ECS · Fargate — Managed Container Execution

Published 2026-04-28 · Updated 2026-05-18


After building a container image, the next question is where to run it. One option is to run Docker directly on EC2; another is to delegate container lifecycle, health checks, rolling deploys, and service discovery to a managed platform.

1. About ECS

| When | Event |
|------|-------|
| 2014 | ECS GA — predates Kubernetes becoming the standard. |
| 2015 | ECR (container registry). |
| 2017 | Fargate (serverless launch type). |
| 2018 | EKS (managed Kubernetes). |
| 2019 | Fargate Spot. |
| 2021 | ECS Anywhere · EKS Anywhere. |

Core objects:

  • Cluster — A logical group that runs containers.
  • Task Definition — A bundle of containers + resource requirements + IAM roles, in JSON.
  • Task — A running instance of a Task Definition.
  • Service — Maintains N copies of a task and manages ALB · health checks · rolling deploys.

Cluster
├── Service A (Task Def v3, desired=3)
│   ├── Task 1 (Container X + Y)
│   ├── Task 2
│   └── Task 3
└── Service B (desired=1)
    └── Task 1 (Container Z)

2. Launch Type — EC2 vs Fargate

EC2 Launch Type — The user runs EC2 instances and the ECS Agent registers them with the cluster. The instance OS, security, and patching are user-owned.

  • Per-instance billing (Reserved · Spot usable).
  • Host access possible (debugging).
  • GPU and special instances usable.

Fargate Launch Type — EC2 is invisible. Declare resources (vCPU · memory) per task; AWS spins up the runtime and bills for it.

  • Almost no operational burden.
  • Strong isolation (Firecracker-based).
  • Billed per task, not per instance.
  • vCPU/memory unit price is higher than direct EC2.
  • No host access (ECS Exec gives limited debugging).

For small-to-medium workloads, Fargate wins on operational simplicity. For large scale, steady load, or special instances, EC2 is favored.

3. Task Definition

{
  "family": "web",
  "networkMode": "awsvpc",
  "cpu": "512",
  "memory": "1024",
  "containerDefinitions": [{
    "name": "app",
    "image": "1234.dkr.ecr.ap-northeast-2.amazonaws.com/web:abc123",
    "portMappings": [{ "containerPort": 8080 }],
    "essential": true,
    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "/ecs/web",
        "awslogs-region": "ap-northeast-2",
        "awslogs-stream-prefix": "app"
      }
    }
  }],
  "executionRoleArn": "arn:aws:iam::1234:role/ecsTaskExecutionRole",
  "taskRoleArn": "arn:aws:iam::1234:role/web-task"
}

  • executionRoleArn — Used when ECS pulls images and writes logs.
  • taskRoleArn — Used when the container calls AWS APIs.
  • networkMode — awsvpc is standard. Each task gets an ENI and a private IP.

4. Service · deploys

A Service maintains the desired count of a Task and automatically registers and deregisters its tasks with the ALB Target Group.

| Strategy | Notes |
|----------|-------|
| Rolling | Default. Add new tasks gradually and remove old ones. |
| Blue/Green (CodeDeploy) | Switch traffic at once between two Target Groups. Instant rollback. |

aws ecs update-service \
  --cluster prod \
  --service web \
  --task-definition web:42 \
  --force-new-deployment

5. ECR · App Mesh · ECS Anywhere

ECR — Managed Docker registry (2015). IAM auth, image scanning, lifecycle policy.

aws ecr get-login-password --region ap-northeast-2 \
  | docker login --username AWS --password-stdin 1234.dkr.ecr.ap-northeast-2.amazonaws.com
docker push 1234.dkr.ecr.ap-northeast-2.amazonaws.com/web:abc123

App Mesh — Envoy-based service mesh. Adds an Envoy sidecar to each task for traffic routing, retries, and observability. Overkill at small scale.

ECS Anywhere (2021) — Register on-prem or other-cloud hosts to an ECS cluster.

6. EKS — Managed Kubernetes

| Item | ECS | EKS |
|------|-----|-----|
| API | AWS-only | Kubernetes standard |
| Learning curve | Low | High |
| Portability | AWS-locked | Portable to other K8s clusters |
| Ecosystem | AWS-integrated | Helm · Operators · OSS |
| Control plane cost | Free | Hourly (~$0.10/hr) |

ECS is the simpler choice; EKS fits where standards and ecosystem matter. Fargate works under both (EKS Fargate has some constraints).

7. Comparison with other options

| Platform | Model | Strengths | Limits |
|----------|-------|-----------|--------|
| ECS + Fargate | Managed containers | AWS integration · simple | AWS lock-in |
| EKS | Managed K8s | Standard · ecosystem | Learning curve · cost |
| Cloud Run (2019) | Container serverless | Short cold starts · scale-to-zero | GCP lock-in |
| Fly.io | Firecracker microVM | Global distribution · anycast | Shared managed responsibility |
| Railway · Render | PaaS | Simple start | Few large-traffic reports |
| Kubernetes (self) | Self-managed K8s | Full freedom | Very heavy operational burden |

8. Auto Scaling · cost · security

ECS Service Auto Scaling (built on Application Auto Scaling) adjusts the service's desired count based on metrics:

  • Average CPU > 60% → +1
  • Requests > 1000/min → +1

Cost structure:

  • Fargate — vCPU-hour + memory GB-hour.
  • EC2 Launch Type — EC2 cost only (ECS itself is free).
  • EKS — Control plane time + worker node cost.
  • ECR — Storage GB-month + egress.

Security defaults:

  • Reach ECR · CloudWatch · Secrets Manager via private subnets + NAT or VPC Endpoints.
  • Least-privilege Task Role.
  • Only ALB exposed to the internet; tasks live in private subnets.
  • Inject secrets via Secrets Manager · SSM Parameter Store.
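
Added example (not from the original page): a small Python linter that checks a task definition against the execution-role/task-role split from section 3 and the security defaults listed above. The sample input, the finding codes, and the secret-name pattern are constructed assumptions.

```python
import json
import re

# Constructed sample: the page's "web" task definition with weak settings added.
SAMPLE = json.loads("""
{
  "family": "web",
  "networkMode": "bridge",
  "executionRoleArn": "arn:aws:iam::1234:role/ecsTaskExecutionRole",
  "taskRoleArn": "arn:aws:iam::1234:role/ecsTaskExecutionRole",
  "containerDefinitions": [{
    "name": "app",
    "image": "1234.dkr.ecr.ap-northeast-2.amazonaws.com/web:abc123",
    "environment": [{"name": "DB_PASSWORD", "value": "constructed-example"},
                    {"name": "LOG_LEVEL", "value": "info"}],
    "secrets": [{"name": "API_KEY",
                 "valueFrom": "arn:aws:ssm:ap-northeast-2:1234:parameter/web/api-key"}]
  }]
}
""")

# Heuristic for variable names that usually carry credentials (an assumption).
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

def lint_task_definition(td):
    """Return sorted finding codes for one task definition dict."""
    findings = set()
    if td.get("networkMode") != "awsvpc":
        findings.add("network-mode-not-awsvpc")
    task_role, exec_role = td.get("taskRoleArn"), td.get("executionRoleArn")
    if not task_role:
        findings.add("no-task-role")
    elif task_role == exec_role:
        # One role for both jobs gives app code the pull/log/secret permissions.
        findings.add("task-role-same-as-execution-role")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        if "logConfiguration" not in c:
            findings.add(f"{name}:no-log-configuration")
        if c.get("secrets") and not exec_role:
            # ECS resolves valueFrom with the execution role before start.
            findings.add(f"{name}:secrets-without-execution-role")
        for env in c.get("environment", []):
            if SECRET_NAME.search(env.get("name", "")):
                findings.add(f"{name}:plaintext-secret:{env['name']}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint_task_definition(SAMPLE)))
```

Run it in CI against the JSON that is about to be registered, so a plaintext credential or a shared role is caught before the revision reaches the cluster.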

9. Common pitfalls

Task IP exhaustion — awsvpc mode requires an ENI per task. Smaller instance types hit ENI limits quickly, blocking new tasks.

ALB Target Group deregistration delay — Old tasks keep receiving traffic for a while during deploys. Too short a delay drops in-flight requests; too long a delay slows deploys.

No SSH on Fargate — Direct host access is unavailable. Use ECS Exec for limited debugging.

Log floods — CloudWatch Logs cost climbs quickly. Tune log levels and retention, and consider S3 export.

Image platform mismatch — ARM images built on M1/M2 Macs fail on x86 EC2. Use docker buildx build --platform linux/amd64.

Spot reclaim — Both Fargate Spot and EC2 Spot can be reclaimed. Implement graceful shutdown.

Closing thoughts

ECS + Fargate is a natural answer for small-to-medium container workloads. EKS's standard ecosystem is appealing, but its operational burden makes it appropriate when there are clear portability or tooling requirements. For a small team, a PaaS, a single VPS, or ECS on Fargate is a safe first choice.

ECS developer guide · Fargate · ECR · EKS · Cloud Run · Fly.io · Kubernetes · AWS Copilot for reference.
