Tutorial: Using FSx for Windows File Server file systems with Amazon ECS – Amazon Elastic Container Service
Nội Dung Chính
Tutorial: Using FSx for Windows File Server file systems with
Amazon ECS
FSx for Windows File Server provides fully managed Microsoft Windows file servers, that are backed by a
fully native Windows file system. When using FSx for Windows File Server together with Amazon ECS, you can
provision your Windows tasks with persistent, distributed, shared, static file storage. For
more information, see What Is FSx for Windows File Server? in the FSx for Windows File Server User
Guide.
You can use FSx for Windows File Server to deploy Windows workloads that require access to shared
external storage, highly available regional storage, or high-throughput storage. You can
mount one or more FSx for Windows File Server file system volumes to an ECS container running on an ECS
Windows instance. You can share FSx for Windows File Server file system volumes among multiple ECS
containers within a single ECS task.
Note
FSx for Windows File Server might not be available in all Regions. For more information about which
Regions support FSx for Windows File Server, see Amazon FSx Endpoints and Quotas in the
AWS General Reference.
In this tutorial, you launch an ECS Optimized Windows instance that hosts an FSx for Windows File Server
file system and containers that can access the file system. To do this, you first create an
AWS Directory Service AWS Managed Microsoft Active Directory. Then, you create an Amazon FSx for Windows
File Server file system and an ECS cluster with an ECS instance and an ECS task definition.
You configure the task definition for your containers to use the FSx for Windows File Server file system.
Finally, you test the file system.
It takes 20 to 45 minutes each time you launch or delete either the Active Directory or
the FSx for Windows File Server file system. Be prepared to reserve at least 90 minutes to complete the
tutorial or complete the tutorial over a few sessions.
Prerequisites for the tutorial
-
An administratice user. See Set up to use Amazon ECS.
-
(Optional) A pem key pair for connecting to your EC2 Windows instance through
RDP access. For information about how to create key pairs, see Amazon EC2 key pairs and Windows instances in the User
Guide for Windows Instances. -
A VPC with at least one public and one private subnet, and one security group.
You can use your default VPC. You don’t need a NAT gateway or device. AWS Directory Service
doesn’t support Network Address Translation (NAT) with Active Directory. For
this to work, the Active Directory, FSx for Windows File Server file system, ECS Cluster, and
ECS instance must be located within your VPC. For more information regarding
VPCs and Active Directories, see Amazon VPC console wizard
configurations and AWS Managed Microsoft AD Prerequisites. -
The IAM ecsInstanceRole and ecsTaskExecutionRole permissions are associated with your
account. These service-linked roles allow services to make API calls and access
containers, secrets, directories and file servers on your behalf.
Step 1: Create IAM access roles
Create a cluster with the AWS Management Console.
-
See Amazon ECS container instance IAM role to
check whether you have an ecsInstanceRole and to see how you can create one if
you don’t have one. -
We recommend that role policies are customized for minimum permissions in an
actual production environment. For the purpose of working through this tutorial,
verify that the following AWS managed policy is attached to your
ecsInstanceRole. Attach the policy if it is not already attached.-
AmazonEC2ContainerServiceforEC2Role
To attach AWS managed policies.
-
Open the IAM
console. -
In the navigation pane, choose Roles.
-
Choose an
AWS managed
role -
Choose Permissions, Attach policies..
-
To narrow the available policies to attach, use
Filter. -
Select the appropriate policy and choose Attach
policy.
-
-
See Amazon ECS task execution IAM role to check whether you have an
ecsTaskExecutionRole and to see how you can create one if you don’t have
one.We recommend that role policies are customized for minimum permissions in an
actual production environment. For the purpose of working through this tutorial,
verify that the following AWS managed policies are attached to your
ecsTaskExecutionRole. Attach the policies if they are not already attached. Use
the procedure given in the preceding section to attach the AWS managed
policies.-
SecretsManagerReadWrite
-
AmazonFSxReadOnlyAccess
-
AmazonSSMReadOnlyAccess
-
AmazonECSTaskExecutionRolePolicy
-
Step 2: Create Windows Active Directory (AD)
-
Follow the steps described in Create Your AWS Managed AD Directory in the AWS
Directory Service Administration Guide. Use the VPC you
have designated for this tutorial. On Step 3 of Create Your AWS
Managed AD Directory, save the user name and password for use in
a following step. Also, note the fully qualified domain name for future steps.
You can go on to complete the following step while the Active Directory is being
created. -
Create an AWS Secrets Manager secret to use in the following steps. For more
information, see Getting Started
with AWS Secrets Manager in the AWS Secrets Manager
User Guide.-
Open the Secrets Manager
console. -
Click Store a new secret.
-
Select Other type of secrets.
-
For Secret key/value, in the first row, create a
keyusernamewith value
admin. Click on + Add
row. -
In the new row, create a key
password. For
value, type in the password you entered in Step 3 of Create
Your AWS Managed AD Directory. -
Click on the Next button.
-
Provide a secret name and description. Click
Next. -
Click Next. Click
Store. -
From the list of Secrets page, click on the
secret you have just created. -
Save the ARN of the new secret for use in the following steps.
-
You can proceed to the next step while your Active Directory is being
created.
-
Step 3: Verify and update your security group
In this step, you verify and update the rules for the security group that you’re
using. For this, you can use the default security group that was created for your
VPC.
Verify and update security group.
You need to create or edit your security group to send data from and to the ports,
which are described in Amazon VPC Security Groups in the FSx for Windows File Server User
Guide. You can do this by creating the security group inbound rule
shown in the first row of the following table of inbound rules. This rule allows
inbound traffic from network interfaces (and their associated instances) that are
assigned to the security group. All of the cloud resources you create are within the
same VPC and attached to the same security group. Therefore, this rule allows
traffic to be sent to and from the FSx for Windows File Server file system, Active Directory, and
ECS instance as required. The other inbound rules allow traffic to serve the website
and RDP access for connecting to your ECS instance.
The following table shows which security group inbound rules are required for this
tutorial.
Type
Protocol
Port range
Source
All traffic
All
All
sg-securitygroup
Custom TCP
TCP
8080
0.0.0.0/0
RDP
TCP
3389
your EC2 instance public IP address
The following table shows which security group outbound rules are required for
this tutorial.
Type
Protocol
Port range
Destination
All traffic
All
All
0.0.0.0/0
-
Open the EC2 console and select
Security Groups from the left-hand menu. -
From the list of security groups now displayed, select check the check-box to
the left of the security group that you are using for this tutorial.Your security group details are displayed.
-
Edit the inbound and outbound rules by selecting the Inbound
rules or Outbound rules tabs and choosing
the Edit inbound rules or Edit outbound
rules buttons. Edit the rules to match those displayed in the
preceding tables. After you create your EC2 instance later on in this tutorial,
edit the inbound rule RDP source with the public IP address of your EC2 instance
as described in Connect
to your Windows instance from the Amazon EC2 User Guide
for Windows Instances.
Step 4: Create an FSx for Windows File Server file system
After your security group is verified and updated and your Active Directory is created
and is in the active status, create the FSx for Windows File Server file system in the same VPC as your
Active Directory. Use the following steps to create an FSx for Windows File Server file system for your
Windows tasks.
Create your first file system.
-
Open the Amazon FSx console.
-
On the dashboard, choose Create file system to start the
file system creation wizard. -
On the Select file system type page, choose
FSx for Windows File Server, and then choose
Next. The Create file system page
appears. -
In the File system details section, provide a name for
your file system. Naming your file systems makes it easier to find and manage
your them. You can use up to 256 Unicode characters. Allowed characters are
letters, numbers, spaces, and the special characters plus sign (+). minus sign
(-), equal sign (=), period (.), underscore (_), colon (:), and forward slash
(/). -
For Deployment type choose Single-AZ
to deploy a file system that is deployed in a single Availability Zone.
Single-AZ 2 is the latest generation of single
Availability Zone file systems, and it supports SSD and HDD storage. -
For Storage type, choose
HDD. -
For Storage capacity, enter the minimum storage capacity.
-
Keep Throughput capacity at its default
setting. -
In the Network & security section, choose the same
Amazon VPC that you chose for your AWS Directory Service directory. -
For VPC Security Groups, choose the security group that
you verified in Step 3: Verify and update your security
group. -
For Windows authentication, choose AWS
Managed Microsoft Active Directory, and then choose your AWS Directory Service
directory from the
list. -
For Encryption, keep the default Encryption
key setting of aws/fsx (default). -
Keep the default settings for Maintenance
preferences. -
Click on the Next button.
-
Review the file system configuration shown on the Create file
system page. For your reference, note which file system settings
you can modify after file system is created. Choose Create file
system. -
Note the file system ID. You will need to use it in a later step.
You can go on to the next steps to create a cluster and EC2 instance while the
FSx for Windows File Server file system is being created.
Step 5: Create an Amazon ECS cluster
Create a cluster using the classic Amazon ECS console
-
Open the Amazon ECS console.
-
In the navigation pane, choose Clusters.
-
On the Clusters page, choose Create
Cluster. -
Choose EC2 Windows + Networking and choose Next
step. -
For Cluster name enter
windows-fsx-cluster. -
Click the check-box under the name of the cluster to create an empty
cluster. -
Click the Create button on the lower right corner.
-
Click the View Cluster button when the cluster is
successfully created.You are now on a page where you can view the details of your cluster.
Step 6: Create an Amazon ECS instance
Launch an ECS Optimized Windows EC2 instance into the ECS cluster you just created using
the AWS Management Console and the classic Amazon ECS console
-
Go to Amazon
ECS-optimized AMI in the Amazon ECS Developer Guide
to find the latest version of the Windows Server 2019 Full AMI in the same
Region as your VPC. -
You can get the latest version using one of the following steps.
Scroll down to the Windows Server 2019 Full AMI table.
-
Find the latest version in the table for your Region. Click
View AMI ID link to a page where you’ll find
the AMI ID of the latest version. Save a copy of the AMI ID for the next
steps. -
Run the given Systems Manager command using the AWS CLI and save a copy
of the AMI ID that is returned.
-
-
Open the Amazon EC2 console.
-
Click on the Launch Instance button and select
Launch Instance.You are now on a page that lists available EC2 instances.
-
Select an AMI for your EC2 instance.
-
Under Quick Start, click on Community
AMIs. -
In the search field, enter the AMI ID that you
saved from the previous step and press return. -
Select the Windows Server 2019 Full AMI that matches the AMI ID that
you saved in the previous step.You are now on a page listing instance types.
-
-
For Instance type page, choose t2.medium or t2.micro and
click on Next: Configure Instance Details. -
Configure instance details.
-
On the Configure Instance Details page, enter 1
for Number of Instances. -
For Network select your VPC.
-
For Subnets select a public subnet.
-
Select
Enablefor Auto-assign Public
IP. -
For Domain join directory, select the ID of the
Active Directory that you created. This option domain joins your AD when
the EC2 instance is launched. -
For IAM role, select your
ecsInstanceRole from the drop-down menu. -
Scroll to the bottom of the page and enter the following into the
User data text field.<powershell> Initialize-ECSAgent -Clusterwindows-fsx-cluster-EnableTaskIAMRole </powershell> -
Click Next: Add Storage button.
-
Click Next: Add Tags button.
-
Click Next: Configure Security Group
button.
-
-
On the Configure Security Group page, select the security
group that you verified and updated in Step 3: Verify and update your
security group. If it doesn’t already exist, add an inbound RDP
TCP rule to allow traffic from your EC2 instance IP address through port 3389 if
you want to be able to RDP into your instance. -
Click on Review and Launch button.
-
On the Review Instance Launch page, click the
Launch button. -
For Key pair, choose an Amazon EC2 key pair to use with your
container instances for RDP access. If you don’t specify a key pair, you can’t
connect to your container instances with RDP. For more information, see Prerequisites for the tutorial. -
Click on View instance to see the new instance status
among your list of instances. -
Open the classic Amazon ECS console and select
Clusters. -
Select your fsx-windows-cluster cluster.
-
Select the ECS Instances tab and verify that your ECS
instance has been registered in the fsx-windows-cluster
cluster.
Step 7: Register a Windows task
definition
Before you can run Windows containers in your Amazon ECS cluster, you must register a task
definition. The following task definition example displays a simple web page on port
8080 of a container instance. The task launches two containers that have access to the
FSx file system. The first container writes an HTML file to the file system. The second
container downloads the HTML file from the file system and serves the webpage.
Register the sample task definition with the classic Amazon ECS console
-
Open the Amazon ECS console.
-
In the navigation pane, choose Task Definitions.
-
On the Task Definitions page, choose Create new
Task Definition. -
On the Select launch type compatibilities page, choose
EC2 and then Next step.Note
The Fargate launch type isn’t compatible with Windows
containers. -
On the Create new Task Definition page, scroll to the
bottom of the page and choose Configure via JSON. -
Use the following sample task definition JSON. Replace the values for your task execution
role and the details about your FSx file system and then choose
Save.{
"containerDefinitions": [{
"entryPoint": [ "powershell", "-Command" ], "portMappings": [], "command": ["New-Item -Path C:\\fsx-windows-dir\\index.html -ItemType file -Value '<html> <head> <title>Amazon ECS Sample App</title> <style>body{
margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>It Works!</h2> <p>You are using Amazon FSx for Windows File Server file system for persistent container storage.</p>' -Force"], "cpu": 512, "memory": 256, "image": "mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019", "essential": false, "name": "container1", "mountPoints": [{
"sourceVolume": "fsx-windows-dir", "containerPath": "C:\\fsx-windows-dir", "readOnly": false } ] },{
"entryPoint": [ "powershell", "-Command" ], "portMappings": [{
"hostPort": 8080, "protocol": "tcp", "containerPort": 80 } ], "command": ["Remove-Item -Recurse C:\\inetpub\\wwwroot\\* -Force; Start-Sleep -Seconds 120; Move-Item -Path C:\\fsx-windows-dir\\index.html -Destination C:\\inetpub\\wwwroot\\index.html -Force; C:\\ServiceMonitor.exe w3svc"], "mountPoints": [{
"sourceVolume": "fsx-windows-dir", "containerPath": "C:\\fsx-windows-dir", "readOnly": false } ], "cpu": 512, "memory": 256, "image": "mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019", "essential": true, "name": "container2" } ], "family": "fsx-windows", "executionRoleArn": "arn:aws:iam::111122223333:role/ecsTaskExecutionRole", "volumes": [{
"name": "fsx-windows-vol", "fsxWindowsFileServerVolumeConfiguration":{
"fileSystemId": "fs-0eeb5730b2EXAMPLE", "authorizationConfig":{
"domain": "example.com", "credentialsParameter": "arn:arn-1234" }, "rootDirectory": "share" } } ] } -
Click on container1 under Container
Definitions. -
Scroll to STORAGE AND LOGGING and, for Mount
points Source volume, select
fsx-windows-vol from the drop-down menu. -
For Container path, enter
C:\fsx-windows-dir. -
Click on Update button.
-
Repeat the last four steps for container2 under
Container Definitions. -
For Task execution role, choose your
ecsTaskExecutionRole from the drop-down menu. -
Verify your information and click on Create
button.
Step 8: Run a task and view the results
Before running the task, verify that the status of your FSx for Windows File Server file system is
Available. After it is available, you can run a task using the
task definition that you created. The task starts out by creating containers that
shuffle an HTML file between them using the file system. After the shuffle, a web server
serves the simple HTML page.
Note
You might not be able to connect to the website from within a VPN.
Run a task and view the results with the classic console.
-
Open the Amazon ECS console.
-
Choose your fsx-windows-cluster cluster.
-
Choose Tasks tab, and then Run new
task. -
For Launch Type, select EC2.
-
For Task Definition, choose the
fsx-windows task definition that you created, and then
choose Run
Task. -
Under the Tasks tab, choose the task that you just ran.
Your task appears in the list of tasks. -
When your task status is RUNNING, click on the task
ID. -
Expand container2.
-
Scroll down and click on the external IP address that is associated with the
container. Your browser will open and display the following message.Note
If you don’t see this message, check that you aren’t running in a VPN and
make sure that the security group for your container instance allows inbound
network HTTP traffic on port 8080.
Step 9: Clean up
Note
It takes 20 to 45 minutes to delete the FSx for Windows File Server file system or the AD. You
must wait until the FSx for Windows File Server file system delete operations are complete before
starting the AD delete operations.
Remove FSx for Windows File Server file system.
-
Open the Amazon FSx console
-
Click the radio button to the left of the FSx for Windows File Server file system that you
just created. -
Click on Actions.
-
Select Delete file system.
Remove AD.
-
Open the AWS Directory Service
console. -
Click the radio button to the left of the AD you just created.
-
Click on Actions.
-
Select Delete directory.
Remove ECS cluster.
-
Open the Amazon ECS console.
-
Select Clusters.
-
Select the cluster you just created.
-
Click the Delete Cluster button.
Remove ECS instance.
-
Open the Amazon EC2 console.
-
From the left-hand menu, select Instances.
-
Check the check-box to the left of the EC2 instance you created during this
exercise. -
Click the Instance state and then Terminate
instance.
Remove secret.
-
Open the Secrets Manager
console. -
Select the secret you created for this walk through.
-
Click Actions.
-
Select Delete secret.
