Deploying a web application on AWS Fargate

AWS Fargate is a nifty feature for running your Docker containers on AWS without first provisioning an EC2 virtual machine for them to run on. It’s a great way to pay less and make the administration of the entire thing much better.

We assume that we will be deploying a Docker-containerized solution that does not require a relational database (if it does, the considerations that apply are presented at the end of the article). It will be accepting HTTP traffic on port 8000.

Bare necessities

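You will need a Docker registry. Enable the Amazon Elastic Container Registry and set up the AWS CLI on your workstation. Authenticate and log in to AWS. Then issue the following commands:

# AWS_ACCOUNT_ID, REGION, REPOSITORY and TAG are placeholders for your own values.
# The token is piped in on stdin so that it never appears in the process list.
aws ecr get-login-password | docker login --username AWS --password-stdin AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com
docker push AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/REPOSITORY:TAG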

First, you’ll need to create a new VPC for your application to run in. A VPC is essentially a virtual LAN your application will run inside. This will be handled for you in the cluster creation wizard.

First thing, create an Amazon ECS cluster. Move over to the Amazon ECS console, select Amazon ECS -> Clusters and hit Create Cluster. Leave the defaults and proceed to the page that asks about Networking. Now hit the Create VPC button and leave everything at default. Obviously, don’t forget to name your cluster. Enable CloudWatch Container Insights.

Next, proceed to Task Definitions and define your task. Obviously, you need to make it compatible with Fargate. You will also need to expose port 8000.

The issue

Now we need to preconfigure load balancing, seeing as we will be using Amazon’s Application Load Balancer. Navigate to your EC2 Console -> Load Balancing -> Target Groups. Hit Create target group. Choose IP addresses as the target type. Specify your container’s exposed port (in this case 8000).

Remove all entries from the IP addresses tab.

Now add a Load Balancer. Navigate to the relevant submenu and click Create Load Balancer. Choose Application Load Balancer. Choose all possible mappings, and from the list of target groups choose the one you previously created.

At this point, make sure that your load balancer has been created and is not in the PROVISIONING state.

Choose it in the Load Balancing menu and open the Listeners tab. Delete the only listener that this load balancer has.

Now you’re ready to define a service. Proceed to your target Cluster and hit Services -> Create. Select your default VPC, and then select all possible subnets. Make sure to keep auto-assign public IP enabled. When prompted to specify a load balancer, choose Application Load Balancer. Choose your load balancer from the list, and click Add to load balancer. Select the only possible option from the production listener, and fill it out with the second possible one in the container. It should look something like this:

This assumes that you put in the target group name exactly as created previously.

Do not choose autoscaling. Proceed until you reach the Create service button, then press it. Make sure you give the service plenty of time to start up (until the health check is OK).

At this moment you should be able to visit your Load Balancer, copy its DNS name, and your app should be reachable under the provided domain name.

Visit the Troubleshooting section if something doesn’t quite work (in my case the security group settings were busted).


Troubleshooting

Health issues. Visit your target group to see whether it has any problems keeping enough healthy targets. Tweak the health check settings to fix that.

Service visibility problems. Navigate to your task and follow the link to its ENI. Select its public DNS name and navigate to http://public-dns-name:8000/.

Invalid security group settings. Navigate to your service and click its security group. Make sure that port 8000 is allowed.

ResourceInitializationError: unable to pull secrets or registry auth: pull command failed: : signal: killed. Make sure that Auto-assign public IP is enabled. Otherwise the container won’t have any way to connect to Amazon ECR, if you insist on storing your images there.
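The check from the "Invalid security group settings" item, as an added example that is not part of the original article: it reads a document in the shape printed by `aws ec2 describe-security-groups` and reports, per group, whether port 8000 is blocked, restricted to specific sources, or open to the whole internet. The sample document, its group IDs and the function names are constructed for illustration.

```python
import ipaddress
import json

APP_PORT = 8000  # container port used throughout the article

# Constructed sample, trimmed to the fields used here, in the shape printed by
# `aws ec2 describe-security-groups`. All group IDs and rules are made up.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa0000000000001", "IpPermissions": [{"IpProtocol": "tcp",
   "FromPort": 8000, "ToPort": 8000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0aaa0000000000002", "IpPermissions": [{"IpProtocol": "tcp",
   "FromPort": 8000, "ToPort": 8000,
   "UserIdGroupPairs": [{"GroupId": "sg-0bbb0000000000001"}]}]},
 {"GroupId": "sg-0aaa0000000000003", "IpPermissions": [{"IpProtocol": "tcp",
   "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
]}""")


def covers_port(rule, port):
    """True if an ingress rule admits TCP traffic on `port`."""
    if rule["IpProtocol"] == "-1":  # "-1" = all protocols, all ports
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_group(group, port=APP_PORT):
    """Return (verdict, sources); a /0 source (0.0.0.0/0 or ::/0) is world-open."""
    sources = []
    for rule in group.get("IpPermissions", []):
        if covers_port(rule, port):
            sources += [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
            sources += [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]
    if not sources:
        return "blocked", sources
    world = any("/" in s and ipaddress.ip_network(s, strict=False).prefixlen == 0
                for s in sources)
    return ("world-open" if world else "restricted"), sources


def audit(doc, port=APP_PORT):
    """Map each group ID in the document to its verdict for `port`."""
    return {g["GroupId"]: audit_group(g, port)[0] for g in doc["SecurityGroups"]}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A "blocked" verdict on the service's group explains failing health checks. A "world-open" verdict means that, with auto-assign public IP enabled, the container also answers on port 8000 directly rather than only through the load balancer.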

Adding a database

Just provision an instance of Amazon RDS, and allow it access to your default VPC. Just be ever mindful of security group settings.


By Piotr Maślanka

Programmer, paramedic, entrepreneur, biotechnologist, expert witness. Your favourite renaissance man.
