AWS re:Invent 2022 - A close look at AWS Fargate and AWS App Runner (CON406)

00:00

- Thank you for joining this late afternoon session today.

00:03

My name is Archana Srikanta,

00:05

I'm a principal engineer at AWS.

00:07

I've been with AWS for over 11 years now,

00:11

and a large part of that tenure

00:12

has been with the container services org.

00:15

So I've actually had the good fortune of working

00:19

on multiple container services during that tenure.

00:23

And in fact,

00:24

I've actually rotated through all of these services

00:27

that we're gonna talk about today, at some point.

00:29

And, you know,

00:30

App Runner and Fargate are especially close to my heart

00:32

'cause I was one of the founding engineers,

00:34

part of the founding team for those services.

00:37

So I wanna start today by telling you a little bit

00:41

of the story of these services

00:43

and how the product ideas for these services kind of evolved

00:47

from one service to the next.

00:49

You know, starting from EC2,

00:50

which is our original compute service,

00:53

all the way to App Runner,

00:54

which is kind of the newest service on the block.

00:57

And then we'll pull the curtains back

01:00

and look at the under-the-hood architecture

01:02

for these services.

01:04

And you'll see that it's not just the product ideas

01:07

that, kind of, have built on top of each other,

01:10

but the actual architecture itself

01:12

has kind of layered on top of each other.

01:14

So newer services have been built on top of foundations

01:17

that we laid with predecessor services.

01:20

And for the under-the-hood part of this talk,

01:23

we'll go backwards.

01:23

So we'll start with App Runner,

01:25

which is kind of the highest abstraction service,

01:27

and then we'll see how that's built on top of Fargate,

01:29

and how Fargate kind of built on top of ECS.

01:33

And finally,

01:35

security and availability are kind of the key tenets

01:41

that we apply at Amazon across all AWS services,

01:44

across all Amazon services.

01:47

So, we'll go over how, for these architectures,

01:50

for these particular services,

01:52

how kind of security and availability played a role

01:55

in influencing the design.

02:01

All right, so for the the product idea evolution,

02:05

we're gonna use this use-case of a web application.

02:08

So this is your standard kind of http server

02:11

that listens on a socket

02:12

and responds to http requests, right?

02:14

And generally when you think

02:17

of how you would run such an application, you have a VM,

02:20

you install an operating system on it,

02:22

you pick a language of your choice

02:23

to write the application in,

02:24

and then the app sits on top of it

02:26

and you're probably running multiple copies of this stack

02:29

for scale and redundancy.

02:30

So you put a load balancer in front of it,

02:32

you put an auto scaling group around it,

02:34

and you probably have some build deployment pipeline.

02:39

Now before we see how to run this on AWS, you know,

02:45

I wanna pause and talk a little bit

02:47

about the shared responsibility model on AWS.

02:49

And some of you might have heard about this already,

02:53

but the spirit of shared responsibilities

02:55

is that no matter what AWS service you use,

02:58

not just specific to the ones we're gonna talk about today,

03:00

in most cases the availability

03:03

and the security posture of your application

03:05

at the end of the day is a joint responsibility between you,

03:08

the customer, and us, AWS.

03:10

So there's gonna be parts of the stack that we own,

03:13

the responsibility, and there will be parts of the stack

03:16

that you will own the responsibility for.

03:19

And we're gonna use this lens of shared responsibility

03:22

to go through each of the services

03:25

in the context of that web application.

03:29

So with EC2, this is the original compute service.

03:34

EC2 basically took responsibility

03:37

for running the physical servers and data centers

03:40

and the virtualization software

03:42

that runs on these physical servers.

03:44

But you as the customer, you still own the VMs,

03:47

what we call EC2 instances.

03:49

You still own all the software

03:51

that runs inside these instances.

03:53

And you know, you own hooking up the load balancer,

03:56

the auto scaling group and,

03:57

and the build deployment pipeline around these instances.

04:00

Now you can use AWS managed services,

04:03

like application load balancer etcetera,

04:06

but kind of tying it all together

04:08

and making sure that it's configured properly

04:11

is still your responsibility at the end of the day.

04:14

And you know,

04:15

a lot of our EC2 customers came back and told us,

04:19

especially the ones that weren't, you know,

04:21

core infrastructure admin personas,

04:25

they said that this is still a lot of things

04:27

that you as the customer have to tie together.

04:29

It's a lot of things that you have to get right

04:33

and it's a lot of services that you have to learn

04:35

to run just a super simple web application.

04:38

So in 2011 we launched Elastic Beanstalk.

04:42

And what Beanstalk did is it said, okay,

04:44

you don't have to go to each of these individual services

04:47

and learn how to, kind of, stitch it all together.

04:50

We will do that for you

04:52

as a central kind of orchestration plane,

04:55

which is Beanstalk.

04:56

So you can just go to Elastic Beanstalk,

04:58

you can describe your application

04:59

and the environment in those terms.

05:02

And Beanstalk will basically create

05:04

a cloud formation template behind the scenes

05:06

and, you know, deploy and provision all of these resources

05:09

behind the scenes in your account.

05:11

So the responsibility line here still doesn't shift

05:16

because these resources still end up running

05:19

in your account at the end of the day.

05:21

So you have full access to these resources,

05:23

you can go in and customize various aspects

05:25

of these resources if you wanna change things.

05:28

So in that sense, you as the customer

05:30

still own the responsibility for these components.

05:37

And then around 2013, 2014 on EC2,

05:42

this is before AWS had any container services available,

05:46

on EC2 we started seeing

05:48

that containers were starting to become popular.

05:50

And a lot of our customers

05:51

for this web application type use cases,

05:53

they were actually using container technology.

05:55

And what does that mean?

05:57

They would, you know,

05:57

install a container runtime like Docker

05:59

or Container D etcetera,

06:01

and they would basically decouple the app packaging

06:05

from the OS.

06:06

So instead of building a monolithic army,

06:10

they decoupled the app, you know,

06:12

layered it with the language runtime

06:14

and they would build a container image

06:15

and deploy it as containers on these instances.

06:18

And because containers provide some amount

06:20

of resource isolation,

06:21

you can actually co-locate multiple apps,

06:24

multiple copies of the same app or even multiple, you know,

06:26

different apps within the same instance.

06:29

So you get, you know,

06:30

all the wonderful benefits of containers,

06:32

which is, you know, fast start times,

06:33

better fleet utilization, etcetera, etcetera.

06:37

Now this looks fine if you're looking at one instance,

06:40

but if you're looking at, you know,

06:42

hundreds of instances and thousands of applications,

06:44

like many customers were doing,

06:46

the actual orchestration and placement logic

06:51

becomes a fairly complex software problem.

06:53

So when you know workload request comes in,

06:56

how do you find the right spot on the right instance

06:58

to actually go launch this application?

07:01

And so we saw a lot of these container orchestrator projects

07:04

start to crop up, Mesos was a popular one,

07:07

Kubernetes is a big one today.

07:08

And a lot of these orchestrators

07:10

were basically large open source projects.

07:12

And what customers were doing is that, you know,

07:16

they would install a orchestrator specific agent

07:19

on this instance,

07:22

and then the agent typically talks to a control plane,

07:27

which is a much larger, beefier piece of software

07:31

that has all the smarts for running the placement logic,

07:33

and you know, the execution of the container orchestration.

07:40

So these container orchestrators,

07:42

they're not easy pieces of software, right?

07:45

These are large services that you have to run

07:46

and customers were running these control planes themselves.

07:49

So they would actually launch more instances

07:51

and, you know, run these open source projects themselves.

07:54

And that was kind of the first opportunity we spotted

07:58

and it just felt wrong

07:59

that customers have to run more instances

08:01

to manage their existing instances.

08:04

So with ECS, which was released in 2015, we basically moved

08:08

the container orchestration control plane bit

08:10

down under the boundary

08:11

into the AWS side of the responsibility.

08:14

So on the EC2 instance, you install an ECS agent

08:19

and your instances is basically registered with our service

08:22

and then you can just speak our service APIs

08:24

to launch containers on your instances.

08:28

Now, you know, this is, oh,

08:32

and then you still own, of course,

08:34

the load balancing and the auto scaling CICD

08:37

because the instances are all still running in your account.

08:39

You still, kind of,

08:40

have to hook up all of these things together.

08:43

And actually some of the problems

08:44

got even more complicated with containers

08:47

because now, auto scaling for example,

08:49

you're not just auto scaling your instances

08:52

because you've decoupled the container from the instance.

08:54

You have to auto scale your instance fleet

08:56

and then you have to auto scale the containers

08:57

on top of that.

08:59

A similar build it and fort build and deployment pipeline,

09:01

there's software that goes on the instance

09:03

that you need a pipeline for.

09:04

There's software that goes in the container, etcetera.

09:06

So there was still a lot of stuff

09:09

that was in the customer side of this responsibility line.

09:14

Not to mention just the, you know, the OS patching,

09:17

the runtime patching, agent patching.

09:19

All of that non-trivial amount of work

09:22

for someone who just wants to run a web app.

09:24

So in 2017, what we did is we moved this line even higher,

09:29

with Fargate,

09:30

and Fargate was our serverless containers offering.

09:33

And what that means is that we said, you as the customer,

09:37

if you wanna run a container,

09:38

you don't have to ever launch an EC2 instance.

09:41

So we took responsibility of the underlying instance,

09:44

we took responsibility of all that base layer software

09:46

that's running on the instance.

09:48

We run a Fargate agent, it's slightly modified version

09:52

of the open source ECS agent that we make available,

09:55

but we're gonna call it the Fargate agent.

09:58

So you as the customer,

09:59

you can really only speak in the currency of containers

10:03

and you don't have to worry about the instance layer at all.

10:07

There is still a certain aspect

10:09

of load balancing auto scaling CICD

10:12

that you don't have to do at the instance level,

10:14

but at the containers level,

10:15

you still have to kind of hook everything up together.

10:20

So with App Runner, which, like I said,

10:23

one of our newer services,

10:25

what we did was, we said,

10:28

let's focus on this use case of web applications

10:31

and see for that specific vertical,

10:33

how can we make things even easier for you, the customer?

10:36

So we moved that responsibility line even higher

10:40

and we said, you know,

10:42

you don't have to run the containers even, so you know,

10:47

we'll talk about what this experience looks like,

10:48

but basically you don't have to run the containers

10:50

in your account, you don't have to run the load balancer,

10:52

you don't have to worry about the auto scaling groups,

10:54

you don't have to worry about deployment pipelines.

10:57

Really all you are responsible for is your application image

11:01

and all the software that goes in the application image.

11:05

So what does this experience look like with App Runner?

11:09

So your teams can either start with source code

11:15

directly in GitHub

11:17

or you can start with prebuilt container images in ECR.

11:21

But basically you have to give us permission

11:23

to access your artifacts.

11:25

So if it's source code in GitHub,

11:26

you have to create a connection object,

11:28

but if it's a image in ECR,

11:30

you have to create an IM role that gives us permissions

11:33

and then we will pull it down,

11:35

and you just have to make one API call,

11:37

the create service API call,

11:40

and you get a URL in return,

11:43

against which your clients can start making http requests.

11:47

And like I said, you won't see the instances,

11:49

you won't see the Fargate tasks or the containers.

11:52

You won't see the load balancer,

11:53

you won't see the auto scaling group.

11:54

You just see this end point,

11:56

against which you can make requests

11:57

and everything magically scales

11:59

as you start to send more requests to that end point.

12:03

So what's going on under the hood of all this magic?

12:08

So, you know, it's not magic.

12:12

We have a VPC that we run behind the scenes.

12:14

We we're gonna call it the App Runner, our service VPC.

12:19

And if you're starting with source code,

12:21

we basically have managed language run times

12:26

that we make available to you.

12:27

So you don't even have to to worry about the language layer

12:30

of your application.

12:32

We will layer it onto the runtime that that we provide

12:35

and then we'll pump it through a build process

12:37

and then we'll generate a container image for your app.

12:40

Of course, if you're starting with a container image,

12:42

we just copy it over into our account

12:44

and then we basically deploy these as Fargate tasks in our,

12:49

you know, App Runner owned service account.

12:52

Now these Fargate tasks have to have some networking.

12:55

So they have a, because they live in our service VPC,

12:58

they have their primary ENI is attached

13:00

to the App Runner service VPC,

13:02

but they also have a secondary network interface

13:05

that is attached to your VPC.

13:07

So the application that you bring to us,

13:10

if it needs to talk to a private database

13:12

or something in your VPC,

13:14

it uses the secondary network interface to do that.

13:20

So what happens when you actually send a request?

13:22

So when your clients send a request to that URL

13:25

that I talked about,

13:26

the URL basically gets resolved.

13:29

We use Rev53 behind the scenes,

13:31

to an NLB network load balancer that we run in our account.

13:37

The NLB basically forwards it to an L7 request router

13:43

and the L7 request router will then forward it

13:45

to the Fargate tasks that we've spun up

13:48

for your service through that primary ENI

13:50

that we talked about.

13:54

So that's kind of the picture of what's going on

13:58

at the App Runner level.

14:00

So what's actually going on behind the scenes

14:02

of these Fargate tasks that we're launching.

14:05

So now we're going into, kind of,

14:07

the Fargate team's responsibility.

14:10

Before I talk about Fargate,

14:13

I want to introduce this technology

14:15

that we use called Firecracker.

14:18

Firecracker is a open source virtualization software project

14:22

by Amazon, and it's basically a hypervisor

14:27

that's purpose built for, specifically for,

14:29

containers and functions.

14:30

And Fargate uses it and Lambda uses it.

14:34

So what's actually going on here?

14:36

So you can take any bare metal server

14:38

and then instead of the hypervisor,

14:41

you basically install Firecracker

14:43

and Firecracker will spin up what we call micro VMs.

14:47

Now these are special,

14:49

they're not traditional VMs,

14:50

they're different from traditional VMs,

14:52

that's why they're called micro VMs

14:54

because what we've done, is we've basically ripped out

14:58

some of the, kind of, devices and things

15:02

from a traditional VM,

15:05

in order to optimize for the startup time.

15:07

So these are things that add latency to VM bootstrap.

15:10

And by doing that,

15:12

and these are devices that, you know,

15:13

especially for abstracted workloads like containers

15:15

and functions in the cloud,

15:17

a lot of these devices aren't used.

15:19

So we could kind of safely pair that down

15:21

to gain advantages on startup times.

15:24

So with these Firecracker micro VMs,

15:27

we were able to go from, you know,

15:29

traditional VM bootstrap time is, you know,

15:32

probably tens of seconds if not minutes

15:35

to basically sub-second bootstrap time.

15:38

So we can launch these micro VMs, basically,

15:40

just in time as those requests are coming in

15:42

to launch containers, right?

15:43

And so that's how they're different from traditional VMs,

15:48

but how are they similar to traditional VMs?

15:51

So the thing about these micro VMs

15:53

is that the boundary between two micro VMs

15:58

that are running on the same bare metal server,

16:00

it's still using the same traditional, kind of,

16:03

VM level isolation.

16:05

So we can safely, you know,

16:07

co-locate multiple VMs on the same same bear metal server

16:11

and you basically get, you know,

16:12

EC2 instance level isolation between between workloads

16:15

that are running on the same server.

16:18

And as you can see in this picture, you know,

16:19

each micro VM has its own guest kernel.

16:21

So you know, if we put multiple Fargate tasks,

16:24

they're not sharing the guest dose

16:26

or the guest kernel at all.

16:29

So how has this been applied to Fargate?

16:33

So the Fargate team runs their own VPC,

16:37

we're gonna call that the Fargate service VPC.

16:40

And within the Fargate VPC

16:42

they run these bare metal instances.

16:46

These are EC2 bare metal instances,

16:47

they're publicly available, all of you can run it.

16:49

It's basically, you get the whole machine.

16:52

So you can actually install virtualization software

16:54

on these machines

16:56

unlike traditional other types of EC2 instances.

17:00

And because these bare metal instances are running

17:03

in the Fargate VPC, you know,

17:05

it has an ENI, elastic network interface,

17:08

that's in the Fargate service VPC.

17:11

So within this instance, like I said,

17:14

we install the Firecracker VMM and we install Container D

17:19

and we install this piece of, kind of,

17:21

glue code between Firecracker and Container D,

17:23

which is, basically when we call Container D to launch

17:29

the container, rather than using traditional C groups

17:32

and name spaces to spin up the container,

17:34

it will actually turn around and speak the Firecracker APIs

17:37

to spin up the container within a micro VM.

17:40

So that's what that glue code is doing.

17:43

And then we run our Fargate agent

17:45

and then we basically have these micro VMs

17:47

that are running your actual application container

17:50

within it.

17:54

And then we have ENI at the micro VM layer

17:57

separate from the ENI for the actual bare metal instance.

18:00

There's one, they're dual honed.

18:02

So like we talked about before,

18:04

there's one ENI attached to this micro VM

18:06

that talks to the App Runner VPC,

18:07

and then there's a secondary ENI attached to the VM

18:10

that talks to to your VPC.

18:15

So that's kind of the Fargate story.

18:18

So moving on to the ECS orchestration part of this story.

18:24

So ECS, like we talked about,

18:26

it's an orchestrator and it's job is really to,

18:30

when we make a request of the ECS control plane

18:33

to launch a Fargate task,

18:35

its job is to find an appropriate slot,

18:37

on an appropriate bare metal instance

18:40

and speak to the Fargate agent

18:41

to actually make the launch happen.

18:43

So, the control plane itself

18:46

is actually pretty sophisticated mesh

18:49

of multiple microservices,

18:50

and I'm not gonna go into a lot of details into each service

18:54

but those of you who've used ECS,

18:55

you might recognize some of the things there,

18:57

like task definitions, clusters, services,

19:00

these are all concepts in ECS

19:02

and we basically have a microservice

19:04

that owns each concept in ECS.

19:08

But the way this this works,

19:11

is that when we launch all these bare metal instances

19:14

in the Fargate VPC and the Fargate agent bootstraps,

19:18

the Fargate agent basically speaks out

19:20

through that primary bare metal instance ENI

19:23

and registers that the bare metal instance

19:25

with one of the microservices,

19:28

which we're gonna call the agent communication service.

19:30

It's the agent, so that's the service

19:32

that owns all these incoming connections

19:34

from the actual worker nodes, right?

19:39

And then when App Runner calls ECS, you know,

19:42

App Runner is a client of ECS,

19:43

calls ECS to launch that Fargate task in the App Runner VPC.

19:48

Basically the placement algorithm in ECS lights up

19:51

and, you know, it picks a specific bare metal instance

19:55

and the agent communication service is called upon

19:59

to actually communicate with the Fargate agent

20:01

and send it the command and all the configuration

20:03

that the agent needs.

20:04

The agent then speaks to Firecracker or Container D

20:07

or it speaks Container D and the micro VM is spun up

20:11

with your application container in it.

20:18

So how do security considerations layer on top of this?

20:27

So let's start with App Runner.

20:31

So, so far we kind of looked at the case of a single service

20:35

and how it works, a single app runner service

20:37

and how the logistics work.

20:40

But in reality, these VPCs that we're running,

20:43

they're hugely multi-tenant VPCs.

20:45

So we actually put, I mean I'm showing showing two here,

20:47

but we actually put, you know,

20:49

many, many different app services into this VPC

20:54

and we have some pretty strict controls

20:56

that we have to put in place to make sure that there's no,

20:58

you know, you know,

21:01

undesired breakages from one to the other,

21:05

from one tenant to the other.

21:06

So we use actually a lot of the controls

21:09

that are available to all of you, as customers of VPC.

21:12

So the first one is, we basically use security groups

21:17

for these tasks that don't allow

21:19

any task-to-task communication,

21:22

not even within tasks of the same service

21:25

or the same tenant.

21:26

There's no reason why these tasks should be talking

21:29

to each other at all.

21:30

So we completely block that communication.

21:32

The only communication that should be coming

21:35

into these tasks is the requests that are flowing in

21:37

from the load balancer and the request router.

21:44

But as I mentioned, shared responsibility,

21:47

the secondary ENI that these Fargate tasks are attached to,

21:52

that that kind of segues into your, the customer's, VPC,

21:57

the security groups on that

21:58

is the customer's responsibility to configure, you know,

22:01

what kind of outbound traffic you wanna allow

22:03

from your application that's running in App Runner.

22:08

And this is, kind of, a recently launched feature.

22:11

So this is on the inbound traffic side of things.

22:16

We just announced private service endpoints for App Runner.

22:19

And what this means is,

22:20

that instead of getting an app runner service URL

22:24

that's publicly reachable over the internet,

22:27

you can now create a private endpoint in your VPC

22:31

to accept the incoming traffic.

22:32

And what we're doing is,

22:33

really we're creating a private link endpoint in your VPC.

22:37

And again, the security groups that you can figure

22:40

on that sort of inbound connection in your VPC

22:43

would be your responsibility,

22:45

to configure exactly which clients within the VPC

22:47

can talk to your service.

22:53

All right, Fargate data plane security.

22:59

So zooming into this Fargate VPC, like we said,

23:04

we have these bare metal instances.

23:06

There obviously isn't just one bare metal instance.

23:08

We have many, many bare metal instances that we run per VPC.

23:12

So a similar kind of theme.

23:15

We don't allow any bare metal instance

23:18

to instance communication through that primary ENI,

23:21

no reason why instances should be talking to each other.

23:28

The only communication that's allowed is the communication

23:31

that the Fargate agent needs to perform

23:33

to the ECS control plane

23:35

and just any other kind of image pull

23:38

and things like that that the agent needs to perform.

23:40

So very controlled, the security groups there.

23:46

We do, like I mentioned,

23:48

one of the benefits of Firecracker

23:50

is that it allows us to safely place multiple tenants

23:53

on the same machine.

23:54

So we do actually place multiple tenants,

23:56

tasks for multiple tenants.

23:58

And these are not just App Runner workloads, these are,

24:02

you know, any public Fargate workloads.

24:04

We can safely co-locate them

24:06

on the same bare metal instance,

24:10

but we will only run one task per micro VM.

24:13

We will never put two tasks,

24:15

even if it's from the same customer, same account,

24:18

we will never put more than one Fargate task

24:20

in the same micro VM.

24:21

At Amazon, we don't trust the container boundary

24:25

to be safe enough for multi-tenant isolation,

24:30

which is the reason why we've, kind of, made this choice,

24:33

of just really maintaining the security posture of your task

24:36

and not putting multiple tasks within the same VM boundary.

24:42

There's, you know,

24:43

independent network interfaces for each of those micro VMs.

24:47

So your tasks are not kind of cross communicating

24:50

through the same network interface.

24:51

They have their dedicated ENI

24:53

that are connected to the customer VPC.

24:59

And as we said, you know,

25:00

micro VM boundary hardware, isolated EC2 instance,

25:04

like isolation basically.

25:05

And as you can see here, you know,

25:06

completely separate guest OSs and guest kernels

25:09

between the multi-tenant workloads.

25:13

So all of these things basically ensures

25:15

that we don't have any side words breakages

25:18

from tenant to tenant or that there's no downward breakages

25:22

to, kind of, some of the Fargate layer software running,

25:25

running on the instance.

25:28

All right, so going into the ECS control plane security.

25:33

So ECS, the, kind of,

25:36

protected resource is all the state that ECS is keeping

25:40

about the bare metal instances, about the Fargate tasks

25:45

that are running on the bare metal instances.

25:47

And a lot of, kind of, the security aspect of ECS

25:50

is making sure that that state is accessed

25:52

and modified in a properly authenticated way.

25:56

And there's basically two entry points to the control plane.

26:01

Many of these services are internal services,

26:03

but there's two entry points from the outside internet.

26:06

And the first one is this agent communication service.

26:09

So we talked about these, you know,

26:11

with Fargate, these bare metal instances

26:13

and the agent talking to the agent communication service

26:16

and you know,

26:17

this is fairly safe 'cause it's our agent,

26:20

it's running on our instances, so, you know,

26:22

we're all friends

26:23

and we don't generally expect any malicious activity

26:26

between Fargate and ECS.

26:28

But remember that the ECS control plane

26:31

is not just serving Fargate, right.

26:32

It's also serving the EC2 launch type,

26:35

which is customers running their own instances

26:38

as worker nodes and having these instances register

26:42

with the ECS control plane.

26:44

So the agent communication service

26:46

also feels these connections from all of these, you know,

26:50

customer owned instances as well.

26:53

And that's the reason why,

26:57

because the agent is just a piece of software

27:00

for this EC2 launch type.

27:02

It's a piece of software that's running out there,

27:04

in the wild, on a customer instance,

27:06

it's just an open source piece of software really.

27:08

They can write their own custom version of the agent

27:10

and try and talk to our APIs.

27:12

So we actually don't consider the agent

27:14

to be within the trust boundary.

27:18

And the way we kind of enforce checks and balances here,

27:24

is that the instance role that's present on your instance,

27:29

that's the identity that the agent is going to use

27:31

to talk to our control plane.

27:32

And the agent communication service basically ensures

27:36

that you're only modifying

27:39

or reading state about other tasks or instances

27:43

in your own account and you can't read across accounts.

27:48

The other entry point is the front end service of course.

27:51

So this is the one that feels all the other, kind of,

27:54

incoming APIs, task management, you know,

27:58

run task APIs and task definition APIs,

28:02

cluster API, service APIs.

28:04

And, you know, here there's standard, again,

28:10

IM-oth, we enforce IM-oth based on the calling actor.

28:15

And then limits and throttles

28:17

are another important piece of really just, kind of,

28:21

protecting fairness on the service

28:23

because unlike, you know,

28:25

some of those open source orchestrator projects

28:27

that we talked about,

28:28

those basically are run in a single tenant mode, right?

28:31

One customer installs their installation of, you know,

28:34

Kubernetes or Mesos and it only serves that customer.

28:37

ECS is basically a multi-tenant AWS service.

28:40

So we, you know,

28:43

a lot of times these limits and throttles are frustrating

28:45

to customers 'cause you have to keep coming to our account

28:47

and you know, getting it raised for your use case,

28:49

but it's really to protect you from each other really.

28:52

So we have to make sure

28:53

that all the resources behind the scenes are fairly used

28:56

across all of our customers.

28:58

So, you know,

28:59

that's really the spirit of limits and throttles

29:01

that are basically enforced, kind of,

29:03

right at the front door, at the front end service.

29:08

All right, moving on to availability.

29:13

So now we're gonna start from ECS and go backwards.

29:17

So ECS control plane availability,

29:19

we talked about this kind of web of microservices

29:22

and we basically don't just run one one copy

29:26

of that entire stack,

29:27

we run a copy of that stack for every region.

29:30

So there's kind of complete independence between regions.

29:33

There's no service in one region

29:35

that's trying to talk to a service in another region.

29:38

This is all in the spirit of, you know,

29:39

if a region is having an an outage,

29:42

we don't want to have that impact spillover

29:45

to any other regions.

29:47

And I think AWS has 30 something regions, give or take.

29:52

So we're actually running like 30 copies of the stack

29:54

and it's not just infrastructure failures, right?

29:56

Even software deployments that we perform to these services,

29:59

we've, you know, phased them out region by region.

30:03

So any kind of software related errors

30:05

that we might roll out are also kind of very controlled

30:08

to make sure that they don't hit multiple regions

30:10

at the same time.

30:13

So within a region,

30:15

we actually don't just run one copy of the stack per region

30:17

'cause we wanna do better, right?

30:19

We don't, when a region is having a problem,

30:21

it's not okay for us to take down the entire region

30:24

and everyone that's using that region.

30:26

So we actually have this notion of a cellular architecture

30:30

and we actually run multiple copies of this stack

30:34

within a region.

30:35

And what we do,

30:36

this is completely transparent to you as the customer

30:39

is we basically allocate, you know,

30:43

I wouldn't say it's arbitrary,

30:45

but there's an algorithm that basically when you, you know,

30:49

create your cluster or your tasks in ECS,

30:52

you get allocated to one of our cells

30:55

and then all of your APIs are then routed

30:57

to that particular cell

30:59

via this thin, kind of, cell router layer.

31:02

And like I said, completely transparent to you,

31:05

you don't get to pick your cells,

31:07

you don't see the cells or anything like that.

31:09

It's really just a knob for us.

31:11

Again, like I said, to reduce that impact of blast radius

31:16

to be subregion.

31:22

And if you look at a particular microservice, you know,

31:27

within this cellular control plane,

31:30

each service is actually spread across AZ.

31:33

So this is again like standard best practice

31:35

that we recommend for customers, we follow the same.

31:38

And really the idea there is,

31:40

if a single AZ is having a infrastructure failure,

31:44

we're basically losing just a third of each service

31:50

and our services are scaled up enough

31:54

in the other two AZs that we're able to, kind of,

31:57

fail over the traffic from that AZ to the other two AZs,

32:00

and we're able to operate with, basically,

32:02

no customer facing impact if they're single AZ failures.

32:09

So let's talk about the Fargate data plane availability.

32:15

So again, similar kind of concept,

32:19

that Fargate VPC that we talked about,

32:22

that has the bare metal instances.

32:23

We're not just running one of that per region,

32:27

we actually have zonal VPCs.

32:29

So we have single subnet VPCs

32:32

completely separated out zone by zone.

32:35

And like I said, it's not just about the zonal of failures,

32:40

but you know, we also think about,

32:42

you know, what if an operator is going into a VPC

32:44

and trying to to perform some operations and they're,

32:48

you know, they fat finger something,

32:49

we don't wanna affect more than one AZ at a time

32:52

or software deployments, like I mentioned,

32:55

you know, they're rolled out zoned by zone

32:57

to make sure that if there's any problems there, you know,

33:01

we're not affecting multiple zones at the same time.

33:04

And again,

33:05

the whole zone being affected is not acceptable to us.

33:08

So we actually run multiple single subnet VPCs per AZ

33:16

and it's blast radius protection,

33:18

but it's also kind of our scaling mechanism.

33:21

So the idea here is that each VPC, we've kind of tried

33:25

and tested how much load a single VPC can take

33:29

and it's a fixed size.

33:31

So once we start to get close to capacity

33:34

for one of these fixed size cells,

33:36

we basically can just keep scaling out horizontally

33:39

by adding more of these VPCs per AZ.

33:46

The App Runner data plane availability.

33:50

So with App Runner, you know, it's the similar thread,

33:55

it's cellular architecture with each component

34:00

within the cell being striped across multiple AZs.

34:03

So the app runner service VPC for a given region,

34:07

we run multiple VPCs per cell,

34:11

similar to, kind of, the ECS control plan picture

34:15

your App Runner service gets allocated

34:19

to one of the cells arbitrarily transparent to you.

34:24

And if you look at kind of a single VPC,

34:28

within the VPC, the Fargate task,

34:31

basically every component, right?

34:33

We have the load balancer, the L7 request router,

34:36

the Fargate tasks, they're all striped across AZs.

34:42

So, you know, that's kind of bringing me

34:46

to the end of my talk.

34:48

And really the points I wanted to make here is

34:54

we have a pretty rich portfolio

34:56

for hosting container applications and, you know,

35:01

often it can be confusing to decide

35:03

which service you should use for your application,

35:06

but it's important to understand, kind of,

35:08

the different abstraction at which each service

35:12

is providing for you.

35:15

And you know, my rule of thumb for these questions

35:20

that we get, is to always start

35:22

with the highest abstraction service

35:24

and then, you know, start your experiments there.

35:27

Really only move down lower to the stack

35:29

if you find specific reasons

35:31

why the higher abstraction services don't work for you.

35:34

And of course like come back and tell us,

35:36

so we can tell you if that's, you know,

35:37

something that's coming up that we wanna support

35:39

or if it's a feature that we're like, no,

35:41

that's like just never gonna be built

35:43

into that abstraction layer.

35:44

So the lower abstraction layer is the right layer for you.

35:47

And you know, as you can see,

35:49

a lot of thought has been put in to kind of the security

35:52

and availability stance of these services

35:56

and especially for the higher abstraction services.

35:58

Like it has, you know,

36:00

all of that thought put into every single layer beneath it

36:03

and the lower down you go, like,

36:05

you basically start owning the security

36:07

and availability stance of those kind of layers beneath you.

36:11

So, and it's hard to put a dollar amount on that.

36:13

So, you know, really take advantage I guess,

36:18

of the value proposition

36:19

of all the work that we do behind the scenes,

36:21

of all the work that our teams do behind the scenes.

36:23

And, and like I said, you know,

36:24

try to use the higher abstraction services

36:26

as far as possible.

36:30

That's all I had.