- Overview
- Prerequisites
- Deployment Steps
- Deployment Validation
- Running the Guidance
- Next Steps
- Cleanup
- FAQ, known issues, additional considerations, and limitations
- Notices
## Overview

This Guidance demonstrates how to implement a hybrid architecture using Amazon ECS Anywhere with cross-region load balancing. It addresses the challenge of running containerized workloads across both AWS cloud infrastructure and on-premises environments while maintaining unified management and load distribution.
The solution provides:
- Primary Region (ap-south-1): ECS Fargate workloads for cloud-native deployment
- Secondary Region (us-west-1): ECS Anywhere on EC2 instances simulating on-premises infrastructure
- Cross-Region Connectivity: AWS Transit Gateway for secure networking
- Load Balancing: Application Load Balancer with Fargate targets and manual IP registration for ECS Anywhere
Note: For demonstration purposes, we're using EC2 instances to act as on-premises infrastructure. In a real-world scenario, ECS Anywhere would be deployed on your actual on-premises servers or edge locations.
Multi-Region EC2 Architecture: (architecture diagram not reproduced here)

Data Center On-Premises Architecture: (architecture diagram not reproduced here)
```
terraform-ecs-anywhere/
├── main.tf              # Main Terraform configuration
├── variables.tf         # Input variables
├── outputs.tf           # Output values
├── modules/
│   ├── networking/      # Transit Gateway and VPC peering
│   ├── ecs/             # ECS cluster, roles, and task definitions
│   ├── ec2/             # EC2 instances for ECS Anywhere
│   └── load-balancer/   # ALB and target groups
└── scripts/
    ├── app.py           # Flask application
    ├── Dockerfile       # Container image
    ├── requirements.txt # Python dependencies
    └── install-ecs.sh   # ECS Anywhere installation script
```
You are responsible for the cost of the AWS services used while running this Guidance. As of December 2024, the cost for running this Guidance with the default settings in the US East (N. Virginia) region is approximately $150.00 per month.
We recommend creating a Budget through AWS Cost Explorer to help manage costs. Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this Guidance.
The following table provides a sample cost breakdown for deploying this Guidance with the default parameters in the US East (N. Virginia) Region for one month.
| AWS service | Dimensions | Cost [USD] |
|---|---|---|
| Amazon ECS Fargate | 2 tasks, 0.25 vCPU, 0.5 GB memory, 24/7 | $8.76 |
| Amazon EC2 (t3.medium) | 1 instance, 24/7 | $30.37 |
| Application Load Balancer | 1 ALB, minimal processing | $16.20 |
| AWS Transit Gateway | 2 attachments, minimal data transfer | $36.50 |
| NAT Gateway | 2 gateways (multi-region) | $45.00 |
| VPC Endpoints | 3 endpoints in secondary region | $10.80 |
| Amazon ECR | 1 GB storage | $0.10 |
| Amazon CloudWatch | Logs and metrics | $2.00 |
| Total estimated cost | | $149.73 |
## Prerequisites

These deployment instructions are optimized to best work on Amazon Linux 2023 AMI. Deployment on another OS may require additional steps.

- Terraform >= 1.0

  ```bash
  # Install Terraform on Amazon Linux 2023
  sudo yum install -y yum-utils
  sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
  sudo yum -y install terraform
  ```

- Docker (for building container images)

  ```bash
  # Install Docker on Amazon Linux 2023
  sudo yum update -y
  sudo yum install -y docker
  sudo systemctl start docker
  sudo systemctl enable docker
  sudo usermod -a -G docker ec2-user
  ```

- AWS CLI configured with appropriate permissions

  ```bash
  # Install AWS CLI v2
  curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
  unzip awscliv2.zip
  sudo ./aws/install
  ```

- IAM permissions for ECS, EC2, VPC, Transit Gateway, and Application Load Balancer services
- Two AWS regions enabled: ap-south-1 and us-west-1
- Default VPCs available in both regions (or custom VPCs as specified in variables)
## Deployment Steps

- Clone the repository:

  ```bash
  git clone <repository-url>
  cd ecs-a-blog-content-code-review
  ```

- Configure Terraform variables:

  ```bash
  cp terraform.tfvars.example terraform.tfvars
  # Edit terraform.tfvars with your specific values
  ```

- Initialize Terraform:

  ```bash
  terraform init
  ```

- Review the deployment plan:

  ```bash
  terraform plan
  ```

- Deploy the infrastructure:

  ```bash
  terraform apply
  ```

- Alternatively, use the automated deployment script:

  ```bash
  chmod +x deploy.sh
  ./deploy.sh
  ```
## Deployment Validation

- Verify the CloudFormation stacks are created successfully by checking the Terraform state:

  ```bash
  terraform show
  ```

- Confirm ECS clusters are running in both regions:

  ```bash
  aws ecs list-clusters --region ap-south-1
  aws ecs list-clusters --region us-west-1
  ```

- Check that the Application Load Balancer is active:

  ```bash
  aws elbv2 describe-load-balancers --region ap-south-1
  ```

- Verify Transit Gateway attachments:

  ```bash
  aws ec2 describe-transit-gateway-attachments --region ap-south-1
  ```
## Running the Guidance

- Get the load balancer DNS name:

  ```bash
  terraform output load_balancer_dns_name
  ```

- Test the application endpoints:

  ```bash
  # Test main endpoint
  curl http://<alb-dns>/
  # Test health endpoint
  curl http://<alb-dns>/health
  ```

- Monitor ECS services:

  ```bash
  # Check Fargate service status
  aws ecs describe-services --cluster <fargate-cluster-name> --services <service-name> --region ap-south-1
  # Check ECS Anywhere container instances
  aws ecs list-container-instances --cluster <anywhere-cluster-name> --region us-west-1
  ```
Successful deployment should show:
- HTTP 200 responses from both endpoints
- Load balancer distributing traffic between Fargate and ECS Anywhere targets
- Container instances registered in both ECS clusters
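The validation steps above, as an added example that is not code from the Guidance repository: a small script that performs the manual IP registration of the ECS Anywhere instance into the ALB's IP target group and then checks that every expected target is reported healthy. The target-group ARN, instance IP and container port are placeholders passed on the command line, the AWS CLI v2 is assumed to be configured, and the embedded `describe-target-health` response is constructed so the health-check logic runs without AWS access.

```python
"""validate_targets.py: added example, not code from the Guidance repository.
Registers the ECS Anywhere instance's private IP in the ALB's IP target group
and reports target health (ARN, IP and port are placeholders; AWS CLI v2 configured)."""
import ipaddress
import json
import subprocess
import sys

ALB_REGION = "ap-south-1"  # the ALB and its target group live in the primary region
SAMPLE_HEALTH = {"TargetHealthDescriptions": [  # constructed describe-target-health output
    {"Target": {"Id": "10.0.1.5", "Port": 8080, "AvailabilityZone": "all"},
     "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "172.31.4.9", "Port": 8080},
     "TargetHealth": {"State": "unhealthy", "Reason": "Target.Timeout"}}]}

def register_target_spec(ip, port):
    """One --targets entry for an IP outside the ALB's VPC (the us-west-1 instance
    reached over Transit Gateway): AvailabilityZone must be "all"; private IPs only."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_private:
        raise ValueError(f"{ip} is not a private address; refusing to register")
    return {"Id": str(addr), "Port": int(port), "AvailabilityZone": "all"}

def summarize_health(response):
    """Group targets by state: {"healthy": ["ip:port", ...], "unhealthy": [...]}."""
    summary = {}
    for desc in response["TargetHealthDescriptions"]:
        tgt, state = desc["Target"], desc["TargetHealth"]["State"]
        summary.setdefault(state, []).append(f"{tgt['Id']}:{tgt['Port']}")
    return summary

def targets_ready(response, expected):
    """True only when every expected "ip:port" is reported healthy."""
    return set(expected) <= set(summarize_health(response).get("healthy", []))

def aws(*args):
    """Run an AWS CLI command in the ALB region and parse its JSON output."""
    cmd = ["aws", *args, "--region", ALB_REGION, "--output", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}  # register-targets returns no body

if __name__ == "__main__":
    if len(sys.argv) == 4:  # <target-group-arn> <ecs-anywhere-private-ip> <port>
        tg_arn, spec = sys.argv[1], register_target_spec(sys.argv[2], sys.argv[3])
        aws("elbv2", "register-targets", "--target-group-arn", tg_arn, "--targets", json.dumps([spec]))
        health = aws("elbv2", "describe-target-health", "--target-group-arn", tg_arn)
        expected = [f"{spec['Id']}:{spec['Port']}"]
    else:  # no arguments: run against the constructed sample, which has one unhealthy target
        health, expected = SAMPLE_HEALTH, ["10.0.1.5:8080", "172.31.4.9:8080"]
    print(json.dumps(summarize_health(health), indent=2))
    sys.exit(0 if targets_ready(health, expected) else 1)  # non-zero until all targets are healthy
```

Run it without arguments to see the sample report (it exits non-zero because the sample contains an unhealthy target), or with the three placeholders to register the instance and check the real target group.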
## Next Steps

To enhance this Guidance for production use:
- Security: Implement proper IAM roles with least privilege principles
- Monitoring: Add comprehensive CloudWatch dashboards and alarms
- Scaling: Configure auto-scaling policies for both Fargate and EC2 instances
- CI/CD: Integrate with AWS CodePipeline for automated deployments
- Networking: Use private subnets and VPC endpoints for enhanced security
- Container Images: Use specific image tags instead of "latest"
## Cleanup

- Destroy the Terraform infrastructure:

  ```bash
  terraform destroy
  ```

- Alternatively, use the cleanup script:

  ```bash
  chmod +x destroy.sh
  ./destroy.sh
  ```

- Manually delete any remaining resources if needed:
  - ECR repositories with images
  - CloudWatch log groups
  - Any custom VPC resources not managed by Terraform
## FAQ, known issues, additional considerations, and limitations

- Transit Gateway peering intermittent connectivity: The peering connection may show as "deleted" in the console but basic connectivity should still work
- ECS container instance registration delays: Initial registration may take 5-10 minutes
- Cross-region latency: Expect higher latency for cross-region traffic
- This Guidance creates public-facing load balancers for demonstration purposes
- ECS Anywhere uses EC2 instances instead of true on-premises servers for simplicity
- Container images use "latest" tags which is not recommended for production
- Broad IAM permissions are used for demonstration - implement least privilege in production
- Cross-Region Peering: Transit Gateway peering may have intermittent connectivity
- Network Connectivity: EC2 instances need internet access or VPC endpoints for AWS API calls
- Load Balancer: Uses IP-based target groups for cross-VPC connectivity
For feedback, questions, or suggestions, please use the issues tab under this repository.
## Notices

Customers are responsible for making their own independent assessment of the information in this Guidance. This Guidance: (a) is for informational purposes only, (b) represents AWS current product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided "as is" without warranties, representations, or conditions of any kind, whether express or implied. AWS responsibilities and liabilities to its customers are controlled by AWS agreements, and this Guidance is not part of, nor does it modify, any agreement between AWS and its customers.