
Amazon Web Services (AWS)

Why should you use Defang with AWS? Defang lets you create and manage full, scalable applications on AWS with little effort, and aims to make deploying your services to the cloud simpler. Instead of learning the ins and outs of AWS, deciding which of the 200+ services to use, writing the infrastructure code to deploy your services, and making sure they are properly secured, you let Defang do all of that for you.

Getting Started

Getting started with the Defang BYOC AWS Provider is easy. The first step is to authenticate your shell with AWS as an admin user. The authenticated user should be an IAM admin because Defang will need permission to create resources and IAM roles in your account.

tip

If you have the AWS CLI installed, you should be able to successfully run aws sts get-caller-identity and see your account ID.

Use the --provider=aws flag to tell the Defang CLI to use the AWS Provider or set the DEFANG_PROVIDER environment variable to aws.

$ defang compose up --provider=aws
# or
$ export DEFANG_PROVIDER=aws

warning

Because Defang creates roles, you need to have the appropriate permissions to create roles in your cloud provider account, typically the AdministratorAccess policy in AWS.

tip

The Defang CLI does not depend on the AWS CLI. It uses the AWS SDK for Go to interact with your AWS account. In most cases, if you can run the aws sts get-caller-identity command from the tip above, you should be good to go. However, because the AWS CLI and the AWS SDK for Go resolve credentials differently, there is at least one case where they behave differently: if you are using aws sso login and have clashing profiles in your .aws/config and .aws/credentials files, the AWS CLI will prioritize SSO profiles and caches over regular profiles, but the AWS SDK for Go will prioritize the credentials file, and the Defang CLI may fail as a result.

Region

The Defang BYOC AWS Provider uses the region specified in the AWS_REGION environment variable or, failing that, the region of the active profile in the ~/.aws/config file, exactly as the AWS CLI would.
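The following preflight script is an added example, not Defang's own code. It reproduces the region lookup just described (AWS_REGION first, then the profile's region in ~/.aws/config) and detects the SSO/credentials profile clash from the tip above, so you can see what the Defang CLI will resolve before running compose up. It assumes the standard AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE overrides and a profile name from AWS_PROFILE or "default".

```shell
#!/bin/sh
# Preflight helpers for the Defang AWS provider (added example, not Defang's
# own code). They mirror the region lookup described above (AWS_REGION first,
# then the profile's region in ~/.aws/config) and flag the SSO/credentials
# clash from the tip, which the AWS SDK for Go resolves in favour of the
# credentials file. AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE are the
# SDK's real path overrides; the profile defaults to AWS_PROFILE or "default".

# ini_get FILE SECTION KEY: print KEY's value from [SECTION] of an AWS INI file.
ini_get() {
  awk -v want="$2" -v key="$3" '
    /^[[:space:]]*\[/ { sec=$0; sub(/^[[:space:]]*\[/, "", sec); sub(/][[:space:]]*$/, "", sec); next }
    sec == want && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
      val=$0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val); print val; exit
    }' "$1" 2>/dev/null
}

# ~/.aws/config names the default profile "[default]" but every other one
# "[profile NAME]"; ~/.aws/credentials uses plain "[NAME]" for all of them.
config_section() {
  if [ "$1" = default ]; then echo default; else echo "profile $1"; fi
}

# resolve_region PROFILE [CONFIG_FILE]: AWS_REGION wins, else the profile's region.
resolve_region() {
  cfg="${2:-${AWS_CONFIG_FILE:-$HOME/.aws/config}}"
  if [ -n "${AWS_REGION:-}" ]; then echo "$AWS_REGION"; return 0; fi
  r=$(ini_get "$cfg" "$(config_section "$1")" region)
  [ -n "$r" ] && echo "$r"
}

# sso_clash PROFILE [CONFIG_FILE] [CREDENTIALS_FILE]: true when PROFILE is an
# SSO profile in config AND has static keys in credentials, the case where the
# AWS CLI uses SSO but the SDK for Go (and so Defang) picks the static keys.
sso_clash() {
  cfg="${2:-${AWS_CONFIG_FILE:-$HOME/.aws/config}}"
  cred="${3:-${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}}"
  sec=$(config_section "$1")
  sso="$(ini_get "$cfg" "$sec" sso_start_url)$(ini_get "$cfg" "$sec" sso_session)"
  [ -n "$sso" ] && [ -n "$(ini_get "$cred" "$1" aws_access_key_id)" ]
}

# preflight [PROFILE]: report what `defang compose up --provider=aws` will see.
preflight() {
  p="${1:-${AWS_PROFILE:-default}}"
  region=$(resolve_region "$p") || { echo "no region for profile $p; set AWS_REGION" >&2; return 1; }
  sso_clash "$p" && echo "warning: $p is SSO in config but has static keys in credentials; Defang will use the keys" >&2
  echo "profile=$p region=$region"
}
```

Run preflight before defang compose up; a warning means the CLI's aws sts get-caller-identity check and Defang will authenticate as different identities.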

Architecture

Defang uses resources that are native to the cloud provider you are using. The following describes the current state of Defang's support for AWS, the specific resources that Defang uses, and the roadmap for future support.

Secrets

Defang allows you to configure your services with sensitive config values. Sensitive values are stored in AWS Systems Manager Parameter Store, and are encrypted.

Deployment

To deploy your services, the Defang CLI packages your code and uploads it to an S3 bucket in your account. The CLI then deploys an ECS task that uses Pulumi to build your container image and run your service.

Runtime

The provider runs your workloads on ECS with Fargate. It provisions a VPC with public and private subnets and deploys your services to the private subnets. It then provisions an Application Load Balancer (ALB) and routes traffic to your services.

Service Discovery

Defang uses a Route53 private hosted zone for service discovery. Each (private) service in the Compose file will get a CNAME or A record which resolves to the service's AWS domain name or IP, respectively. To update the A records for the dynamically assigned IP addresses, Defang will add a Route53 sidecar alongside your container.

Managed Storage

Defang can help you provision managed storage services. The following managed storage services are supported on AWS:

Managed Postgres

When using Managed Postgres, the Defang CLI provisions an RDS Postgres instance in your account.

Managed Redis

When using Managed Redis, the Defang CLI provisions an ElastiCache Redis cluster in your account.

Managed Resources

Defang will create and manage the following resources in your AWS account from its bootstrap CloudFormation template:

Resource Type                            Example Resource Name
s3/Bucket                                defang-cd-bucket-cbpbzz8hzm7
ecs/ClusterCapacityProviderAssociations  defang-cd-Cluster-pqFhjwuklvm
ecs/Cluster                              defang-cd-ClusterpJqFhjwuklvm
iam/Role                                 defang-cd-ExecutionRole-XE7RbQDfeEwx
ec2/InternetGateway                      igw-05bd7adc92541ec3
ec2/VPCGatewayAttachment                 IGW
logs/LogGroup                            defang-cd-Logroup-6LSZet3tFnEy
ecr/PullThroughCacheRule                 defang-cd-ecrpublic
ec2/Route                                rtb-08f3f5afc9e6c8c8
ec2/RouteTable                           rtb-08f3f5ffc9e6c8c8
ec2/VPCEndpoint                          vpce-02175d8d4f47d0c9
ec2/SecurityGroup                        sg-032b839c63e70e49
ec2/Subnet                               subnet-086bead399ddc8a0
ec2/SubnetRouteTableAssociation          rtbassoc-02e200d45e7227fe
ecs/TaskDefinition                       arn:aws:ecs:us-west-2:381492210770:task-definition/defang-cd-TaskDefinition-RXd5tf9TaN38:1
iam/Role                                 defang-cd-TaskRole-gsEeDPd6sPQY
ec2/VPC                                  vpc-0cbca64f13435695

Then, for each project you deploy, Defang will create and manage the following resources:

Resource Type                    Example Resource Name
ecr/Repository                   project1/kaniko-build
ecr/LifecyclePolicy              project1/kaniko-build
acm/Certificate                  *.project1.tenant1.defang.app
ecr/Repository                   project1/kaniko-build/cache
ecr/LifecyclePolicy              project1/kaniko-build/cache
iam/InstanceProfile              ecs-agent-profile
iam/Role                         ecs-task-execution-role
cloudwatch/EventRule             project1-ecs-lifecycle-rule
cloudwatch/EventTarget           project1-ecs-event-cw-target
route53/Record                   validation-project1.tenant1.defang.app
acm/CertificateValidation        *.project1.tenant1.defang.appValidation
ec2/VpcDhcpOptionsAssociation    dhcp-options-association
cloudwatch/LogGroup              builds
iam/Role                         kaniko-task-role
ecs/TaskDefinition               kanikoTaskDefArm64
ecs/TaskDefinition               kanikoTaskDefAmd64
s3/Bucket                        defang-build
s3/BucketPublicAccessBlock       defang-build-block
ecs/Cluster                      cluster
ecs/ClusterCapacityProviders     cluster-capacity-providers
ec2/SecurityGroup                project1_app-sg
ec2/SecurityGroup                bootstrap
ec2/VpcDhcpOptions               dhcp-options
cloudwatch/LogGroup              logs