deployment configuration (rolling update or blue/green), and optionally attach a load balancer. The service ensures that the desired number of tasks are always running; if a task fails, the service scheduler replaces it. Behind the scenes, the Fargate scheduler communicates with the Firecracker hypervisor to allocate a microVM on a suitable host. The microVM boots in seconds, and the container starts. If you specify a load balancer, the task registers with the target group upon reaching the `RUNNING` state.
Monitor and Scale
Once running, you can monitor your Fargate tasks via Amazon CloudWatch. Each task sends CPU and memory utilisation metrics to CloudWatch automatically. You can also enable Container Insights for more granular metrics. For scaling, you create an Application Auto Scaling target tracking policy based on CPU utilisation, memory utilisation, or custom CloudWatch metrics. For example, you can set a policy to maintain average CPU at 60%. Fargate scales by adding or removing tasks, not by resizing instances. Behind the scenes, the auto scaling service adjusts the desired count of the ECS service. The scaling process is fast because new tasks launch in seconds on the shared Fargate infrastructure. However, be aware of service quotas: by default, you can run up to 1,000 Fargate tasks per region (soft limit, can be increased).
Clean Up and Cost Management
Fargate tasks incur charges only for the resources consumed while they are in the `RUNNING` state. Stopping a task immediately stops billing. To avoid unexpected costs, ensure that tasks are not left running indefinitely. Use lifecycle hooks or scheduled tasks to stop idle tasks. For services, you can set the desired count to zero to stop all tasks without deleting the service. You can also use AWS Budgets to monitor spending. Remember that Fargate pricing is per second, so even short-lived tasks cost money. For example, a task that runs for 30 seconds is billed for 60 seconds (1-minute minimum). Clean up by deleting task definitions (if no longer needed), services, and clusters. Note that the ECS cluster itself is free; you pay only for the resources used by tasks and any associated resources like load balancers.
Scenario 1: Batch Processing of Image Files
A media company receives thousands of user-uploaded images every day. They need to resize and compress each image into multiple formats. Using AWS Fargate, they create a task definition that runs a Python script using the Pillow library. The script reads the original image from an S3 bucket, processes it, and writes the output back to S3. They trigger tasks via an SQS queue: a Lambda function consumes messages from SQS and calls run-task for each image. Fargate launches a task per image, processes it in seconds, and terminates. They pay only for the compute time per image. Cost is minimal because tasks are short-lived. If they used EC2, they would need a cluster of instances running 24/7, which would be wasteful. The challenge they face is cold start latency (a few seconds) and the 1-minute minimum billing, but for batch processing of thousands of images, the per-second billing after the first minute still saves money. They also use EFS to share a cache of common assets across tasks, reducing image pull time.
Scenario 2: Running a Microservices Backend
A SaaS startup runs a set of microservices (user service, payment service, notification service) on ECS with Fargate. Each service is a small container with 0.25 vCPU and 512 MB memory. They use an Application Load Balancer to route traffic. Traffic patterns are variable: spikes during business hours, low at night. With Fargate, they use Application Auto Scaling to scale each service based on CPU utilisation. During a spike, Fargate launches new tasks in seconds, handling the load. They never manage servers. The cost is higher per vCPU-hour compared to using EC2 with Reserved Instances, but because they avoid the overhead of managing EC2 and can scale to zero during off-hours, total cost is lower. A common mistake: they initially set the memory too low, causing out-of-memory errors. They learned to monitor memory utilisation and adjust task definitions. Another issue: they used public IPs for tasks, which exposed them to the internet. They switched to private subnets with a NAT gateway and ALB, improving security.
Scenario 3: Running a Periodic Data Pipeline
A financial analytics company runs a nightly ETL job that processes terabytes of data from a data warehouse. They use a Fargate task that runs a Spark-like container (using Apache Spark on EMR is separate, but they use a custom container). The job runs for about 2 hours. They schedule it with Amazon EventBridge (CloudWatch Events) to run once per day. With Fargate, they pay for 2 hours of compute per day. If they used EC2, they would need an instance running 24/7 for a 2-hour job, which is wasteful. However, Fargate’s CPU and memory limits (up to 16 vCPU, 120 GB) may not be enough for very large Spark jobs. They found that Fargate works well for medium-sized ETL but for massive jobs, they use EMR on EC2. A misconfiguration: they did not set the task execution role correctly, so the container could not pull the image from ECR, and the task failed with an AccessDenied error. They fixed it by attaching the AmazonECSTaskExecutionRolePolicy.
What CLF-C02 Tests on AWS Fargate
The CLF-C02 exam tests your understanding of Fargate as a serverless compute option for containers. The objective is under Domain 3: Cloud Technology Services, and the specific sub-objective is: "Identify the appropriate AWS compute service for a given use case." You will be asked to distinguish Fargate from EC2, Lambda, and ECS with EC2 launch type. The exam does not require you to write CLI commands or CloudFormation, but you must know the key characteristics, pricing model, and use cases.
Common Wrong Answers and Why Candidates Choose Them
"Fargate is a container orchestration service" – This is wrong because Fargate is a compute engine, not an orchestrator. The orchestrator is ECS or EKS. Candidates confuse the launch type (Fargate) with the orchestration service. On the exam, a question might say: "Which service orchestrates containers on AWS?" The correct answer is ECS or EKS, not Fargate.
"Fargate can run both containers and virtual machines" – Fargate only runs containers. Candidates might think it can run VMs because it uses Firecracker microVMs. However, Firecracker is an isolation technology for containers, not a general-purpose VM. You cannot run a full OS; you run a container.
"Fargate requires you to manage the underlying EC2 instances" – This is the opposite of the truth. Fargate is serverless; you do not manage instances. Candidates who are familiar with ECS with EC2 launch type might assume all ECS requires EC2 management.
"Fargate supports Windows containers" – Fargate only supports Linux containers. Candidates might assume it supports Windows because ECS supports Windows containers on EC2. The exam may test this distinction.
Specific AWS Service Names, Values, and Terms
Firecracker: The open-source microVM technology that powers Fargate. The exam may ask what technology provides isolation for Fargate tasks.
Task definition: The blueprint for your application. Contains container image, CPU, memory, networking mode, IAM roles.
Launch type: Options are FARGATE and EC2. The default is EC2 for ECS.
Network mode: Fargate requires awsvpc mode, which gives each task its own ENI.
Pricing: Pay per second for vCPU and memory, minimum 1 minute.
CPU limits: 0.25 to 16 vCPUs; memory 0.5 GB to 120 GB.
Integrations: ECS, EKS, ALB, NLB, CloudWatch, EFS, App Mesh, X-Ray.
Not supported: GPUs, Windows containers, EBS volumes.
Tricky Distinctions the Exam Tests
Fargate vs Lambda: Both are serverless, but Lambda runs functions (event-driven, short-lived, up to 15 minutes), while Fargate runs containers (longer-running, any runtime, up to 120 GB memory). Use Lambda for simple, short tasks; use Fargate for complex, long-running containerised apps.
Fargate vs ECS with EC2: Fargate removes EC2 management; EC2 launch type gives you control over instance types, placement, and allows you to use Reserved Instances for cost savings. The exam may ask: "Which launch type would you choose to avoid managing servers?" Answer: Fargate.
Fargate vs EKS: EKS is a managed Kubernetes service. Fargate can run EKS pods, but EKS itself is not serverless (you pay for the control plane). Fargate for EKS is a feature called "AWS Fargate for Amazon EKS."
Decision Rule for Multiple-Choice Questions
When the question asks you to choose a compute service for containers, ask yourself: 1. Does the customer want to avoid managing servers? → Fargate. 2. Does the customer need GPU or Windows? → ECS with EC2 (not Fargate). 3. Is the workload very predictable and high-utilisation? → ECS with EC2 + Reserved Instances for lower cost. 4. Is the workload event-driven and short (<15 min)? → Lambda. 5. Is the customer already using Kubernetes? → EKS (with Fargate for serverless pods if desired).
AWS Fargate is a serverless compute engine for containers that eliminates the need to manage EC2 instances.
Fargate works with both Amazon ECS (as a launch type) and Amazon EKS (via Fargate profiles).
Each Fargate task runs in its own Firecracker microVM for strong isolation.
Fargate tasks require the 'awsvpc' network mode, giving each task its own ENI and security group.
Pricing is per second for vCPU and memory, with a 1-minute minimum; no upfront costs.
Fargate supports CPU from 0.25 to 16 vCPUs and memory from 0.5 GB to 120 GB (with valid combinations).
Fargate does NOT support GPUs, Windows containers, or EBS volumes (only EFS).
On the CLF-C02 exam, know that Fargate is serverless, while ECS with EC2 launch type requires managing instances.
Common exam trap: confusing Fargate with ECS itself – Fargate is a launch type, not an orchestrator.
Use Fargate for variable, batch, or microservices workloads; use EC2 for steady-state, GPU, or Windows needs.
These come up on the exam all the time. Here's how to tell them apart.
AWS Fargate (Serverless Containers)
No server management; AWS handles the underlying hosts.
Pay per second for vCPU and memory used (1-minute minimum).
Scales automatically by adding/removing tasks; no instance provisioning.
Limited to Linux containers; no GPU support.
Best for variable, spiky, or short-lived workloads.
Amazon EC2 (Self-Managed Instances)
Full control over OS, instance types, and placement.
Pay per hour or per second (with Savings Plans) for the entire instance.
Manual or auto scaling via Auto Scaling groups; instance launch takes minutes.
Supports Linux, Windows, and GPU instances.
Best for steady-state, high-utilisation workloads where Reserved Instances reduce cost.
Mistake
Fargate is a container orchestration service like Kubernetes.
Correct
Fargate is a compute engine, not an orchestrator. It runs containers, but the orchestration is handled by Amazon ECS or Amazon EKS. Fargate is the launch type that abstracts the underlying servers.
Mistake
Fargate tasks run on shared EC2 instances that you can see and manage.
Correct
Fargate tasks run on AWS-managed infrastructure that is invisible to you. You never provision or manage EC2 instances. The isolation is provided by Firecracker microVMs, not by user-managed instances.
Mistake
Fargate supports both Linux and Windows containers.
Correct
Fargate currently supports only Linux containers. Windows containers require the EC2 launch type on ECS or EKS with Windows worker nodes.
Mistake
You pay for Fargate by the hour, just like EC2.
Correct
Fargate pricing is per second, with a 1-minute minimum. You are billed only for the vCPU and memory your task consumes while in RUNNING state. This is more granular than EC2 hourly billing.
Mistake
Fargate tasks cannot access the internet unless they have a public IP.
Correct
Fargate tasks can access the internet via a NAT gateway or NAT instance if placed in a private subnet. A public IP is one option, but not the only way. Tasks in a private subnet with a route to a NAT gateway can reach the internet.
ECS (Elastic Container Service) is a container orchestration service that manages the scheduling and lifecycle of containers. Fargate is a launch type within ECS that runs containers on serverless infrastructure. With the EC2 launch type, you manage a cluster of EC2 instances. With Fargate, you provide only the task definition, and AWS runs the containers. On the exam, remember: ECS is the orchestrator; Fargate is the compute engine.
Yes, AWS Fargate integrates with Amazon EKS. You create a Fargate profile that tells EKS which pods should run on Fargate. The pods run in Firecracker microVMs, just like ECS tasks. The Kubernetes control plane is still managed by EKS (and you pay for it). Fargate for EKS is useful when you want to run Kubernetes without managing worker nodes.
Fargate charges per second for the vCPU and memory your task consumes. EC2 charges per hour (or per second with Savings Plans) for the entire instance, regardless of utilisation. For spiky workloads, Fargate is often cheaper because you pay only when tasks run. For steady, high-utilisation workloads, EC2 with Reserved Instances can be cheaper. The exam may ask you to choose based on cost: Fargate for variable, EC2 for predictable.
Firecracker is an open-source virtual machine monitor (VMM) that uses Linux KVM to create microVMs. It was built by AWS to power Fargate and Lambda. Each Fargate task runs inside its own Firecracker microVM, providing strong isolation with low overhead. The exam may ask what technology provides isolation for Fargate tasks; the answer is Firecracker.
No, Fargate does not support EBS volumes. For persistent storage, you can use Amazon EFS (Elastic File System) by mounting an EFS file system to your container. EFS is a network file system that can be shared across multiple tasks. The maximum EFS mount size per task is 20 GB, but the file system itself can be much larger. For ephemeral storage, Fargate provides 20 GB of temporary storage per task, shared among all containers.
There is no maximum runtime limit for a Fargate task. Unlike AWS Lambda (which has a 15-minute timeout), Fargate tasks can run indefinitely. However, you are billed per second for the entire duration. For long-running tasks, ensure you have proper monitoring to avoid unexpected costs. The exam may test this distinction between Lambda and Fargate.
You can store secrets in AWS Secrets Manager or AWS Systems Manager Parameter Store. In your task definition, you can reference these secrets as environment variables or mount them as files. The task execution role must have permission to read the secrets. This is more secure than hardcoding secrets in the container image. The exam may ask about best practices for secrets management.
You've just covered AWS Fargate — Serverless Containers — now see how well it sticks with free CLF-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?