
AWS Fargate Deep Dive - aray07
https://www.learnaws.org/2019/09/14/deep-dive-aws-fargate/
======
tbrock
I love AWS, I really do and I thought about using fargate because the promise
of not managing your “cattle-like” servers is wonderful but they need to get
the pricing within this stratosphere for it to not be a complete joke.

I actually really like ECS and am aware of how much time it would save me (a
lot) and how much Terraform I could delete (a ton), and it’s still not even
close to worth it.

Amazon usually nails this sort of thing, surprising that despite the
operational value it provides nobody seems to be using it.

~~~
airocker
I believe vendor lock-in and lack of incremental value over EKS are the
reasons. The amount of flexibility we lose by using Fargate is not compensated
well enough by the ease of use offered.

~~~
staticassertion
What lock-in? I'm genuinely curious, I can't imagine it would be hard at all
to move my service from Fargate to anything else. It's just docker containers
and DNS, I haven't done anything Fargate specific.

~~~
llarsson
I assume what is referred to is rather the "we have built all this internal
tooling, release pipelines and processes, internal know-how even among
non-developers" etc. that any technology choice is accompanied by. These
effectively lock you in and cost real money to replace.

~~~
tilolebo
I get that, although in many cases the AWS-specific tooling needed to build
and deploy services running on Fargate is minimal.

It's basically logging in to ECR and triggering an ECS service update (2 API
calls).

I voluntarily keep the networking and IAM parts out, as I believe they are
also needed for a Kubernetes cluster.

What I don't get is that many people seem to think that they are lock-in free
just by choosing Kubernetes. But:

1. Kubernetes itself is a very, very opinionated piece of software. You are
not free, you have to go the Kubernetes way.

2. The overhead of learning and maintaining Kubernetes is real, compared to a
more managed solution like Fargate.

3. If you use Kubernetes, you still have to set up the underlying
infrastructure. This infra is still vendor specific. If you go for a managed
Kubernetes like GKE or EKS, you still have to deal with a vendor-specific API.

~~~
airocker
I would rather run kops and not GKE/EKS. Also, if needed, for the vendor
specific infra we can use terraform.

I believe the Kubernetes stack is more intuitive than any AWS (or GC or Azure)
software. The open source approach will spur innovation that will outclass
Fargate by miles. Fargate provides single instances; you would need
networks/routes/load balancers/auto scalers to make anything meaningful. I bet
they will all be provided as the AWS way of doing the same if Fargate gets any
traction.

~~~
scarface74
And you’re still locked in to your cloud provider with Terraform since every
provisioner is cloud provider specific.

~~~
airocker
At least the code is uniform and extendable.

~~~
scarface74
Saying your code is uniform because the syntax is the same is about like
saying developing a website with Java and developing an Android app is
“uniform”.

------
mharroun
We spend ~$900 a month on Fargate to run all of our dev, stage, qa, and prod
environments as well as some other services and SQS consumers. After the
recent price decrease we looked at how much reserved instances would save us
and the few hundred in savings would not make sense vs. the over-provisioning
and need to dedicate resources to scaling and new tools to monitor individual
containers.

Note: we do have some stuff in Lambda but its package size restrictions limit us.

~~~
philliphaydon
Your packages exceed 250mb??? Wow

~~~
etaioinshrdlu
My Docker containers average about 5 GB total. And I have lots of them. It is
incredibly easy to become bloated. It is hard to stay bloat free.

~~~
philliphaydon
We're talking about Lambda though, executing a function; how much code is
required to execute a function... The largest .NET Lambda I've managed to
create is ~40 MB, which included Chromium.

~~~
jon-wood
While Lambda is sold as “functions as a service” I have on several occasions
made the particular function being served the router for a Ruby web
application - with the Ruby runtime there’s really nothing stopping you
running a complete Rails app in Lambda other than size limitations once you
add a few too many gems.

------
fovc
For people who worry about security (either sincere or tick-the-box types):
what are the pros and cons of managed containers? It seems like you get a
reduction in attack surface but also have fewer tools at your disposal.

~~~
bbgm
One of the key things to remember about Fargate is the following.

 _Each Fargate task has its own isolation boundary and does not share the
underlying kernel, CPU resources, memory resources, or elastic network
interface with another task._ (Source:
[https://docs.aws.amazon.com/AmazonECS/latest/developerguide/...](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html))

The other part is patching. We are (I work at AWS) responsible for patching
the underlying hosts. More details at
[https://docs.aws.amazon.com/AmazonECS/latest/developerguide/...](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html)
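
The patching point above has an operational check behind it: a Fargate task keeps the platform version it was launched on, so long-running tasks can lag behind LATEST until they are redeployed. The following is an added example, not from the thread or from AWS, that walks a constructed `describe-tasks` response and flags Fargate tasks below a required platform version; it assumes the response shape of boto3's `describe_tasks` (tasks[].launchType, tasks[].platformVersion, tasks[].taskArn), and the account id and ARNs are placeholders.

```python
"""Flag Fargate tasks whose platform version is older than the one you require.

Added example; the response below is constructed in the shape of boto3's
ECS describe_tasks output, not captured from a real account.
"""
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.0' into (1, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def tasks_below_platform(describe_tasks_response: Dict, minimum: str) -> List[str]:
    """Return ARNs of Fargate tasks running below platform version `minimum`.

    EC2-launched tasks carry no platform version and are skipped: there the
    host patching is the operator's job, not Fargate's.
    """
    required = parse_version(minimum)
    stale: List[str] = []
    for task in describe_tasks_response.get("tasks", []):
        if task.get("launchType") != "FARGATE":
            continue
        if parse_version(task["platformVersion"]) < required:
            stale.append(task["taskArn"])
    return stale


# Constructed sample: two Fargate tasks on different platform versions and one
# EC2 task (which has no platformVersion field at all).
SAMPLE_RESPONSE = {
    "tasks": [
        {"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/web/aaa",
         "launchType": "FARGATE", "platformVersion": "1.3.0"},
        {"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/web/bbb",
         "launchType": "FARGATE", "platformVersion": "1.4.0"},
        {"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/web/ccc",
         "launchType": "EC2"},
    ]
}

if __name__ == "__main__":
    for arn in tasks_below_platform(SAMPLE_RESPONSE, "1.4.0"):
        print("needs redeploy:", arn)
```

Feed the function the real output of `aws ecs describe-tasks --cluster ... --tasks ...` and a service update (force new deployment) moves the flagged tasks onto the current platform version.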

~~~
nnx
> Each Fargate task has its own isolation boundary and does not share the
> underlying kernel, CPU resources, memory resources, or elastic network
> interface with another task.

Isn't Lambda the same, as they're both using Firecracker under the hood?

~~~
bbgm
With or without Firecracker the isolation models are similar.

------
codewithcheese
I would love a managed Kubernetes Deployment/Job/StatefulSet. Forget managing
the cluster or the node, just allow me to "apply" a Deployment config with
associated Service straight to the cloud. I will tell you my resource limits;
bill me accordingly.

I hope Google Cloud or AWS is working on that. That would have a much wider
impact than Fargate.

~~~
wikibob
Check out Google’s CloudRun
[https://cloud.google.com/run/](https://cloud.google.com/run/)

------
haolez
I’m using Fargate for services that are CPU intensive (i.e. 24/7) and not
reactive by nature. It’s been a good experience so far.

------
zmmmmm
For my poor brain still trying to cope with the onslaught of the huge number
of all these cloud service features ... this sounds a lot like Kubernetes ...
is this just a proprietary version of that? Can someone differentiate them for
me?

~~~
joseph
It's a fully managed version of Amazon ECS (elastic container service). With
Fargate, you don't need to manage the EC2 instances that make up the cluster,
as is required with ECS.

Early on, Amazon tried to avoid offering a managed Kubernetes service, and so
they rolled their own container service in the form of ECS. Later they caved
in and created EKS, their Kubernetes platform. ECS is still used as the
underpinnings of some of their other services, such as Batch and Fargate.

~~~
lkrubner
It's not 100% fully managed. You still need to set auto-scaling rules. I find
that mildly annoying.

~~~
gingerlime
When I played with Fargate about a year ago or so, this was its Achilles heel.
I was hoping for a solution that would auto-scale very quickly, but the
healthcheck intervals and minimum counts to consider a container "running"
couldn't go below 30 seconds or so.

As far as I recall, this is all configured on the load balancer, rather than
directly inside Fargate. Somehow makes it feel less like a "fully managed"
solution, but rather something you have to still tinker quite a bit with.

(compared to Lambda, which you really don't have to worry about scaling at
all)

EDIT: [0] indicates that the minimum you can set is 10 seconds (minimum 2
intervals of 5 seconds to consider it "healthy"), if I understand it correctly.

[0]
[https://docs.aws.amazon.com/elasticloadbalancing/latest/appl...](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html)

~~~
ben_jones
GKE and Google Load Balancer have similar issues: changes to the load
balancer/ingress take up to 10-15 minutes to propagate, and if you miss a
health check you'll be serving 500s until it magically balances itself out or
you just nuke it out of frustration and wait the 10 minutes for it to
configure with your IP again.

------
samvher
I like using Fargate for one-shot tasks that are easy to split up. I used it a
couple of times for summary tasks on large batches of satellite data (100s of
GBs). Set up a Docker image that takes the month for which to do the analysis
as an environment variable and then launch 50 or so Fargate tasks in parallel.
Fairly easy to set up and can save quite a lot of time. If it's for short
running jobs the increased price is not much of an issue. For more
complicated, long-running services I feel like I would prefer managed
Kubernetes.

~~~
tams
What is the advantage of using Fargate instead of Batch for this use case?

~~~
samvher
I wasn't aware of AWS Batch. Looks like that might actually be more suitable
for this use case, so thanks for mentioning it :)

------
fulafel
Can I easily SSH into or otherwise interactively get a shell into a Fargate
container? I think this is a minimum debuggability requirement for these kinds
of services.

[https://github.com/aws/containers-roadmap/issues/187](https://github.com/aws/containers-roadmap/issues/187)
sounds like the answer is "no"?

~~~
flurie
The short answer is no. The long answer is that you could theoretically
explicitly set up a user for auth, run sshd in fargate containers, and shell
in, but it’s not going to be worth it as anything other than a toy example.

~~~
fulafel
I wonder what's behind this functionality gap in the managed services. After
all we take docker exec, podman exec, kubectl exec etc for granted in
troubleshooting.

------
sebasmurphy
This product always makes me think of Aqua Teen Hunger Force. I wonder if
that's where the name originated.

[https://youtu.be/uOd7HQoKxcU?t=50](https://youtu.be/uOd7HQoKxcU?t=50)

------
nickthemagicman
Is EKS a serious competitor to this? It seems like it would be, with the bonus
of no lock-in. What's the advantage of Fargate over EKS?

------
crucialfelix
I still haven't managed to SSH into a container (for Django). The best way I
guess is SSM (systems security manager) which at least gives a web based
console.

CodePipeline integration was time consuming to set up. You have to get it to
create a JSON file with the image id and uh I'd have to consult my notes.

All told, it was more complicated to set up than I expected.

~~~
jon-wood
We’re working on this at my workplace as a prerequisite to a widespread
deployment of Fargate; it's the only blocker on moving out of Heroku for a
large distributed system.

The approach I’m going with is to have an EC2 host attached to the ECS cluster
which people can schedule interactive tasks on. Coupled with some scripting
(maybe a Lambda function if I decide to get fancy) we can then start a task
for any given service on the instance with the same environment and IAM role,
but with a command like /bin/yes just to keep it alive. Once that’s running
users can SSH to the host instance and docker exec into the container for
whatever command they actually wanted to run.

It’s quite a bit more involved than Heroku’s run command, but initial
prototypes seem to indicate it’ll work once we wrap it in some tooling.
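
One way to script the first half of the approach described above (start a keep-alive copy of a service's task on the dedicated EC2 host, so someone can then SSH to that host and `docker exec` in), as an added example that is not the poster's tooling or an AWS sample. It assumes boto3's ECS `describe_services` and `run_task` calls and that the service's task definition is also valid for the EC2 launch type; `FakeECS` is a constructed stand-in so the script runs offline, and the cluster, service and instance ids are placeholders.

```python
"""Keep-alive copy of a service's task pinned to a dedicated EC2 debug host.
Added example (not the poster's tooling); assumes boto3's ECS describe_services
and run_task. FakeECS is a constructed stand-in so this runs offline."""
from typing import Dict, List, Optional


def start_debug_task(ecs, cluster: str, service: str, instance_id: str,
                     container: str, command: Optional[List[str]] = None) -> Dict:
    """Run the service's current task definition (same env and task IAM role) on
    `instance_id`, with the container command replaced by a keep-alive."""
    svc = ecs.describe_services(cluster=cluster, services=[service])["services"][0]
    params = {
        "cluster": cluster,
        "taskDefinition": svc["taskDefinition"],  # same revision the service runs
        "launchType": "EC2",                     # a host we can SSH to, not Fargate
        # ECS cluster query language: schedule only on the debug host
        "placementConstraints": [{"type": "memberOf",
                                  "expression": f"ec2InstanceId == {instance_id}"}],
        "overrides": {"containerOverrides": [
            {"name": container, "command": command or ["/bin/yes"]}]},
        "startedBy": "debug-shell",  # so stray debug tasks can be listed and stopped
    }
    if "networkConfiguration" in svc:  # awsvpc task definitions need subnets/SGs
        params["networkConfiguration"] = svc["networkConfiguration"]
    resp = ecs.run_task(**params)
    if resp.get("failures"):
        raise RuntimeError(f"run_task failed: {resp['failures']}")
    return resp["tasks"][0]


class FakeECS:
    """Constructed stub recording the calls a real boto3 client would receive."""
    def __init__(self) -> None:
        self.calls: List[Dict] = []

    def describe_services(self, **kw) -> Dict:
        self.calls.append({"describe_services": kw})
        return {"services": [{"taskDefinition":
                "arn:aws:ecs:us-east-1:123456789012:task-definition/web:7"}]}

    def run_task(self, **kw) -> Dict:
        self.calls.append({"run_task": kw})
        return {"tasks": [{"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/prod/0badf00d",
                           "taskDefinitionArn": kw["taskDefinition"]}], "failures": []}


if __name__ == "__main__":
    task = start_debug_task(FakeECS(), "prod", "web", "i-0123456789abcdef0", "web")
    print("started", task["taskArn"], "- now ssh to the host and docker exec into it")
```

With a real client (`boto3.client("ecs")`) in place of `FakeECS`, `aws ecs list-tasks --started-by debug-shell` finds the debug tasks left behind so they can be stopped.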

------
peterwwillis
In general, you should just start with whatever service AWS has that
integrates the most features, and once you know what your technical
requirements/limitations are, you'll know if you need to back up to a less
integrated solution. Worst case, you're paying too much for a solution for a
short time, but you have a working MVP.

------
013a
Does anyone remember that time at Re:Invent 2017 when they announced Fargate,
and said that Fargate was coming to EKS "soon"? Let's put odds on which is
released first: Fargate for EKS, or Half Life 3.

------
squid3
NodeChef is a good alternative where you don't have to do the tedious job of
managing servers. [https://www.nodechef.com/](https://www.nodechef.com/)

~~~
gravypod
Are they allowed to host a MongoDB for you? Isn't there something in the
license about that not being allowed?

~~~
detaro
Not of the versions they offer.

