ECS, EKS, and Fargate

AWS Container Services: ECS, EKS, and Fargate

AWS offers two container orchestrators (ECS and EKS) and two compute modes (EC2 launch type and Fargate). Picking the right combination depends on your team's familiarity with Kubernetes and how much of the cluster you want to manage.

Amazon ECS (Elastic Container Service):

AWS-proprietary orchestrator — simpler than Kubernetes, tightly integrated with IAM, CloudWatch, ALB, and App Mesh.
Concepts: Task Definition (container blueprint), Task (running instance), Service (maintains N tasks behind a load balancer), Cluster (logical grouping).
Best when your team wants containers without Kubernetes' operational overhead.

Amazon EKS (Elastic Kubernetes Service):

Managed upstream Kubernetes control plane with AWS integrations (IAM for Service Accounts, VPC CNI, EBS CSI, Load Balancer Controller).
Kubernetes API is 100% compliant, so off-the-shelf Helm charts, operators, and tooling work as-is.
Best when you already run Kubernetes, want portability across clouds, or need Kubernetes-native ecosystem tools.

AWS Fargate:

Serverless compute for containers — you specify CPU and memory per task/pod, AWS provisions the underlying infrastructure.
No EC2 instances to patch, scale, or right-size; billed per vCPU-second and GB-second.
Works as a launch type under both ECS and EKS.
Trade-offs: higher per-hour cost than equivalent EC2, no privileged containers, no daemonsets in EKS, no GPU support.

Choosing the Combination:

ECS + Fargate: Simplest path — no cluster nodes, no Kubernetes. Great default for small teams.
ECS + EC2: More control and lower cost at scale; use Spot for batch workloads.
EKS + Fargate: Kubernetes API without managing nodes — good for stateless web services.
EKS + EC2 (or Karpenter): Full Kubernetes flexibility with managed node groups or Karpenter for just-in-time node provisioning across instance types and Spot.

Related Services:

ECR (Elastic Container Registry): Private Docker/OCI registry with IAM auth, image scanning, and pull-through cache from Docker Hub/GitHub.
App Runner: Even simpler than ECS+Fargate — hand AWS a Dockerfile or source repo and get a URL. Limited configurability; fine for stateless web apps.
App Mesh / VPC Lattice: Service mesh for cross-service networking, observability, and mTLS.

Service Limits & Quotas:

ECS: Default soft limits — 10,000 clusters per region, 5,000 services per cluster, 5,000 tasks per service. Task definition can have up to 10 containers.
EKS: 100 clusters per region (soft), up to 450 nodes per managed node group, 110 pods per node by default (depends on instance ENI/IP capacity with VPC CNI).
Fargate: Task sizing from 0.25 vCPU / 0.5 GB up to 16 vCPU / 120 GB; ephemeral storage default 20 GB, configurable up to 200 GB. Default On-Demand vCPU quota starts at 1,000 per region.
ECR: 10,000 repositories per region (soft), 10,000 images per repo, max image size 10 GiB.
EKS Kubernetes versions: AWS supports the latest 4 minor versions; older versions enter extended support with surcharge.

Pricing Model:

ECS on EC2: No charge for ECS itself — you pay only for the underlying EC2 + EBS.
ECS on Fargate / EKS on Fargate: Per vCPU-second and per GB-second of memory, billed from image pull start to task termination (1-minute minimum). ARM Graviton tasks are ~20% cheaper.
EKS control plane: Flat ~$0.10/hour per cluster (~$73/month) regardless of size; extended-support K8s versions add a surcharge per hour.
ECR: $0.10/GB-month for storage; data transfer OUT applies.
Common cost surprises: running many small EKS clusters multiplies the $73/month flat fee; Fargate is significantly more expensive than reserved EC2 for steady workloads; cross-AZ pod-to-pod traffic in EKS; NAT Gateway charges for image pulls if not using ECR endpoints or pull-through cache.

Code Example:

An ECS task definition (JSON) for a Fargate service running a Python API:

{
  "family": "api-service",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "cpu": "512",
  "memory": "1024",
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "taskRoleArn": "arn:aws:iam::123456789012:role/api-task-role",
  "containerDefinitions": [{
    "name": "api",
    "image": "123456789012.dkr.ecr.us-west-2.amazonaws.com/api:v1.4.2",
    "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
    "essential": true,
    "environment": [{"name": "LOG_LEVEL", "value": "INFO"}],
    "secrets": [{
      "name": "DB_PASSWORD",
      "valueFrom": "arn:aws:secretsmanager:us-west-2:123456789012:secret:prod/db-AbCdEf"
    }],
    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "/ecs/api-service",
        "awslogs-region": "us-west-2",
        "awslogs-stream-prefix": "api"
      }
    }
  }]
}

aws ecs register-task-definition --cli-input-json file://taskdef.json
aws ecs update-service \
  --cluster prod \
  --service api-service \
  --task-definition api-service \
  --force-new-deployment

Common Interview Questions:

When would you choose EKS over ECS?

Choose EKS when the team already runs Kubernetes elsewhere, you need cloud portability, you want Kubernetes-native ecosystem tools (Helm, Argo CD, Istio, Karpenter, operators), or you have complex workload patterns (StatefulSets, DaemonSets, custom schedulers). Choose ECS when the team prefers a simpler control plane, you want tight AWS-native integration with minimal operational overhead, and you don't need K8s features.

Fargate vs. EC2 launch type — what are the tradeoffs?

Fargate removes node management — no patching, no scaling node groups, no right-sizing. You pay per task vCPU/GB-second, which is more expensive per unit than EC2 but eliminates idle capacity and ops cost. EC2 is cheaper at steady scale (especially with Spot or Savings Plans), supports GPUs, privileged containers, and DaemonSets. A common pattern: Fargate for unpredictable or low-volume services, EC2 + Karpenter for production workloads at scale.

How do containers get IAM permissions on ECS and EKS?

On ECS, attach a Task Role to the task definition — the container's AWS SDK calls automatically use those credentials via the task metadata endpoint. On EKS, use IAM Roles for Service Accounts (IRSA): annotate a Kubernetes ServiceAccount with an IAM role ARN and the pod's SDK exchanges its OIDC token for AWS credentials. Both avoid embedding access keys.

What is Karpenter and why is it preferred over Cluster Autoscaler?

Karpenter is an open-source Kubernetes node provisioner from AWS. Unlike Cluster Autoscaler, which scales pre-defined node groups, Karpenter looks at pending pods and provisions exactly the right instance type just-in-time — choosing across hundreds of instance shapes and Spot/On-Demand. Result: faster scale-up (often under a minute), better bin-packing, and lower cost.

How do you do zero-downtime deploys on ECS?

Use rolling update (default) with a load-balancer health check and ECS Service Deployment Circuit Breaker — ECS launches the new task definition, waits for ALB target-group healthy status, then drains the old task. For more control, use Blue/Green deployments via CodeDeploy with two target groups; CodeDeploy shifts traffic at a controlled rate (linear, canary, or all-at-once) and supports automatic rollback on CloudWatch alarms.

What's the EKS pod-per-node limit and how do you raise it?

The default VPC CNI assigns each pod a real VPC IP from the node's ENIs, capping pods at the instance's max-ENI × IPs-per-ENI minus a few reserved. Workarounds: enable VPC CNI prefix delegation (assigns /28 prefixes per ENI, dramatically increasing density), or use a different CNI (Cilium, Calico) with overlay networking.