<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Timur Galeev</title>
    <description>The latest articles on DEV Community by Timur Galeev (@timurgaleev).</description>
    <link>https://dev.to/timurgaleev</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F773619%2Fe3f4a728-09d9-4a2c-a542-1765ba13080d.jpeg</url>
      <title>DEV Community: Timur Galeev</title>
      <link>https://dev.to/timurgaleev</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/timurgaleev"/>
    <language>en</language>
    <item>
      <title>memex: training for the Forward Deployed Engineer era with a private memory brain on AWS</title>
      <dc:creator>Timur Galeev</dc:creator>
      <pubDate>Fri, 10 Jul 2026 18:14:13 +0000</pubDate>
      <link>https://dev.to/aws-builders/memex-training-for-the-forward-deployed-engineer-era-with-a-private-memory-brain-on-aws-5hb1</link>
      <guid>https://dev.to/aws-builders/memex-training-for-the-forward-deployed-engineer-era-with-a-private-memory-brain-on-aws-5hb1</guid>
      <description>&lt;p&gt;&lt;em&gt;Or: what happens when an engineer gets tired of explaining himself to his own tools.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Before AI, and after
&lt;/h2&gt;

&lt;p&gt;First, the way this job used to look.&lt;/p&gt;

&lt;p&gt;A few years ago, if a company wanted a custom internal tool, the path was long: workshops, a requirements document, a team, a budget, a quarter. I sat somewhere in the middle of that as a cloud engineer - building the infrastructure, watching good ideas die in handover documents. Knowledge lived in people's heads and in wikis nobody read. When someone left, their know-how left with them.&lt;/p&gt;

&lt;p&gt;Then AI tooling got serious, and the math changed. One person who understands both the business problem and the cloud can now sit down with a company, find the process that quietly eats two months a year, and ship a working tool for it in days. Not a slide deck - a running application.&lt;/p&gt;

&lt;p&gt;There's a name floating around for this way of working: Forward Deployed Engineer. Someone who embeds with a company, learns how the place actually works - not how the org chart says it works - and deploys AI where it hurts. Let me be precise, because colleagues read this blog too: that is not my job title, and it's not a description of my day job. It's a hat I've been trying on for about half a year in my own time - side projects, weekend builds for friends' businesses, endless experiments - because I think it's where this profession is heading, and I'd rather learn the way of working before it becomes the job description.&lt;/p&gt;

&lt;p&gt;The most fun engineering I've done. Also a memory shredder.&lt;/p&gt;

&lt;p&gt;One month my evenings are full of warehouse logistics for a friend's company. The next it's a time-tracking tool. Then a Kubernetes upgrade study. Whatever belongs to an employer or to someone else's business stays there - that's the deal, and I don't bend it. But everything &lt;em&gt;around&lt;/em&gt; the work is mine to keep: the architecture patterns that held up, the AWS traps I walked into, my side projects, my notes, the half-finished idea I mumbled into a voice memo at 11pm.&lt;/p&gt;

&lt;p&gt;And here's the embarrassing part. I help companies stop losing knowledge, while my own knowledge lived in twelve places at once. An Obsidian vault. Git history. Old chat sessions. Voice memos. My head, allegedly. Every new AI session started from zero, and there I was again - re-explaining my own infrastructure to a tool that had helped me build that same infrastructure the day before.&lt;/p&gt;

&lt;p&gt;At some point that stopped being funny. So I built memex.&lt;/p&gt;

&lt;h2&gt;
  
  
  What memex is, in plain words
&lt;/h2&gt;

&lt;p&gt;memex is a private memory service. It runs in my own AWS account, it holds whatever I decide to feed it - notes, project docs, source code, and in my own install even my mail and calendar (that part is my personal wiring, not something the public repo ships) - and any AI tool I use can ask it questions.&lt;/p&gt;

&lt;p&gt;If you don't write code, here's the version I'd tell over coffee: imagine a new colleague who has read every note you ever wrote, never forgets any of it, never leaves the company, and answers any question in two seconds - always quoting where they read it. That colleague costs less than your coffee budget. That's memex.&lt;/p&gt;

&lt;p&gt;The technical version: the asking happens over MCP. MCP (Model Context Protocol) is an open standard that lets AI tools call external services - databases, APIs, memory stores - through one common interface. So whether I'm in Claude Code, Cursor, or Codex that day, or asking from my phone on a train, everything talks to the same brain.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fyv785f5vwgmdkkr5zfxp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fyv785f5vwgmdkkr5zfxp.png" alt=" " width="800" height="434"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The name is stolen, and I stole it with pride. In 1945, Vannevar Bush described a hypothetical desk-sized device he called the &lt;em&gt;memex&lt;/em&gt; - a machine where a person would keep all their books, records, and letters, "an enlarged intimate supplement to his memory." Eighty years and one weirdly good embeddings API later, you can actually have one.&lt;/p&gt;

&lt;p&gt;One thing memex refuses to be: a chatbot. It never writes answers. When my coding agent asks it something, memex hands back ranked excerpts from my own notes, each with a pointer to where it came from, and the agent on my laptop writes the answer from those. That split is deliberate. The brain remembers; the agent thinks. It also means every answer comes with receipts - I can always click through to the note it was quoted from.&lt;/p&gt;

&lt;p&gt;Here's a real moment. Fresh session, me typing:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"When did I move memex off PGLite, and why?"&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Claude Code quietly calls memex (simplified):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"method"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"tools/call"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"params"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"name"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"search"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"arguments"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nl"&gt;"q"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"PGLite migration why moved"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nl"&gt;"k"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;5&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And gets back excerpts like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"hits"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"sourcePath"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"/vault/20-projects/memex/session-notes.md"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"content"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"PGLite on EFS lost data on SIGKILL - the move
                  to RDS fixed that class of failure..."&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"score"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;29&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fe9oj9ylavepw868wmih8.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fe9oj9ylavepw868wmih8.gif" alt=" " width="760" height="409"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Two seconds, and I have the decision, the date, and the reason - quoted from a retro note written months ago by a version of me who was sure he'd remember. He never remembers.&lt;/p&gt;

&lt;h2&gt;
  
  
  The moment it clicked
&lt;/h2&gt;

&lt;p&gt;The payoff isn't any single lookup. It's that sessions stopped starting from zero. My kickoff prompt these days boils down to: "You know where everything is - ask the brain." The agent pulls my infrastructure layout, my past decisions, my conventions, and just gets on with it.&lt;/p&gt;

&lt;p&gt;Before memex, a session opened like this: "So, I have this EC2 instance, it runs Docker, the tunnel token is in Secrets Manager... no wait, let me check which account that was."&lt;/p&gt;

&lt;p&gt;After memex: "Add a health check to the morning briefing timer." That's it. It already knows what the morning briefing is, which timer fires it, and that the chat ID deliberately lives outside the repo.&lt;/p&gt;

&lt;p&gt;Fifteen minutes of throat-clearing per session, gone. Multiply by every session, every day.&lt;/p&gt;

&lt;h2&gt;
  
  
  What's actually inside
&lt;/h2&gt;

&lt;p&gt;Under the hood memex is a Bun + TypeScript service sitting in front of Postgres with the pgvector extension. Everything I'm about to describe lives in the open repo at &lt;a href="https://github.com/timurgaleev/memex" rel="noopener noreferrer"&gt;github.com/timurgaleev/memex&lt;/a&gt; - clone it and you get the whole thing: the memory service, the Terraform that builds the AWS setup, the security gates, the docs. The pipeline is boring on purpose:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Ingest.&lt;/strong&gt; I decide what gets indexed - a folder, a repo, another source. New sources never add themselves; the ones I've configured get re-swept on a schedule, and re-indexing the same path replaces the old version. The brain's database is the store it searches; anything indexed from my vault or a repo can be re-ingested from there, and the database itself gets backed up like any Postgres.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Chunking.&lt;/strong&gt; Documents get split into pieces that respect structure - markdown by sections, source code by functions and classes. A sanity gate scores incoming text and quarantines scraper junk before it wastes an embedding.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Embeddings.&lt;/strong&gt; Each chunk becomes a 1024-dimensional vector via Amazon Titan v2. If "embedding" is a new word: it's the meaning of a piece of text written down as a long row of numbers, so that texts about the same thing end up with similar numbers. That's the trick that lets "why did storage keep dying" find a note that never contains the word "dying". Every vector carries a signature (model + dimensions), so if I ever switch embedding models, memex can spot every stale vector - and, with a flag turned on, re-embed them automatically.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Hybrid search.&lt;/strong&gt; Every query runs keyword search and vector similarity at the same time, then fuses the rankings. Keyword catches exact identifiers - "t4g.medium", "SIGKILL". Vectors catch meaning - "why did storage keep dying". I tried living with each one alone; each alone misses half of what I actually ask.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;That's the base. Above it lives the part I actually show off to people - structured memory. Most of it is opt-in and uses paid model calls, so it's off by default in the repo:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Entity facts.&lt;/strong&gt; memex pulls subject-predicate-object facts out of notes ("memex → runs-on → EC2 t4g.medium") with confidence scores. Facts can supersede each other, decay over time, and keep an audit trail of why something was forgotten. Ask "what do I know about project X" and you get a compiled summary instead of raw search hits - still model-extracted, which is exactly why every fact drags its confidence score along.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A knowledge graph.&lt;/strong&gt; Notes, projects, and people are linked with typed edges. "Show me everything connected to the n8n server" is a single graph walk.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A code call graph.&lt;/strong&gt; When memex indexes a repo, it parses who-calls-what. My agent can ask "what breaks if I change this function" and get an actual blast-radius answer.
Do you need all of that? No. Hybrid search alone covers most days. But each layer got added because the previous layer fumbled a question I cared about - and since the whole thing is mine, adding a layer is a weekend project.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The night shift
&lt;/h2&gt;

&lt;p&gt;The part nobody sees is my favorite part. While I sleep, memex works.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjv7bofr456mgm6vu1nl8.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjv7bofr456mgm6vu1nl8.gif" alt=" " width="720" height="399"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A maintenance cycle of about fifteen phases runs in the background, and the important thing about it: these phases are deterministic - plain code, no language model doing any thinking. The only AI they touch is the cheap embedding call, so a night's work costs cents. What the phases actually do, in order of how much I'd miss them:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Keep embeddings fresh.&lt;/strong&gt; Edited notes get re-embedded when their source is re-swept, and the cycle additionally renews vectors that have grown old (the phase is literally called &lt;code&gt;embed-stale&lt;/code&gt;), so search never quietly goes out of date. Unchanged text keeps its existing vector - an edit only pays for the paragraphs that actually moved.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Reconnect the web.&lt;/strong&gt; If I renamed a project, split a note in two, or linked something new, the connections between notes get reconciled so the knowledge graph follows reality instead of drifting away from it.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Take out the trash.&lt;/strong&gt; Entries whose source is long gone get flagged as orphans so they can be swept out instead of haunting search results forever.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Check the vital signs.&lt;/strong&gt; The cycle records a snapshot of the corpus - how many documents, how much of it is embedded, what's pending - so trends are visible over weeks. The actual database backups are managed-Postgres routine, as they should be.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Then comes my favorite ritual: every night at 04:30 memex tests its own memory. It replays a golden set of questions - real questions I've asked before, with known good answers - and records how retrieval did: did the right note come back, and how high did it rank. Each run lands as a row of metrics, so if memory quality ever starts drifting, I see it as a falling number on a graph instead of a growing feeling that "search got worse lately." And I can cap what a run is allowed to spend, because I've learned to distrust anything that can burn money unsupervised at 4am.&lt;/p&gt;

&lt;p&gt;When something does need attention - a stalled job, low embedding coverage, a pending migration - a built-in advisor ranks the problems by severity, and for most of them hands me the exact fix command. Less "something looks wrong," more "run this."&lt;/p&gt;

&lt;p&gt;And for the curious: there's a second, optional night crew that I keep switched off most of the time. It's a chain of AI passes that reads recent notes and tries to distill them - pulling out atomic claims, grouping them into concepts, even proposing opinions with confidence grades attached, all written into its own separate store. It runs only in quiet hours and uses paid model calls - which is exactly why it's off by default in the public repo. Nice to have; not load-bearing.&lt;/p&gt;

&lt;p&gt;I wake up, my phone shows the morning briefing (my own wiring again, a small script on the same server), and the brain has already done its chores. Honestly, it's better at maintenance discipline than I am. That was the point.&lt;/p&gt;

&lt;h2&gt;
  
  
  The AWS build, and its trade-offs
&lt;/h2&gt;

&lt;p&gt;The infrastructure fits on a napkin, and I fight to keep it that way.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fo5974wkcjsn16kbic13e.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fo5974wkcjsn16kbic13e.png" alt=" " width="800" height="493"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;One EC2 instance - a $24/month ARM box. One small RDS Postgres. An EFS volume for runtime state, Secrets Manager for credentials, Bedrock for the AI calls. No Kubernetes, no autoscaling group, no load balancer, no message broker. A personal workload doesn't need an orchestrator; the entire runtime survives a &lt;code&gt;docker compose up -d --build&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;All of it is Terraform, sitting in &lt;a href="https://github.com/timurgaleev/memex" rel="noopener noreferrer"&gt;the repo&lt;/a&gt; under an MIT license - take it apart, copy it, run your own:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight hcl"&gt;&lt;code&gt;&lt;span class="c1"&gt;# What `terraform apply` creates (illustrative - the repo's&lt;/span&gt;
&lt;span class="c1"&gt;# terraform is plain resources, not a module):&lt;/span&gt;
&lt;span class="c1"&gt;#   VPC + single EC2 (t4g.medium) + RDS Postgres (db.t4g.micro)&lt;/span&gt;
&lt;span class="c1"&gt;#   + EFS + Secrets Manager + IAM + optional CloudTrail&lt;/span&gt;
&lt;span class="nx"&gt;instance_type&lt;/span&gt; &lt;span class="err"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"t4g.medium"&lt;/span&gt;   &lt;span class="c1"&gt;# ARM: half the price of x86&lt;/span&gt;
&lt;span class="nx"&gt;db_instance&lt;/span&gt;   &lt;span class="err"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"db.t4g.micro"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A few decisions I'd make again:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;No inbound ports.&lt;/strong&gt; The EC2 security group opens nothing to the internet. Nothing. The only way in is a Cloudflare Tunnel - the sidecar dials &lt;em&gt;out&lt;/em&gt; to Cloudflare, and my requests ride back down that connection. Shell access goes through AWS SSM Session Manager, so there isn't even an SSH port. None of this makes the box unhackable. It means the attack surface is a bearer token and Cloudflare's edge instead of an open-port buffet for scanners.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Private from whom?&lt;/strong&gt; Worth being precise here, because "private" carries a lot of weight in this article. My threat model: SaaS vendors training on my notes, a product shutting down and taking my memory with it, careless token leaks. Not on the list: AWS itself - Bedrock processes my text, that's a trade I make consciously and you should too - and not a nation-state. Draw your own line. The point of self-hosting is that you get to draw it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Layered damage control.&lt;/strong&gt; The public access token rotates every morning, so a leaked token stops working within a day at worst - and there are more layers under it. Even with a valid token, public reads come back with note bodies redacted, and write operations aren't reachable from the public surface at all. And since retrieved notes eventually get fed to language models, memex neutralizes common instruction-injection tokens in retrieved excerpts before they reach a model - which lowers the risk from the well-known tricks, nothing more. Mitigations, all of it. But each one answers a specific failure I didn't want to explain to myself later.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bedrock over API keys.&lt;/strong&gt; Embeddings come from Titan v2. A small Claude Haiku handles query understanding. An optional Claude Sonnet tier does the deeper synthesis work, off by default. Bedrock is AWS-managed, but the calls are authenticated and scoped through my own account's IAM - no third-party API key floating around with my entire note history behind it.&lt;/p&gt;

&lt;p&gt;And the bill, since somebody always asks: fifty-something dollars a month on paper, most of which AWS credits currently eat for me; the steady Bedrock share is coffee money, around thirty cents a day. My one splurge was a $23 afternoon of re-embedding the entire corpus with richer context. Worth it exactly once.&lt;/p&gt;

&lt;h2&gt;
  
  
  Scar tissue
&lt;/h2&gt;

&lt;p&gt;I'll keep this short, but skipping it entirely would turn the article into marketing. The first version kept its database in an embedded Postgres on EFS - a hard SIGKILL ate my index one evening, and that's how RDS earned its place. I once built a full Cognito login setup before admitting that memex serves programs, not people at login forms - tore it out the same week. And retrieval still misses sometimes, when I ask in words I never wrote down. That's exactly what the nightly self-test is for.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why build instead of buy
&lt;/h2&gt;

&lt;p&gt;There are real products in this space - memory SaaS, notes apps growing AI features, vector-database startups. I went the other way, for three reasons:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Ownership is the feature.&lt;/strong&gt; Years of decisions, projects, and half-thoughts is the most personal dataset I have. A memory product that shuts down, changes pricing, or "updates its privacy policy" isn't a tool - it's a landlord.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The interface is a standard.&lt;/strong&gt; MCP means my memory speaks the same protocol AI tools are adopting across the industry. Betting on a protocol beats betting on any single vendor's plugin ecosystem.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The work is the education.&lt;/strong&gt; Every hard problem in this project - chunking, ranking fusion, fact supersession, tenant isolation, cost control - keeps showing up in real conversations within months, wherever AI tooling is on the table.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;For plenty of people, buying is the right call. If your notes live happily in one app and you trust the vendor, go live your life. But if you're the kind of person who reads Terraform for fun, &lt;a href="https://github.com/timurgaleev/memex" rel="noopener noreferrer"&gt;github.com/timurgaleev/memex&lt;/a&gt; is waiting. Expect an afternoon to a day of Terraform, DNS, and reading docs.&lt;/p&gt;

&lt;h2&gt;
  
  
  How my week actually works now
&lt;/h2&gt;

&lt;p&gt;Back to the Forward Deployed Engineer thing, because memex doesn't work alone. Three tools, three jobs, and my week runs through all of them.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/timurgaleev/vibekit" rel="noopener noreferrer"&gt;vibekit&lt;/a&gt; holds the rules - how my AI agents are allowed to behave, what they must never touch, synced into every tool I use from one repo. &lt;a href="https://github.com/timurgaleev/vibestack" rel="noopener noreferrer"&gt;vibestack&lt;/a&gt; holds the workflows - the repeatable loops I run daily: plan a feature, review a diff, ship a release, investigate a bug. And memex holds the memory. Behavior, workflow, recall. Each would survive the others' deletion, which is my working definition of good boundaries.&lt;/p&gt;

&lt;p&gt;A normal day: my phone buzzes at 07:00 with a morning briefing my server composed on its own - calendar, mail, house status. On the train I ask the brain something I half-remember about a side project. Somewhere in a conversation - at work, or around a friend's business - someone describes a process that eats two months a year, and something clicks: I've seen this shape before, and my own stack is where I learned to recognize it. In the evening I open a session on a personal project, the agent asks memex where things stand, and we continue where I left off instead of starting over.&lt;/p&gt;

&lt;p&gt;That last part is the real change AI brought to my engineering life. Before, my evenings-and-weekends work was throwaway - too little time, too much re-explaining, projects abandoned at the setup stage. Now the setup &lt;em&gt;is&lt;/em&gt; remembered, the workflows are one command, and a one-person R&amp;amp;D department is a realistic thing to run before breakfast. Whatever judgment I have about AI tooling - what's actually worth deploying, where it breaks, what it costs - comes from running all of this myself, watching it fail on a Tuesday, and fixing it before work.&lt;/p&gt;

&lt;h2&gt;
  
  
  Takeaways
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;AI tools without memory waste your time at scale.&lt;/strong&gt; The re-explaining tax is invisible until you remove it; then it's obscene.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Retrieval and reasoning should be separate.&lt;/strong&gt; A brain that returns cited evidence works with any agent that speaks the protocol. A chatbot works with nothing but itself.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Small infrastructure is a superpower.&lt;/strong&gt; One ARM box, one managed Postgres, one tunnel. Boring enough to never think about, which is the whole point of infrastructure.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Privacy is a spectrum you should place yourself on deliberately&lt;/strong&gt; - decide who you're defending against before you decide what to build or buy.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The repo is at &lt;a href="https://github.com/timurgaleev/memex" rel="noopener noreferrer"&gt;github.com/timurgaleev/memex&lt;/a&gt; - Terraform, docs, and every scar described above. If you build your own brain, or already run one, I genuinely want to hear how you solved the parts I got wrong. Eighty years after Vannevar Bush sketched the memex, the desk-sized memory machine is real, it costs less than a gym membership, and it fits in a &lt;code&gt;t4g.medium&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;What would yours remember?&lt;/p&gt;

</description>
      <category>ai</category>
      <category>aws</category>
      <category>programming</category>
      <category>aitools</category>
    </item>
    <item>
      <title>ECS vs EKS: When You DON'T Need Kubernetes - A Practical Guide to Choosing AWS Container Services</title>
      <dc:creator>Timur Galeev</dc:creator>
      <pubDate>Sun, 04 Jan 2026 16:20:58 +0000</pubDate>
      <link>https://dev.to/aws-builders/ecs-vs-eks-when-you-dont-need-kubernetes-a-practical-guide-to-choosing-aws-container-services-4dif</link>
      <guid>https://dev.to/aws-builders/ecs-vs-eks-when-you-dont-need-kubernetes-a-practical-guide-to-choosing-aws-container-services-4dif</guid>
      <description>&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;You know what? I see teams spinning up Kubernetes clusters for three microservices all the time. Then they spend two months figuring out pods, ingress controllers, and all that magic. And then they pay $70 per month just for three clusters in different regions, not counting the actual servers.&lt;/p&gt;

&lt;p&gt;Here's the honest truth: Kubernetes is a powerful tool but you don't always need it. Amazon ECS is a simpler alternative that handles most tasks faster and cheaper.&lt;/p&gt;

&lt;p&gt;In this article I'll show you:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;When ECS beats EKS (and saves you tons of money)&lt;/li&gt;
&lt;li&gt;Real scenarios with numbers and examples&lt;/li&gt;
&lt;li&gt;Ready-to-use code snippets for deploying to both platforms&lt;/li&gt;
&lt;li&gt;How to make the decision without headaches&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Let's dive in!&lt;/p&gt;

&lt;h2&gt;
  
  
  Quick Comparison: ECS vs EKS
&lt;/h2&gt;

&lt;p&gt;First let's look at the main differences in a simple table:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Feature&lt;/th&gt;
&lt;th&gt;AWS ECS&lt;/th&gt;
&lt;th&gt;AWS EKS&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Cluster Cost&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;$0&lt;/td&gt;
&lt;td&gt;$0.10/hour (~$70/month)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Setup Complexity&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Low (2-4 hours)&lt;/td&gt;
&lt;td&gt;High (1-2 days)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Learning Curve&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Few days&lt;/td&gt;
&lt;td&gt;Several weeks&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Management&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;AWS Console/CLI&lt;/td&gt;
&lt;td&gt;kubectl + AWS Console&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Ecosystem&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;AWS services&lt;/td&gt;
&lt;td&gt;Entire Kubernetes world&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Portability&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;AWS only&lt;/td&gt;
&lt;td&gt;Any cloud/on-prem&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Updates&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Automatic&lt;/td&gt;
&lt;td&gt;Manual (control plane)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Best For&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;1-10 services&lt;/td&gt;
&lt;td&gt;10-100+ services&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;
  
  
  Architecture: How It Works
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;ECS Architecture:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Your Application
    ↓
Docker Image (you need this!)
    ↓
Task Definition (container description)
    ↓
ECS Service (manages launch)
    ↓
EC2 or Fargate (where it runs)
    ↓
Container running
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;EKS Architecture:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Your Application
    ↓
Docker Image
    ↓
Kubernetes Pod specification
    ↓
Deployment/StatefulSet
    ↓
Kubernetes Control Plane ($$$)
    ↓
Worker Nodes
    ↓
Container in Pod
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;See the difference? ECS has two fewer steps and each one is easier to understand.&lt;/p&gt;

&lt;h2&gt;
  
  
  When ECS is Your Best Choice
&lt;/h2&gt;

&lt;p&gt;This is where it gets interesting. Many people think Kubernetes is always needed but that's not true. Let's break down real situations where ECS wins.&lt;/p&gt;

&lt;h3&gt;
  
  
  Scenario 1: Multi-Regional Deployment (3-5 Services)
&lt;/h3&gt;

&lt;p&gt;Imagine: you have a simple API and a couple supporting services. You need to deploy them in three regions - Europe, Asia, USA. For redundancy, you know.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;With EKS you pay:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Europe cluster: $70/month&lt;/li&gt;
&lt;li&gt;Asia cluster: $70/month&lt;/li&gt;
&lt;li&gt;USA cluster: $70/month&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Total: $210/month&lt;/strong&gt; just for the right to run containers&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;With ECS you pay:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Cluster is free: $0&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Total: $0&lt;/strong&gt; for management&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In other words, &lt;strong&gt;save $2,520 per year&lt;/strong&gt; just on the control plane! And you still gotta pay for the actual servers.&lt;/p&gt;

&lt;h4&gt;
  
  
  Real Example
&lt;/h4&gt;

&lt;p&gt;I had a project - e-commerce backend. Five services:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;API Gateway (Node.js)&lt;/li&gt;
&lt;li&gt;Order Service (Python)&lt;/li&gt;
&lt;li&gt;Payment Service (Go)&lt;/li&gt;
&lt;li&gt;Notification Service (Node.js)&lt;/li&gt;
&lt;li&gt;Analytics Worker (Python)&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Each service needed a Docker image. Here's a simple Dockerfile example for the Node.js API:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight docker"&gt;&lt;code&gt;&lt;span class="c"&gt;# Dockerfile for API Gateway&lt;/span&gt;
&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="s"&gt; node:18-alpine&lt;/span&gt;

&lt;span class="k"&gt;WORKDIR&lt;/span&gt;&lt;span class="s"&gt; /app&lt;/span&gt;

&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; package*.json ./&lt;/span&gt;
&lt;span class="k"&gt;RUN &lt;/span&gt;npm &lt;span class="nb"&gt;install&lt;/span&gt; &lt;span class="nt"&gt;--production&lt;/span&gt;

&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; . .&lt;/span&gt;

&lt;span class="k"&gt;EXPOSE&lt;/span&gt;&lt;span class="s"&gt; 3000&lt;/span&gt;
&lt;span class="k"&gt;CMD&lt;/span&gt;&lt;span class="s"&gt; ["node", "server.js"]&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We deployed across three regions using ECS Fargate. &lt;strong&gt;Setup time: 4 hours&lt;/strong&gt; including Terraform code. If we'd done it with EKS - that's minimum a week with Helm charts, ingress controllers and all that kitchen.&lt;/p&gt;

&lt;p&gt;Here's how we defined the task in ECS (simplified):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight hcl"&gt;&lt;code&gt;&lt;span class="c1"&gt;# ECS Task Definition - just the container part&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_ecs_task_definition"&lt;/span&gt; &lt;span class="s2"&gt;"api_gateway"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;family&lt;/span&gt;                   &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"api-gateway"&lt;/span&gt;
  &lt;span class="nx"&gt;network_mode&lt;/span&gt;             &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"awsvpc"&lt;/span&gt;
  &lt;span class="nx"&gt;requires_compatibilities&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"FARGATE"&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
  &lt;span class="nx"&gt;cpu&lt;/span&gt;                      &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"256"&lt;/span&gt;
  &lt;span class="nx"&gt;memory&lt;/span&gt;                   &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"512"&lt;/span&gt;

  &lt;span class="nx"&gt;container_definitions&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;jsonencode&lt;/span&gt;&lt;span class="p"&gt;([{&lt;/span&gt;
    &lt;span class="nx"&gt;name&lt;/span&gt;      &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"api"&lt;/span&gt;
    &lt;span class="nx"&gt;image&lt;/span&gt;     &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"123456789.dkr.ecr.us-east-1.amazonaws.com/api-gateway:latest"&lt;/span&gt;
    &lt;span class="nx"&gt;essential&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;

    &lt;span class="nx"&gt;portMappings&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[{&lt;/span&gt;
      &lt;span class="nx"&gt;containerPort&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;3000&lt;/span&gt;
      &lt;span class="nx"&gt;protocol&lt;/span&gt;      &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"tcp"&lt;/span&gt;
    &lt;span class="p"&gt;}]&lt;/span&gt;

    &lt;span class="nx"&gt;environment&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;
      &lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="nx"&gt;name&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"NODE_ENV"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;value&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"production"&lt;/span&gt; &lt;span class="p"&gt;},&lt;/span&gt;
      &lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="nx"&gt;name&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"PORT"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;value&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"3000"&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="p"&gt;]&lt;/span&gt;
  &lt;span class="p"&gt;}])&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Compare this to Kubernetes - you'd need Deployment YAML, Service YAML, maybe Ingress, ConfigMaps... it adds up.&lt;/p&gt;

&lt;h3&gt;
  
  
  Scenario 2: Quick Start and Simplicity
&lt;/h3&gt;

&lt;p&gt;You're a startup. You have an MVP that needs to ship yesterday. Team of three people nobody knows Kubernetes deeply.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;ECS gives you:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Launch in couple hours (not days!)&lt;/li&gt;
&lt;li&gt;AWS integration out of the box&lt;/li&gt;
&lt;li&gt;No need to hire Kubernetes expert&lt;/li&gt;
&lt;li&gt;Less moving parts = less things break&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Look I'm not saying Kubernetes is bad. It's awesome! But do you need it when you just wanna run a container? It's like buying a truck to get bread from the store.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Time to learn:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;ECS: 2-3 days to work comfortably&lt;/li&gt;
&lt;li&gt;EKS: 2-3 weeks minimum (or even a month)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Here's a complete minimal ECS setup with Terraform:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight hcl"&gt;&lt;code&gt;&lt;span class="c1"&gt;# Minimal ECS cluster&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_ecs_cluster"&lt;/span&gt; &lt;span class="s2"&gt;"main"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;name&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"my-app-cluster"&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="c1"&gt;# ECS Service - runs 2 copies of your container&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_ecs_service"&lt;/span&gt; &lt;span class="s2"&gt;"app"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;name&lt;/span&gt;            &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"my-app"&lt;/span&gt;
  &lt;span class="nx"&gt;cluster&lt;/span&gt;         &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_ecs_cluster&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;main&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;id&lt;/span&gt;
  &lt;span class="nx"&gt;task_definition&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_ecs_task_definition&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;api_gateway&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;arn&lt;/span&gt;
  &lt;span class="nx"&gt;desired_count&lt;/span&gt;   &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;2&lt;/span&gt;
  &lt;span class="nx"&gt;launch_type&lt;/span&gt;     &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"FARGATE"&lt;/span&gt;

  &lt;span class="nx"&gt;network_configuration&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="nx"&gt;subnets&lt;/span&gt;          &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"subnet-xxx"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;"subnet-yyy"&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
    &lt;span class="nx"&gt;security_groups&lt;/span&gt;  &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"sg-xxx"&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
    &lt;span class="nx"&gt;assign_public_ip&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That's it! No Helm, no kubectl, no YAML soup.&lt;/p&gt;

&lt;h3&gt;
  
  
  Scenario 3: AWS-Native Project
&lt;/h3&gt;

&lt;p&gt;Your project is fully in AWS:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Database - RDS&lt;/li&gt;
&lt;li&gt;Files - S3&lt;/li&gt;
&lt;li&gt;Queues - SQS&lt;/li&gt;
&lt;li&gt;Cache - ElastiCache&lt;/li&gt;
&lt;li&gt;Logs - CloudWatch&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Why Kubernetes here? ECS integrates with these services &lt;strong&gt;natively&lt;/strong&gt; and simpler.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Example - S3 access:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;ECS Task Role (simple):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"Version"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"2012-10-17"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"Statement"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"Effect"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"Allow"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"Action"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"s3:*"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"Resource"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"arn:aws:s3:::my-bucket/*"&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;}]&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Attach the role to Task Definition - done.&lt;/p&gt;

&lt;p&gt;In EKS you do the same through IRSA (IAM Roles for Service Accounts):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Setup OIDC provider&lt;/li&gt;
&lt;li&gt;Create ServiceAccount in Kubernetes&lt;/li&gt;
&lt;li&gt;Link with IAM role&lt;/li&gt;
&lt;li&gt;Annotate the pod&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;More steps = more places to mess up.&lt;/p&gt;

&lt;h2&gt;
  
  
  When EKS Becomes Necessary
&lt;/h2&gt;

&lt;p&gt;Alright enough praising ECS. Let's be honest - there are situations where EKS is really better.&lt;/p&gt;

&lt;h3&gt;
  
  
  Scenario 1: Large Microservices Architecture (20+ Services)
&lt;/h3&gt;

&lt;p&gt;When you have 20, 30, 50 microservices - that's different math.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why EKS wins:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;$70 per cluster is fixed price (whether 5 services or 50)&lt;/li&gt;
&lt;li&gt;Kubernetes scales complexity better&lt;/li&gt;
&lt;li&gt;Ecosystem: Helm, Operators, service mesh (Istio, Linkerd)&lt;/li&gt;
&lt;li&gt;Centralized management of all services&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Cost example:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;With 30 services in one region:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;ECS: 30 separate ECS Services = lots of config hard to manage&lt;/li&gt;
&lt;li&gt;EKS: One cluster all services in namespaces manage through GitOps&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Here $70/month pays for convenience.&lt;/p&gt;

&lt;p&gt;A typical Kubernetes deployment:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="c1"&gt;# Kubernetes Deployment - simpler at scale&lt;/span&gt;
&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;apps/v1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Deployment&lt;/span&gt;
&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;api-gateway&lt;/span&gt;
  &lt;span class="na"&gt;namespace&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;production&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;replicas&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;3&lt;/span&gt;
  &lt;span class="na"&gt;selector&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;matchLabels&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;app&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;api-gateway&lt;/span&gt;
  &lt;span class="na"&gt;template&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;labels&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="na"&gt;app&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;api-gateway&lt;/span&gt;
    &lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;containers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;api&lt;/span&gt;
        &lt;span class="na"&gt;image&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;my-registry/api-gateway:v1.2.3&lt;/span&gt;
        &lt;span class="na"&gt;ports&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;containerPort&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;3000&lt;/span&gt;
        &lt;span class="na"&gt;resources&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;requests&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;memory&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;512Mi"&lt;/span&gt;
            &lt;span class="na"&gt;cpu&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;250m"&lt;/span&gt;
          &lt;span class="na"&gt;limits&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;memory&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;512Mi"&lt;/span&gt;
            &lt;span class="na"&gt;cpu&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;250m"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;With Kubernetes you get built-in health checks, rolling updates, easy rollbacks.&lt;/p&gt;

&lt;h3&gt;
  
  
  Scenario 2: Multi-Cloud or Hybrid Infrastructure
&lt;/h3&gt;

&lt;p&gt;Your company wants:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Work in AWS and GCP simultaneously&lt;/li&gt;
&lt;li&gt;Keep some workloads on-premise&lt;/li&gt;
&lt;li&gt;Have ability to migrate between clouds&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;EKS (Kubernetes) gives portability:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Same YAML manifests work everywhere&lt;/li&gt;
&lt;li&gt;Can move applications between clouds&lt;/li&gt;
&lt;li&gt;Standardization across all infra&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;ECS is AWS only. Can't move it anywhere. (ECS anywhere?! :) )&lt;/p&gt;

&lt;h3&gt;
  
  
  Scenario 3: Advanced Features
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;GPU workloads for ML/AI:&lt;/strong&gt; EKS supports GPU nodes out of the box + all tooling like Kubeflow.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Complex networking policies:&lt;/strong&gt; Network Policies in Kubernetes give precise traffic control between pods.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="c1"&gt;# Network Policy example&lt;/span&gt;
&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;networking.k8s.io/v1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;NetworkPolicy&lt;/span&gt;
&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;api-policy&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;podSelector&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;matchLabels&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;app&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;api-gateway&lt;/span&gt;
  &lt;span class="na"&gt;ingress&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;from&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;podSelector&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="na"&gt;matchLabels&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;app&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;frontend&lt;/span&gt;
    &lt;span class="na"&gt;ports&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;protocol&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;TCP&lt;/span&gt;
      &lt;span class="na"&gt;port&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;3000&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Stateful applications:&lt;/strong&gt; StatefulSets Persistent Volumes - all this works better in Kubernetes.&lt;/p&gt;

&lt;h2&gt;
  
  
  Practical Deployment Examples
&lt;/h2&gt;

&lt;p&gt;Enough theory let's get hands dirty. I'll show how to deploy a simple application to both ECS and EKS. Same application to compare.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Our application:&lt;/strong&gt; Nginx + simple Node.js API (both need Docker images)&lt;/p&gt;

&lt;h3&gt;
  
  
  Building Docker Images First
&lt;/h3&gt;

&lt;p&gt;Before deploying anywhere you need Docker images. Here's our setup:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight docker"&gt;&lt;code&gt;&lt;span class="c"&gt;# Dockerfile for our Node.js app&lt;/span&gt;
&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="s"&gt; node:18-alpine&lt;/span&gt;

&lt;span class="k"&gt;WORKDIR&lt;/span&gt;&lt;span class="s"&gt; /app&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; package*.json ./&lt;/span&gt;
&lt;span class="k"&gt;RUN &lt;/span&gt;npm ci &lt;span class="nt"&gt;--production&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; . .&lt;/span&gt;

&lt;span class="k"&gt;EXPOSE&lt;/span&gt;&lt;span class="s"&gt; 3000&lt;/span&gt;
&lt;span class="k"&gt;CMD&lt;/span&gt;&lt;span class="s"&gt; ["node", "index.js"]&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Build and push:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Build image&lt;/span&gt;
docker build &lt;span class="nt"&gt;-t&lt;/span&gt; my-app:latest &lt;span class="nb"&gt;.&lt;/span&gt;

&lt;span class="c"&gt;# Tag for ECR&lt;/span&gt;
docker tag my-app:latest 123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest

&lt;span class="c"&gt;# Push to ECR&lt;/span&gt;
aws ecr get-login-password &lt;span class="nt"&gt;--region&lt;/span&gt; us-east-1 | docker login &lt;span class="nt"&gt;--username&lt;/span&gt; AWS &lt;span class="nt"&gt;--password-stdin&lt;/span&gt; 123456789.dkr.ecr.us-east-1.amazonaws.com
docker push 123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  ECS Deployment with Terraform
&lt;/h3&gt;

&lt;p&gt;Let's start with the simpler one - ECS.&lt;/p&gt;

&lt;h4&gt;
  
  
  Step 1: VPC Setup
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight hcl"&gt;&lt;code&gt;&lt;span class="c1"&gt;# Create VPC for containers&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_vpc"&lt;/span&gt; &lt;span class="s2"&gt;"main"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;cidr_block&lt;/span&gt;           &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"10.0.0.0/16"&lt;/span&gt;
  &lt;span class="nx"&gt;enable_dns_hostnames&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
  &lt;span class="nx"&gt;enable_dns_support&lt;/span&gt;   &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="c1"&gt;# Public subnets&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_subnet"&lt;/span&gt; &lt;span class="s2"&gt;"public"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;count&lt;/span&gt;                   &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;2&lt;/span&gt;
  &lt;span class="nx"&gt;vpc_id&lt;/span&gt;                  &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_vpc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;main&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;id&lt;/span&gt;
  &lt;span class="nx"&gt;cidr_block&lt;/span&gt;              &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"10.0.${count.index}.0/24"&lt;/span&gt;
  &lt;span class="nx"&gt;availability_zone&lt;/span&gt;       &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;data&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;aws_availability_zones&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;available&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;names&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nx"&gt;count&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;index&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
  &lt;span class="nx"&gt;map_public_ip_on_launch&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="c1"&gt;# Internet Gateway&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_internet_gateway"&lt;/span&gt; &lt;span class="s2"&gt;"main"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;vpc_id&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_vpc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;main&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;id&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Step 2: ECS Cluster and Service
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight hcl"&gt;&lt;code&gt;&lt;span class="c1"&gt;# Create ECS cluster&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_ecs_cluster"&lt;/span&gt; &lt;span class="s2"&gt;"main"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;name&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"my-app-cluster"&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="c1"&gt;# Task Definition - describes your Docker container&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_ecs_task_definition"&lt;/span&gt; &lt;span class="s2"&gt;"app"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;family&lt;/span&gt;                   &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"my-app"&lt;/span&gt;
  &lt;span class="nx"&gt;network_mode&lt;/span&gt;             &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"awsvpc"&lt;/span&gt;
  &lt;span class="nx"&gt;requires_compatibilities&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"FARGATE"&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
  &lt;span class="nx"&gt;cpu&lt;/span&gt;                      &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"256"&lt;/span&gt;
  &lt;span class="nx"&gt;memory&lt;/span&gt;                   &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"512"&lt;/span&gt;

  &lt;span class="nx"&gt;execution_role_arn&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_iam_role&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;ecs_execution&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;arn&lt;/span&gt;
  &lt;span class="nx"&gt;task_role_arn&lt;/span&gt;      &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_iam_role&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;ecs_task&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;arn&lt;/span&gt;

  &lt;span class="nx"&gt;container_definitions&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;jsonencode&lt;/span&gt;&lt;span class="p"&gt;([{&lt;/span&gt;
    &lt;span class="nx"&gt;name&lt;/span&gt;      &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"app"&lt;/span&gt;
    &lt;span class="nx"&gt;image&lt;/span&gt;     &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest"&lt;/span&gt;
    &lt;span class="nx"&gt;essential&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;

    &lt;span class="nx"&gt;portMappings&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[{&lt;/span&gt;
      &lt;span class="nx"&gt;containerPort&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;3000&lt;/span&gt;
      &lt;span class="nx"&gt;protocol&lt;/span&gt;      &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"tcp"&lt;/span&gt;
    &lt;span class="p"&gt;}]&lt;/span&gt;

    &lt;span class="nx"&gt;logConfiguration&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
      &lt;span class="nx"&gt;logDriver&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"awslogs"&lt;/span&gt;
      &lt;span class="nx"&gt;options&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="s2"&gt;"awslogs-group"&lt;/span&gt;         &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"/ecs/my-app"&lt;/span&gt;
        &lt;span class="s2"&gt;"awslogs-region"&lt;/span&gt;        &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"us-east-1"&lt;/span&gt;
        &lt;span class="s2"&gt;"awslogs-stream-prefix"&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"app"&lt;/span&gt;
      &lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
  &lt;span class="p"&gt;}])&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="c1"&gt;# ECS Service - runs and maintains containers&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_ecs_service"&lt;/span&gt; &lt;span class="s2"&gt;"app"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;name&lt;/span&gt;            &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"my-app-service"&lt;/span&gt;
  &lt;span class="nx"&gt;cluster&lt;/span&gt;         &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_ecs_cluster&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;main&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;id&lt;/span&gt;
  &lt;span class="nx"&gt;task_definition&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_ecs_task_definition&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;app&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;arn&lt;/span&gt;
  &lt;span class="nx"&gt;desired_count&lt;/span&gt;   &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;2&lt;/span&gt;
  &lt;span class="nx"&gt;launch_type&lt;/span&gt;     &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"FARGATE"&lt;/span&gt;

  &lt;span class="nx"&gt;network_configuration&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="nx"&gt;subnets&lt;/span&gt;          &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_subnet&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;public&lt;/span&gt;&lt;span class="p"&gt;[*].&lt;/span&gt;&lt;span class="nx"&gt;id&lt;/span&gt;
    &lt;span class="nx"&gt;security_groups&lt;/span&gt;  &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nx"&gt;aws_security_group&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;ecs_tasks&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;id&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
    &lt;span class="nx"&gt;assign_public_ip&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Step 3: IAM Roles
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight hcl"&gt;&lt;code&gt;&lt;span class="c1"&gt;# Role for ECS to pull Docker images and write logs&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_iam_role"&lt;/span&gt; &lt;span class="s2"&gt;"ecs_execution"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;name&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"ecs-execution-role"&lt;/span&gt;

  &lt;span class="nx"&gt;assume_role_policy&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;jsonencode&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;
    &lt;span class="nx"&gt;Version&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"2012-10-17"&lt;/span&gt;
    &lt;span class="nx"&gt;Statement&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[{&lt;/span&gt;
      &lt;span class="nx"&gt;Action&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"sts:AssumeRole"&lt;/span&gt;
      &lt;span class="nx"&gt;Effect&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"Allow"&lt;/span&gt;
      &lt;span class="nx"&gt;Principal&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="nx"&gt;Service&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"ecs-tasks.amazonaws.com"&lt;/span&gt;
      &lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="p"&gt;}]&lt;/span&gt;
  &lt;span class="p"&gt;})&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_iam_role_policy_attachment"&lt;/span&gt; &lt;span class="s2"&gt;"ecs_execution_policy"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;role&lt;/span&gt;       &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_iam_role&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;ecs_execution&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;name&lt;/span&gt;
  &lt;span class="nx"&gt;policy_arn&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="c1"&gt;# Role for your application (e.g., S3 access)&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_iam_role"&lt;/span&gt; &lt;span class="s2"&gt;"ecs_task"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;name&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"ecs-task-role"&lt;/span&gt;

  &lt;span class="nx"&gt;assume_role_policy&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;jsonencode&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;
    &lt;span class="nx"&gt;Version&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"2012-10-17"&lt;/span&gt;
    &lt;span class="nx"&gt;Statement&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[{&lt;/span&gt;
      &lt;span class="nx"&gt;Action&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"sts:AssumeRole"&lt;/span&gt;
      &lt;span class="nx"&gt;Effect&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"Allow"&lt;/span&gt;
      &lt;span class="nx"&gt;Principal&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="nx"&gt;Service&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"ecs-tasks.amazonaws.com"&lt;/span&gt;
      &lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="p"&gt;}]&lt;/span&gt;
  &lt;span class="p"&gt;})&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Deploy It
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;terraform init
terraform plan
terraform apply
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Done!&lt;/strong&gt; Container is running.&lt;/p&gt;

&lt;h3&gt;
  
  
  EKS Deployment with Terraform
&lt;/h3&gt;

&lt;p&gt;Now the same thing but in EKS.&lt;/p&gt;

&lt;h4&gt;
  
  
  Step 1: EKS Cluster
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight hcl"&gt;&lt;code&gt;&lt;span class="c1"&gt;# EKS cluster&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_eks_cluster"&lt;/span&gt; &lt;span class="s2"&gt;"main"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;name&lt;/span&gt;     &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"my-eks-cluster"&lt;/span&gt;
  &lt;span class="nx"&gt;role_arn&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_iam_role&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;eks_cluster&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;arn&lt;/span&gt;
  &lt;span class="nx"&gt;version&lt;/span&gt;  &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"1.28"&lt;/span&gt;

  &lt;span class="nx"&gt;vpc_config&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="nx"&gt;subnet_ids&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;concat&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;aws_subnet&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;public&lt;/span&gt;&lt;span class="p"&gt;[*].&lt;/span&gt;&lt;span class="nx"&gt;id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;aws_subnet&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;private&lt;/span&gt;&lt;span class="p"&gt;[*].&lt;/span&gt;&lt;span class="nx"&gt;id&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="c1"&gt;# Worker nodes&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_eks_node_group"&lt;/span&gt; &lt;span class="s2"&gt;"main"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;cluster_name&lt;/span&gt;    &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_eks_cluster&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;main&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;name&lt;/span&gt;
  &lt;span class="nx"&gt;node_group_name&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"main-nodes"&lt;/span&gt;
  &lt;span class="nx"&gt;node_role_arn&lt;/span&gt;   &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_iam_role&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;eks_node&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;arn&lt;/span&gt;
  &lt;span class="nx"&gt;subnet_ids&lt;/span&gt;      &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_subnet&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;private&lt;/span&gt;&lt;span class="p"&gt;[*].&lt;/span&gt;&lt;span class="nx"&gt;id&lt;/span&gt;

  &lt;span class="nx"&gt;scaling_config&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="nx"&gt;desired_size&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;2&lt;/span&gt;
    &lt;span class="nx"&gt;max_size&lt;/span&gt;     &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;4&lt;/span&gt;
    &lt;span class="nx"&gt;min_size&lt;/span&gt;     &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;1&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;

  &lt;span class="nx"&gt;instance_types&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"t3.medium"&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Step 2: IAM for EKS
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight hcl"&gt;&lt;code&gt;&lt;span class="c1"&gt;# Cluster role&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_iam_role"&lt;/span&gt; &lt;span class="s2"&gt;"eks_cluster"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;name&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"eks-cluster-role"&lt;/span&gt;

  &lt;span class="nx"&gt;assume_role_policy&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;jsonencode&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;
    &lt;span class="nx"&gt;Version&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"2012-10-17"&lt;/span&gt;
    &lt;span class="nx"&gt;Statement&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[{&lt;/span&gt;
      &lt;span class="nx"&gt;Action&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"sts:AssumeRole"&lt;/span&gt;
      &lt;span class="nx"&gt;Effect&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"Allow"&lt;/span&gt;
      &lt;span class="nx"&gt;Principal&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="nx"&gt;Service&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"eks.amazonaws.com"&lt;/span&gt;
      &lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="p"&gt;}]&lt;/span&gt;
  &lt;span class="p"&gt;})&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_iam_role_policy_attachment"&lt;/span&gt; &lt;span class="s2"&gt;"eks_cluster_policy"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;policy_arn&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"&lt;/span&gt;
  &lt;span class="nx"&gt;role&lt;/span&gt;       &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_iam_role&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;eks_cluster&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;name&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="c1"&gt;# Node role&lt;/span&gt;
&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_iam_role"&lt;/span&gt; &lt;span class="s2"&gt;"eks_node"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;name&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"eks-node-role"&lt;/span&gt;

  &lt;span class="nx"&gt;assume_role_policy&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;jsonencode&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;
    &lt;span class="nx"&gt;Version&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"2012-10-17"&lt;/span&gt;
    &lt;span class="nx"&gt;Statement&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[{&lt;/span&gt;
      &lt;span class="nx"&gt;Action&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"sts:AssumeRole"&lt;/span&gt;
      &lt;span class="nx"&gt;Effect&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"Allow"&lt;/span&gt;
      &lt;span class="nx"&gt;Principal&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="nx"&gt;Service&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"ec2.amazonaws.com"&lt;/span&gt;
      &lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="p"&gt;}]&lt;/span&gt;
  &lt;span class="p"&gt;})&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_iam_role_policy_attachment"&lt;/span&gt; &lt;span class="s2"&gt;"eks_worker_node"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;policy_arn&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"&lt;/span&gt;
  &lt;span class="nx"&gt;role&lt;/span&gt;       &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_iam_role&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;eks_node&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;name&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_iam_role_policy_attachment"&lt;/span&gt; &lt;span class="s2"&gt;"eks_cni"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;policy_arn&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"&lt;/span&gt;
  &lt;span class="nx"&gt;role&lt;/span&gt;       &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;aws_iam_role&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;eks_node&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;name&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Step 3: Kubernetes Manifests
&lt;/h4&gt;

&lt;p&gt;After cluster is created deploy application with kubectl:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="c1"&gt;# deployment.yaml&lt;/span&gt;
&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;apps/v1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Deployment&lt;/span&gt;
&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;my-app&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;replicas&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;2&lt;/span&gt;
  &lt;span class="na"&gt;selector&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;matchLabels&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;app&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;my-app&lt;/span&gt;
  &lt;span class="na"&gt;template&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;labels&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="na"&gt;app&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;my-app&lt;/span&gt;
    &lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;containers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;app&lt;/span&gt;
        &lt;span class="na"&gt;image&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest&lt;/span&gt;
        &lt;span class="na"&gt;ports&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;containerPort&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;3000&lt;/span&gt;
        &lt;span class="na"&gt;resources&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;requests&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;memory&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;512Mi"&lt;/span&gt;
            &lt;span class="na"&gt;cpu&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;250m"&lt;/span&gt;
          &lt;span class="na"&gt;limits&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;memory&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;512Mi"&lt;/span&gt;
            &lt;span class="na"&gt;cpu&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;250m"&lt;/span&gt;
&lt;span class="nn"&gt;---&lt;/span&gt;
&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;v1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Service&lt;/span&gt;
&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;my-app-service&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;LoadBalancer&lt;/span&gt;
  &lt;span class="na"&gt;selector&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;app&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;my-app&lt;/span&gt;
  &lt;span class="na"&gt;ports&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;port&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;80&lt;/span&gt;
    &lt;span class="na"&gt;targetPort&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;3000&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Deploy It
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# 1. Apply Terraform&lt;/span&gt;
terraform init
terraform apply

&lt;span class="c"&gt;# 2. Configure kubectl&lt;/span&gt;
aws eks update-kubeconfig &lt;span class="nt"&gt;--name&lt;/span&gt; my-eks-cluster &lt;span class="nt"&gt;--region&lt;/span&gt; us-east-1

&lt;span class="c"&gt;# 3. Check nodes&lt;/span&gt;
kubectl get nodes

&lt;span class="c"&gt;# 4. Deploy application&lt;/span&gt;
kubectl apply &lt;span class="nt"&gt;-f&lt;/span&gt; deployment.yaml

&lt;span class="c"&gt;# 5. Check status&lt;/span&gt;
kubectl get pods
kubectl get svc
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Difference:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;ECS: one terraform apply and done&lt;/li&gt;
&lt;li&gt;EKS: terraform apply + kubectl commands + wait for everything to come up&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Complexity Comparison
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Action&lt;/th&gt;
&lt;th&gt;ECS&lt;/th&gt;
&lt;th&gt;EKS&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Config files&lt;/td&gt;
&lt;td&gt;3-4 Terraform files&lt;/td&gt;
&lt;td&gt;4-5 Terraform + YAML manifests&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;First deploy time&lt;/td&gt;
&lt;td&gt;5-7 minutes&lt;/td&gt;
&lt;td&gt;15-20 minutes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Commands to run&lt;/td&gt;
&lt;td&gt;2 (init apply)&lt;/td&gt;
&lt;td&gt;5+ (terraform + kubectl)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Need to know&lt;/td&gt;
&lt;td&gt;AWS Terraform Docker&lt;/td&gt;
&lt;td&gt;AWS Terraform Kubernetes kubectl Docker&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Real Cases and Economics
&lt;/h2&gt;

&lt;p&gt;Let's calculate concrete numbers for typical scenarios.&lt;/p&gt;

&lt;h3&gt;
  
  
  Case 1: Startup with 5 Microservices in 3 Regions
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;5 services (API Workers Background Jobs)&lt;/li&gt;
&lt;li&gt;3 regions: US EU Asia&lt;/li&gt;
&lt;li&gt;2 instances each service&lt;/li&gt;
&lt;li&gt;All need Docker images built and stored in ECR&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;ECS Fargate:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Cluster cost: $0
ECR storage: ~$5/month (for Docker images)
Compute (Fargate):
  - 5 services × 2 instances × 3 regions = 30 tasks
  - Each task: 0.25 vCPU 512 MB
  - $0.04048/hour per vCPU $0.004445/hour per GB
  - (~0.25 × $0.04048 + 0.5 × $0.004445) × 730 hours = ~$9/task/month
  - 30 tasks × $9 = $270/month

Total: ~$275/month
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;EKS:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Cluster cost: $70 × 3 regions = $210/month
ECR storage: ~$5/month (same Docker images)
Compute (EC2 nodes):
  - Minimum 2× t3.medium per region = 6 instances
  - t3.medium = $0.0416/hour × 730 = ~$30/month
  - 6 × $30 = $180/month

Total: $210 + $5 + $180 = $395/month
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Savings with ECS: $120/month or $1440/year&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Plus with ECS you don't pay DevOps engineer to manage Kubernetes :)&lt;/p&gt;

&lt;h3&gt;
  
  
  Case 2: Large Project with 30 Services in 1 Region
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;ECS:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Cluster: $0
Management: 30 separate ECS Services (hard to manage!)
Compute: depends on load
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;EKS:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Cluster: $70/month
Management: One namespace GitOps Helm (easier!)
Compute: same + better resource utilization
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Here EKS wins on management convenience. $70 pays for itself.&lt;/p&gt;

&lt;h3&gt;
  
  
  Time for Setup and Maintenance
&lt;/h3&gt;

&lt;p&gt;Real numbers from my experience:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Initial setup:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;ECS: 4 hours (Terraform + tests + Docker builds)&lt;/li&gt;
&lt;li&gt;EKS: 2 days (cluster + addons + monitoring setup + Docker builds)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Weekly maintenance:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;ECS: ~30 minutes (check logs updates)&lt;/li&gt;
&lt;li&gt;EKS: ~2 hours (updates cluster checks monitoring)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Platform updates:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;ECS: automatic&lt;/li&gt;
&lt;li&gt;EKS: need to update control plane once a year (takes half a day with tests)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Decision Checklist: What to Choose?
&lt;/h2&gt;

&lt;p&gt;So here's a simple flowchart for decision making:&lt;/p&gt;

&lt;h3&gt;
  
  
  Choose ECS if:
&lt;/h3&gt;

&lt;p&gt;✅ You have less than 10-15 microservices&lt;br&gt;
✅ Project is AWS only (no multi-cloud plans)&lt;br&gt;
✅ Team doesn't know Kubernetes (and doesn't want to learn)&lt;br&gt;
✅ Need to launch quickly (MVP startup)&lt;br&gt;
✅ Budget is limited&lt;br&gt;
✅ Simple application without complex dependencies&lt;br&gt;
✅ Multi-regional deploy (save on clusters)&lt;br&gt;
✅ Comfortable with Docker basics&lt;/p&gt;

&lt;h3&gt;
  
  
  Choose EKS if:
&lt;/h3&gt;

&lt;p&gt;✅ More than 20+ microservices&lt;br&gt;
✅ Need portability (multi-cloud hybrid)&lt;br&gt;
✅ Team knows Kubernetes&lt;br&gt;
✅ Need advanced features (service mesh operators)&lt;br&gt;
✅ GPU workloads for ML/AI&lt;br&gt;
✅ Already using Kubernetes elsewhere&lt;br&gt;
✅ Complex microservices architecture&lt;br&gt;
✅ Want access to Kubernetes ecosystem&lt;/p&gt;

&lt;h3&gt;
  
  
  Middle Ground
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;You can start with ECS and migrate later!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Many companies do this:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Start on ECS (fast and cheap)&lt;/li&gt;
&lt;li&gt;Grow to 15-20 services&lt;/li&gt;
&lt;li&gt;Kubernetes developers join the team&lt;/li&gt;
&lt;li&gt;Gradually migrate to EKS&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This is normal evolution. Don't go Kubernetes just "because it's cool".&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusions
&lt;/h2&gt;

&lt;p&gt;Here's what's important to remember:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;ECS is not a "second-rate" option.&lt;/strong&gt; It's a full-fledged solution that handles many tasks excellently. Yes EKS is more powerful in capabilities but most projects simply don't need those capabilities.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Main ECS advantages:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Free control plane (save $70-210+ per month)&lt;/li&gt;
&lt;li&gt;Simplicity and launch speed&lt;/li&gt;
&lt;li&gt;Less operational overhead&lt;/li&gt;
&lt;li&gt;Native AWS integration&lt;/li&gt;
&lt;li&gt;Perfect for multi-regional deployment of small services&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;When EKS is really needed:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Large scale (20+ services)&lt;/li&gt;
&lt;li&gt;Code portability&lt;/li&gt;
&lt;li&gt;Advanced Kubernetes features&lt;/li&gt;
&lt;li&gt;Already have expertise in team&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;My advice:&lt;/strong&gt; Don't chase the hype. Start with ECS if the task allows. Save time money and nerves. And when you really grow into Kubernetes - then migrate.&lt;/p&gt;

&lt;p&gt;Kubernetes is like a Ferrari - cool car but for a trip to the store a regular Toyota works fine. And uses less gas 😄&lt;/p&gt;

&lt;h2&gt;
  
  
  Final Thoughts
&lt;/h2&gt;

&lt;p&gt;The choice between ECS and EKS isn't about "better" or "worse" - it's about &lt;strong&gt;right tool for the job&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Start simple. ECS lets you ship fast without the Kubernetes learning curve. Your Docker skills transfer directly. AWS handles the orchestration.&lt;/p&gt;

&lt;p&gt;As you grow, reassess. When you hit 15-20 services or need multi-cloud, EKS makes sense. But many successful companies run production on ECS for years.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Remember:&lt;/strong&gt; Complexity is a cost. Every abstraction layer you add costs time money and mental overhead. Sometimes the best architecture is the simplest one that works.&lt;/p&gt;

&lt;p&gt;Both platforms use Docker. Both run containers. Both scale. The question is: how much complexity do you actually need?&lt;/p&gt;

&lt;p&gt;Choose wisely!&lt;/p&gt;




&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/blogs/containers/amazon-ecs-vs-amazon-eks-making-sense-of-aws-container-services/" rel="noopener noreferrer"&gt;AWS Official: ECS vs EKS&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.aws.amazon.com/ecs/" rel="noopener noreferrer"&gt;Amazon ECS Documentation&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.aws.amazon.com/eks/" rel="noopener noreferrer"&gt;Amazon EKS Documentation&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://registry.terraform.io/modules/terraform-aws-modules/ecs/aws/latest" rel="noopener noreferrer"&gt;Terraform AWS ECS Module&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest" rel="noopener noreferrer"&gt;Terraform AWS EKS Module&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://blog.1byte.com/ecs-vs-eks/" rel="noopener noreferrer"&gt;ECS vs EKS 2025 Comparison&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.perfectscale.io/blog/eks-vs-ecs" rel="noopener noreferrer"&gt;AWS Container Services Guide&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>architecture</category>
      <category>aws</category>
      <category>devops</category>
      <category>kubernetes</category>
    </item>
    <item>
      <title>Building an AI-Optimized Platform on Amazon EKS with NVIDIA NIM and OpenAI Models</title>
      <dc:creator>Timur Galeev</dc:creator>
      <pubDate>Wed, 18 Dec 2024 22:46:10 +0000</pubDate>
      <link>https://dev.to/aws-builders/building-an-ai-optimized-platform-on-amazon-eks-with-nvidia-nim-and-openai-models-4lbl</link>
      <guid>https://dev.to/aws-builders/building-an-ai-optimized-platform-on-amazon-eks-with-nvidia-nim-and-openai-models-4lbl</guid>
      <description>&lt;h3&gt;
  
  
  Introduction
&lt;/h3&gt;

&lt;p&gt;The rise of artificial intelligence (AI) has brought about an unprecedented demand for infrastructure that can handle large-scale computations, support GPU acceleration, and provide scalable, flexible management of workloads. Kubernetes has emerged as a leading platform for orchestrating these workloads, and Amazon Elastic Kubernetes Service (EKS) extends Kubernetes’ capabilities by simplifying deployment and scaling in the cloud.&lt;/p&gt;

&lt;p&gt;NVIDIA Infrastructure Manager (NIM) complements Kubernetes by optimizing GPU workloads, a critical need for training large language models (LLMs), computer vision, and other computationally intensive AI tasks. Additionally, OpenAI models can be integrated into this ecosystem to unlock cutting-edge AI capabilities, such as text generation, image recognition, and decision-making systems.&lt;/p&gt;

&lt;p&gt;This article provides an in-depth guide to building a complete AI platform using EKS, NVIDIA NIM, and OpenAI models, with Terraform automating the deployment. Whether you are an AI researcher or a business looking to adopt AI, this guide outlines how to build a robust and scalable platform. Complete code for this setup is available on GitHub &lt;a href="https://github.com/timurgaleev/eks-nim-llm-openai" rel="noopener noreferrer"&gt;https://github.com/timurgaleev/eks-nim-llm-openai&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why Choose NVIDIA NIM and EKS for AI Workloads?
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Challenges of AI Workloads&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;AI applications, especially those involving LLMs, have unique challenges:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;GPU Resource Management:&lt;/strong&gt; Training and inference rely on GPUs, which are scarce and expensive resources. Efficient allocation and monitoring are crucial.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Scalability:&lt;/strong&gt; AI workloads often need to scale dynamically based on user demand or data processing requirements.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Storage for Large Datasets:&lt;/strong&gt; AI models and datasets can require hundreds of gigabytes, necessitating persistent, shared, and scalable storage.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Observability:&lt;/strong&gt; Monitoring system performance, especially GPU utilization and latency, is essential for optimizing workloads.&lt;/p&gt;

&lt;h3&gt;
  
  
  NVIDIA NIM: A Solution for GPU Workloads
&lt;/h3&gt;

&lt;p&gt;NVIDIA NIM addresses these challenges by providing:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;GPU Scheduling:&lt;/strong&gt; Maximizes GPU usage across workloads.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Integration with Kubernetes:&lt;/strong&gt; Leverages Kubernetes to manage pods, jobs, and resources efficiently.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AI Model Management:&lt;/strong&gt; Simplifies deployment and scaling of AI models with Helm charts and Kubernetes CRDs (Custom Resource Definitions).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Support for Persistent Storage:&lt;/strong&gt; Integrates with shared storage solutions like AWS EFS for storing datasets and models.&lt;/p&gt;

&lt;h3&gt;
  
  
  Amazon EKS: A Scalable Kubernetes Solution
&lt;/h3&gt;

&lt;p&gt;Amazon EKS adds value by:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Managed Kubernetes:&lt;/strong&gt; Reduces operational overhead by handling Kubernetes cluster setup, updates, and management.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Elastic Compute Integration:&lt;/strong&gt; Dynamically provisions GPU-enabled instances, such as &lt;code&gt;g4dn&lt;/code&gt; and &lt;code&gt;p4d&lt;/code&gt;, to handle AI workloads. Ensure that your AWS account has sufficient quotas and availability for these instance types to avoid provisioning issues.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Built-in Security:&lt;/strong&gt; Integrates with AWS IAM and VPC for secure access and network segmentation.&lt;/p&gt;

&lt;p&gt;Together, NVIDIA NIM and Amazon EKS create a powerful platform for AI model training, inference, and experimentation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Architecture Overview
&lt;/h2&gt;

&lt;p&gt;The platform architecture integrates NVIDIA NIM and OpenAI models into an EKS cluster, combining compute, storage, and monitoring components.&lt;/p&gt;

&lt;h3&gt;
  
  
  Key Components
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;EKS Cluster:&lt;/strong&gt; Manages Kubernetes workloads and scales GPU-enabled nodes.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Karpenter:&lt;/strong&gt; Dynamically provisions and scales nodes (CPU and GPU) based on workload demands, optimizing resource utilization and cost.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;GPU Node Groups:&lt;/strong&gt; Nodes equipped with NVIDIA GPUs for ML and AI inference tasks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;NVIDIA NIM:&lt;/strong&gt; Deploys GPU workloads, manages AI pipelines, and integrates with Kubernetes.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;OpenAI Web UI:&lt;/strong&gt; Provides a user-friendly interface for interacting with AI models.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Persistent Storage:&lt;/strong&gt; AWS EFS supports shared storage for datasets and models.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Observability Tools:&lt;/strong&gt; Prometheus and Grafana offer real-time monitoring of system metrics, including GPU utilization and pod performance.&lt;/p&gt;

&lt;h2&gt;
  
  
  Deployment Guide
&lt;/h2&gt;

&lt;p&gt;This guide provides step-by-step instructions to deploy the architecture using Terraform. While the focus is on essential components like EKS, GPU workloads, and observability, we skip detailed VPC configuration to allow flexibility based on your specific requirements.&lt;/p&gt;

&lt;p&gt;For a VPC example that fits this deployment, refer to the repository: &lt;a href="https://github.com/timurgaleev/eks-nim-llm-openai" rel="noopener noreferrer"&gt;https://github.com/timurgaleev/eks-nim-llm-openai&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 1: Provisioning the EKS Cluster
&lt;/h3&gt;

&lt;p&gt;Provisioning an Amazon EKS cluster is the foundation for Kubernetes workloads. Below is the EKS Cluster Configuration with key highlights to focus on scalability, system add-ons, and Karpenter integration.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;EKS Cluster Configuration&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~&amp;gt; 19.15"

  cluster_name                   = local.name
  cluster_version                = var.eks_cluster_version
  cluster_endpoint_public_access = true

  vpc_id     = module.vpc.vpc_id
  subnet_ids = compact([
    for subnet_id, cidr_block in zipmap(module.vpc.private_subnets, module.vpc.private_subnets_cidr_blocks) :
    substr(cidr_block, 0, 4) == "100." ? subnet_id : null
  ])

  manage_aws_auth_configmap = true
  aws_auth_roles = [
    {
      rolearn  = module.eks_blueprints_addons.karpenter.node_iam_role_arn
      username = "system:node:{{EC2PrivateDNSName}}"
      groups = [
        "system:bootstrappers",
        "system:nodes"
      ]
    }
  ]

  eks_managed_node_group_defaults = {
    iam_role_additional_policies = {
      AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
    }
    ebs_optimized = true
    block_device_mappings = {
      xvda = {
        device_name = "/dev/xvda"
        ebs = {
          volume_size = 100
          volume_type = "gp3"
        }
      }
    }
  }

  eks_managed_node_groups = {
    core_node_group = {
      name            = "core-node-group"
      description     = "EKS Core node group for hosting system add-ons"
      subnet_ids      = compact([
        for subnet_id, cidr_block in zipmap(module.vpc.private_subnets, module.vpc.private_subnets_cidr_blocks) :
        substr(cidr_block, 0, 4) == "100." ? subnet_id : null
      ])
      ami_type        = "AL2_x86_64"
      instance_types  = ["m5.xlarge"]
      capacity_type   = "SPOT"
      desired_size    = 2
      min_size        = 2
      max_size        = 4
      labels = {
        WorkerType    = "SPOT"
        NodeGroupType = "core"
      }
      tags = merge(local.tags, { Name = "core-node-grp" })
    }
  }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Key Highlights
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;1. Networking:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Subnets are filtered to include only CIDR blocks starting with &lt;code&gt;100&lt;/code&gt;. to ensure specific subnet assignment for nodes.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;2. IAM and Auth:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Integration with Karpenter is configured via the &lt;code&gt;aws_auth_roles&lt;/code&gt;block, allowing Karpenter to dynamically provision nodes.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;3. Managed Node Groups:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Core Node Group:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Optimized for system-level workloads.&lt;/li&gt;
&lt;li&gt; Configured with &lt;code&gt;m5.xlarge&lt;/code&gt; spot instances for cost efficiency.&lt;/li&gt;
&lt;li&gt;Labels such as &lt;code&gt;NodeGroupType: core&lt;/code&gt; and taints can be used to restrict workloads to this node group.&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;4. Storage:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Nodes are configured with gp3 root volumes (100 GiB) for system usage. Additional storage for workloads should be configured separately.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;5. Scaling:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Use Karpenter for workload-based scaling instead of additional managed node groups. The &lt;code&gt;eks_managed_node_groups&lt;/code&gt; block here is only for critical system workloads.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Step 2: Deploying NVIDIA NIM for AI Workloads
&lt;/h3&gt;

&lt;p&gt;Deploying NVIDIA NIM (NVIDIA Inference Manager) requires configuring persistent storage for large datasets and allocating GPU resources for optimal performance. Here's an expanded guide breaking down the essential steps.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Persistent Storage with AWS EFS
&lt;/h3&gt;

&lt;p&gt;AI workloads often require storage that exceeds local node capacity. AWS EFS (Elastic File System) provides a shared and scalable storage solution across multiple pods. Below is the configuration for creating a Persistent Volume Claim (PVC) backed by EFS:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Code: Persistent Volume Claim (PVC)&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;kubernetes_persistent_volume_claim_v1 "efs_pvc" {
  metadata {
    name      = "efs-storage"
    namespace = "nim"
  }
  spec {
    access_modes       = ["ReadWriteMany"] # Enables sharing storage across multiple pods.
    storage_class_name = "efs"             # Links the PVC to an EFS storage class.
    resources {
      requests = {
        storage = "200Gi" # Reserves 200 GiB of scalable storage.
      }
    }
  }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Key Points:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Access Mode: &lt;code&gt;"ReadWriteMany"&lt;/code&gt; allows simultaneous access by multiple pods, critical for parallel workloads.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Storage Class: Must correspond to an EFS provisioner configured in the Kubernetes cluster.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Capacity: Start with 200 GiB and scale as per your dataset requirements.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  2. Deploying NVIDIA NIM Helm Chart
&lt;/h3&gt;

&lt;p&gt;After configuring storage, deploy NVIDIA NIM using Helm. The Helm chart simplifies GPU allocation and links the persistent storage to NIM-managed workloads.&lt;/p&gt;

&lt;h4&gt;
  
  
  Configure the NGC API Key
&lt;/h4&gt;

&lt;p&gt;Before deploying NVIDIA NIM, you need to retrieve your &lt;strong&gt;NGC API Key&lt;/strong&gt; from NVIDIA’s cloud platform and set it as an environment variable. This key enables secure authentication with NVIDIA’s container registry and services.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Steps to Retrieve the NGC API Key:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Log in to your &lt;a href="https://ngc.nvidia.com/" rel="noopener noreferrer"&gt;NGC account&lt;/a&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Navigate to Setup &amp;gt; API Keys.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click Generate API Key if you don’t already have one.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Copy the generated key to use in your deployment process.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Set the NGC API Key as an Environment Variable:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Run the following command in your terminal to make the key accessible to Terraform during deployment:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;export TF_VAR_ngc_api_key=&amp;lt;replace-me&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Replace &lt;code&gt;&amp;lt;replace-me&amp;gt;&lt;/code&gt; with your actual API key. This key will be passed to NVIDIA NIM to enable seamless model deployment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Code: Helm Release for NVIDIA NIM&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;helm_release "nim_llm" {
  name      = "nim-llm"
  chart     = "./nim-llm"                # Points to the NIM Helm chart location.
  namespace = "nim"
  values = [
    templatefile("nim-llm-values.yaml", {
      model_id    = var.model_id            # Specifies the LLM model (e.g., GPT-like models).
      num_gpu     = var.num_gpu             # Allocates GPU resources for inference tasks.
      ngc_api_key = var.ngc_api_key
      pvc_name    = kubernetes_persistent_volume_claim_v1.efs_pvc.metadata[0].name
    })
  ]
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Key Points:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;code&gt;model_id:&lt;/code&gt; The identifier of the model being deployed (e.g., GPT-3, BERT).&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;code&gt;num_gpu:&lt;/code&gt; Configures GPU resources for inference tasks. The value should align with the instance type used in your cluster (e.g., g4dn.xlarge for one GPU).&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;code&gt;pvc_name:&lt;/code&gt; Links the EFS-backed PVC to the workload for storing large datasets or models.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  3. Configuration Highlights
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Why Persistent Storage?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;AI models and datasets are often larger than the node's local storage. Using EFS ensures:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Scalability: Adjust storage as required without downtime.&lt;/li&gt;
&lt;li&gt;High Availability: Accessible across multiple Availability Zones.&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;GPU Allocation&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;NVIDIA NIM optimizes GPU usage for inference. Use the num_gpu variable to specify the number of GPUs for your workload, ensuring efficient resource utilization.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Summary&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Storage Configuration:&lt;/strong&gt; Use AWS EFS with Kubernetes PVC for shared, scalable storage across pods.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;GPU Allocation:&lt;/strong&gt; NVIDIA NIM enables efficient GPU resource management for AI inference tasks.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Helm Chart Deployment:&lt;/strong&gt; Leverage Helm for streamlined deployment, linking GPU resources and persistent storage.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Step 3: Adding OpenAI Web UI
&lt;/h3&gt;

&lt;p&gt;The OpenAI Web UI provides an interface for users to interact with deployed AI models.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;"helm_release" "openai_webui" {
  name       = "openai-webui"
  chart      = "open-webui"
  repository = "https://helm.openwebui.com/"
  namespace  = "openai-webui"
  values = [
    jsonencode({
      replicaCount = 1,
      image = {
        repository = "ghcr.io/open-webui/open-webui"
        tag        = "main"
      }
    })
  ]
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Step 4: Observability with Prometheus, Grafana, and Custom Metrics
&lt;/h3&gt;

&lt;p&gt;Prometheus and Grafana are essential tools for monitoring AI workloads. Prometheus collects resource metrics, including GPU-specific data, while Grafana visualizes these metrics through tailored dashboards. These tools help ensure that AI operations are running smoothly and efficiently.&lt;/p&gt;

&lt;p&gt;To extend observability, the Prometheus Adapter is configured with custom rules for tracking AI-specific metrics. Key configurations include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Tracking Active Requests: Using the &lt;code&gt;num_requests_running&lt;/code&gt; metric, Prometheus monitors the number of ongoing requests, providing insights into workload intensity.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Inference Queue Monitoring: The &lt;code&gt;nv_inference_queue_duration_us&lt;/code&gt; metric tracks NVIDIA inference queue times, converted into milliseconds for enhanced readability.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Sample Configuration for Prometheus Adapter:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;prometheus:
  url: http://kube-prometheus-stack-prometheus.${prometheus_namespace}
  port: 9090
rules:
  default: false
  custom:
  - seriesQuery: '{__name__=~"num_requests_running"}'
    resources:
      template: &amp;lt;&amp;lt;.Resource&amp;gt;&amp;gt;
    name:
      matches: "num_requests_running"
      as: ""
    metricsQuery: sum(&amp;lt;&amp;lt;.Series&amp;gt;&amp;gt;{&amp;lt;&amp;lt;.LabelMatchers&amp;gt;&amp;gt;}) by (&amp;lt;&amp;lt;.GroupBy&amp;gt;&amp;gt;)
  - seriesQuery: 'nv_inference_queue_duration_us{namespace!="", pod!=""}'
    resources:
      overrides:
        namespace:
          resource: "namespace"
        pod:
          resource: "pod"
    name:
      matches: "nv_inference_queue_duration_us"
      as: "nv_inference_queue_duration_ms"
    metricsQuery: 'avg(rate(nv_inference_queue_duration_us{&amp;lt;&amp;lt;.LabelMatchers&amp;gt;&amp;gt;}[1m])/1000) by (&amp;lt;&amp;lt;.GroupBy&amp;gt;&amp;gt;)'
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;These configurations enable Prometheus to expose meaningful custom metrics that are critical for scaling and optimizing AI workloads. By integrating these metrics into Grafana dashboards, users gain actionable insights into system performance and bottlenecks.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 5: Scaling and Optimization with Karpenter
&lt;/h3&gt;

&lt;p&gt;In large-scale AI deployments, workload demands fluctuate significantly. Dynamic scaling is essential for managing these workloads effectively while minimizing costs. Karpenter, a Kubernetes-native cluster autoscaler, provides powerful mechanisms for optimizing resource utilization. It dynamically provisions nodes tailored to the specific demands of applications, including GPU-heavy AI workloads.&lt;/p&gt;

&lt;p&gt;This section integrates Karpenter into the EKS Blueprint framework, highlighting its configuration for both CPU and GPU workloads. The full implementation and configurations are available in the &lt;a href="https://github.com/timurgaleev/eks-nim-llm-openai" rel="noopener noreferrer"&gt;https://github.com/timurgaleev/eks-nim-llm-openai&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Deploying Karpenter with EKS Blueprints&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Karpenter is added to the EKS cluster as a Blueprint add-on. Below is an example of the configuration block for enabling Karpenter, focusing on both CPU and GPU workload optimization:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;module "eks_blueprints_addons" {
  source  = "aws-ia/eks-blueprints-addons/aws"
  version = "~&amp;gt; 1.2"

  enable_karpenter                  = true
  karpenter_enable_spot_termination = true
  karpenter_node = {
    iam_role_additional_policies = {
      AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
    }
  }
  karpenter = {
    chart_version = "0.37.0"
  }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This configuration enables Karpenter with support for Spot instance termination handling and assigns additional IAM policies for managing nodes.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Configuring Karpenter for CPU and GPU Workloads&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;For effective scaling, Karpenter relies on Provisioner configurations tailored to workload requirements. The following examples showcase how Karpenter dynamically provisions CPU and GPU nodes.&lt;/p&gt;

&lt;p&gt;CPU Workloads&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;name: cpu-karpenter
clusterName: ${module.eks.cluster_name}
ec2NodeClass:
  karpenterRole: ${split("/", module.eks_blueprints_addons.karpenter.node_iam_role_arn)[1]}
  subnetSelectorTerms:
    id: ${module.vpc.private_subnets[2]}
  securityGroupSelectorTerms:
    tags:
      Name: ${module.eks.cluster_name}-node
  instanceStorePolicy: RAID0

nodePool:
  labels:
    - type: karpenter
    - NodeGroupType: cpu-karpenter
  requirements:
    - key: "karpenter.k8s.aws/instance-family"
      operator: In
      values: ["m5"]
    - key: "karpenter.k8s.aws/instance-size"
      operator: In
      values: ["xlarge", "2xlarge", "4xlarge"]
    - key: "kubernetes.io/arch"
      operator: In
      values: ["amd64"]
    - key: "karpenter.sh/capacity-type"
      operator: In
      values: ["spot", "on-demand"]
  limits:
    cpu: 1000
  disruption:
    consolidationPolicy: WhenEmpty
    consolidateAfter: 180s
    expireAfter: 720h
  weight: 100
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;GPU Workloads&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;name: gpu-workloads
clusterName: ${module.eks.cluster_name}
ec2NodeClass:
  karpenterRole: ${split("/", module.eks_blueprints_addons.karpenter.node_iam_role_arn)[1]}
  subnetSelectorTerms:
    id: ${module.vpc.private_subnets[1]}
  securityGroupSelectorTerms:
    tags:
      Name: ${module.eks.cluster_name}-node
  instanceStorePolicy: RAID0

nodePool:
  labels:
    - type: karpenter
    - NodeGroupType: gpu-workloads
  requirements:
    - key: "karpenter.k8s.aws/instance-family"
      operator: In
      values: ["g5", "p4", "p5"]  # GPU instances
    - key: "karpenter.k8s.aws/instance-size"
      operator: In
      values: ["2xlarge", "4xlarge", "8xlarge", "12xlarge"]
    - key: "kubernetes.io/arch"
      operator: In
      values: ["amd64"]
    - key: "karpenter.sh/capacity-type"
      operator: In
      values: ["spot", "on-demand"]
  limits:
    cpu: 1000
  disruption:
    consolidationPolicy: WhenEmpty
    consolidateAfter: 180s
    expireAfter: 720h
  weight: 100
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Terraform Automation Scripts
&lt;/h3&gt;

&lt;p&gt;To streamline the deployment and teardown of resources, the project includes two utility scripts: &lt;code&gt;install.sh&lt;/code&gt; and &lt;code&gt;cleanup.sh&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;install.sh:&lt;/code&gt; Automates the deployment process. It initializes Terraform, applies modules sequentially (e.g., VPC and EKS), and ensures all resources are provisioned successfully. A final Terraform apply captures any remaining dependencies.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;cleanup.sh:&lt;/code&gt; Safely destroys the deployed infrastructure. It handles dependencies like Kubernetes services, Load Balancers, and Security Groups, ensuring proper teardown order. Each module is destroyed sequentially, with a final pass to catch residual resources.&lt;/p&gt;

&lt;p&gt;These scripts enhance operational efficiency and minimize errors during deployment and cleanup phases, making the workflow more robust and reproducible.&lt;/p&gt;

&lt;h3&gt;
  
  
  Key Features of Karpenter in AI Ecosystems
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Dynamic Node Provisioning:&lt;/strong&gt; Automatically provisions CPU or GPU nodes based on real-time workload needs.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Cost Optimization:&lt;/strong&gt; Leverages Spot instances while ensuring reliable on-demand scaling for critical workloads.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Enhanced Resource Utilization:&lt;/strong&gt; Consolidates underutilized nodes and removes idle resources with disruption policies.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Tailored Scaling Policies:&lt;/strong&gt; Supports node pools for diverse workload types, such as inference tasks or data preprocessing.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Karpenter’s integration with GPU-optimized workloads ensures that demanding AI models benefit from high-performance compute nodes while maintaining cost efficiency.&lt;/p&gt;

&lt;h3&gt;
  
  
  Use Cases
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;1. AI Model Training&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;NVIDIA NIM’s GPU optimizations allow for efficient training of models like BERT or GPT, reducing runtime and costs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Real-Time Inference&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Deploy models for real-time applications such as fraud detection, image recognition, or natural language understanding.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Experimentation and Research&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;With the OpenAI Web UI, data scientists can quickly test and iterate on models.&lt;/p&gt;

&lt;h3&gt;
  
  
  Conclusion
&lt;/h3&gt;

&lt;p&gt;This platform enables the scalable and efficient deployment of AI workloads by integrating NVIDIA NIM with Amazon EKS. Terraform automates the process, ensuring repeatable and reliable setups. With GPU optimization, persistent storage, and observability tools, the platform is well-suited for businesses and researchers alike.&lt;/p&gt;

&lt;p&gt;By following this guide, you can build a scalable and efficient AI platform. For detailed code and further exploration, visit the GitHub repository &lt;a href="https://github.com/timurgaleev/eks-nim-llm-openai" rel="noopener noreferrer"&gt;https://github.com/timurgaleev/eks-nim-llm-openai&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>aws</category>
      <category>eks</category>
      <category>nvidia</category>
      <category>ai</category>
    </item>
    <item>
      <title>Deploying AWS EKS with Terraform and Blueprints Addons</title>
      <dc:creator>Timur Galeev</dc:creator>
      <pubDate>Thu, 07 Nov 2024 09:07:18 +0000</pubDate>
      <link>https://dev.to/aws-builders/deploying-aws-eks-with-terraform-and-blueprints-addons-5am6</link>
      <guid>https://dev.to/aws-builders/deploying-aws-eks-with-terraform-and-blueprints-addons-5am6</guid>
      <description>&lt;p&gt;After a pause from covering AWS and infrastructure management, I’m back with insights for those looking to navigate the world of AWS containers and Kubernetes with ease. For anyone new to deploying Kubernetes in AWS, leveraging Terraform for setting up an EKS (Elastic Kubernetes Service) cluster can be a game-changer. By combining Terraform’s infrastructure-as-code capabilities with AWS’s EKS Blueprints Addons, users can create a scalable, production-ready Kubernetes environment without the usual complexity.&lt;/p&gt;

&lt;p&gt;In this article, I'll guide you through using Terraform to deploy EKS with essential add-ons, which streamline the configuration and management of your Kubernetes clusters. With these modular add-ons, you can quickly incorporate features like CoreDNS, the AWS Load Balancer Controller, and other powerful tools to customize and enhance your setup. Whether you’re new to container orchestration or just seeking an efficient AWS solution, this guide will help you build a resilient EKS environment in a few straightforward steps.&lt;/p&gt;

&lt;h3&gt;
  
  
  So let’s start.
&lt;/h3&gt;

&lt;h2&gt;
  
  
  Setting Up the VPC for EKS
&lt;/h2&gt;

&lt;p&gt;The VPC configuration is foundational for your EKS cluster, establishing a secure, isolated environment with both public and private subnets. Private subnets are typically used to host your Kubernetes nodes, keeping them inaccessible from the internet. Here’s the configuration provided in the &lt;code&gt;vpc.tf&lt;/code&gt; file, which sets up both public and private subnets along with NAT and Internet Gateway options for flexible networking.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~&amp;gt; 5.0"

  name                 = local.name
  cidr                 = var.vpc_cidr
  azs                  = local.azs
  secondary_cidr_blocks = var.secondary_cidr_blocks
  private_subnets      = concat(local.private_subnets, local.secondary_ip_range_private_subnets)
  public_subnets       = local.public_subnets
  enable_nat_gateway   = true
  single_nat_gateway   = true
  public_subnet_tags   = {"kubernetes.io/role/elb" = 1}
  private_subnet_tags  = {
    "kubernetes.io/role/internal-elb" = 1
    "karpenter.sh/discovery" = local.name
  }
  tags = local.tags
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This setup:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Creates private and public subnets across multiple availability zones.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Configures a secondary CIDR block for the EKS data plane, which is crucial for large-scale deployments.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Enables a NAT gateway for private subnets, ensuring secure internet access for internal resources.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Tags subnets for Kubernetes service and discovery, essential for integration with other AWS services like load balancers and Karpenter.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Deploying EKS with Managed Node Groups
&lt;/h2&gt;

&lt;p&gt;Now that the VPC is configured, let’s move on to deploying the EKS cluster with the &lt;code&gt;eks.tf&lt;/code&gt; file configuration. This setup includes defining managed node groups within the EKS cluster, specifying node configurations, security rules, and IAM roles.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~&amp;gt; 19.15"

  cluster_name                   = local.name
  cluster_version                = var.eks_cluster_version
  cluster_endpoint_public_access = true
  vpc_id                         = module.vpc.vpc_id
  subnet_ids                     = compact([for subnet_id, cidr_block in zipmap(module.vpc.private_subnets, module.vpc.private_subnets_cidr_blocks) : substr(cidr_block, 0, 4) == "100." ? subnet_id : null])

  aws_auth_roles = [
    {
      rolearn  = module.eks_blueprints_addons.karpenter.node_iam_role_arn
      username = "system:node:{{EC2PrivateDNSName}}"
      groups   = ["system:bootstrappers", "system:nodes"]
    }
  ]

  eks_managed_node_groups = {
    core_node_group = {
      name             = "core-node-group"
      ami_type         = "AL2_x86_64"
      min_size         = 2
      max_size         = 8
      desired_size     = 2
      instance_types   = ["m5.xlarge"]
      capacity_type    = "SPOT"
      labels           = { WorkerType = "SPOT", NodeGroupType = "core" }
      tags             = merge(local.tags, { Name = "core-node-grp" })
    }
  }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Key components:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;VPC and Subnets:&lt;/strong&gt; The &lt;code&gt;vpc_id&lt;/code&gt; and &lt;code&gt;subnet_ids&lt;/code&gt; reference the private subnets, providing a secure foundation for EKS nodes.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Managed Node Groups:&lt;/strong&gt; This setup defines a core node group with spot instances &lt;code&gt;(capacity_type = "SPOT")&lt;/code&gt; to optimize cost, with configurable instance types, sizes, and labels for workload placement.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Security Rules and IAM Roles:&lt;/strong&gt; Configures additional security rules to manage access between nodes and clusters, along with IAM roles to control permissions for Karpenter and node management.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Configuring EKS Add-ons
&lt;/h2&gt;

&lt;p&gt;Add-ons enhance your EKS cluster by integrating additional AWS services and open-source tools. With the EKS Blueprints, you can easily set up these add-ons, which range from storage solutions to observability and monitoring tools.&lt;/p&gt;

&lt;h3&gt;
  
  
  Setting Up the EBS CSI Driver for Persistent Storage
&lt;/h3&gt;

&lt;p&gt;The Amazon EBS CSI Driver is essential for persistent storage on EKS. This module configures the necessary IAM roles for the driver, enabling it to provision and manage EBS volumes.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;module "ebs_csi_driver_irsa" {
  source                = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version               = "~&amp;gt; 5.20"
  role_name_prefix      = format("%s-%s-", local.name, "ebs-csi-driver")
  attach_ebs_csi_policy = true
  oidc_providers = {
    main = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
    }
  }
  tags = local.tags
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This configuration creates an IAM role for the EBS CSI Driver using IAM Roles for Service Accounts (IRSA), which allows the driver to interact with EBS securely.&lt;/p&gt;

&lt;h3&gt;
  
  
  Enabling Amazon CloudWatch Observability
&lt;/h3&gt;

&lt;p&gt;The &lt;code&gt;amazon-cloudwatch-observability&lt;/code&gt; add-on integrates CloudWatch for monitoring and logging, providing insights into your cluster’s performance.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;eks_addons = {
  amazon-cloudwatch-observability = {
    preserve                 = true
    service_account_role_arn = aws_iam_role.cloudwatch_observability_role.arn
  }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This snippet specifies the IAM role required for CloudWatch, enabling detailed observability for your workloads.&lt;/p&gt;

&lt;h3&gt;
  
  
  Integrating AWS Load Balancer Controller
&lt;/h3&gt;

&lt;p&gt;The AWS Load Balancer Controller allows you to provision and manage Application Load Balancers (ALBs) for Kubernetes services. Here’s how it’s configured:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;enable_aws_load_balancer_controller = true
aws_load_balancer_controller = {
  set = [{
    name  = "enableServiceMutatorWebhook"
    value = "false"
  }]
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The &lt;code&gt;enableServiceMutatorWebhook&lt;/code&gt; setting is disabled to avoid automatic modification of service annotations, making it ideal for custom configurations.&lt;/p&gt;

&lt;h3&gt;
  
  
  Adding Karpenter for Autoscaling
&lt;/h3&gt;

&lt;p&gt;Karpenter is an open-source autoscaler designed for Kubernetes, enabling efficient and dynamic scaling of EC2 instances based on workload requirements. This configuration sets up Karpenter with support for spot instances, reducing costs for non-critical workloads.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;enable_karpenter                  = true
karpenter_enable_spot_termination = true
karpenter_node = {
  iam_role_additional_policies = {
    AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  }
}
karpenter = {
  chart_version       = "0.37.0"
  repository_username = data.aws_ecrpublic_authorization_token.token.user_name
  repository_password = data.aws_ecrpublic_authorization_token.token.password
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This configuration includes additional IAM policies for Karpenter nodes, making it easier to integrate with AWS services like EC2 for flexible scaling.&lt;/p&gt;

&lt;p&gt;These add-ons, configured through the AWS EKS Blueprints and Terraform, help streamline Kubernetes management on AWS while offering enhanced storage, observability, and autoscaling. ​&lt;/p&gt;

&lt;p&gt;To explore the complete configuration, you can find the full code in the GitHub repository &lt;a href="https://github.com/timurgaleev/aws-eks-terraform-addons" rel="noopener noreferrer"&gt;https://github.com/timurgaleev/aws-eks-terraform-addons&lt;/a&gt;. The repository includes &lt;code&gt;install.sh&lt;/code&gt; to deploy the EKS cluster and configure the add-ons seamlessly, along with &lt;code&gt;cleanup.sh&lt;/code&gt; to tear down the environment when it’s no longer needed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This Terraform setup provides a powerful framework for deploying EKS with essential add-ons, such as storage, observability, and autoscaling, to support scalable applications. Specifically, &lt;a href="https://github.com/timurgaleev/aws-eks-terraform-addons" rel="noopener noreferrer"&gt;this configuration&lt;/a&gt; is designed to enable deployment of applications like OpenAI Chat, showcasing Kubernetes' flexibility for real-time, interactive workloads. With this setup, you’re ready to deploy and manage robust, production-grade EKS clusters in AWS.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Beginning the Journey into ML, AI and GenAI on AWS</title>
      <dc:creator>Timur Galeev</dc:creator>
      <pubDate>Mon, 22 Jan 2024 22:08:13 +0000</pubDate>
      <link>https://dev.to/aws-builders/beginning-the-journey-into-ml-ai-and-genai-on-aws-1hdc</link>
      <guid>https://dev.to/aws-builders/beginning-the-journey-into-ml-ai-and-genai-on-aws-1hdc</guid>
      <description>&lt;p&gt;Machine Learning (ML), Artificial Intelligence (AI), and Generative Artificial Intelligence (GenAI) are transformative technologies that have the potential to revolutionize industries across the globe.&lt;/p&gt;

&lt;p&gt;At the last &lt;a href="https://reinvent.awsevents.com/"&gt;AWS re:Invent&lt;/a&gt;, there were numerous updates related to ML/AI and everything associated with these technologies. I also decided to delve into these topics and immerse myself in this field.&lt;/p&gt;

&lt;p&gt;I won't delve into explaining the meanings of ML, AI, DL(Deep Learning), and GenAI. However, I'd like to touch upon FMs and LLM as we will focus our attention there. I found myself losing the same question when I came across this topic in my reading or listening. :)&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo8u33rx24fh8ngkid0cm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo8u33rx24fh8ngkid0cm.png" alt="Image description" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Foundational Models (FMs) within the AWS ecosystem represent fundamental structures and algorithms essential for diverse AI applications. These models, often created by industry-leading AI companies, are integral to the development and functionality of AWS services, shaping the landscape of artificial intelligence on the platform. In the context of Amazon Bedrock, Language Models (LMs) play a pivotal role. These LMs contribute to the service's linguistic capabilities, facilitating advanced language understanding and content generation within the AWS environment.&lt;/p&gt;

&lt;p&gt;AWS provides various services for Machine Learning and Artificial Intelligence, including &lt;a href="https://aws.amazon.com/sagemaker/"&gt;Amazon SageMaker&lt;/a&gt;, &lt;a href="https://aws.amazon.com/deeplens/"&gt;AWS DeepLens&lt;/a&gt;, &lt;a href="https://aws.amazon.com/deepcomposer/"&gt;AWS DeepComposer&lt;/a&gt;, &lt;a href="https://aws.amazon.com/forecast/"&gt;Amazon Forecast&lt;/a&gt; and more. Familiarize yourself with the services available to determine which ones suit your specific needs.&lt;/p&gt;

&lt;p&gt;Generative Artificial Intelligence (GenAI) is a type of artificial intelligence that can generate text, images, or other media using generative models. AWS offers a range of services for building and scaling generative AI applications, including &lt;a href="https://aws.amazon.com/sagemaker/"&gt;Amazon SageMaker&lt;/a&gt;, &lt;a href="https://aws.amazon.com/de/rekognition/"&gt;Amazon Rekognition&lt;/a&gt;, &lt;a href="https://aws.amazon.com/deepracer/"&gt;AWS DeepRacer&lt;/a&gt;, and &lt;a href="https://aws.amazon.com/forecast/"&gt;Amazon Forecast&lt;/a&gt;. AWS has also invested in developing foundation models (FMs) for generative AI, which are ultra-large machine learning models that generative AI relies on. AWS has also launched the Generative AI Innovation Center, which connects AWS AI and ML experts with customers around the world to help them envision, design, and launch new generative AI products and services. Generative AI has the potential to revolutionize the way we create and consume media, but it is important to use it responsibly and ethically.&lt;/p&gt;

&lt;p&gt;Some examples GenAI: One of the most well-known examples of GenAI is &lt;a href="https://chat.openai.com/"&gt;ChatGPT&lt;/a&gt;, launched by &lt;a href="https://openai.com/"&gt;OpenAI&lt;/a&gt;, which became wildly popular overnight and galvanized public attention. Another model from OpenAI, called text-embedding-ada-002, is specifically designed to work with embeddings—a type of database specifically designed to feed data into large language models (LLM). However, it’s important to note that generative AI creates artifacts that can be inaccurate or biased, making human validation essential and potentially limiting the time it saves workers. Therefore, end users should be realistic about the value they are looking to achieve, especially when using a service as is.&lt;/p&gt;

&lt;p&gt;I've also delved a bit deeper into Broad AI when learning GenAI and I'd like to show this in the form of the following picture as it explains a lot.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Facybt8ctsdkcfl5w3wvq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Facybt8ctsdkcfl5w3wvq.png" alt="Image description" width="800" height="449"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Layers from broad artificial Intelligence to generative AI&lt;/p&gt;

&lt;p&gt;Broad AI includes task-specific algorithms, Machine Learning (ML), and Deep Learning. These layers enable AI to perform tasks like image recognition, natural language processing, and complex pattern modeling.&lt;/p&gt;

&lt;p&gt;The transition to GenAI involves Transfer Learning, Reinforcement Learning, and Autonomous Learning. These layers allow AI to apply knowledge across contexts, learn from interactions, and independently gather and learn from information.&lt;/p&gt;

&lt;p&gt;So, the journey from Broad AI to GenAI represents significant leaps in AI capabilities, moving towards AI systems that can truly understand, learn, and adapt like a human brain.&lt;/p&gt;

&lt;p&gt;Let's explore a couple of AWS services that, from my perspective, are among the more popular today.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://aws.amazon.com/sagemaker/"&gt;Amazon SageMaker&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;Amazon SageMaker is a comprehensive platform that simplifies the machine learning workflow. It covers everything from data labeling and preparation to model training and deployment. Take advantage of SageMaker's Jupyter notebook integration for interactive data exploration and model development. The platform also supports popular ML frameworks like TensorFlow and PyTorch.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://aws.amazon.com/q/"&gt;Amazon Q&lt;/a&gt; is a groundbreaking Generative AI assistant crafted with a focus on security and privacy. Its purpose is to unleash the transformative capabilities of this technology for employees within organizations of varying sizes and across diverse industries.&lt;/p&gt;

&lt;p&gt;Introduces robust enhancements to the generative AI service, Amazon Bedrock.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://aws.amazon.com/de/bedrock/"&gt;Amazon Bedrock&lt;/a&gt;, an entirely managed service on AWS, provides access to extensive language models and other foundational models (FMs) from prominent artificial intelligence (AI) companies such as AI21, Anthropic, Cohere, Meta, and Stability AI, all consolidated through a unified API.&lt;/p&gt;

&lt;p&gt;I would also like to share more information about Amazon Bedrock here about the innovations that were announced at the latest AWS re:Invent.&lt;/p&gt;

&lt;p&gt;Fine-tuning for Amazon Bedrock:&lt;br&gt;
Now, there are increased opportunities for model customization in Amazon Bedrock, featuring fine-tuning support for Cohere Command Lite, Meta Llama 2, and Amazon Titan Text models, with Anthropic Claude's support expected soon.&lt;/p&gt;

&lt;p&gt;These recent enhancements to Amazon Bedrock significantly reshape how organizations, regardless of their size or industry, can leverage generative AI to drive innovation and redefine customer experiences.&lt;/p&gt;

&lt;p&gt;AWS is compatible with all the leading deep-learning frameworks, facilitating their deployment. The deep-learning Amazon Machine Image, accessible on both Amazon Linux and Ubuntu, allows for the creation of managed, auto-scalable GPU clusters. This enables training and inference processes to be conducted at any scale. Also, AWS offers a range of AI services that allow you to integrate pre-trained models into your applications without the need for deep expertise in machine learning. Services like Amazon Rekognition for image and video analysis, Amazon Comprehend for natural language processing, and Amazon Polly for text-to-speech can enhance your applications with AI capabilities.&lt;/p&gt;

&lt;p&gt;The best way to solidify your understanding of ML, AI, and GenAI on AWS is through hands-on projects. Start with simple projects and gradually increase complexity as you gain confidence. Use datasets available on platforms like Kaggle or create your own to train and test models.&lt;/p&gt;

&lt;p&gt;Conclusion:&lt;/p&gt;

&lt;p&gt;Embarking on a journey into Machine Learning, Artificial Intelligence, and Generative Artificial Intelligence on AWS is an exciting endeavor. By following these steps, you can lay a solid foundation for your understanding and proficiency in leveraging AWS services for ML and AI applications. Remember, the key to success is a combination of hands-on experience, continuous learning, and active engagement with the AWS community. Happy training!&lt;/p&gt;

</description>
      <category>genai</category>
      <category>machinelearning</category>
      <category>ai</category>
      <category>aws</category>
    </item>
    <item>
      <title>Domain-Driven Design (DDD) in AWS. Find Your Business Domains.</title>
      <dc:creator>Timur Galeev</dc:creator>
      <pubDate>Wed, 29 Mar 2023 15:27:12 +0000</pubDate>
      <link>https://dev.to/aws-builders/domain-driven-design-ddd-in-aws-find-your-business-domains-54ak</link>
      <guid>https://dev.to/aws-builders/domain-driven-design-ddd-in-aws-find-your-business-domains-54ak</guid>
      <description>&lt;p&gt;This article is an introduction to Domain-Driven Design and how it can be used with AWS. I will provide guidance on how to define business domains in legacy monolithic applications and decompose them into a set of microservices step by step. By starting with Domain-Driven Design for your microservices, you can get the benefits of cloud scaling in your new refactored application.&lt;/p&gt;

&lt;p&gt;Is Domain-Driven Design usefull for me?&lt;br&gt;
The purpose of &lt;a href="https://en.wikipedia.org/wiki/Domain-driven_design#:~:text=Domain%2Ddriven%20design%20(DDD),should%20match%20the%20business%20domain." rel="noopener noreferrer"&gt;Domain-Driven Design&lt;/a&gt; is to free the domain code from technical details to have more room to work with its complexity. It is well suited to work with very complex domains and projects that are starting to dive into legacy.&lt;/p&gt;

&lt;p&gt;Domain-Driven Design requires an understanding of the business idea or understanding of the final 'business product'. It requires time and commitment from both business experts and technical implementers. Domain-Driven Design should not be used in situations where you need 'quick solutions'. Instead, use Domain-Driven Design for software that supports the core business area rather than supporting areas. Running Domain-Driven Design can be achieved through an &lt;strong&gt;event-storming session&lt;/strong&gt;. However, as mentioned above, this is a commitment worth making. It will allow you to develop software that is more tailored to the needs of your end clients. It will also help create decoupled services that are more scalable and maintainable. The combination will result in greater business agility.&lt;/p&gt;

&lt;h2&gt;
  
  
  Event Storming
&lt;/h2&gt;

&lt;p&gt;Event Storming helps teams of business and technical people come to a consensus on what the solution should be. This happens without being distracted by the specific implementation details of how it will be implemented. This means, that it may take longer for the teams to start providing source code. However, all teams will be better aligned as to what each microservice should be responsible for. The event storming workshop is a brainstorming session. In this session all stakeholders in the solution work together to define the business events that correspond to the domains. &lt;br&gt;
Suppose, we have a commerce development task where the business event might be a customer who applies for a new product. During the workshop, the group will begin to identify the object that triggered the event, the processes that should occur as a result, and any subsequent event triggered by the original event.&lt;/p&gt;

&lt;p&gt;To do this, a team brainstorming session takes place where the event groups can identify areas of their business and then the contexts in which they operate. These can be used to define the usage and the relationship that occurs between each microservice and it’s context. Once the domains have been defined with the help of the business experts, the technical implementers can start designing the solution.&lt;/p&gt;

&lt;p&gt;The result of the event-storming session is a domain model for development. The domain model can be used to define a number of &lt;strong&gt;bounded contexts&lt;/strong&gt;. &lt;/p&gt;

&lt;h2&gt;
  
  
  Bounded Contexts
&lt;/h2&gt;

&lt;p&gt;A bounded context is the boundary where each domain applies. The order contract opening example can be thought of as the 'Order Contract Opening Context' in a shop. In a complete system, there may be other contexts such as the product context, the description context and the manufacturing context. Identifying the business events that cause interactions between the different constrained contexts helps to determine how your microservices will interact with each other in the new architecture.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpj032bjacr3fuagai55j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpj032bjacr3fuagai55j.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The example context map is just a sample of the core domains. There are also a number of supporting and subsequent domains. Although it is necessary to have a service that manages these, this is not part of the core application domain for sending products.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flxw17vkd9h8odi8m8ynk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flxw17vkd9h8odi8m8ynk.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Core Domains and refactoring
&lt;/h2&gt;

&lt;p&gt;When you start defining "Core Domains and Subsequent Domains"  the question that usually arises is how to manage requests between domains.To do this, we'll look at options for using AWS services for how domains can be implemented.&lt;br&gt;
Containerisation or serverless diagram of such solutions would rather be a 'modern architecture' than a good old-fashioned network and virtual machine deployment diagram. The advantage of these solutions is that the diagram itself helps to actually outline, what the logical functionality is, since we can be more expressive and fine-grained with resource usage.&lt;br&gt;
The undisputed king of serverless computing platforms has been &lt;a href="https://aws.amazon.com/lambda/" rel="noopener noreferrer"&gt;AWS Lambda&lt;/a&gt;AWS Lambda for several years now. It satisfies all the aforementioned conditions and can be used in a number of languages/implementations, including TypeScript.&lt;br&gt;
Other viable options might include some of the more well-known container services such as &lt;a href="https://aws.amazon.com/ecs/" rel="noopener noreferrer"&gt;AWS ECS&lt;/a&gt; or &lt;a href="https://aws.amazon.com/eks/" rel="noopener noreferrer"&gt;AWS EKS&lt;/a&gt; wrapped Fargate. However, they require considerably more setup and configuration, and also require that containerization actually takes place. It doesn't mean that containerisation is bad, in general containerisation can be good, it all depends on your development idea whether it's refactoring into microservices or starting a new application.&lt;br&gt;
If you need Eventing then here it is &lt;a href="https://aws.amazon.com/sns/" rel="noopener noreferrer"&gt;Simple Notification Service (SNS)&lt;/a&gt;. It is a push-based service, i.e. it automatically handles the distribution of the event to the recipients. SNS uses a pay-per-use model and it is essentially serverless as the only infrastructure you need is the SNS subject.&lt;br&gt;
The modern cloud is about using its own API products to expose its applications, rather than building something of its own with Fastify, Kong or the like.&lt;br&gt;
The API gateway acts as the only public interface connected to any other infrastructure, in our case primarily our Lambda compute functions, which will respond to paths defined in the gateway. In the case of AWS the service of interest, unsurprisingly, is called the &lt;a href="https://aws.amazon.com/api-gateway/" rel="noopener noreferrer"&gt;AWS API Gateway&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The following diagram shows how monolith receives some of the traffic during the gradual addition of new microservices in the example application.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frvswfwbv788o9tfgbk36.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frvswfwbv788o9tfgbk36.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;There is also &lt;a href="https://aws.amazon.com/migration-hub/" rel="noopener noreferrer"&gt;AWS Migration Hub&lt;/a&gt;, it will help you in finding your domains and even offer AWS services that you can implement. This will help you to plan a refactoring or plan for migrating from your old OnPrem solutions to AWS with all modern solutions.&lt;/p&gt;

&lt;h3&gt;
  
  
  Conclusion
&lt;/h3&gt;

&lt;p&gt;To summarise, people just don't tend to talk about 'domains' all day. Most employees do not pay attention to the implementation of domains in the organisation.&lt;br&gt;
It is also worth noting that dividing systems into domains after they have been fully designed is also useless. DDD should be done, at least approximately, at the initial design stage.&lt;br&gt;
But in any case, DDD is the place to be. In the example of using DDD in AWS it looks simple but when you start to go deeper here you find a lot of services where they all have to be interconnected and here comes the methods and dependencies. That's why it's very important to create a structure at the beginning of the work.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>AWS, Terraform ,WordPress. Step-by-Step Guide Example</title>
      <dc:creator>Timur Galeev</dc:creator>
      <pubDate>Tue, 24 Jan 2023 12:52:15 +0000</pubDate>
      <link>https://dev.to/aws-builders/aws-terraform-wordpress-step-by-step-guide-example-3p6d</link>
      <guid>https://dev.to/aws-builders/aws-terraform-wordpress-step-by-step-guide-example-3p6d</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9a0v10xe10hjy4sz0nba.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9a0v10xe10hjy4sz0nba.png" alt="Image description" width="800" height="447"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I've looked at many ways to run Wordpress on AWS but they are all expensive or unstable for me. So I decided to make a stable version of Wordpress installation that suited me.&lt;/p&gt;

&lt;p&gt;Infrastructure management has changed a lot over the years. So much so that the traditional system administrator managed a rack full of servers. In many cases, the initial setup required manual intervention at the console. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why AWS for WordPress might be a great choice&lt;/strong&gt;&lt;br&gt;
To begin with, AWS is a big deal. It's the cloud hosting provider with the largest market share. AWS is such a successful platform that it accounts for half of Amazon's operating income, which is in the billions of dollars.&lt;/p&gt;

&lt;p&gt;AWS offers high scalability, making it ideal for sites with thousands of daily visitors. The platform also allows for any server configuration. This is ideal for high-performance sites such as online stores.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;In this article, I will show you how to use Terraform to install Wordpress on AWS&lt;/em&gt;. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Our objectives&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Create a ‘tf’ files which will hold all of our relevant configuration information (main.tf, …)&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Define which provider we will be using in the Terraform config. (aws, cloudflare)&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Certificate handling (AWS Certificate Manager)&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Define security group rules and names.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Define the EC2 instances we want to create. (AWS Auto Scaling Group)&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Run Terraform to plan and apply our configuration.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Before you get started, you’ll need to sign up for AWS. During the process, you’ll need to verify your account using a credit card – onto which they’ll charge $1 – and receive a verification code via SMS.&lt;br&gt;
When you’re ready, select the Free support plan and you’ll get access to your console, which is where the magic happens&lt;/p&gt;

&lt;p&gt;&lt;em&gt;So, let's start creating our wordpress in AWS&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;I will assume that you have already configured all the necessary tools to run such as &lt;em&gt;Terraform&lt;/em&gt;, &lt;em&gt;aws-cli&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The first thing you need to do is clone the repository:&lt;br&gt;
&lt;code&gt;$ git clone https://github.com/timurgaleev/wordpress-ec2-rds-alb-vpc.git&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Once you've taken the templates from the repository, you now need to configure the 'tf' files, which will hold all of the relevant Terraform configuration. You can encapsulate it in one file, but for simplicity and convenience we will work within multiple files. &lt;/p&gt;

&lt;p&gt;The structure of the repository is as follows:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;acm.tf&lt;/code&gt; - AWS Certificate Manager Terraform module&lt;br&gt;
  &lt;code&gt;alb.tf&lt;/code&gt; - AWS Application and Network Load Balancer Terraform module&lt;br&gt;
  &lt;code&gt;asg.tf&lt;/code&gt; - AWS Auto Scaling Group (ASG) Terraform module&lt;br&gt;
  &lt;code&gt;cloudflare.tf&lt;/code&gt; - Cloudflare Provider&lt;br&gt;
  &lt;code&gt;efs.tf&lt;/code&gt; - Provides an Elastic File System (EFS) File System resource&lt;br&gt;
  &lt;code&gt;output.tf&lt;/code&gt; - Terraform Output Values&lt;br&gt;
  &lt;code&gt;rds.tf&lt;/code&gt; - AWS RDS Terraform module&lt;br&gt;
  &lt;code&gt;security_group.tf&lt;/code&gt; - AWS EC2-VPC Security Group Terraform module&lt;br&gt;
  &lt;code&gt;vpc.tf&lt;/code&gt; - AWS VPC Terraform module&lt;br&gt;
  &lt;code&gt;variables.tf&lt;/code&gt; - variables used in Terraform.&lt;/p&gt;

&lt;p&gt;Prerequisites needed for creating a envirenment&lt;br&gt;
provider.tf you will need a change.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;backend "s3" {
    bucket         = "ecs-terraform-examplecom-state"
    key            = "example/com.tfstate"
    region         = "eu-west-1"
    encrypt        = "true"
    dynamodb_table = "ecs-terraform-remote-state-dynamodb"
  }
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It will also use an S3 bucket that will be used as a remote store for our Terraform state. This allows multiple users to work with one set of Infrastructure as Code without causing conflicts.&lt;/p&gt;

&lt;p&gt;Then change the variables according to your needs.&lt;br&gt;
&lt;code&gt;variables.tf&lt;/code&gt; like environment, Domain, Cloudflare API Token&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;variable "asg_min_size" {
  description = "AutoScaling Group Min Size "
  default     = 1
}

variable "asg_max_size" {
  description = "AutoScaling Group Max Size "
  default     = 2
}

variable "asg_desired_capacity" {
  description = "AutoScaling Group Desired Capacity"
  default     = 1
}

variable "rds_engine" {
  description = "RDS engine"
  default     = "mariadb"
}

variable "rds_engine_version" {
  description = "RDS engine version"
  default     = "10.6.7"
}

variable "rds_instance_class" {
  description = "RDS instance class"
  default     = "db.t3.micro"
}

variable "site_domain" {
  description = "Domain"
  default     = "example.com"
}

variable "cloudflare_zone" {
  description = "cloudflare Zone Id"
}

variable "dns_ttl" {
  description = "cloudflare for dns = 1 is automatic."
  default     = 1
}

variable "dns_allow_overwrite_records" {
  description = "cloudflare allow overwrite records."
  default     = true
}

variable "cloudflare_api_token" {
  description = "cloudflare api token"
}

variable "ssh_key_name" {
  description = "SSH Key"
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now we can run our WordPress.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Run &lt;code&gt;terraform init&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;Run &lt;code&gt;terraform plan&lt;/code&gt; and review&lt;/li&gt;
&lt;li&gt;Run &lt;code&gt;terraform apply&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Now enter your server domain, and you'll see the following WordPress installation screen. If that's the case, great job! If you don't see that screen, you may need to double-check the steps you followed. &lt;/p&gt;

&lt;p&gt;You can destroy this WordPress by running:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;terraform plan &lt;span class="nt"&gt;-destroy&lt;/span&gt;
terraform destroy  &lt;span class="nt"&gt;--force&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;br&gt;
We've only had a superficial look at how Terraform can be used in AWS, but I think a simple introduction is the best part! We created a database in RDS and plugged it into Wordpress as well as created and wired the necessary data into Cloudflare. &lt;/p&gt;

</description>
      <category>productivity</category>
      <category>learning</category>
      <category>careerdevelopment</category>
    </item>
    <item>
      <title>Critical New 0-day Vulnerability in Popular Log4j Library - List of applications</title>
      <dc:creator>Timur Galeev</dc:creator>
      <pubDate>Mon, 13 Dec 2021 09:33:58 +0000</pubDate>
      <link>https://dev.to/timurgaleev/list-critical-new-0-day-vulnerability-in-popular-log4j-library-1n9j</link>
      <guid>https://dev.to/timurgaleev/list-critical-new-0-day-vulnerability-in-popular-log4j-library-1n9j</guid>
      <description>&lt;h2&gt;
  
  
  Akamai : &lt;a href="https://www.akamai.com/blog/news/CVE-2021-44228-Zero-Day-Vulnerability"&gt;https://www.akamai.com/blog/news/CVE-2021-44228-Zero-Day-Vulnerability&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Apache Druid : &lt;a href="https://github.com/apache/druid/pull/12051"&gt;https://github.com/apache/druid/pull/12051&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Apache Flink : &lt;a href="https://flink.apache.org/2021/12/10/log4j-cve.html"&gt;https://flink.apache.org/2021/12/10/log4j-cve.html&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Apache LOG4J : &lt;a href="https://logging.apache.org/log4j/2.x/security.html"&gt;https://logging.apache.org/log4j/2.x/security.html&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Apache Kafka : &lt;a href="https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv"&gt;https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Apache Solr : &lt;a href="https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228"&gt;https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Apache Struts : &lt;a href="https://struts.apache.org/announce-2021#a20211212-2"&gt;https://struts.apache.org/announce-2021#a20211212-2&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Apero CAS : &lt;a href="https://apereo.github.io/2021/12/11/log4j-vuln/"&gt;https://apereo.github.io/2021/12/11/log4j-vuln/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  APPSHEET : &lt;a href="https://community.appsheet.com/t/appsheet-statement-on-log4j-vulnerability-cve-2021-44228/59976"&gt;https://community.appsheet.com/t/appsheet-statement-on-log4j-vulnerability-cve-2021-44228/59976&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Aptible : &lt;a href="https://status.aptible.com/incidents/gk1rh440h36s?u=zfbcrbt2lkv4"&gt;https://status.aptible.com/incidents/gk1rh440h36s?u=zfbcrbt2lkv4&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Atlassian : &lt;a href="https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html"&gt;https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Automox : &lt;a href="https://blog.automox.com/log4j-critical-vulnerability-scores-a-10"&gt;https://blog.automox.com/log4j-critical-vulnerability-scores-a-10&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Avantra SYSLINK : &lt;a href="https://support.avantra.com/support/solutions/articles/44002291388-cve-2021-44228-log4j-2-vulnerability"&gt;https://support.avantra.com/support/solutions/articles/44002291388-cve-2021-44228-log4j-2-vulnerability&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Avaya : &lt;a href="https://support.avaya.com/helpcenter/getGenericDetails?detailId=1399839287609"&gt;https://support.avaya.com/helpcenter/getGenericDetails?detailId=1399839287609&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  AWS New : &lt;a href="https://aws.amazon.com/security/security-bulletins/AWS-2021-006/"&gt;https://aws.amazon.com/security/security-bulletins/AWS-2021-006/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  AWS OLD: &lt;a href="https://aws.amazon.com/security/security-bulletins/AWS-2021-005/"&gt;https://aws.amazon.com/security/security-bulletins/AWS-2021-005/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  AZURE Datalake store java : &lt;a href="https://github.com/Azure/azure-data-lake-store-java/blob/ed5d6304783286c3cfff0a1dee457a922e23ad48/CHANGES.md#version-2310"&gt;https://github.com/Azure/azure-data-lake-store-java/blob/ed5d6304783286c3cfff0a1dee457a922e23ad48/CHANGES.md#version-2310&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  BACKBLAZE : &lt;a href="https://twitter.com/backblaze/status/1469477224277368838"&gt;https://twitter.com/backblaze/status/1469477224277368838&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  BitDefender : &lt;a href="https://businessinsights.bitdefender.com/security-advisory-bitdefender-response-to-critical-0-day-apache-log4j2-vulnerability"&gt;https://businessinsights.bitdefender.com/security-advisory-bitdefender-response-to-critical-0-day-apache-log4j2-vulnerability&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  BitNami By VMware : &lt;a href="https://docs.bitnami.com/general/security/security-2021-12-10/"&gt;https://docs.bitnami.com/general/security/security-2021-12-10/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  BMC Software : &lt;a href="https://community.bmc.com/s/news/aA33n000000TSUdCAO/bmc-security-advisory-for-cve202144228-log4shell-vulnerability"&gt;https://community.bmc.com/s/news/aA33n000000TSUdCAO/bmc-security-advisory-for-cve202144228-log4shell-vulnerability&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Boomi DELL : &lt;a href="https://community.boomi.com/s/question/0D56S00009UQkx4SAD/is-boomi-installation-moleculegateway-protected-from-cve202144228-log4j"&gt;https://community.boomi.com/s/question/0D56S00009UQkx4SAD/is-boomi-installation-moleculegateway-protected-from-cve202144228-log4j&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Broadcom : &lt;a href="https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793"&gt;https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  CarbonBlack : &lt;a href="https://community.carbonblack.com/t5/Threat-Research-Docs/Log4Shell-Log4j-Remote-Code-Execution-CVE-2021-44228/ta-p/109134"&gt;https://community.carbonblack.com/t5/Threat-Research-Docs/Log4Shell-Log4j-Remote-Code-Execution-CVE-2021-44228/ta-p/109134&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Cerberus FTP : &lt;a href="https://support.cerberusftp.com/hc/en-us/articles/4412448183571-Cerberus-is-not-affected-by-CVE-2021-44228-log4j-0-day-vulnerability"&gt;https://support.cerberusftp.com/hc/en-us/articles/4412448183571-Cerberus-is-not-affected-by-CVE-2021-44228-log4j-0-day-vulnerability&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  CheckPoint : &lt;a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk176865&amp;amp;partition=General&amp;amp;product=IPS"&gt;https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk176865&amp;amp;partition=General&amp;amp;product=IPS&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Cisco: &lt;a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"&gt;https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Citrix : &lt;a href="https://support.citrix.com/article/CTX335705"&gt;https://support.citrix.com/article/CTX335705&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  CloudFlare : &lt;a href="https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/"&gt;https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  CPanel : &lt;a href="https://forums.cpanel.net/threads/log4j-cve-2021-44228-does-it-affect-cpanel.696249/"&gt;https://forums.cpanel.net/threads/log4j-cve-2021-44228-does-it-affect-cpanel.696249/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  CommVault &lt;a href="https://community.commvault.com/technical-q-a-2/log4j-been-used-in-commvault-1985?postid=11745#post11745"&gt;https://community.commvault.com/technical-q-a-2/log4j-been-used-in-commvault-1985?postid=11745#post11745&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  ConcreteCMS.com : &lt;a href="https://www.concretecms.com/about/blog/security/concrete-log4j-zero-day-exploit"&gt;https://www.concretecms.com/about/blog/security/concrete-log4j-zero-day-exploit&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Connect2id : &lt;a href="https://connect2id.com/blog/connect2id-server-12-5-1"&gt;https://connect2id.com/blog/connect2id-server-12-5-1&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  ConnectWise : &lt;a href="https://www.connectwise.com/company/trust/advisories"&gt;https://www.connectwise.com/company/trust/advisories&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  ContrastSecurity : &lt;a href="https://support.contrastsecurity.com/hc/en-us/articles/4412612486548"&gt;https://support.contrastsecurity.com/hc/en-us/articles/4412612486548&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  ControlUp : &lt;a href="https://status.controlup.com/incidents/qqyvh7b1dz8k"&gt;https://status.controlup.com/incidents/qqyvh7b1dz8k&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Coralogix : &lt;a href="https://twitter.com/Coralogix/status/1469713430659559425"&gt;https://twitter.com/Coralogix/status/1469713430659559425&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  CouchBase : &lt;a href="https://forums.couchbase.com/t/ann-elasticsearch-connector-4-3-3-4-2-13-fixes-log4j-vulnerability/32402"&gt;https://forums.couchbase.com/t/ann-elasticsearch-connector-4-3-3-4-2-13-fixes-log4j-vulnerability/32402&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  CyberArk : &lt;a href="https://cyberark-customers.force.com/s/article/Critical-Vulnerability-CVE-2021-44228"&gt;https://cyberark-customers.force.com/s/article/Critical-Vulnerability-CVE-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Cybereason : &lt;a href="https://www.cybereason.com/blog/cybereason-solutions-are-not-impacted-by-apache-log4j-vulnerability-cve-2021-44228"&gt;https://www.cybereason.com/blog/cybereason-solutions-are-not-impacted-by-apache-log4j-vulnerability-cve-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Datto : &lt;a href="https://www.datto.com/blog/dattos-response-to-log4shell"&gt;https://www.datto.com/blog/dattos-response-to-log4shell&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Debian : &lt;a href="https://security-tracker.debian.org/tracker/CVE-2021-44228"&gt;https://security-tracker.debian.org/tracker/CVE-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Dell : &lt;a href="https://www.dell.com/support/kbdoc/fr-fr/000194372/dsn-2021-007-dell-response-to-apache-log4j-remote-code-execution-vulnerability"&gt;https://www.dell.com/support/kbdoc/fr-fr/000194372/dsn-2021-007-dell-response-to-apache-log4j-remote-code-execution-vulnerability&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Docker : &lt;a href="https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/"&gt;https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Docusign : &lt;a href="https://www.docusign.com/trust/alerts/alert-docusign-statement-on-the-log4j2-vulnerability"&gt;https://www.docusign.com/trust/alerts/alert-docusign-statement-on-the-log4j2-vulnerability&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  DRAW.IO : &lt;a href="https://twitter.com/drawio/status/1470061320066277382"&gt;https://twitter.com/drawio/status/1470061320066277382&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  DropWizard : &lt;a href="https://twitter.com/dropwizardio/status/1469285337524580359"&gt;https://twitter.com/dropwizardio/status/1469285337524580359&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  DynaTrace : &lt;a href="https://community.dynatrace.com/t5/Dynatrace-Open-Q-A/Impact-of-log4j-zero-day-vulnerability/m-p/177259/highlight/true#M19282"&gt;https://community.dynatrace.com/t5/Dynatrace-Open-Q-A/Impact-of-log4j-zero-day-vulnerability/m-p/177259/highlight/true#M19282&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Eclipse Foundation : &lt;a href="https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592#gistcomment-3992521"&gt;https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592#gistcomment-3992521&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Elastic : &lt;a href="https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476"&gt;https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  ESET : &lt;a href="https://forum.eset.com/topic/30691-log4j-vulnerability/?do=findComment&amp;amp;comment=143745"&gt;https://forum.eset.com/topic/30691-log4j-vulnerability/?do=findComment&amp;amp;comment=143745&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  ESRI : &lt;a href="https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/"&gt;https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  EVLLABS JGAAP : &lt;a href="https://github.com/evllabs/JGAAP/releases/tag/v8.0.2"&gt;https://github.com/evllabs/JGAAP/releases/tag/v8.0.2&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  F5 Networks : &lt;a href="https://support.f5.com/csp/article/K19026212"&gt;https://support.f5.com/csp/article/K19026212&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  F-Secure &lt;a href="https://status.f-secure.com/incidents/sk8vmr0h34pd"&gt;https://status.f-secure.com/incidents/sk8vmr0h34pd&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Fastly : &lt;a href="https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j"&gt;https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  ForcePoint : &lt;a href="https://support.forcepoint.com/s/article/CVE-2021-44228-Java-log4j-vulnerability-mitigation-with-Forcepoint-Security-Manager"&gt;https://support.forcepoint.com/s/article/CVE-2021-44228-Java-log4j-vulnerability-mitigation-with-Forcepoint-Security-Manager&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Forescout : &lt;a href="https://forescout.force.com/support/s/article/Important-security-information-related-to-Apache-Log4j-utility-CVE-2021-44228"&gt;https://forescout.force.com/support/s/article/Important-security-information-related-to-Apache-Log4j-utility-CVE-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  ForgeRock : &lt;a href="https://backstage.forgerock.com/knowledge/kb/book/b21824339"&gt;https://backstage.forgerock.com/knowledge/kb/book/b21824339&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Fortinet : &lt;a href="https://www.fortiguard.com/psirt/FG-IR-21-245"&gt;https://www.fortiguard.com/psirt/FG-IR-21-245&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  FusionAuth : &lt;a href="https://fusionauth.io/blog/2021/12/10/log4j-fusionauth/"&gt;https://fusionauth.io/blog/2021/12/10/log4j-fusionauth/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Genesys : &lt;a href="https://www.genesys.com/blog/post/genesys-update-on-the-apache-log4j-vulnerability"&gt;https://www.genesys.com/blog/post/genesys-update-on-the-apache-log4j-vulnerability&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Ghidra : &lt;a href="https://github.com/NationalSecurityAgency/ghidra/blob/2c73c72f0ba2720c6627be4005a721a5ebd64b46/README.md#warning"&gt;https://github.com/NationalSecurityAgency/ghidra/blob/2c73c72f0ba2720c6627be4005a721a5ebd64b46/README.md#warning&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  GitHub : &lt;a href="https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"&gt;https://github.com/advisories/GHSA-jfh8-c2jp-5v3q&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  GoAnywhere : &lt;a href="https://www.goanywhere.com/cve-2021-44228-goanywhere-mitigation-steps"&gt;https://www.goanywhere.com/cve-2021-44228-goanywhere-mitigation-steps&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Google Cloud Global Products coverage : &lt;a href="https://cloud.google.com/log4j2-security-advisory"&gt;https://cloud.google.com/log4j2-security-advisory&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Google Cloud Armor WAF : &lt;a href="https://cloud.google.com/blog/products/identity-security/cloud-armor-waf-rule-to-help-address-apache-log4j-vulnerability"&gt;https://cloud.google.com/blog/products/identity-security/cloud-armor-waf-rule-to-help-address-apache-log4j-vulnerability&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  GrayLog : &lt;a href="https://www.graylog.org/post/graylog-update-for-log4j"&gt;https://www.graylog.org/post/graylog-update-for-log4j&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  GratWiFi WARNING I can't confirm it: &lt;a href="https://www.facebook.com/GratWiFi/posts/396447615600785"&gt;https://www.facebook.com/GratWiFi/posts/396447615600785&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  GuardedBox : &lt;a href="https://twitter.com/GuardedBox/status/1469739834117799939"&gt;https://twitter.com/GuardedBox/status/1469739834117799939&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Guidewire : &lt;a href="https://community.guidewire.com/s/article/Update-to-customers-who-have-questions-about-the-use-of-log4j-in-Guidewire-products"&gt;https://community.guidewire.com/s/article/Update-to-customers-who-have-questions-about-the-use-of-log4j-in-Guidewire-products&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  HackerOne : &lt;a href="https://twitter.com/jobertabma/status/1469490881854013444"&gt;https://twitter.com/jobertabma/status/1469490881854013444&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  HCL Software : &lt;a href="https://support.hcltechsw.com/csm?id=kb_article&amp;amp;sysparm_article=KB0095486"&gt;https://support.hcltechsw.com/csm?id=kb_article&amp;amp;sysparm_article=KB0095486&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Huawei : &lt;a href="https://www.huawei.com/en/psirt/security-notices/huawei-sn-20211210-01-log4j2-en"&gt;https://www.huawei.com/en/psirt/security-notices/huawei-sn-20211210-01-log4j2-en&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  HostiFi : &lt;a href="https://twitter.com/hostifi_net/status/1469511114824339464"&gt;https://twitter.com/hostifi_net/status/1469511114824339464&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  I2P : &lt;a href="https://geti2p.net/en/blog/post/2021/12/11/i2p-unaffected-cve-2021-44228"&gt;https://geti2p.net/en/blog/post/2021/12/11/i2p-unaffected-cve-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Ignite Realtime : &lt;a href="https://discourse.igniterealtime.org/t/openfire-4-6-5-released/91108"&gt;https://discourse.igniterealtime.org/t/openfire-4-6-5-released/91108&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Imperva : &lt;a href="https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/"&gt;https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Inductive Automation : &lt;a href="https://support.inductiveautomation.com/hc/en-us/articles/4416204541709-Regarding-CVE-2021-44228-Log4j-RCE-0-day"&gt;https://support.inductiveautomation.com/hc/en-us/articles/4416204541709-Regarding-CVE-2021-44228-Log4j-RCE-0-day&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Informatica : &lt;a href="https://network.informatica.com/community/informatica-network/blog/2021/12/10/log4j-vulnerability-update"&gt;https://network.informatica.com/community/informatica-network/blog/2021/12/10/log4j-vulnerability-update&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Ivanti : &lt;a href="https://forums.ivanti.com/s/article/CVE-2021-44228-Java-logging-library-log4j-Ivanti-Products-Impact-Mapping?language=en_US"&gt;https://forums.ivanti.com/s/article/CVE-2021-44228-Java-logging-library-log4j-Ivanti-Products-Impact-Mapping?language=en_US&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  JAMF NATION : &lt;a href="https://community.jamf.com/t5/jamf-pro/third-party-security-issue/td-p/253740"&gt;https://community.jamf.com/t5/jamf-pro/third-party-security-issue/td-p/253740&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  JazzSM DASH IBM : &lt;a href="https://www.ibm.com/support/pages/node/6525552"&gt;https://www.ibm.com/support/pages/node/6525552&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Jenkins : &lt;a href="https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/"&gt;https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  JetBrains Teamcity : &lt;a href="https://youtrack.jetbrains.com/issue/TW-74298"&gt;https://youtrack.jetbrains.com/issue/TW-74298&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  JFROG : &lt;a href="https://twitter.com/jfrog/status/1469385793823199240"&gt;https://twitter.com/jfrog/status/1469385793823199240&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Jitsi : &lt;a href="https://github.com/jitsi/security-advisories/blob/4e1ab58585a8a0593efccce77d5d0e22c5338605/advisories/JSA-2021-0004.md"&gt;https://github.com/jitsi/security-advisories/blob/4e1ab58585a8a0593efccce77d5d0e22c5338605/advisories/JSA-2021-0004.md&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Kafka Connect CosmosDB : &lt;a href="https://github.com/microsoft/kafka-connect-cosmosdb/blob/0f5d0c9dbf2812400bb480d1ff0672dfa6bb56f0/CHANGELOG.md"&gt;https://github.com/microsoft/kafka-connect-cosmosdb/blob/0f5d0c9dbf2812400bb480d1ff0672dfa6bb56f0/CHANGELOG.md&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Kaseya : &lt;a href="https://helpdesk.kaseya.com/hc/en-gb/articles/4413449967377-Log4j2-Vulnerability-Assessment"&gt;https://helpdesk.kaseya.com/hc/en-gb/articles/4413449967377-Log4j2-Vulnerability-Assessment&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Keycloak : &lt;a href="https://github.com/keycloak/keycloak/discussions/9078"&gt;https://github.com/keycloak/keycloak/discussions/9078&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Leanix : &lt;a href="https://www.leanix.net/en/blog/log4j-vulnerability-log4shell"&gt;https://www.leanix.net/en/blog/log4j-vulnerability-log4shell&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  LucentSKY : &lt;a href="https://twitter.com/LucentSky/status/1469358706311974914"&gt;https://twitter.com/LucentSky/status/1469358706311974914&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Lightbend : &lt;a href="https://discuss.lightbend.com/t/regarding-the-log4j2-vulnerability-cve-2021-44228/9275"&gt;https://discuss.lightbend.com/t/regarding-the-log4j2-vulnerability-cve-2021-44228/9275&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  LogRhythm CISO email I can't confirmed : &lt;a href="https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592#gistcomment-3992599"&gt;https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592#gistcomment-3992599&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Macchina io : &lt;a href="https://twitter.com/macchina_io/status/1469611606569099269"&gt;https://twitter.com/macchina_io/status/1469611606569099269&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  MailCow : &lt;a href="https://github.com/mailcow/mailcow-dockerized/issues/4375"&gt;https://github.com/mailcow/mailcow-dockerized/issues/4375&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  McAfee : &lt;a href="https://kc.mcafee.com/corporate/index?page=content&amp;amp;id=KB95091"&gt;https://kc.mcafee.com/corporate/index?page=content&amp;amp;id=KB95091&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Metabase : &lt;a href="https://github.com/metabase/metabase/commit/8bfce98beb25e48830ac2bfd57432301c5e3ab37"&gt;https://github.com/metabase/metabase/commit/8bfce98beb25e48830ac2bfd57432301c5e3ab37&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Microsoft : &lt;a href="https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/"&gt;https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Minecraft : &lt;a href="https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition"&gt;https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  MISP : &lt;a href="https://twitter.com/MISPProject/status/1470051242038673412"&gt;https://twitter.com/MISPProject/status/1470051242038673412&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Mulesoft : &lt;a href="https://help.mulesoft.com/s/article/Apache-Log4j2-vulnerability-December-2021"&gt;https://help.mulesoft.com/s/article/Apache-Log4j2-vulnerability-December-2021&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  N-able : &lt;a href="https://www.n-able.com/security-and-privacy/apache-log4j-vulnerability"&gt;https://www.n-able.com/security-and-privacy/apache-log4j-vulnerability&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  NELSON : &lt;a href="https://github.com/getnelson/nelson/blob/f4d3dd1f1d4f8dfef02487f67aefb9c60ab48bf5/project/custom.scala"&gt;https://github.com/getnelson/nelson/blob/f4d3dd1f1d4f8dfef02487f67aefb9c60ab48bf5/project/custom.scala&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  NEO4J : &lt;a href="https://community.neo4j.com/t/log4j-cve-mitigation-for-neo4j/48856"&gt;https://community.neo4j.com/t/log4j-cve-mitigation-for-neo4j/48856&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  NetApp : &lt;a href="https://security.netapp.com/advisory/ntap-20211210-0007/"&gt;https://security.netapp.com/advisory/ntap-20211210-0007/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Netflix : &lt;a href="https://github.com/search?q=org%3ANetflix+CVE-2021-44228&amp;amp;type=commits"&gt;https://github.com/search?q=org%3ANetflix+CVE-2021-44228&amp;amp;type=commits&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  NextGen Healthcare Mirth : &lt;a href="https://github.com/nextgenhealthcare/connect/discussions/4892#discussioncomment-1789526"&gt;https://github.com/nextgenhealthcare/connect/discussions/4892#discussioncomment-1789526&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Newrelic : &lt;a href="https://github.com/newrelic/newrelic-java-agent/issues/605"&gt;https://github.com/newrelic/newrelic-java-agent/issues/605&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Nutanix : &lt;a href="https://download.nutanix.com/alerts/Security_Advisory_0023.pdf"&gt;https://download.nutanix.com/alerts/Security_Advisory_0023.pdf&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Okta : &lt;a href="https://sec.okta.com/articles/2021/12/log4shell"&gt;https://sec.okta.com/articles/2021/12/log4shell&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  OpenHab : &lt;a href="https://github.com/openhab/openhab-distro/pull/1343"&gt;https://github.com/openhab/openhab-distro/pull/1343&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  OpenNMS : &lt;a href="https://www.opennms.com/en/blog/2021-12-10-opennms-products-affected-by-apache-log4j-vulnerability-cve-2021-44228/"&gt;https://www.opennms.com/en/blog/2021-12-10-opennms-products-affected-by-apache-log4j-vulnerability-cve-2021-44228/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  OpenMRS TALK : &lt;a href="https://talk.openmrs.org/t/urgent-security-advisory-2021-12-11-re-apache-log4j-2/35341"&gt;https://talk.openmrs.org/t/urgent-security-advisory-2021-12-11-re-apache-log4j-2/35341&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  OpenSearch : &lt;a href="https://discuss.opendistrocommunity.dev/t/log4j-patch-for-cve-2021-44228/7950"&gt;https://discuss.opendistrocommunity.dev/t/log4j-patch-for-cve-2021-44228/7950&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Oracle : &lt;a href="https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"&gt;https://www.oracle.com/security-alerts/alert-cve-2021-44228.html&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  OxygenXML : &lt;a href="https://www.oxygenxml.com/security/advisory/CVE-2019-17571.html"&gt;https://www.oxygenxml.com/security/advisory/CVE-2019-17571.html&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Palo-Alto Networks : &lt;a href="https://security.paloaltonetworks.com/CVE-2021-44228"&gt;https://security.paloaltonetworks.com/CVE-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  PaperCut : &lt;a href="https://www.papercut.com/support/known-issues/#PO-684"&gt;https://www.papercut.com/support/known-issues/#PO-684&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Parse.ly : &lt;a href="https://blog.parse.ly/parse-ly-log4shell/"&gt;https://blog.parse.ly/parse-ly-log4shell/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Pega : &lt;a href="https://docs.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability"&gt;https://docs.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  PingIdentity : &lt;a href="https://support.pingidentity.com/s/article/Log4j2-vulnerability-CVE-CVE-2021-44228"&gt;https://support.pingidentity.com/s/article/Log4j2-vulnerability-CVE-CVE-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Positive Technologies : &lt;a href="https://twitter.com/ptsecurity/status/1469398376978522116"&gt;https://twitter.com/ptsecurity/status/1469398376978522116&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Progress / IpSwitch : &lt;a href="https://www.progress.com/security"&gt;https://www.progress.com/security&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Pulse Secure : &lt;a href="https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44933/?kA13Z000000L3dR"&gt;https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44933/?kA13Z000000L3dR&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Puppet : &lt;a href="https://puppet.com/blog/puppet-response-to-remote-code-execution-vulnerability-cve-2021-44228/"&gt;https://puppet.com/blog/puppet-response-to-remote-code-execution-vulnerability-cve-2021-44228/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Pure Storage : &lt;a href="https://support.purestorage.com/Field_Bulletins/Interim_Security_Advisory_Regarding_CVE-2021-44228_(%22log4j%22)"&gt;https://support.purestorage.com/Field_Bulletins/Interim_Security_Advisory_Regarding_CVE-2021-44228_(%22log4j%22)&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Qlik : &lt;a href="https://community.qlik.com/t5/Support-Updates-Blog/Vulnerability-Testing-Apache-Log4j-reference-CVE-2021-44228-also/ba-p/1869368"&gt;https://community.qlik.com/t5/Support-Updates-Blog/Vulnerability-Testing-Apache-Log4j-reference-CVE-2021-44228-also/ba-p/1869368&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Quest KACE : &lt;a href="https://support.quest.com/kace-systems-management-appliance/kb/335869/is-the-kace-sma-affected-by-cve-2021-44228"&gt;https://support.quest.com/kace-systems-management-appliance/kb/335869/is-the-kace-sma-affected-by-cve-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Radware : &lt;a href="https://support.radware.com/app/answers/answer_view/a_id/1029752"&gt;https://support.radware.com/app/answers/answer_view/a_id/1029752&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Red5Pro : &lt;a href="https://www.red5pro.com/blog/red5-marked-safe-from-log4j-and-log4j2-zero-day/"&gt;https://www.red5pro.com/blog/red5-marked-safe-from-log4j-and-log4j2-zero-day/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  RedHat : &lt;a href="https://access.redhat.com/security/cve/cve-2021-44228"&gt;https://access.redhat.com/security/cve/cve-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Revenera / Flexera : &lt;a href="https://community.flexera.com/t5/Revenera-Company-News/Security-Advisory-Log4j-Java-Vulnerability-CVE-2021-44228/ba-p/216905"&gt;https://community.flexera.com/t5/Revenera-Company-News/Security-Advisory-Log4j-Java-Vulnerability-CVE-2021-44228/ba-p/216905&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  RunDeck by PagerDuty : &lt;a href="https://docs.rundeck.com/docs/history/CVEs/"&gt;https://docs.rundeck.com/docs/history/CVEs/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  RSA : &lt;a href="https://community.rsa.com/t5/general-security-advisories-and/rsa-customer-advisory-apache-vulnerability-log4j2-cve-2021-44228/ta-p/660501"&gt;https://community.rsa.com/t5/general-security-advisories-and/rsa-customer-advisory-apache-vulnerability-log4j2-cve-2021-44228/ta-p/660501&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Rubrik : &lt;a href="https://support.rubrik.com/s/announcementdetail?Id=a406f000001PwOcAAK"&gt;https://support.rubrik.com/s/announcementdetail?Id=a406f000001PwOcAAK&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  SAFE FME Server : &lt;a href="https://community.safe.com/s/article/Is-FME-Server-Affected-by-the-Security-Vulnerability-Reported-Against-log4j"&gt;https://community.safe.com/s/article/Is-FME-Server-Affected-by-the-Security-Vulnerability-Reported-Against-log4j&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  SailPoint : &lt;a href="https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-log4j-Remote-Code-Execution-Vulnerability/ba-p/206681"&gt;https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-log4j-Remote-Code-Execution-Vulnerability/ba-p/206681&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Salesforce : &lt;a href="https://help.salesforce.com/s/articleView?id=000363736&amp;amp;type=1"&gt;https://help.salesforce.com/s/articleView?id=000363736&amp;amp;type=1&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  SAP BusinessObjects : &lt;a href="https://launchpad.support.sap.com/#/notes/3129956"&gt;https://launchpad.support.sap.com/#/notes/3129956&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  SAP Global coverage : &lt;a href="https://launchpad.support.sap.com/#/notes/3129930"&gt;https://launchpad.support.sap.com/#/notes/3129930&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  SAS : &lt;a href="https://support.sas.com/content/support/en/security-bulletins/remote-code-execution-vulnerability-cve-2021-44228.html"&gt;https://support.sas.com/content/support/en/security-bulletins/remote-code-execution-vulnerability-cve-2021-44228.html&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Security Onion : &lt;a href="https://blog.securityonion.net/2021/12/security-onion-2390-20211210-hotfix-now.html"&gt;https://blog.securityonion.net/2021/12/security-onion-2390-20211210-hotfix-now.html&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  ServiceNow : &lt;a href="https://support.servicenow.com/kb?id=kb_article_view&amp;amp;sysparm_article=KB1000959"&gt;https://support.servicenow.com/kb?id=kb_article_view&amp;amp;sysparm_article=KB1000959&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Sesam Info : &lt;a href="https://twitter.com/sesam_info/status/1469711992122486791"&gt;https://twitter.com/sesam_info/status/1469711992122486791&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Shibboleth : &lt;a href="http://shibboleth.net/pipermail/announce/2021-December/000253.html"&gt;http://shibboleth.net/pipermail/announce/2021-December/000253.html&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Signald : &lt;a href="https://gitlab.com/signald/signald/-/issues/259"&gt;https://gitlab.com/signald/signald/-/issues/259&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Skillable : &lt;a href="https://skillable.com/log4shell/"&gt;https://skillable.com/log4shell/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  SLF4J : &lt;a href="http://slf4j.org/log4shell.html"&gt;http://slf4j.org/log4shell.html&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  SmileCDR : &lt;a href="https://www.smilecdr.com/our-blog/a-statement-on-log4shell-cve-2021-44228"&gt;https://www.smilecdr.com/our-blog/a-statement-on-log4shell-cve-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Software AG : &lt;a href="https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849"&gt;https://tech.forums.softwareag.com/t/log4j-zero-day-vulnerability/253849&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  SolarWinds : &lt;a href="https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228"&gt;https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  SonarSource : &lt;a href="https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721"&gt;https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Sonatype : &lt;a href="https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild"&gt;https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  SonicWall : &lt;a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"&gt;https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Sophos : &lt;a href="https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce"&gt;https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Splunk : &lt;a href="https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html"&gt;https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Spring Boot : &lt;a href="https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot"&gt;https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  SUSE : &lt;a href="https://www.suse.com/security/cve/CVE-2021-44228.html"&gt;https://www.suse.com/security/cve/CVE-2021-44228.html&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Sterling Order IBM : &lt;a href="https://www.ibm.com/support/pages/node/6525544"&gt;https://www.ibm.com/support/pages/node/6525544&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Swingset : &lt;a href="https://github.com/bpangburn/swingset/blob/017452b2d0d8370871f43a68043dacf53af7f759/swingset/CHANGELOG.txt#L10"&gt;https://github.com/bpangburn/swingset/blob/017452b2d0d8370871f43a68043dacf53af7f759/swingset/CHANGELOG.txt#L10&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Synopsys : &lt;a href="https://community.synopsys.com/s/article/SIG-Security-Advisory-for-Apache-Log4J2-CVE-2021-44228"&gt;https://community.synopsys.com/s/article/SIG-Security-Advisory-for-Apache-Log4J2-CVE-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Talend : &lt;a href="https://jira.talendforge.org/browse/TCOMP-2054"&gt;https://jira.talendforge.org/browse/TCOMP-2054&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  TealiumIQ : &lt;a href="https://community.tealiumiq.com/t5/Announcements-Blog/Update-on-Log4j-Security-Vulnerability/ba-p/36824"&gt;https://community.tealiumiq.com/t5/Announcements-Blog/Update-on-Log4j-Security-Vulnerability/ba-p/36824&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  TrendMicro : &lt;a href="https://success.trendmicro.com/solution/000289940"&gt;https://success.trendmicro.com/solution/000289940&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Ubiquiti-UniFi-UI : &lt;a href="https://community.ui.com/releases/UniFi-Network-Application-6-5-54/d717f241-48bb-4979-8b10-99db36ddabe1"&gt;https://community.ui.com/releases/UniFi-Network-Application-6-5-54/d717f241-48bb-4979-8b10-99db36ddabe1&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Ubuntu : &lt;a href="https://ubuntu.com/security/CVE-2021-44228"&gt;https://ubuntu.com/security/CVE-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  USSIGNAL MSP : &lt;a href="https://ussignal.com/blog/apache-log4j-vulnerability"&gt;https://ussignal.com/blog/apache-log4j-vulnerability&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Varonis : &lt;a href="https://help.varonis.com/s/article/Apache-Log4j-Zero-Day-Vulnerability-CVE-2021-44228"&gt;https://help.varonis.com/s/article/Apache-Log4j-Zero-Day-Vulnerability-CVE-2021-44228&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Veeam : &lt;a href="https://forums.veeam.com/veeam-backup-for-azure-f59/log4j-cve-2021-44228-vulnerability-t78225.html#p438231"&gt;https://forums.veeam.com/veeam-backup-for-azure-f59/log4j-cve-2021-44228-vulnerability-t78225.html#p438231&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Vespa ENGINE : &lt;a href="https://github.com/vespa-engine/blog/blob/f281ce4399ed3e97b4fed32fcc36f9ba4b17b1e2/_posts/2021-12-10-log4j-vulnerability.md"&gt;https://github.com/vespa-engine/blog/blob/f281ce4399ed3e97b4fed32fcc36f9ba4b17b1e2/_posts/2021-12-10-log4j-vulnerability.md&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  VMware : &lt;a href="https://www.vmware.com/security/advisories/VMSA-2021-0028.html"&gt;https://www.vmware.com/security/advisories/VMSA-2021-0028.html&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Wallarm : &lt;a href="https://lab.wallarm.com/cve-2021-44228-mitigation-update/"&gt;https://lab.wallarm.com/cve-2021-44228-mitigation-update/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  WatchGuard / Secplicity / &lt;a href="https://www.secplicity.org/2021/12/10/critical-rce-vulnerability-in-log4js/"&gt;https://www.secplicity.org/2021/12/10/critical-rce-vulnerability-in-log4js/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  WitFoo : &lt;a href="https://www.witfoo.com/blog/emergency-update-for-cve-2021-44228-log4j/"&gt;https://www.witfoo.com/blog/emergency-update-for-cve-2021-44228-log4j/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Wowza : &lt;a href="https://www.wowza.com/docs/known-issues-with-wowza-streaming-engine#log4j2-cve"&gt;https://www.wowza.com/docs/known-issues-with-wowza-streaming-engine#log4j2-cve&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  WSO2 : &lt;a href="https://github.com/wso2/security-tools/pull/169"&gt;https://github.com/wso2/security-tools/pull/169&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  XCP-ng : &lt;a href="https://xcp-ng.org/forum/topic/5315/log4j-vulnerability-impact"&gt;https://xcp-ng.org/forum/topic/5315/log4j-vulnerability-impact&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Yandex-Cloud : &lt;a href="https://github.com/yandex-cloud/docs/blob/6ff6c676787756e7dd6101c53b051e4cd04b3e85/ru/overview/security-bulletins/index.md#10122021--cve-2021-44228--%D1%83%D0%B4%D0%B0%D0%BB%D0%B5%D0%BD%D0%BD%D0%BE%D0%B5-%D0%B2%D1%8B%D0%BF%D0%BE%D0%BB%D0%BD%D0%B5%D0%BD%D0%B8%D0%B5-%D0%BA%D0%BE%D0%B4%D0%B0-log4shell-apache-log4j"&gt;https://github.com/yandex-cloud/docs/blob/6ff6c676787756e7dd6101c53b051e4cd04b3e85/ru/overview/security-bulletins/index.md#10122021--cve-2021-44228--%D1%83%D0%B4%D0%B0%D0%BB%D0%B5%D0%BD%D0%BD%D0%BE%D0%B5-%D0%B2%D1%8B%D0%BF%D0%BE%D0%BB%D0%BD%D0%B5%D0%BD%D0%B8%D0%B5-%D0%BA%D0%BE%D0%B4%D0%B0-log4shell-apache-log4j&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  ZAMMAD : &lt;a href="https://community.zammad.org/t/cve-2021-44228-elasticsearch-users-be-aware/8256"&gt;https://community.zammad.org/t/cve-2021-44228-elasticsearch-users-be-aware/8256&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Zaproxy : &lt;a href="https://www.zaproxy.org/blog/2021-12-10-zap-and-log4shell/"&gt;https://www.zaproxy.org/blog/2021-12-10-zap-and-log4shell/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Zerto : &lt;a href="https://help.zerto.com/kb/000004822"&gt;https://help.zerto.com/kb/000004822&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Zesty : &lt;a href="https://www.zesty.io/mindshare/company-announcements/log4j-exploit/"&gt;https://www.zesty.io/mindshare/company-announcements/log4j-exploit/&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  ZSCALER : &lt;a href="https://www.zscaler.fr/blogs/security-research/security-advisory-log4j-0-day-remote-code-execution-vulnerability-cve-2021"&gt;https://www.zscaler.fr/blogs/security-research/security-advisory-log4j-0-day-remote-code-execution-vulnerability-cve-2021&lt;/a&gt;
&lt;/h2&gt;

</description>
      <category>devops</category>
      <category>codequality</category>
      <category>codereview</category>
    </item>
  </channel>
</rss>
