Forem: Deepak Pakhale

Maximizing Container Density on Amazon ECS

Deepak Pakhale — Sun, 28 Jan 2024 11:30:33 +0000

Introduction

If you're leveraging Amazon Elastic Container Service (ECS) with EC2 instances for your containerized workloads, optimizing your resource utilization is crucial. In this article, we'll explore the importance of profiling your application and selecting the right EC2 instance type based on your app's resource requirements. Specifically, we'll delve into a game-changing feature called ENI (Elastic Network Interface) trunking, designed to enhance container density on your EC2 instances.

Understanding ENI Attachment Limits

Each EC2 instance type supports a limited number of ENI attachments. This is a critical factor to consider when provisioning your ECS cluster. Larger instance types naturally support more ENIs, allowing for a greater number of concurrently running tasks. But larger instances also costs more.

ECS Simplifies Container Orchestration

ECS abstracts away the complexities of setting up containerized environments, providing a streamlined solution for running tasks. In ECS, each task consumes one IP address, equivalent to one ENI attachment. For example, if you're running an ECS cluster on an m5.xlarge instance, supporting three ENI attachments, you may find yourself underutilizing the instance, limiting you to running only three tasks.

ENI Trunking Unleashes Container Density

ENI trunking, a feature enabled by the awsvpc network mode. ENI trunking resolves the limitation on the total number of ENIs that can be attached to an EC2 instance, allowing for a more efficient use of resources.

How ENI Trunking Works

With ENI trunking, an EC2 instance undergoes two ENI attachments: the primary ENI and the Trunk ENI. The addition of the Trunk ENI empowers the EC2 instance to host a greater number of containers, effectively maximizing container density.

Managing IP Address Exhaustion

It's important to note that even with ENI trunking, IP addresses are still allocated from the subnet. Small subnets could lead to IP exhaustion issues. To mitigate this, Amazon VPC Container Network Interface (CNI) can be configured to utilize a different IP space than the host network, preventing potential challenges related to IP address limitations.

Conclusion

ENI trunking is a powerful feature that enables ECS users to break free from the constraints of ENI attachment limits, unlocking the potential for higher container density on EC2 instances. By understanding and leveraging this feature, you can optimize your ECS cluster, ensuring efficient resource utilization and maximizing the benefits of containerization on AWS.

References

https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/networking-networkmode-awsvpc.html

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-instance-eni.html?icmpid=docs_ecs_hp_account_settings

Decision flow to save compute cost in AWS

Deepak Pakhale — Thu, 15 Sep 2022 06:58:56 +0000

Choose the correct S3 storage class

Deepak Pakhale — Mon, 12 Sep 2022 08:52:57 +0000

Threat Modelling Simplified

Deepak Pakhale — Sat, 12 Mar 2022 00:22:12 +0000

Threat Modelling is a structured approach to identify threats and their impact to the systems in terms of business loss.As part of Threat Modelling System Owners identify various risks/threats and implement mitigation plans.

In this post we will try to understand Threat Modelling terminologies.

Threat Agents
These are the individuals or group of users trying to gain access to the system either by stealing identity of the legitimate users or by tricking the system to believe that they are the real users.It can be determined if Threat Agent is a small group or an organisation depending on the size of the threat and possible gains of exploitation.Very sensitive part of the systems should not be easily accessible to anyone and must have multiple layers of security and user verification mechanisms.

Trust Zones
Different parts of system generates or stores different kinds of data with varied levels of sensitivity.For example, data stored in Database is used by applications and is highly trusted hence usually there is no need for additional validation to be performed at the time of usage.If the Database is compromised then there will be a Very High Impact on the application.

Impact
It is a quantification of potential loss in terms of reputation, finances and user trust.Determining the impact of each possible threat will help the system owners to implement appropriate controls.

Controls
These are the countermeasures put in place to prevent, detect or mitigate the threats.

Preventive Controls totally avoids the threat
Detective Controls observes the running system and determine existence of the threat
Mitigations are the measures put in place to drastically reduce the likelihood of threat occurrence.

Likelihood
Possibility of the threat occurrence depends on how much infrastructure attacker will need to put in place to exploit the system and possible rewards out it.Threat Intelligence available from study of similar systems can also help to determine likelihood and appropriate controls.

Threat Mapping
It is a process to map different paths attacker will follow to take advantage of the missing controls.Data Flow Diagrams is the best way to determine how bad actors can move from one component to another and eventually reach to the most sensitive part of the systems where they can cause maximum damage.Understanding of the system from multiple view points (https://en.wikipedia.org/wiki/4%2B1_architectural_view_model) helps in effective Threat mapping.

Asset Identification
System Owners should have real time tracking of the assets.Any unauthorised addition or removal of the asset could be a possible active threat to the system.

These are the basic Threat Modelling terminologies that every developer, architect or system designer should understand to build secure systems and effectively apply Threat Modelling methodologies.

AWS Instance metadata service(IMDS)

Deepak Pakhale — Sun, 27 Feb 2022 10:15:20 +0000

Instance metadata service(IMDS) exposes three categories of data using linked-local address 169.254.169.254

dynamic
meta-data
user-data

dynamic data exposes instance identity in plaintext JSON format.This gets attached to it whenever instance is either stopped and started, restarted or launched. It is recommended to verify the identity document retrieved from IMDS url.PlainText instance identity document is accompanied by 3 hashed and encrypted signatures.These signatures can be used to verify the origin and authenticity of the instance identity document.AWS releases the regional public certificates. Depending on the region it is mandatory for users to use correct public certificate during verification.Contents of instance-identity document cosnists of details such as imageId, instanceId and privateIp associated with instance.

meta-data exposes the information about the running instance that can be used during automation.If AWS releases new category of the meta-data then it may not be readily available on the running instance.The most sensitive information available in the meta-data is the identity-credentials.STS token that is assigned to instance can be found here and can become a tool for exploitation.

user-data are set of commands that are entered during instance launch time to perform configuration activities.These commands are run with root privileges and it is a best practice to not enter any sensitive information such as credentials in the user data sections as it is available in plain text format.

Introduction of IMDSv2
AWS have released v2 of IMDS to fix the security issues related to original service. Unlike v1 , IMDSv2 requires users to provide additional session token while invoking IMDS url. Also as per default settings of IMDSv2 TTL is set
to 1 which means response from IMDS is now valid only till single hop or local instance.This protects users from accidentally exposing IMDS endpoints via misconfigured reverse-proxies.

Difference between apt, apt-get and apt-cache

Deepak Pakhale — Mon, 21 Feb 2022 23:41:42 +0000

APT or Advanced Package Tool is the command line package manager for Debian based Linux distributions.It provides set of tools to search, add, upgrade or remove linux packages.Some of the tools that users mix and match to achieve end goal of package management are apt, apt-get and apt-cache.

apt

Recent addition to package management tools list compared to its peers
Collection of commands for commonly used package management operations making it one stop solution for common operations
Designed to improve end user experience while working on package management
More suitable for interactive use than in scripts

apt-get

Have more options for package management than apt
Better suited for automation scripts
Internally used by many GUI based package management tools

apt-cache

Displays available information about installed and installable package
Works on the local cache created by commands such as apt-get update or apt update hence output of apt-cache may be outdated depending on time of the last package update.
apt-cache works in offline mode as its input is local cache

Which command should I use for package management ?

My personal preference is apt as it has easy to remember options usually sufficient for regular package management operations.apt also combines commands from apt-get and apt-cache making it a One Stop Solution.