AWS Services

Amazon ECS And AWS Fargate

Understand ECS and Fargate for running containers on AWS, including clusters, task definitions, services, launch types, networking, scaling, and exam signals.

foundation6 min readUpdated 2026-06-02CloudCertificationOperationsCapacity
Amazon ECSAWS FargateClusterTask DefinitionTaskServiceCapacity ProviderContainer Orchestration

After this, you will understand

ECS and Fargate become straightforward once you separate container orchestration from who manages the compute capacity.

Plain version

ECS runs and manages containers; Fargate lets ECS run those containers without you managing EC2 instances.

Decision pressure

Learners think Fargate replaces ECS, or that containers remove the need for VPC, IAM, load balancing, and scaling design.

Exam-ready model

Use ECS services for long-running containers, task definitions for container configuration, and Fargate when the requirement says no server management.

Think before readingWhat is the difference between ECS and Fargate in one sentence?
ECS is the container orchestrator; Fargate is a serverless compute option ECS can use to run tasks.

Reading in progress

This page is saved in your local study history so you can continue later.

Next: Amazon Elastic Container Registry

Study path

Read these in order

Start with the mechanics, then move into the patterns that explain why the system is shaped this way.

  1. 1Amazon Elastic Container Registryaws-services
  2. 2Amazon API Gatewayaws-services

Concepts Covered

  • Container orchestration
  • Amazon ECS
  • AWS Fargate
  • Clusters
  • Task definitions
  • Tasks
  • Services
  • Capacity providers
  • Application Load Balancers
  • ECS versus Lambda and EC2

1. Plain-English Mental Model

Amazon Elastic Container Service, or ECS, is AWS's managed container orchestration service.

AWS Fargate is a serverless compute option for containers. With Fargate, you run ECS tasks without managing EC2 container instances.

The simple model is:

container image -> ECS task definition -> ECS task or service -> EC2 or Fargate capacity

ECS decides what containers should run, how many copies should exist, how they are deployed, and how they connect to load balancers and networking. Fargate decides who manages the underlying compute. If you choose Fargate, AWS manages the server capacity. If you choose EC2 launch type or EC2 capacity providers, you manage the EC2 instances that host containers.

ECS does not remove the need for IAM, VPC, security groups, logs, load balancing, or scaling design.

2. Why This Service Exists

Containers package applications and dependencies into portable images. But running containers in production requires orchestration: starting tasks, restarting failed containers, spreading work across capacity, deploying new versions, connecting services to load balancers, and scaling.

ECS exists to provide AWS-managed orchestration for containers.

Fargate exists to remove host management from container workloads. You specify CPU, memory, networking, and containers. AWS runs the task without you patching or scaling EC2 container instances.

For SAA-C03, ECS/Fargate appears when a question mentions containers, Docker images, task definitions, long-running services, scheduled tasks, no server management, container scaling, or migrating containerized applications to AWS.

The exam often distinguishes Lambda from ECS/Fargate. Lambda is event-driven functions. ECS/Fargate is better when you have containerized services, custom runtimes, long-running processes, or more control over container shape.

3. The Naive Approach And Where It Breaks

The naive container design is to SSH into an EC2 instance and run Docker manually:

EC2 instance -> docker run app

That works for a demo but breaks in production. Who restarts failed containers? How are deployments rolled out? How do you spread across AZs? How do you drain old tasks? How do you register targets with a load balancer?

Another naive design is to choose Fargate and assume no architecture remains. Fargate removes server management, but tasks still need subnets, security groups, IAM roles, logs, secrets, load balancer integration, and scaling policies.

Another mistake is using Lambda for a workload that is really a long-running container service. If the app needs a full HTTP server, background daemon, custom runtime, or long-running process, ECS may fit better.

4. Core Primitives

A cluster is a logical grouping of ECS resources.

A task definition is a blueprint for one or more containers. It defines image, CPU, memory, ports, environment variables, logging, IAM roles, secrets, and runtime settings.

A task is a running copy of a task definition.

A service maintains a desired number of tasks. It can integrate with an Application Load Balancer or Network Load Balancer and perform rolling deployments.

A launch type or capacity provider decides where tasks run: Fargate or EC2 capacity. Fargate requires no EC2 host management. EC2 gives more control over instances, placement, specialized hardware, and cost tuning.

Task role grants AWS API permissions to the application. Task execution role lets ECS pull images and write logs.

5. Architecture Use Cases

Use ECS services for containerized web apps, APIs, workers, internal services, and long-running background processes.

Use Fargate when the requirement emphasizes low operational overhead, no EC2 management, isolated task compute, and simple container scaling.

Use EC2 capacity when you need more control over hosts, specialized instances, GPU, daemon sidecars, high utilization bin packing, or cost optimization through instance commitments.

A common public service architecture:

users -> ALB -> ECS service on Fargate in private subnets -> RDS or DynamoDB

A worker architecture:

SQS queue -> ECS service workers -> database or storage

Use ECR as the container image registry for deployment pipelines.

7. Security Model

Run tasks in private subnets when they do not need direct internet exposure. Put the load balancer in public subnets for public services.

Use security groups to allow traffic from the load balancer to tasks and from tasks to downstream services.

Use task roles for application AWS permissions. Do not bake credentials into images.

Use task execution roles for ECS agent operations such as pulling images from ECR and writing logs.

Store secrets in Secrets Manager or Parameter Store and inject them safely.

Use ECR image scanning and signed image workflows where required. Keep container base images patched.

8. Reliability And Resilience

ECS services maintain desired count. If a task stops, ECS starts another one.

Spread services across multiple subnets and Availability Zones. Use load balancer health checks and container health checks to replace unhealthy tasks.

Use deployment configuration to control rolling updates, minimum healthy percentage, and maximum percentage.

For Fargate, AWS manages host availability, but your service still needs multiple tasks across AZs.

Use CloudWatch Logs and metrics for task visibility. Use alarms on service health, task count, load balancer errors, and queue backlog.

Design graceful shutdown so tasks can drain connections during deployment or scale-in.

9. Performance And Scaling

Scale ECS services based on CPU, memory, request count per target, SQS queue depth, or custom metrics.

Choose task CPU and memory deliberately. Under-sized tasks throttle or crash. Over-sized tasks waste money.

Fargate scales at the task level. EC2 capacity can scale both service tasks and the underlying container instance fleet.

For web services, put an ALB in front and monitor latency and target response metrics.

For workers, scale based on backlog and processing time, not only CPU.

Image size affects deployment speed. Smaller images pull faster and reduce cold deployment friction.

10. Cost Model

Fargate charges based on task CPU, memory, duration, and related options. It reduces operational overhead but may cost more than highly optimized EC2 capacity for steady dense workloads.

EC2 launch type can be cheaper at scale if you manage bin packing, instance purchasing, and capacity well. It also adds operational work.

Load balancers, NAT gateways, CloudWatch Logs, ECR storage, data transfer, and database services are part of the full cost.

Right-size tasks and scale down idle services where possible.

Use capacity providers and Savings Plans where appropriate.

12. SAA-C03 Exam Signals

"Run containers without managing servers" points to ECS with Fargate.

"Containerized application with low operational overhead" points to ECS/Fargate.

"Need full control over container host instances" points to ECS on EC2.

"Run long-running container service behind ALB" points to ECS service.

"Image registry for ECS deployment" points to ECR.

"Event-driven short function" points to Lambda, not ECS.

"Need Kubernetes specifically" points to EKS, not ECS.

13. Common Exam Traps

Do not say Fargate replaces ECS. Fargate is a compute option used by ECS.

Do not confuse task role and task execution role.

Do not put public IPs on every task when a public load balancer can front private tasks.

Do not assume containers remove patching. You still patch images and dependencies.

Do not use Lambda for long-running container services that exceed Lambda's model.

Do not forget log configuration. Containers can disappear quickly.

Review Amazon Elastic Container Registry, Amazon EC2, Application Load Balancer vs Network Load Balancer vs Gateway Load Balancer, and AWS Lambda.

Official AWS references:

What to study next

These links keep the session moving: read prerequisites first, then open the systems, concepts, and patterns that deepen this page.