AWS Fargate

Learn how to run containerized applications using AWS Fargate and its security model.

AWS Fargate is an on-demand, serverless compute engine provided by AWS. It lets us run containerized applications without provisioning or managing the underlying infrastructure, so we can focus on deploying the application rather than on provisioning, scaling, and managing servers.


With the introduction of orchestration services like Elastic Container Service (ECS) and Elastic Kubernetes Service (EKS), developers could conveniently deploy their containerized applications. However, these applications still required cloud infrastructure to run on, commonly known as capacity. Elastic Compute Cloud (EC2) instances can provide that capacity, but they add the overhead of provisioning, maintaining, and managing the instances.

To address this, AWS introduced Fargate, a serverless service. With Fargate, we pay only for the CPU and memory resources allocated to our containers; there are no charges for underlying EC2 instances, which makes it a cost-effective model for running containerized workloads.

How Fargate works

AWS Fargate abstracts the underlying infrastructure and only requires us to define a task: the Docker image of the containerized application, its CPU and memory requirements, and its networking settings. This eliminates the need to configure servers, schedule scaling, and tune performance.


To understand how Fargate works, it is important to understand its components.

Components of Fargate

  • Task/Pod: The basic deployment unit in Fargate is a task, which represents a running container or a group of containers. If we are running a Kubernetes cluster, the equivalent unit is called a pod. We run a task or a pod when we launch an application with Fargate. Each task/pod has its own container image, CPU, memory, and network settings.

  • Cluster: A group of tasks/pods is called a cluster. Although we do not manage physical servers in a Fargate cluster, it still provides a consolidated space to manage applications.

  • Service: We use services to run multiple instances of a task or pod simultaneously. A service maintains a specified number of tasks/pods and relaunches one if it fails.

We use Fargate as the launch type to launch a task or pod. Fargate schedules the task for execution and provides the required compute resources. When the application completes its execution, Fargate stops the task/pod and cleans up, ensuring maximum utilization of resources and minimal waste.

Security model of Fargate

Fargate is secure by default. Here are some of the essential features of the Fargate security model:

  • Hardware virtualization: Each task or pod gets its own private virtual machine; tasks do not share kernels, CPU cores, or memory with other tasks. Fargate does not allow privileged containers, privilege escalation, or runtime SSH access. These virtual machines are therefore secure and immutable.

  • Network isolation: Fargate provides two network modes: awsvpc (Amazon VPC mode) and bridge. In awsvpc mode, each task or pod has a network-level isolation boundary: one Elastic Network Interface (ENI) and one private IP address per task, which is used for downloading container images, streaming logs, and more. In bridge mode, by contrast, tasks share the same network namespace, similar to traditional container networking on a single host, and port mappings are used to expose services from a task to the host or to other tasks.

  • Storage isolation: Each task gets dedicated storage, encrypted with service-managed keys, that lasts only for the lifetime of the task.

  • IAM credentials isolation: Each task or pod has IAM credentials that are visible only to the containers running within it. These credentials could be API keys, access tokens, or database passwords required by the application. The use of these credentials can only be monitored with CloudWatch.

Isolation boundary of a task/pod in Fargate

The isolation boundary of a task or a pod reduces the attack surface and improves the overall security posture.
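As an added example that is not part of the original lesson, the following Python checks a task definition against the properties described above before it is registered: awsvpc networking, a task role for credential isolation, a valid Fargate CPU/memory pairing, and no privileged containers or added Linux capabilities. The sample definition, account id, image and role names are constructed placeholders; the CPU/memory table is taken from the AWS documentation for Fargate task sizes.

```python
# Constructed sample in the shape ECS register-task-definition accepts; the
# account id, image and role names are placeholders, not real resources.
SAMPLE_TASK_DEF = {
    "family": "web-api",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "cpu": "512", "memory": "1024",
    "taskRoleArn": "arn:aws:iam::123456789012:role/web-api-task-role",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "api",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web-api:1.4.2",
        "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
        "essential": True, "privileged": False, "readonlyRootFilesystem": True,
    }],
}

# Valid Fargate CPU-unit to memory-MiB pairings per the AWS docs (sizes above
# 4 vCPU exist but are omitted to keep the table short).
FARGATE_CPU_MEMORY = {
    256: {512, 1024, 2048},
    512: {1024, 2048, 3072, 4096},
    1024: {2048, 3072, 4096, 5120, 6144, 7168, 8192},
    2048: set(range(4096, 16385, 1024)),
    4096: set(range(8192, 30721, 1024)),
}

def fargate_findings(task_def: dict) -> list:
    """Findings where the definition departs from the Fargate isolation model; empty means OK."""
    findings = []
    # Network isolation: one ENI and private IP per task needs awsvpc mode.
    if task_def.get("networkMode") != "awsvpc":
        findings.append("networkMode must be awsvpc for per-task network isolation")
    # IAM credential isolation: the task role scopes credentials to this task.
    if not task_def.get("taskRoleArn"):
        findings.append("taskRoleArn missing: containers get no task-scoped credentials")
    # Sizing: Fargate accepts only specific task-level CPU/memory pairs.
    cpu, mem = int(task_def.get("cpu", 0)), int(task_def.get("memory", 0))
    if mem not in FARGATE_CPU_MEMORY.get(cpu, set()):
        findings.append(f"cpu={cpu} with memory={mem} MiB is not a valid Fargate pairing")
    # No privileged containers, and no added Linux capabilities beyond SYS_PTRACE.
    for c in task_def.get("containerDefinitions", []):
        if c.get("privileged"):
            findings.append(f"container {c['name']}: privileged containers are not supported")
        added = c.get("linuxParameters", {}).get("capabilities", {}).get("add", [])
        if any(cap != "SYS_PTRACE" for cap in added):
            findings.append(f"container {c['name']}: only SYS_PTRACE may be added on Fargate")
    return findings
```

Run the check in CI against the JSON you pass to register-task-definition so that a definition drifting away from the isolation model is caught before deployment.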

Workloads that fit best for Fargate

Many enterprises have shifted their workloads entirely to Fargate. Let’s briefly review the use cases of Fargate in cloud-based applications.

  • API and web services: Fargate integrates seamlessly with services such as ECS, EKS, and API Gateway, simplifying development, monitoring, and security. It also lets us migrate and manage Windows containers on Amazon ECS without extensive modification or restructuring of our existing applications.

  • Data processing and inference: We can effortlessly run data processing, NLP, and machine learning workloads on Fargate. Its ability to process hundreds of millions of documents and spin up ECS tasks in a matter of minutes makes Fargate the right choice.

Fargate is a primary option due to its scalability, flexibility, ease of integration with other AWS services, and the ability to abstract away the complexities of infrastructure management. By utilizing the built-in capabilities of Fargate, businesses can concentrate on their core strengths and provide value to customers.
