At re:Invent 2017 in Las Vegas, AWS launched AWS Fargate, its latest offering in the container infrastructure space. Since the launch there has been a lot of buzz around Fargate, and also some confusion about what the offering means to businesses and which current problems the service actually addresses. In this post I will attempt to answer those questions and clear up the confusion.
Let's start by briefly looking at the impact containers are having on infrastructure and the business trends they have jumpstarted. Containers have forced business leaders to rethink their public cloud infrastructure and their strategy for it.
If you are a business leader and are using a public cloud service, what was the primary reason for you to subscribe to such a service? It was to solve three primary challenges:
- Having to maintain your own data centers
- Translating capital expenditure to operating expenditure, and
- Optimizing infrastructure usage.
In other words, all you wanted was to focus on building business functionality: just the application layer and the business data.
How’s that going for you? Even after over a decade of public cloud adoption, you still have a pretty significant staff to manage that software infrastructure. Even though you don’t have to maintain your own data centers, you’re still provisioning Virtual Machine (VM) clusters, ensuring that they are live, available, secure and optimally utilized.
Containers to the Rescue?
When containers burst onto the infrastructure scene, you thought that containerizing your applications, and the infrastructure underneath them, would finally help you achieve those goals. A couple of years into that journey, not much has changed. You are still managing the software stack and the VM clusters. In fact, there is now an additional task: making sure each VM instance is packed with enough container instances (the bin packing problem) to use its compute resources well. On top of that, your developers have to ramp up quickly on a rapidly changing container ecosystem. In his IEEE Cloud Container article, Asif Khan, Tech Lead for Developer Technologies and Applications at AWS, highlights a set of key characteristics of a container orchestration platform.
Could a managed Kubernetes service help? Not right now, but I hope in the near future. Kubernetes is a container orchestration layer that itself has to be managed, and that is not an easy task; hence the proliferation of managed services for the orchestration layer. In the context of AWS, ECS already provides such a managed container orchestration layer, though not one based on Kubernetes. Even with a managed orchestration layer, be it ECS or EKS, you still have to manage the underlying VM-based clusters and still have to deal with the bin packing problem.
What About Immutable Infrastructure?
How does immutable infrastructure help with any of these problems, or does it? Since an application container packages everything it needs for its lifetime, its dependency on the underlying host becomes minimal. The supporting infrastructure can therefore be very simple, little more than a kernel and a container runtime, and hence immutable: rip and replace rather than manage. Immutable infrastructure does make managing the software stack in the VM clusters much easier, but it doesn't address any of the problems mentioned above. You still own the cluster, and you still have to pack it.
So how do you achieve the business goals that you started out with?
Enter Fargate. Fargate lets you achieve those business goals. With AWS Fargate, all you have to do is bring your application container workloads. The service abstracts away the management of the underlying VM clusters, the bin packing, and the container orchestration layer. In a task definition you describe your containers and the CPU, memory, IAM roles and networking they need; an ECS service on top of it sets the desired task count, scaling and availability. AWS Fargate takes care of the rest.
Fargate is a true serverless Container-as-a-Service (CaaS), since it takes on the responsibility of managing the servers. It also provides more flexibility than AWS Lambda, including:
- No time limit on how long a task can run,
- Support for long-running services, not just Function-as-a-Service (FaaS) style invocations, and
- A clean abstraction in which the business owner is concerned only with the application, not the infrastructure.
Isn’t that what the original business goals to move to the public cloud were?
The Benefits of AWS Fargate
There are also tangible, bottom-line benefits to moving to AWS Fargate, including:
- You are charged only for the time your application container workloads are running, not for the time the underlying VM cluster instances are running; by itself, that should save you an estimated 5% to 10% of your AWS compute bill
- With the bin packing problem offloaded to Fargate, you save an additional 10% to 15%, which is the cost typically attributed to over-provisioning compute resources, and
- Simpler applications and operations, with the freed-up engineering attention applied to building better applications.
Running on AWS Fargate also future-proofs your applications against changes in the underlying infrastructure. If AWS were to offer Fargate on bare-metal containers (containers running directly on the host OS rather than inside VMs), that transition would be completely abstracted from your business applications and would have zero impact on them.
Security and Monitoring on AWS Fargate
Since Fargate completely abstracts the underlying infrastructure from business application owners, the service does not allow host-based agents or privileged-container based solutions for monitoring and securing applications. Such solutions are a security liability in their own right: an agent that runs privileged or has access to the host (for example through the Docker socket) is a high-value target, and if a malicious actor compromises it, every application container on that host is compromised with it, and, where the agent's credentials are shared across hosts, potentially the entire cluster.
Traditional agent-based approaches also require the business owner to own the host, which obviously conflicts with the primary reason for adopting Fargate. You can't hand responsibility for the infrastructure to AWS (SLA and all) and still expect to install software on it.
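As an added illustration (example code written for this post, not Layered Insight's or AWS's own code), the following Python script checks an ECS task definition against the documented Fargate launch-type constraints before you try to register it: awsvpc networking, task-level CPU and memory, no privileged containers, no host bind mounts or Docker volumes, and no added Linux capabilities other than SYS_PTRACE. The two task definitions, the role ARNs, the image names and the `host-agent` sidecar are constructed for illustration; the sidecar runs privileged and mounts the Docker socket, which is exactly what a host-based agent of the kind described above typically requires, and exactly what Fargate will not run.

```python
"""Static check of an ECS task definition for AWS Fargate constraints.

Example code added for this post (not Layered Insight's or AWS's code).
Both task definitions below are constructed for illustration.
"""
import copy

# Constructed example: a Fargate-compatible task definition. The application
# runs unprivileged on a read-only root filesystem, and the execution role
# (what ECS needs to pull the image and ship logs) is kept separate from the
# task role (what the application code itself may call).
FARGATE_TASKDEF = {
    "family": "orders-api",                                  # hypothetical name
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",                                 # the only mode Fargate accepts
    "cpu": "512",
    "memory": "1024",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",  # hypothetical
    "taskRoleArn": "arn:aws:iam::123456789012:role/ordersApiTaskRole",          # hypothetical
    "containerDefinitions": [
        {
            "name": "orders-api",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders-api:1.0",  # hypothetical
            "essential": True,
            "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
            "readonlyRootFilesystem": True,
            "user": "1000",
        }
    ],
}

# Constructed example: the same application plus a host-agent style sidecar
# that wants the Docker socket, privileged mode and an extra capability.
AGENT_TASKDEF = copy.deepcopy(FARGATE_TASKDEF)
AGENT_TASKDEF["volumes"] = [
    {"name": "docker-sock", "host": {"sourcePath": "/var/run/docker.sock"}}
]
AGENT_TASKDEF["containerDefinitions"].append(
    {
        "name": "host-agent",
        "image": "example/host-agent:latest",  # hypothetical
        "essential": False,
        "privileged": True,
        "linuxParameters": {"capabilities": {"add": ["SYS_ADMIN"]}},
        "mountPoints": [
            {"sourceVolume": "docker-sock", "containerPath": "/var/run/docker.sock"}
        ],
    }
)


def fargate_compat_issues(taskdef):
    """Return the list of reasons this task definition cannot run on Fargate.

    The rules mirror the documented Fargate launch-type restrictions: awsvpc
    networking, task-level cpu and memory, no privileged containers, no host
    bind mounts (a "host" entry with no sourcePath is ephemeral storage and is
    allowed), no Docker volumes, and no added capability other than SYS_PTRACE.
    An empty list means no issue was found.
    """
    issues = []
    if "FARGATE" not in taskdef.get("requiresCompatibilities", []):
        issues.append("requiresCompatibilities must include FARGATE")
    if taskdef.get("networkMode") != "awsvpc":
        issues.append("networkMode must be awsvpc")
    for key in ("cpu", "memory"):
        if not taskdef.get(key):
            issues.append(f"task-level {key} is required")
    for vol in taskdef.get("volumes", []):
        name = vol.get("name", "?")
        if vol.get("host", {}).get("sourcePath"):
            issues.append(f"volume {name}: host sourcePath bind mounts are not supported")
        if "dockerVolumeConfiguration" in vol:
            issues.append(f"volume {name}: Docker volumes are not supported")
    for container in taskdef.get("containerDefinitions", []):
        name = container.get("name", "?")
        if container.get("privileged"):
            issues.append(f"container {name}: privileged containers are not supported")
        caps = container.get("linuxParameters", {}).get("capabilities", {}).get("add", [])
        for cap in caps:
            if cap != "SYS_PTRACE":
                issues.append(f"container {name}: capability {cap} cannot be added")
    return issues


if __name__ == "__main__":
    for label, taskdef in (("application only", FARGATE_TASKDEF), ("with host agent", AGENT_TASKDEF)):
        found = fargate_compat_issues(taskdef)
        print(f"{label}: {'OK for Fargate' if not found else ''}")
        for issue in found:
            print(f"  - {issue}")
```

The check is deliberately conservative: it reports every Fargate-incompatible field rather than stopping at the first, so a team migrating an EC2-launch-type task definition sees the whole list of changes (drop the privileged sidecar, drop the Docker socket mount, drop the added capability) in one pass.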
Layered Insight's Container Native Application Protection solutions are ideally suited for a service like AWS Fargate. Our patent-pending approach provides deep application telemetry and complete protection from within the application. It is zero-touch for developers and DevOps, and fully automatic for SecOps. Layered Insight's solutions run completely in user space, require no host agents or privileged containers to be installed, and don't require any changes to your application deployment scripts. It's the only such solution on AWS Fargate for monitoring and securing your applications.