What Is AWS EKS?

Amazon Web Services (AWS) Elastic Kubernetes Service (EKS) is a fully managed service that lets you run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.

Aqua for AWS SecurityFargate Security Challenges Webinar
Amit ShepsDecember 27, 2023

What Is AWS EKS?

AWS EKS simplifies the process of running Kubernetes in the cloud, eliminates the need for manual cluster management, and offers a seamless experience for developers. EKS also makes it easy to use AWS services such as AWS Identity and Access Management (IAM), Amazon RDS, and Amazon S3 with your Kubernetes applications.

What Is AWS Fargate?

AWS Fargate is a serverless compute engine for containers that eliminates the need to manage the underlying infrastructure.  Fargate provides a way to run containers while abstracting away the underlying hosting. With Fargate, there is no need to provision, configure, and scale virtual machines to run containers. There is also no need to choose server types, decide when to scale your clusters, or optimize cluster packing.

Fargate uses Amazon Elastic Compute Cloud (EC2) instances behind the scenes, but users do not need to manage the underlying EC2 instances. They are billed according to the exact resources their containers consume, not for entire EC2 instances.

This is part is a part of a series of articles about container platforms

In this article:

How EKS Runs on Fargate 

EKS on Fargate is an integration that allows Fargate to be used as a computing option for EKS clusters. It means that you can leverage the serverless nature of Fargate in your EKS environment. When you run EKS on Fargate, it abstracts the server and infrastructure management, which simplifies the process of running Kubernetes applications on AWS.

When a pod is to be deployed in EKS, it goes through the Kubernetes scheduler, which decides where the pod should run depending on the resources requested by the pod. In a traditional EKS setup, this would be on an EC2 instance. However, with Fargate, this pod is wrapped into a Fargate task, which is then run on the Fargate infrastructure.

Benefits of Running Amazon EKS Clusters on Fargate

Running Amazon EKS clusters on Fargate offers several benefits:

  • Simplified operations: Fargate eliminates the need for cluster administrators to manage underlying nodes, reducing operational overhead.
  • Cost efficiency: With Fargate, you pay only for the resources your containers use. This model can be more cost-effective compared to paying for entire EC2 instances, particularly for applications with variable or unpredictable workloads.
  • Improved security: Fargate runs each pod in a separate runtime environment, without sharing any resources between pods, which improves security. This isolation helps prevent one application from affecting or accessing the resources of another.
  • Easier scalability: Fargate scales compute to match the resource requirements of your containers, without manual intervention.

Getting Started with Amazon EKS on Fargate 

Here are the steps involved in creating a new Amazon EKS cluster running on Fargate.

Prerequisites: You should have an existing Amazon account and install eksctl on your local machine.

Step 1: Create Your Amazon EKS Cluster and Nodes

To quickly start with Amazon EKS and Fargate, use eksctl, a command-line utility for creating and managing Kubernetes clusters on Amazon EKS. This tool automates several tasks, making it simpler to set up your cluster.

Use the following command to create your EKS cluster with Fargate:

eksctl create cluster --name <my-cluster> --region <region-code> --fargate

Replace my-cluster with your desired cluster name and region-code with your preferred AWS region.

Note: If you have a cluster with existing nodes, ensure that these nodes can communicate with pods running on Fargate. Fargate pods automatically use the cluster security group, so check that your existing nodes can send and receive traffic to and from this group.

Step 2: Create a Fargate Pod Execution Role

Fargate requires an IAM role to make AWS API calls on your behalf. Because we created the cluster with eksctl using the --fargate option, a pod execution role is already set up, and you can find it in the IAM console with a name pattern like this: 

eksctl-my-cluster-FargatePodExecutionRole-ABCDEFGHIJKL

If you need to create a pod execution role, see the instructions in the EKS documentation.

Step 3: Create a Fargate Profile for Your Cluster

Before scheduling pods on Fargate in your cluster, define a Fargate profile that specifies which pods use Fargate. Because our cluster was created with eksctl and the --fargate option, a default Fargate profile is already created for the kube-system and default namespaces. 

If you need to use Fargate with other namespaces, see instructions on how to create additional Fargate profiles.

Note: In EKS by default, CoreDNS runs on EC2, not on Fargate. If you want to run CoreDNS on Fargate, there are a few additional configuration steps.

Step 4: Migrate Applications to the EKS Fargate Cluster

To migrate existing applications, you should first create a Fargate profile that matches the original Kubernetes namespace and Kubernetes labels used by your applications.

Then, delete and recreate any existing pods to have them scheduled on Fargate. Additional optional steps include:

  • Deploy load balancing on Amazon EKS to create Ingress objects for pods running on Fargate.
  • Use Vertical Pod Autoscaler (VPA) to set the initial CPU and memory for your Fargate Pods, and then use Horizontal Pod Autoscaler (HPA) to scale the pods. 

Note: In order to have VPA re-deploy pods to Fargate with higher CPU and memory combinations, set VPA mode to either Auto or Recreate.

AWS Container Security with Aqua

Aqua provides the most complete security across the application lifecycle, from development to production, protecting all cloud native applications running on AWS including, Amazon ECS for container orchestration, Amazon EKS for Kubernetes-based deployments, AWS Fargate for on-demand container scaling, AWS Lambda for serverless functions, and Amazon ECR for storing and managing container images.

If you are running cloud native workloads on AWS, Aqua can help with:

  • Image vulnerability scanning & assurance
    Preventing unauthorized images from running in the AWS environment Aqua Continuously scan images stored in Amazon ECR to ensure that no vulnerabilities, bad configurations, or secrets are introduced into container images.
  • Protecting workloads running on Amazon ECS and EKS
    Prevent unvetted containers from running on Amazon ECS, EKS and Fargate environments. Automatically create security policies based on container behavior and ensure that containers only do what they are supposed to do in the application context. Detect and prevent activities that violate policy, and defend against container-specific attack vectors.
  • Securing applications on AWS Fargate
    Aqua embeds the MicroEnforcer into your containers to ensure that workloads are only performing their intended function, while detecting vulnerable or compromised containers.
  • Protecting AWS Lambda Functions
    Discovering over-provisioned permissions and roles, vulnerabilities, and embedded credentials and keys. Monitoring functions at runtime, preventing code injection and malicious activity.
  • Cloud VM Security and Compliance
     Protect workloads running on Amazon EC2 instances and ensure they are properly hardened. Scan for vulnerabilities and malware, apply File Integrity Monitoring (FIM), check configuration against the CIS Benchmark for Linux, and monitor user access and activity. Create command-level audit trail for compliance and forensics.

The full-featured Aqua platform is available for on-demand consumption on the AWS Marketplace:

Get Aqua from the AWS Marketplace >

Learn more about Aqua for AWS security

Amit Sheps
Amit is the Director of Technical Product Marketing at Aqua. With an illustrious career spanning renowned companies such as CyberX (acquired by Microsoft) and F5, he has played an instrumental role in fortifying manufacturing floors and telecom networks. Focused on product management and marketing, Amit's expertise lies in the art of transforming applications into cloud-native powerhouses. Amit is an avid runner who relishes the tranquility of early morning runs. You may very well spot him traversing the urban landscape, reveling in the quietude of the city streets before the world awakes.
Need to secure enterprise workloads?
Aqua Cloud Native Application Protection Platform (CNAPP)
Go cloud native with the experts!
Get Demo
Aqua Security stops cloud native attacks across the application lifecycle and is the only company with a $1M Cloud Native Protection Warranty to guarantee it. As the pioneer in cloud native security, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry's most integrated Cloud Native Application Protection Platform (CNAPP), protecting the application lifecycle from code to cloud and back. Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries.
Read Aqua Security reviews on G2

Use Cases

Environments

Partners

Resources

About Us

Get in Touch

Products

Get Started
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use | Cookie Settings |  
Accessibility Tools
Normal text size Medium text size Large text size
Normal display Black & White display High contrast display
Stop transitions and animations Underline Links