Running containers in production requires a solid foundation that won’t crumble under pressure or expose your applications to security threats. This comprehensive guide walks you through building secure and scalable ECS infrastructure on AWS with Terraform, covering everything from initial setup to production-ready deployments.
This tutorial is designed for DevOps engineers, cloud architects, and developers who want to move beyond basic container deployments and create enterprise-grade AWS ECS infrastructure using infrastructure as code. You’ll learn how to automate container infrastructure while maintaining the security and reliability standards your production workloads demand.
We’ll start by setting up your AWS environment and mastering Terraform fundamentals for ECS deployment, ensuring you have the right foundation for success. You’ll then dive deep into designing secure network infrastructure for container workloads, where we’ll cover ECS network security best practices and build production-ready ECS clusters that can handle real-world traffic.
Finally, we’ll focus on implementing robust security controls and achieving high availability through proven AWS container orchestration patterns. By the end, you’ll have a complete secure ECS architecture design that scales automatically and maintains peak performance under any load.
Setting Up Your AWS Environment for ECS Success
Configuring AWS CLI and authentication credentials
Setting up proper authentication forms the foundation of any successful AWS ECS Terraform deployment. Start by installing the AWS CLI version 2, which provides better performance and enhanced security features compared to the legacy version. After installation, configure your credentials using aws configure or by setting up AWS profiles for different environments.
For production workloads, avoid using long-term access keys directly. Instead, leverage AWS IAM roles with temporary credentials through AWS STS (Security Token Service). This approach significantly reduces security risks while maintaining operational flexibility. Consider using AWS IAM Identity Center (formerly AWS SSO) for centralized access management across multiple AWS accounts.
When working with Terraform, export your credentials as environment variables or use AWS profiles to maintain clean separation between different deployment environments. The AWS provider for Terraform automatically inherits these credentials, streamlining your infrastructure automation workflows.
Understanding IAM roles and policies for ECS operations
AWS ECS requires specific IAM roles to function properly, and understanding these roles is crucial for building secure ECS infrastructure with Terraform. The ECS service needs permissions to interact with other AWS services on your behalf, which is where carefully crafted IAM policies become essential.
Create an ECS Task Execution Role that grants ECS permission to pull container images from ECR, send logs to CloudWatch, and retrieve secrets from AWS Systems Manager Parameter Store or Secrets Manager. This role uses the ecs-tasks.amazonaws.com service as its trusted entity.
For applications running inside your containers, implement ECS Task Roles that provide least-privilege access to AWS services. These roles follow the principle of granting only the minimum permissions necessary for your application to function. For example, if your containerized application needs to read from S3, create a task role with read-only S3 permissions for specific buckets.
| Role Type | Purpose | Key Policies |
|---|---|---|
| Task Execution Role | ECS service operations | AmazonECSTaskExecutionRolePolicy |
| Task Role | Application permissions | Custom policies based on app needs |
| ECS Service Role | Load balancer integration | AmazonEC2ContainerServiceRole |
Establishing proper VPC architecture for container workloads
Designing a robust VPC architecture for ECS container workloads requires careful planning of network segments, security boundaries, and connectivity patterns. Your VPC should accommodate both current requirements and future scaling needs while maintaining strong security isolation.
Create separate subnets for different tiers of your application architecture. Place ECS services in private subnets to minimize attack surface, while using public subnets for load balancers and NAT gateways. This multi-tier approach provides natural security boundaries and follows AWS well-architected principles for container deployment.
Plan your CIDR blocks with growth in mind. Start with a /16 VPC CIDR block, which provides 65,000+ IP addresses, giving you plenty of room for expansion. Distribute your subnets across multiple Availability Zones to support high availability requirements from the start.
Configure VPC Flow Logs to monitor network traffic patterns and detect potential security issues. Enable DNS resolution and DNS hostnames within your VPC to support service discovery mechanisms that ECS relies on for container communication.
Consider implementing VPC endpoints for AWS services that your containers frequently access, such as ECR, S3, and CloudWatch. These endpoints reduce data transfer costs and improve performance by keeping traffic within the AWS network backbone rather than routing through the internet gateway.
Mastering Terraform Fundamentals for ECS Deployment
Installing and configuring Terraform for AWS integration
Setting up Terraform for AWS ECS deployment starts with downloading the appropriate binary for your operating system from HashiCorp’s official website. Once installed, add Terraform to your system’s PATH to enable global access from your terminal.
AWS integration requires proper credential configuration. Create an IAM user with programmatic access and attach the necessary ECS-related policies:
# Required minimum permissions for ECS Terraform deployment
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:*",
"ec2:*",
"iam:*",
"logs:*",
"elasticloadbalancing:*"
],
"Resource": "*"
}
]
}
Configure your AWS credentials using the AWS CLI, environment variables, or IAM roles. The most secure approach for production environments involves using IAM roles for service accounts or cross-account access patterns.
Create a basic provider.tf file to establish AWS connectivity:
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
provider "aws" {
region = var.aws_region
default_tags {
tags = {
Environment = var.environment
Project = var.project_name
ManagedBy = "terraform"
}
}
}
Creating reusable modules for ECS infrastructure components
Modular Terraform code promotes reusability and maintainability across different environments. Structure your AWS ECS Terraform modules to encapsulate specific infrastructure components like clusters, services, and task definitions.
Start by creating a directory structure that separates concerns:
modules/
├── ecs-cluster/
│ ├── main.tf
│ ├── variables.tf
│ └── outputs.tf
├── ecs-service/
│ ├── main.tf
│ ├── variables.tf
│ └── outputs.tf
└── ecs-task-definition/
├── main.tf
├── variables.tf
└── outputs.tf
Design your ECS cluster module with configurable parameters:
# modules/ecs-cluster/main.tf
resource "aws_ecs_cluster" "main" {
name = var.cluster_name
setting {
name = "containerInsights"
value = var.enable_container_insights ? "enabled" : "disabled"
}
configuration {
execute_command_configuration {
logging = "OVERRIDE"
log_configuration {
cloud_watch_log_group_name = aws_cloudwatch_log_group.cluster.name
}
}
}
}
resource "aws_ecs_cluster_capacity_providers" "main" {
cluster_name = aws_ecs_cluster.main.name
capacity_providers = var.capacity_providers
default_capacity_provider_strategy {
base = var.fargate_base_capacity
weight = var.fargate_weight
capacity_provider = "FARGATE"
}
}
Create flexible variables that allow customization without code duplication:
# modules/ecs-cluster/variables.tf
variable "cluster_name" {
description = "Name of the ECS cluster"
type = string
}
variable "enable_container_insights" {
description = "Enable CloudWatch Container Insights"
type = bool
default = true
}
variable "capacity_providers" {
description = "List of capacity providers for the cluster"
type = list(string)
default = ["FARGATE", "FARGATE_SPOT"]
}
Implementing state management and remote backends
Terraform state management becomes critical when working with team environments and production deployments. Remote backends ensure state consistency and enable collaboration while providing locking mechanisms to prevent concurrent modifications.
Configure S3 as your remote backend with DynamoDB for state locking:
# backend.tf
terraform {
backend "s3" {
bucket = "your-terraform-state-bucket"
key = "ecs/infrastructure/terraform.tfstate"
region = "us-west-2"
dynamodb_table = "terraform-state-locks"
encrypt = true
}
}
Create the backend infrastructure first using a separate Terraform configuration:
# backend-setup/main.tf
resource "aws_s3_bucket" "terraform_state" {
bucket = "your-terraform-state-bucket"
}
resource "aws_s3_bucket_versioning" "terraform_state" {
bucket = aws_s3_bucket.terraform_state.id
versioning_configuration {
status = "Enabled"
}
}
resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state" {
bucket = aws_s3_bucket.terraform_state.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
resource "aws_dynamodb_table" "terraform_locks" {
name = "terraform-state-locks"
billing_mode = "PAY_PER_REQUEST"
hash_key = "LockID"
attribute {
name = "LockID"
type = "S"
}
}
Implement workspace-based environments to manage multiple deployments:
# Create separate workspaces for different environments
terraform workspace new dev
terraform workspace new staging
terraform workspace new prod
# Switch between workspaces
terraform workspace select dev
Establishing consistent naming conventions and tagging strategies
Consistent naming conventions and comprehensive tagging strategies enable better resource management, cost allocation, and operational visibility across your ECS infrastructure.
Develop a standardized naming pattern that includes environment, application, and resource type:
# variables.tf
variable "naming_convention" {
description = "Naming convention variables"
type = object({
environment = string
project = string
application = string
owner = string
cost_center = string
})
}
locals {
name_prefix = "${var.naming_convention.project}-${var.naming_convention.environment}-${var.naming_convention.application}"
common_tags = {
Environment = var.naming_convention.environment
Project = var.naming_convention.project
Application = var.naming_convention.application
Owner = var.naming_convention.owner
CostCenter = var.naming_convention.cost_center
ManagedBy = "terraform"
CreatedDate = formatdate("YYYY-MM-DD", timestamp())
}
}
Apply consistent naming to your ECS resources:
resource "aws_ecs_cluster" "main" {
name = "${local.name_prefix}-cluster"
tags = merge(local.common_tags, {
ResourceType = "ecs-cluster"
Description = "ECS cluster for ${var.naming_convention.application}"
})
}
resource "aws_ecs_service" "app" {
name = "${local.name_prefix}-service"
cluster = aws_ecs_cluster.main.id
task_definition = aws_ecs_task_definition.app.arn
tags = merge(local.common_tags, {
ResourceType = "ecs-service"
ServiceType = "web-application"
})
}
Create a comprehensive tagging strategy that supports cost allocation and governance:
| Tag Key | Purpose | Example Value |
|---|---|---|
| Environment | Deployment stage | prod, staging, dev |
| Project | Project identifier | ecommerce-platform |
| Application | Application name | user-service |
| Owner | Team responsibility | platform-team |
| CostCenter | Billing allocation | engineering-dept |
| Backup | Backup requirements | daily, weekly, none |
| Monitoring | Monitoring level | critical, standard |
Implement tag validation using Terraform validation blocks:
variable "environment" {
description = "Environment name"
type = string
validation {
condition = contains([
"dev", "staging", "prod"
], var.environment)
error_message = "Environment must be one of: dev, staging, prod."
}
}
variable "application" {
description = "Application name"
type = string
validation {
condition = can(regex("^[a-z0-9-]+$", var.application))
error_message = "Application name must contain only lowercase letters, numbers, and hyphens."
}
}
Designing Secure Network Infrastructure for Container Workloads
Creating Isolated VPCs with Proper Subnet Segmentation
A solid AWS ECS Terraform deployment starts with a well-architected Virtual Private Cloud that isolates your container workloads from external threats. Your VPC acts as the foundational layer where all ECS infrastructure components will reside.
When designing your VPC architecture, create separate subnets across multiple Availability Zones to ensure high availability. Public subnets should house only essential components like load balancers and NAT gateways, while private subnets contain your ECS tasks and services. This separation creates a natural security boundary that limits direct internet exposure.
For production environments, implement a three-tier architecture with dedicated subnets for presentation, application, and data layers. Your ECS services typically run in the application tier, with database resources in the data tier. Each subnet should have carefully planned CIDR blocks that accommodate future growth without overlapping with other network segments.
resource "aws_vpc" "ecs_vpc" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = {
Name = "ecs-production-vpc"
Environment = "production"
}
}
Implementing Security Groups with Least Privilege Principles
Security groups function as virtual firewalls for your ECS tasks, controlling inbound and outbound traffic at the instance level. The key to effective ECS network security lies in applying least privilege principles when configuring these rules.
Create dedicated security groups for each component of your ECS infrastructure. Application Load Balancers need their own security group allowing HTTP/HTTPS traffic from the internet, while ECS services should only accept traffic from the load balancer security group. Database instances require even more restrictive rules, accepting connections solely from application security groups on specific ports.
Never use 0.0.0.0/0 for inbound rules unless absolutely necessary for public-facing services. Instead, reference other security groups to create a chain of trust. This approach makes your infrastructure more maintainable and reduces the risk of accidentally exposing internal services.
| Component | Inbound Rules | Outbound Rules |
|---|---|---|
| ALB Security Group | Port 80, 443 from 0.0.0.0/0 | All traffic to ECS Security Group |
| ECS Security Group | Port 80 from ALB Security Group | All traffic to 0.0.0.0/0 |
| RDS Security Group | Port 5432 from ECS Security Group | None |
Configuring Network Access Control Lists for Defense in Depth
Network ACLs provide subnet-level filtering that complements security groups, creating a robust defense-in-depth strategy for your ECS infrastructure. While security groups are stateful and more commonly used, NACLs offer stateless filtering that can catch threats that bypass other security measures.
Configure custom NACLs for each subnet tier with rules that mirror your security group policies but provide an additional layer of protection. Private subnets hosting ECS services should block all direct inbound traffic from the internet, while allowing necessary communication between internal resources.
Remember that NACL rules are processed in numerical order, so structure your rules carefully with the most specific rules having lower numbers. Default NACL rules typically allow all traffic, so create custom NACLs that explicitly define allowed communication patterns.
Setting Up NAT Gateways for Secure Outbound Connectivity
ECS tasks running in private subnets need secure outbound internet access for downloading container images, installing packages, and communicating with external APIs. NAT Gateways provide this connectivity while keeping your container workloads protected from inbound internet traffic.
Deploy NAT Gateways in each public subnet to ensure high availability across multiple Availability Zones. Each private subnet’s route table should direct internet-bound traffic to the NAT Gateway in the same AZ to minimize latency and data transfer costs.
For cost optimization in development environments, consider using a single NAT Gateway. However, production environments should always use multiple NAT Gateways to prevent a single point of failure. Monitor NAT Gateway bandwidth usage and scale appropriately based on your ECS workload requirements.
resource "aws_nat_gateway" "ecs_nat_gateway" {
count = length(aws_subnet.public)
allocation_id = aws_eip.nat_eip[count.index].id
subnet_id = aws_subnet.public[count.index].id
tags = {
Name = "ecs-nat-gateway-${count.index + 1}"
}
}
Building Production-Ready ECS Clusters
Choosing between EC2 and Fargate launch types for optimal performance
When building production-ready ECS clusters, selecting the right launch type forms the foundation of your container orchestration strategy. EC2 launch type gives you complete control over the underlying compute infrastructure, making it ideal for workloads requiring specific instance types, custom AMIs, or specialized hardware configurations. You manage the EC2 instances directly, which means handling patching, scaling, and maintenance activities.
Fargate operates as a serverless compute engine where AWS manages the underlying infrastructure entirely. This approach eliminates the operational overhead of managing EC2 instances while providing automatic scaling and patching. Fargate works particularly well for microservices architectures and applications with unpredictable traffic patterns.
| Feature | EC2 Launch Type | Fargate Launch Type |
|---|---|---|
| Infrastructure Management | Full control over instances | AWS manages infrastructure |
| Cost Model | Pay for running instances | Pay only for resources used |
| Scaling Speed | Depends on instance availability | Near-instantaneous scaling |
| Customization | High – custom AMIs, instance types | Limited to predefined configurations |
| Operational Overhead | Higher | Lower |
Choose EC2 when you need sustained high-performance computing, have specific compliance requirements, or want to optimize costs through Reserved Instances. Fargate excels for development environments, batch jobs, and applications where operational simplicity outweighs cost considerations.
Configuring auto-scaling policies for dynamic resource management
Auto-scaling policies ensure your ECS infrastructure adapts to changing demand while maintaining performance and cost efficiency. ECS supports multiple scaling dimensions: service auto-scaling for task count adjustment and cluster auto-scaling for underlying compute capacity.
Service auto-scaling responds to CloudWatch metrics like CPU utilization, memory usage, or custom application metrics. Target tracking scaling policies work best for most scenarios, automatically adjusting task counts to maintain your desired metric value:
resource "aws_appautoscaling_target" "ecs_target" {
max_capacity = 10
min_capacity = 2
resource_id = "service/${aws_ecs_cluster.main.name}/${aws_ecs_service.app.name}"
scalable_dimension = "ecs:service:DesiredCount"
service_namespace = "ecs"
}
resource "aws_appautoscaling_policy" "cpu_scaling" {
name = "cpu-scaling"
policy_type = "TargetTrackingScaling"
resource_id = aws_appautoscaling_target.ecs_target.resource_id
scalable_dimension = aws_appautoscaling_target.ecs_target.scalable_dimension
service_namespace = aws_appautoscaling_target.ecs_target.service_namespace
target_tracking_scaling_policy_configuration {
predefined_metric_specification {
predefined_metric_type = "ECSServiceAverageCPUUtilization"
}
target_value = 70.0
}
}
Step scaling policies provide more granular control, allowing different scaling actions based on alarm severity. Cluster auto-scaling works with capacity providers to add or remove EC2 instances based on resource requirements.
Implementing container insights and CloudWatch monitoring
Container Insights delivers comprehensive monitoring for your ECS clusters, providing visibility into resource utilization, performance metrics, and operational health. Enable Container Insights at the cluster level to collect, aggregate, and analyze metrics from your containerized applications.
Container Insights automatically creates CloudWatch dashboards showing CPU, memory, network, and storage metrics at cluster, service, and task levels. The insights include performance data for running tasks and can help identify bottlenecks or resource constraints:
resource "aws_ecs_cluster" "main" {
name = "production-cluster"
setting {
name = "containerInsights"
value = "enabled"
}
}
Custom metrics enhance monitoring capabilities by tracking application-specific performance indicators. Use CloudWatch custom metrics to monitor business logic, request rates, error counts, or database connection pools. Set up CloudWatch alarms for proactive incident response:
resource "aws_cloudwatch_metric_alarm" "high_cpu" {
alarm_name = "ecs-high-cpu"
comparison_operator = "GreaterThanThreshold"
evaluation_periods = "2"
metric_name = "CPUUtilization"
namespace = "AWS/ECS"
period = "60"
statistic = "Average"
threshold = "80"
alarm_description = "This metric monitors ecs cpu utilization"
dimensions = {
ServiceName = aws_ecs_service.app.name
ClusterName = aws_ecs_cluster.main.name
}
}
Log aggregation through CloudWatch Logs centralizes application logs, enabling search, filtering, and analysis across all container instances.
Setting up capacity providers for cost optimization
Capacity providers offer intelligent resource management by automatically provisioning the right mix of compute resources based on task requirements and cost considerations. They bridge the gap between ECS services and underlying compute infrastructure, supporting both EC2 and Fargate launch types within the same cluster.
EC2 capacity providers integrate with Auto Scaling Groups to manage instance lifecycle and scaling decisions. Configure managed scaling to automatically adjust cluster capacity based on resource utilization and pending tasks:
resource "aws_ecs_capacity_provider" "ec2_capacity_provider" {
name = "ec2-capacity-provider"
auto_scaling_group_provider {
auto_scaling_group_arn = aws_autoscaling_group.ecs.arn
managed_scaling {
maximum_scaling_step_size = 10
minimum_scaling_step_size = 1
status = "ENABLED"
target_capacity = 80
}
managed_termination_protection = "ENABLED"
}
}
resource "aws_ecs_cluster_capacity_providers" "example" {
cluster_name = aws_ecs_cluster.main.name
capacity_providers = [
aws_ecs_capacity_provider.ec2_capacity_provider.name,
"FARGATE",
"FARGATE_SPOT"
]
default_capacity_provider_strategy {
base = 2
weight = 100
capacity_provider = aws_ecs_capacity_provider.ec2_capacity_provider.name
}
default_capacity_provider_strategy {
base = 0
weight = 1
capacity_provider = "FARGATE_SPOT"
}
}
Mixed capacity strategies combine different compute options for optimal cost-performance balance. Use EC2 instances for baseline capacity and Fargate Spot for burst workloads, achieving significant cost reductions while maintaining reliability. Capacity provider strategies define how tasks distribute across available compute resources, with base values ensuring minimum capacity and weights determining proportional allocation.
Implementing Robust Security Controls
Encrypting Data at Rest and in Transit Across All Services
Data encryption forms the backbone of any secure ECS architecture design. When building your ECS infrastructure security with Terraform, you need to encrypt data both when it’s stored and when it moves between services.
For data at rest, start with EBS volume encryption for your ECS instances. Configure your Terraform ECS cluster setup to enable encryption by default:
resource "aws_launch_template" "ecs_template" {
block_device_mappings {
device_name = "/dev/xvda"
ebs {
encrypted = true
kms_key_id = aws_kms_key.ecs_key.arn
volume_size = 30
volume_type = "gp3"
}
}
}
EFS volumes require similar attention. Enable encryption for any shared storage your containers use:
resource "aws_efs_file_system" "ecs_storage" {
encrypted = true
kms_key_id = aws_kms_key.ecs_key.arn
}
For data in transit, configure your Application Load Balancer to use SSL/TLS certificates. Set up HTTPS listeners and redirect HTTP traffic automatically:
resource "aws_lb_listener" "https" {
load_balancer_arn = aws_lb.main.arn
port = "443"
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
certificate_arn = aws_acm_certificate.main.arn
}
Create dedicated KMS keys for different service layers. This approach gives you granular control over who can decrypt what data.
Managing Secrets and Sensitive Data with AWS Systems Manager
AWS Systems Manager Parameter Store integrates seamlessly with ECS for secure secret management. Your containers shouldn’t store database passwords, API keys, or certificates in environment variables or configuration files.
Set up your sensitive parameters in Terraform:
resource "aws_ssm_parameter" "db_password" {
name = "/myapp/production/db_password"
type = "SecureString"
value = var.database_password
tags = {
Environment = "production"
Service = "myapp"
}
}
Configure your ECS task definitions to pull secrets at runtime. This approach keeps sensitive data out of your container images:
resource "aws_ecs_task_definition" "app" {
container_definitions = jsonencode([{
name = "myapp"
secrets = [
{
name = "DATABASE_PASSWORD"
valueFrom = aws_ssm_parameter.db_password.arn
}
]
}])
}
Your ECS task execution role needs specific permissions to access these parameters. Grant the minimum required access:
data "aws_iam_policy_document" "task_secrets" {
statement {
actions = [
"ssm:GetParameter",
"ssm:GetParameters"
]
resources = [
"arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/myapp/*"
]
}
}
For highly sensitive data, consider AWS Secrets Manager instead of Parameter Store. Secrets Manager provides automatic rotation capabilities for database credentials and other secrets.
Implementing Container Image Scanning and Vulnerability Management
Container image security starts before your images reach production. Amazon ECR provides built-in vulnerability scanning that integrates with your AWS container orchestration workflow.
Enable scan-on-push for your ECR repositories:
resource "aws_ecr_repository" "app" {
name = "myapp"
image_tag_mutability = "MUTABLE"
image_scanning_configuration {
scan_on_push = true
}
}
Set up lifecycle policies to automatically remove old or vulnerable images:
resource "aws_ecr_lifecycle_policy" "app_policy" {
repository = aws_ecr_repository.app.name
policy = jsonencode({
rules = [{
rulePriority = 1
description = "Keep only 10 tagged images"
selection = {
tagStatus = "tagged"
countType = "imageCountMoreThan"
countNumber = 10
}
action = {
type = "expire"
}
}]
})
}
Create EventBridge rules to respond to scan results automatically. You can stop deployments or send alerts when critical vulnerabilities are found:
resource "aws_cloudwatch_event_rule" "ecr_scan_results" {
name = "ecr-scan-findings"
event_pattern = jsonencode({
source = ["aws.ecr"]
detail-type = ["ECR Image Scan"]
detail = {
scan-status = ["COMPLETE"]
finding-counts = {
CRITICAL = [{
exists = true
}]
}
}
})
}
Complement ECR scanning with third-party tools like Trivy or Anchore for more comprehensive vulnerability detection. Run these scans in your CI/CD pipeline before pushing images to ECR.
Configuring AWS WAF and Application Load Balancer Security Features
AWS WAF provides your first line of defense against common web attacks. Configure WAF rules that protect your ECS services from SQL injection, cross-site scripting, and other threats.
Create a WAF web ACL with essential protections:
resource "aws_wafv2_web_acl" "main" {
name = "ecs-protection"
scope = "REGIONAL"
default_action {
allow {}
}
rule {
name = "AWSManagedRulesCommonRuleSet"
priority = 1
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "CommonRuleSetMetric"
sampled_requests_enabled = true
}
}
}
Attach the WAF to your Application Load Balancer:
resource "aws_wafv2_web_acl_association" "main" {
resource_arn = aws_lb.main.arn
web_acl_arn = aws_wafv2_web_acl.main.arn
}
Configure your ALB security groups to only accept traffic from necessary sources. Implement least-privilege access:
resource "aws_security_group" "alb" {
name_prefix = "alb-"
vpc_id = aws_vpc.main.id
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 65535
protocol = "tcp"
security_groups = [aws_security_group.ecs.id]
}
}
Enable ALB access logging to track all requests. Store logs in S3 with proper lifecycle policies:
resource "aws_lb" "main" {
load_balancer_type = "application"
security_groups = [aws_security_group.alb.id]
subnets = aws_subnet.public[*].id
access_logs {
bucket = aws_s3_bucket.alb_logs.id
enabled = true
prefix = "alb-logs"
}
}
Set up rate limiting rules in WAF to prevent abuse and DDoS attacks. Monitor these metrics through CloudWatch to understand your application’s traffic patterns and adjust rules accordingly.
Achieving High Availability and Fault Tolerance
Distributing services across multiple availability zones
Multi-AZ deployment sits at the heart of any resilient ECS infrastructure. When you spread your container workloads across different availability zones, you’re essentially building protection against entire data center failures. Your Terraform configuration needs to account for this from the ground up.
Start by defining your subnets across at least three availability zones. ECS services can automatically distribute tasks across these zones when you configure them properly. The key lies in your service definition – set the desired count to match or exceed your number of zones, and ECS will spread tasks evenly.
resource "aws_ecs_service" "app" {
name = "my-app"
cluster = aws_ecs_cluster.main.id
task_definition = aws_ecs_task_definition.app.arn
desired_count = 6
deployment_configuration {
maximum_percent = 200
minimum_healthy_percent = 50
}
placement_strategy {
type = "spread"
field = "attribute:ecs.availability-zone"
}
}
The placement strategy ensures tasks get distributed across zones rather than clustering in one location. This approach protects your application even when an entire AWS availability zone goes offline.
Implementing health checks and automatic failover mechanisms
Health checks act as the nervous system of your containerized applications. Without proper health monitoring, your load balancer might keep sending traffic to failing containers, creating a poor user experience.
ECS integrates seamlessly with Application Load Balancers to provide sophisticated health checking. Configure both target group health checks and container-level health checks in your task definition. The load balancer health check determines if the container can receive traffic, while the container health check tells ECS when to restart unhealthy tasks.
Your Terraform configuration should include detailed health check parameters:
resource "aws_lb_target_group" "app" {
name = "app-tg"
port = 80
protocol = "HTTP"
vpc_id = var.vpc_id
health_check {
enabled = true
healthy_threshold = 2
interval = 30
matcher = "200"
path = "/health"
port = "traffic-port"
protocol = "HTTP"
timeout = 5
unhealthy_threshold = 2
}
}
Configure your container health checks in the task definition as well. ECS will automatically restart containers that fail health checks, but you want to catch issues before they affect users. Set appropriate timeouts and retry counts – too aggressive and you’ll get false positives, too lenient and you’ll miss real problems.
Configuring load balancing for optimal traffic distribution
Load balancing transforms your multi-AZ deployment from a collection of isolated containers into a unified, resilient service. Application Load Balancers work hand-in-glove with ECS to route traffic intelligently across your healthy containers.
The magic happens in how you configure your target groups and listener rules. ECS automatically registers and deregisters containers as they start and stop, but you need to tune the deregistration delay to match your application’s needs. A web API might need only 30 seconds, while a long-running process might need several minutes to finish current requests.
Cross-zone load balancing ensures traffic gets distributed evenly across all availability zones, not just within individual zones. Enable this feature to prevent hot spots and ensure consistent performance regardless of which zone receives the initial request.
| Load Balancer Feature | Configuration | Benefit |
|---|---|---|
| Cross-zone load balancing | Enabled | Even traffic distribution |
| Connection draining | 300 seconds | Graceful container shutdowns |
| Health check grace period | 0 seconds | Fast detection of issues |
Your listener rules can route traffic based on path, host headers, or other request attributes. This flexibility lets you deploy multiple versions of your application or route different types of requests to specialized containers. Blue-green deployments become straightforward when you can shift traffic percentages between different target groups.
Sticky sessions work when needed, but design your applications to be stateless when possible. Stateless containers scale better and recover faster from failures. When you must maintain session state, use external storage like Redis or DynamoDB rather than local container storage.
Optimizing for Scale and Performance
Implementing horizontal pod autoscaling based on metrics
ECS services can automatically scale based on various CloudWatch metrics to handle traffic fluctuations efficiently. The most effective approach combines CPU and memory utilization metrics with custom application-specific metrics like request count or queue depth.
Start by configuring Application Auto Scaling policies in your Terraform configuration. Create target tracking policies that adjust task count based on CPU utilization thresholds, typically maintaining 60-70% CPU usage:
resource "aws_appautoscaling_policy" "ecs_cpu_scale_up" {
name = "cpu-scale-up"
policy_type = "TargetTrackingScaling"
resource_id = aws_appautoscaling_target.ecs_target.resource_id
scalable_dimension = aws_appautoscaling_target.ecs_target.scalable_dimension
service_namespace = aws_appautoscaling_target.ecs_target.service_namespace
target_tracking_scaling_policy_configuration {
predefined_metric_specification {
predefined_metric_type = "ECSServiceAverageCPUUtilization"
}
target_value = 70.0
}
}
Memory-based scaling proves particularly valuable for memory-intensive applications. Set memory utilization targets around 80% to prevent out-of-memory errors while maximizing resource efficiency.
Custom metrics scaling provides the most granular control. ALB request count per target offers excellent responsiveness for web applications, while SQS queue depth works perfectly for background processing services. These metrics often predict load changes more accurately than CPU or memory alone.
Configuring efficient resource allocation and limits
Proper resource allocation prevents resource contention and ensures consistent application performance. ECS task definitions require careful CPU and memory specification to optimize cluster utilization without sacrificing stability.
Define CPU units in your task definitions using a combination of hard limits and reservations. Reserve the minimum required resources while setting limits that prevent runaway processes from affecting other tasks:
container_definitions = jsonencode([{
name = "app"
image = "your-app:latest"
cpu = 256
memory = 512
memoryReservation = 256
}])
Memory reservations guarantee minimum available memory while soft limits allow burst capacity when cluster resources permit. This approach maximizes cluster efficiency while maintaining application reliability.
Container resource allocation strategies vary by workload type. CPU-intensive applications benefit from higher CPU allocation relative to memory, while data processing tasks require substantial memory reserves. Web applications typically need balanced CPU and memory with burst capacity for traffic spikes.
Implement resource monitoring through CloudWatch Container Insights to identify optimization opportunities. Track memory utilization patterns, CPU throttling events, and task placement failures to refine resource specifications over time.
Setting up CI/CD pipelines for seamless deployments
AWS CodePipeline integrates seamlessly with ECS for automated deployments, enabling rapid iteration while maintaining production stability. The pipeline orchestrates code compilation, image building, security scanning, and progressive deployment strategies.
Structure your pipeline with distinct stages for source, build, test, and deploy phases. The build stage should compile application code, run unit tests, build Docker images, and push them to Amazon ECR:
resource "aws_codebuild_project" "app_build" {
name = "app-build"
service_role = aws_iam_role.codebuild_role.arn
artifacts {
type = "CODEPIPELINE"
}
environment {
compute_type = "BUILD_GENERAL1_MEDIUM"
image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
type = "LINUX_CONTAINER"
privileged_mode = true
}
source {
type = "CODEPIPELINE"
buildspec = "buildspec.yml"
}
}
Blue-green deployments minimize downtime and risk during updates. CodeDeploy manages traffic shifting between task sets, allowing gradual migration from old to new versions with automatic rollback capabilities.
Security scanning integration catches vulnerabilities before deployment. Tools like Amazon Inspector or third-party solutions scan container images during the build process, preventing insecure images from reaching production.
Monitoring and alerting for proactive performance management
Comprehensive monitoring enables proactive issue resolution before users experience problems. CloudWatch provides extensive metrics for ECS clusters, services, and individual tasks, while Application Performance Monitoring tools offer deeper application insights.
Essential ECS metrics include service CPU and memory utilization, task placement failures, service discovery health checks, and load balancer target health. Create CloudWatch dashboards that visualize these metrics alongside application-specific indicators.
Configure intelligent alerting thresholds based on historical patterns rather than arbitrary values. CPU utilization alerts should trigger when sustained high usage occurs, not during brief spikes. Memory alerts need immediate attention since ECS terminates tasks that exceed memory limits.
Custom application metrics provide the most valuable insights. Track response times, error rates, database connection pools, and business-specific indicators. These metrics often predict performance issues more accurately than infrastructure metrics alone.
Set up notification channels that reach the right teams with appropriate urgency. High-priority alerts should page on-call engineers through services like PagerDuty, while informational alerts can use email or Slack. Alert fatigue reduces response effectiveness, so tune thresholds carefully to minimize false positives.
Setting up a robust ECS infrastructure on AWS doesn’t have to be overwhelming when you break it down into manageable steps. We’ve covered everything from preparing your AWS environment and mastering Terraform basics to designing secure networks and building production-ready clusters. The key is starting with a solid foundation—proper network design, security controls, and high availability planning—before moving on to performance optimization.
Your ECS journey starts now. Begin with a small pilot project to test these concepts, then gradually expand your infrastructure as you gain confidence. Remember that security and scalability aren’t afterthoughts—they need to be baked into your design from day one. With Terraform managing your infrastructure as code, you’ll have the flexibility to iterate and improve while maintaining consistency across your environments. Take it one component at a time, and you’ll soon have a bulletproof container platform that can handle whatever your applications throw at it.
