Kit Wai Chan - Fotolia

AWS EC2 Container Service eases Docker deployment

AWS' EC2 Container Service tackles some network and security issues for Docker containers, though there's still room for scheduling improvements.

The AWS EC2 Container Service addresses network and security issues with Docker containers on-premises, drawing significant interest from IT pros.

Containers have been around since the early days of Linux, but the Docker open source project, on which Amazon's EC2 Container Service (ECS) is based, has made it easier to manage and port containers between Linux operating systems. IT pros kicking the tires on the ECS say containers could revolutionize application development.

With Docker containers' enhanced portability, for example, a developer writing an application in a container on a MacBook Pro could send precisely that container up into a cloud infrastructure to be deployed at scale, eliminating an error-prone process of porting an app between development, quality assurance and production environments.

'For startups and smaller companies, where developers may have more ability to drive technology, I think you're going to see the adoption rate [for containers] improve drastically.'
John D'Espositofounder of Devopulence

"We have several new internal services and new applications that we are building," said Kevin Felichko, CTO of, an online auction company based in Frederick, Md. "With all of them, we are using Docker for development, and moving them up to ECS is just a natural fit."  

Others see potential cost savings by deploying small, lightweight containers on ECS rather than VMs on EC2.

"Instead of using dozens of micro or small instances on AWS, each running a single service, I may be able to use one or two large instances, each running a handful to a few dozen Docker containers," said EJ Brennan, a freelance developer based in Massachusetts. "More computer power for the same or less money is my hope."

EC2 Container Service addresses Docker drawbacks

The biggest value for ECS may be how it abstracts or solves challenges presented by on-premises container deployments.

The creation of network "hot spots" due to new, dense populations of network endpoints within a single machine is similar to an issue IT pros faced in the early days of server virtualization.

"If you have a network that is optimized for highly virtualized data centers, that can handle a lot of east-west VM-to-VM traffic, you might be ready [for containers]," said Shamus McGillicuddy, analyst with Enterprise Management Associates based in Boulder, Colo. "If you have a network that is optimized for old-fashioned client-server workloads, where most traffic is north-south between the end user and an application, you will probably be in trouble."

There are multiple projects designed to hook containers into software-defined networks (such as an API being developed by SocketPlane, a startup acquired by Docker Inc. in March or the Weave project headed by, but those are in their early phases.

AWS, meanwhile, handles thorny scaling issues on the back end, and advertises support for thousands of containers across hundreds of EC2 machines on its website.

"When ECS creates your containers, it can attach those containers to a load balancer … and that helps with some of the networking issues," said Ross Fairbanks, a developer based in Barcelona. Fairbanks is working with Force 12, a London-based startup that aims to create an advanced resource scheduler for containers that will base its development work on ECS. "That's one of the big things that was there in the GA release that wasn't there in the previous trial release."

ECS can also offer advanced security features beyond what's available on-premises for Docker containers. Specifically, the EC2 instances that underpin containers in ECS can be placed into AWS' Virtual Private Clouds (VPCs) to isolate them from containers belonging to other customers.

"By using ECS you can use that kind of isolation layer," Fairbanks said. Such isolation would be much more difficult when deploying Docker to physical servers on-premises, he said.

ECS customers can also restrict access to containers using Identity and Access Management roles.

Container caveats: Security-squeamish need not apply

The AWS EC2 Container Service isn't a panacea; there's still room for scheduling improvements, and highly security-conscious users may want to wait for the Docker open source project to further polish native security features before proceeding with ECS.

VPCs help with some isolation challenges when deploying containers, but they don't mitigate some security issues at the container level itself, such as the fact that containers have root access to the host file system.

Eventually, the Docker daemon will run restricted privileges, delegating operations [to] well-audited sub-processes, each with its own [very limited] scope of Linux capabilities, virtual network setup and filesystem management according to the Docker Security page.

Highly regulated or security-conscious enterprise users will probably want to wait for those native features, IT consultants said. 

"There's a root access security issue that needs to be solved and I haven't read anything yet that the Amazon EC2 Container Service alleviates that risk," said John D'Esposito, founder of Devopulence, a New York-based company that consults with large enterprises on IT projects.

ECS provides two built-in schedulers, one of which runs tasks once; the service scheduler, new with the GA release of ECS, ensures containers are running, associates containers with Load Balancers, monitors load balancer health checks and deploys updates. However, IT pros say third-party schedulers such as the Apache Mesos Marathon scheduler are preferable to what AWS has built in so far. With ECS, customers can also build their own scheduler or integrate a third-party scheduler like Marathon. AWS Labs also has a project on GitHub that integrates Mesos with ECS.

Still, some IT pros want to see AWS further refine the native ECS scheduler rather than bringing in a third party.

"It's an initial go and it gives you some basic capabilities, but it's not something to rely on for production purposes at this point," said Christopher Riley, a founding partner at HKM Consulting based in Rochester, Mass. "We'll see that improve over time. … Once you get to one or two years down the line we'll have much more advanced capabilities."

That said, "for startups and smaller companies, where developers may have more ability to drive technology, I think you're going to see the adoption rate [for containers] improve drastically," D'Esposito said.

Beth Pariseau is senior news writer for SearchAWS. Write to her at [email protected] or follow @PariseauTT on Twitter.  

Next Steps

Get tips for backing up the Docker host

Dig Deeper on AWS instances strategy and setup