How Our Amazon ECS Autoscaling Works
Jon Sully
@jon-sullyOur new autoscaling service for Amazon ECS services and clusters is live! đ
But how does it work? Itâs proprietary, of course... (prepares NDA)
Totally kidding. Weâve gotten several questions around the Judoscale/ECS integration, so we wanted to write a quick post that walks through some of the basics. Letâs start with the adapter.
Adapter and Queue Time
Running Judoscale requires the installation of an adapter into your application, and we offer several: Rails, Express, Django, Flask, and more. Weâre excited to bring them to Amazon ECS! While the adapters do several background operations to track your various systemsâ queue times, tracking queue time from incoming web requests requires a bit more configuration.
Our adapters passively and transparently read a special header present on incoming web requests: X-Request-Start. Amazonâs various routing systems donât add this header for us the way some other platforms do. So we need to add it ourselves!
While there are several ways to accomplish the header addition, and many of them do work with our system, the method we recommend is the Sidecar Container pattern within the Task Definition of the web-server process. If your particular application manages incoming requests and routing in another style, feel free to configure the header there and we can help you determine if itâs working properly.
In a quick walkthrough of the Sidecar pattern, letâs start with a simple Task Definition that just runs a plain Rails Server process. It would look something like this:
In this case, the Task Definition has a single container (the Rails Server process) and that container fields incoming requests on port 80 directly. The Sidecar pattern essentially injects another container (the âsidecarâ) into the Task Definition which acts as a proxy / intermediary before the request makes it to the application. That looks more like this:
The NGINX config at play here is extremely minimal:
server {
listen 80;
location / {
proxy_set_header X-Request-Start "t=${msec}";
proxy_pass http://localhost:3000;
}
}
And, if this specific combination (listen on 80, pass to 3000) matches your needs, youâre welcome to use the publicly-available container we prepared here. If you prefer to build your own, you need only two lines of a Dockerfile to build the fully functional container (where nginx.conf is the above config):
FROM nginx:latest
COPY nginx.conf /etc/nginx/conf.d/default.conf
Once your sidecar is running, the Judoscale adapter should start reading the request header and observing request queue times automatically.
AWS Permissions and ENV
The second piece of the how-it-works puzzle revolves around AWS platform-level setup. This consists of three steps that deal less with your application code and more with your infrastructure itself, but all three steps are guided and automated by Judoscale (though not required to be if you prefer custom).
ECS Read Permissions
When you create a new Amazon ECS team in Judoscale, youâll be greeted with this screen:
This is our default automation step that offers to run our pre-fab CloudFormation template for you. That template is linked directly in the view and you can see it here.
The tl;dr: is that this script simply creates âallowâ permission rules, specifically for Judoscale, for ecs:Describe*, ecs:List*, iam:ListAccountAliases, and account:ListRegions. These permissions allow us to populate the clusters list in the screen that follows:
And, upon clicking âLinkâ for a cluster, the same permissions allow us to list out and prepare the services within that cluster:
Itâd be tough to autoscale an app we canât read!
Judoscale ENV
Once you select a Service to link and get your framework-specific Judoscale adapter installed, youâll be given a unique ENV value. Thatâll look something like this in the UI:
This ENV value needs to be present in any task/container running a Judoscale adapter, but Judoscale doesnât dictate the means by which you implement that requirement. Weâve worked with teams that hard-code the value into their Task Definitions, teams that add the key-value pair into their Terraform setups, teams that use a Parameter/Secrets Manager structure, and plenty of others. We leave that up to you, but weâre here to help if youâre not sure which path to take! (Did you know we have open office hours?)
Once you have the Judoscale adapter running and the environment variable in place, both the âFinished and Deployedâ button and the page background will be your feedback confirmation. Clicking âFinished and Deployedâ will either give you an error message of âWe havenât quite seen data come in yet...â or it will confirm that we are seeing data come in from your Service. Similarly, the charts in the background will begin moving and changing in real-time to reflect your Serviceâs traffic and queue times once your setup is working properly.
Write Permissions
Alright, so at this point weâve got our Secret Sauce (â˘ď¸) mostly formed â we have the AWS read-permissions we need to know about your clusters/services, we have the Judoscale adapter running in your applicationâs runtime, and weâve confirmed the adapter is successfully reporting queue times... now we just need to scale! Automatically, even đ
Changing your serviceâs scale count requires the last piece of first-time setup: AWS write permissions for your Service(s).
The first time you click the âAutoscaling Onâ switch for a given service, youâll be presented with the final modal: another automation to add write permissions:
Once again that script is linked in the view and you can see the raw source here.
But the tl;dr: on this one is that we update the same permission (role) we created in the original âread permissionsâ script and add an âallowâ for ecs:UpdateService only. That singular permission is what authorizes our platform to change your serviceâs scale count, and we do that by simply setting the serviceâs âDesired Scale Countâ field. Thatâs it!
The Fully Working Machine
Weâve got all the permissions and data sorted out, and autoscaling is running smoothly at this point! So letâs get back to the primary question; how does it work?
Letâs take an illustrative approach... letâs say youâve got a small ECS cluster â just a web service and a single worker service:
But letâs not be too simple â we have multiple task instances running in each of those services, so our model might be better represented as so:
The first layer weâll add here is the Judoscale adapter: its job is to transparently report queue time data from each individual instance in any given service to Judoscale:
As the data reaches Judoscale, itâs continuously scanned and monitored at a per-service level to ensure that the service is staying within its set scaling parameters. That data is also exposed in the real-time Judoscale UI so you can observe and understand your system health directly:
And as soon as one of your services begins reporting queue times that breach your chosen autoscaling settings, Judoscale automatically adjusts your scale count on AWS to compensate.. quickly. We generally prompt AWS to upscale within 10-20 seconds of detected slow-downs! Letâs illustrate that like this:
And thatâs essentially it. The fully operational autoscaling machine is simple at its core: receive lots of data, continuously scan it all in real time, find breaches and outliers, and adjust the scale for services that need more (or less) instances depending on their reported queue times (the only truly reliable metric to scale on). Smooth and simple.
Thanks for tuning in to this little how-it-works! Weâre really excited to GA this integration and weâre looking forward to supporting the teams that have been asking for it. Amazon ECS on Judoscale is a new frontier for fast, extremely-responsive infrastructure, and itâs ready right now. Scale on, friends!