
AWS Fargate

After AWS Lambda, AWS Fargate is currently our recommended deployment environment for development, staging, and production purposes. This is because it is priced better than Kubernetes when we use AWS Fargate Spot, and it also eliminates the need to manage and allocate node pools. If using AWS Fargate is not possible, then we can use Kubernetes.

AWS Systems Manager – Parameter Store

When passing credentials in environment variables, it is mandatory to use AWS Systems Manager – Parameter Store, and to create each parameter with the SecureString type.

In order for the Task/Service to access the parameter store, you need to use an ECS Task Execution Role (named ecsTaskExecutionRole by default). When AWS created the ecsTaskExecutionRole role, it automatically attached a default policy for reading from AWS ECR. You’ll also need to attach an inline policy with appropriate access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "secretsmanager:GetSecretValue",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:ssm:*:<account ID>:parameter/*",
        "arn:aws:secretsmanager:*:<account ID>:secret:*",
        "arn:aws:kms:*:<account ID>:key/*"
      ]
    }
  ]
}
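
The resources in the inline policy above match every parameter, secret and key in the account, in every region. As an added example (not part of the original page), this Python check flags such resources and passes a narrower variant; `broad_resources` is a hypothetical helper, and `<region>`, the `/myapp/prod/` path and `<key ID>` are assumed placeholders.

```python
# ARN resource-type prefix for each service named in the page's policy.
PREFIX = {"ssm": "parameter/", "secretsmanager": "secret:", "kms": "key/"}

def broad_resources(policy):
    """Return Allow-ed resource ARNs that span every region, or every
    parameter, secret or key in the account."""
    findings = []
    statements = policy["Statement"]
    if isinstance(statements, dict):      # IAM also accepts a single object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            # arn:partition:service:region:account:resource
            parts = arn.split(":", 5)
            if len(parts) < 6:            # bare "*" or malformed ARN
                findings.append(arn)
                continue
            service, region, resource = parts[2], parts[3], parts[5]
            prefix = PREFIX.get(service, "")
            name = resource[len(prefix):] if resource.startswith(prefix) else resource
            if region == "*" or name in ("", "*"):
                findings.append(arn)
    return findings

# Resources exactly as listed in the inline policy on this page.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:GetParameters", "secretsmanager:GetSecretValue", "kms:Decrypt"],
    "Resource": ["arn:aws:ssm:*:<account ID>:parameter/*",
                 "arn:aws:secretsmanager:*:<account ID>:secret:*",
                 "arn:aws:kms:*:<account ID>:key/*"]}]}

# Constructed narrower variant: <region>, the /myapp/prod/ path and <key ID>
# are assumed placeholders, not values from the page.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:GetParameters", "kms:Decrypt"],
    "Resource": ["arn:aws:ssm:<region>:<account ID>:parameter/myapp/prod/*",
                 "arn:aws:kms:<region>:<account ID>:key/<key ID>"]}]}

if __name__ == "__main__":
    for label, pol in (("page", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, broad_resources(pol))
```

The narrower variant drops `secretsmanager:GetSecretValue` on the assumption that the task reads only Parameter Store values.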

Service: Auto Assign Public IP & Security Groups

  • Auto-assign public IP: It must be enabled in order to fetch the image from Docker Hub.
  • Security Groups: For web servers, make sure to have at least the default security group so that the Application Load Balancer can access the service.

Service: Health Check Grace Period

When setting up your Service, you must pay attention to the Health Check Command and the Health Check Grace Period, otherwise Fargate will drain your service repeatedly. Hendy’s recommendation is 2 × typical start time.

Regarding the Health Check Command: most containers do not include curl, so check the health status of the Service’s Tasks first. If it’s always UNHEALTHY, you can remove the container health check and rely only on the ALB Target Group health check instead.
