Modernize .NET Applications with Linux Containers | AWS White Paper Summary

  • Since the introduction of .NET Framework in 2002, more than six million developers have adopted the .NET programming ecosystem to build their applications.
  • In its initial form, .NET was built to run exclusively on the Windows operating system.

  • This resulted in large portfolios of applications running on .NET and Windows, particularly in the enterprise.

  • Many organizations simultaneously want to move their VM-based deployments to containers, to predictably deploy their applications across environments, maximize the efficiency of their resource consumption, and introduce DevOps practices to automate their development lifecycle.

  • Gartner predicts that by 2022, more than 75% of global organizations will be running containerized applications in production, up from less than 30% in 2020.

  • An IDC survey found that 45% of respondents’ application portfolio is running in containers today, and that is expected to increase to 60% in three years.

  • This paper walks through the use case of modernizing a .NET Framework application running on Windows VMs to .NET 5 and Linux containers running on Amazon Elastic Container Service (Amazon ECS) and AWS Fargate.

  • This guide uses AWS Fargate for ECS to deploy containerized .NET Framework applications on AWS.

Choosing container orchestration

  • When choosing your container orchestration option, you should start with the question, “How much of the container infrastructure do I want to manage?” The following options are available to you:
    • Self-Managed Containers on Amazon Elastic Compute Cloud (Amazon EC2)
    • Amazon Elastic Container Service
    • Amazon Elastic Kubernetes Service
    • AWS Fargate

Cost considerations

Cloud Computing

  • Cloud computing helps businesses reduce costs and complexity, adjust capacity on-demand, accelerate time-to-market, increase opportunities for innovation, and enhance security.
  • Weighing the financial considerations of operating an on-premises data center versus using cloud infrastructure is not as simple as comparing hardware, storage, and compute costs.

AWS pricing model

  • AWS offers a simple, consistent, pay-as-you-go pricing model, so you are charged only for the resources you consume.
  • With this model, there are no upfront fees, no minimum commitments, and no long-term contracts required.
  • There is also flexibility to choose the pricing model that best fits your needs if the pay-as-you-go model is not optimal for your use case.
  • Short descriptions of all of these pricing models are found below.

    • On-Demand Instance — With On-Demand Instances, you pay for compute capacity by the hour, with no minimum commitments required.
    • Reserved Instance — For longer-term savings, you can purchase in advance. In addition to providing a significant discount (up to 60 percent) compared to On-Demand Instance pricing, Reserved Instances allow you to reserve capacity.
    • Spot Instance — You can request unused Amazon Elastic Compute Cloud (Amazon EC2) capacity. Instances are charged the Spot Price, which is set by Amazon EC2 and fluctuates, depending on supply and demand.

Summary by service and operating system

  • The following table represents the summary of running the preceding application on each service, and compares the monthly cost of running on Windows versus Linux.
  • These figures include the cost of compute, the Amazon VPC, and ELB.
  • Running on Linux costs less than running on Windows for each service.

AWS Fargate pricing

  • AWS Fargate does not support Windows containers at this time.

Architecture overview

Replatforming from Windows VMs to Linux containers

  • Prerequisites
    • Install Docker. See Docker Desktop.
    • Install the AWS CDK. See AWS CDK Toolkit (cdk command).
    • Install the AWS CLI. See AWS Command Line Interface.

Containerize the application

  • Before you deploy the application to AWS, you will containerize it locally and ensure that it builds.
  • Create a file with the following content and name it Dockerfile. Save it in the same folder as the MvcMusicStore.csproj file.

# Runtime base image
FROM mcr.microsoft.com/dotnet/aspnet:5.0 AS base
WORKDIR /app
EXPOSE 80
EXPOSE 443

# Restore dependencies and build with the SDK image
FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /src
COPY ["MvcMusicStore.csproj", "./"]
RUN dotnet restore "./MvcMusicStore.csproj"
COPY . .
WORKDIR "/src/."
RUN dotnet build "MvcMusicStore.csproj" -c Release -o /app/build

# Publish the application
FROM build AS publish
RUN dotnet publish "MvcMusicStore.csproj" -c Release -o /app/publish

# Final image: runtime base plus the published output
FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "MvcMusicStore.dll"]

  • Ensure Docker is started locally, and from the command line, set the working directory to the folder containing the above Dockerfile.
  • Run the following command to ensure that the application container image builds successfully.

docker build . -t music-store

  • Run the docker images command from the command line. You should see a newly created music-store Docker image in the output:

REPOSITORY    TAG      IMAGE ID       CREATED         SIZE
music-store   latest   19fa5c6fb0c3   2 minutes ago   233MB
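The Dockerfile above sets no USER and exposes ports 80 and 443, so the final image runs as the base image's default user. The following is an added example, not code from the white paper: it resolves the final stage through its parent stages and reports both points. The function names, the abridged `PAPER` text and the `HARDENED` variant (UID 10001, port 8080, TLS terminated at the load balancer) are assumptions.

```python
import re

def parse_stages(dockerfile):
    """Split a Dockerfile into stages: {'name', 'base', 'ins': [(OP, args), ...]}."""
    stages = []
    for line in re.sub(r"\\[ \t]*\n", " ", dockerfile).splitlines():  # join continuations
        op, _, args = line.strip().partition(" ")
        if op.upper() == "FROM":
            m = re.match(r"(?:--\S+\s+)*(\S+)(?:\s+as\s+(\S+))?", args.strip(), re.I)
            stages.append({"base": m.group(1), "name": (m.group(2) or "").lower(), "ins": []})
        elif stages and op and not op.startswith("#"):
            stages[-1]["ins"].append((op.upper(), args.strip()))
    if not stages:
        raise ValueError("no FROM instruction")
    return stages

def final_image(stages):
    """Follow the last stage back through its parent stages: (user, ports, external base)."""
    chain, idx = [], len(stages) - 1
    while idx is not None:
        chain.insert(0, stages[idx])
        idx = next((i for i in range(idx) if stages[i]["name"] == chain[0]["base"].lower()), None)
    ins = [i for stage in chain for i in stage["ins"]]
    users = [args for op, args in ins if op == "USER"]  # the last USER wins
    ports = {int(p.split("/")[0]) for op, args in ins if op == "EXPOSE"
             for p in args.split() if p.split("/")[0].isdigit()}
    return (users[-1] if users else None), ports, chain[0]["base"]

def audit(dockerfile):  # findings for the image the last stage produces
    user, ports, base = final_image(parse_stages(dockerfile))
    findings = []
    if user is None:
        findings.append(f"no USER set; image runs as the default user of {base}")
    elif user.split(":")[0] in ("root", "0"):
        findings.append("USER is root")
    if any(p < 1024 for p in ports):
        findings.append(f"privileged ports exposed: {sorted(p for p in ports if p < 1024)}")
    return findings

# Runtime-relevant lines of the Dockerfile above (build steps abridged).
PAPER = """FROM mcr.microsoft.com/dotnet/aspnet:5.0 AS base
EXPOSE 80
EXPOSE 443
FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
FROM base AS final
ENTRYPOINT ["dotnet", "MvcMusicStore.dll"]"""
# Constructed hardened variant (assumption): port 8080 and a numeric non-root UID.
HARDENED = (PAPER.replace("EXPOSE 80\nEXPOSE 443", "ENV ASPNETCORE_URLS=http://+:8080\nEXPOSE 8080")
            .replace("ENTRYPOINT", "USER 10001:10001\nENTRYPOINT"))
```

`audit(PAPER)` returns two findings and `audit(HARDENED)` returns none; with the hardened variant, the container port in the ECS task definition and load balancer target group must be 8080 as well.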

Create the infrastructure as code

  • There are various ways to create a Fargate service, such as using the AWS Management Console, the AWS CLI, an AWS CloudFormation template, or the AWS Cloud Development Kit (AWS CDK).
  • AWS CDK is an open-source software development framework to define your cloud application resources using familiar programming languages.

Logging and monitoring

  • Monitoring is an important part of maintaining the reliability, availability, and performance of your applications running on Amazon ECS.
  • You should collect monitoring data from all of the parts of your AWS stack so that you can more easily debug a multi-point failure if one occurs.
  • AWS provides several tools for monitoring your Amazon ECS resources and responding to potential incidents.

Security

  • Shared responsibility model with the customer: AWS manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate, and AWS customers are responsible for building secure applications.

User to application authentication and authorization

  • Amazon also provides an ASP.NET Core Identity Provider for Amazon Cognito, which allows ASP.NET Core applications to easily integrate with Amazon Cognito in their web applications for user authentication and authorization.
  • The following integrations are also supported:
    • User authentication through an identity provider (IdP) that is OpenID Connect (OIDC) compliant
    • User authentication through well-known IdPs such as Amazon, Facebook, and Google through Amazon Cognito user pools
    • User authentication through corporate identities using SAML, LDAP, or Microsoft Active Directory through Amazon Cognito user pools

Application to database authentication and authorization

  • Amazon RDS supports both Windows and SQL Server authentication modes when connecting an application to the database.

Windows Authentication

  • Windows (or Integrated) Authentication is the common mechanism for clients and applications to connect to SQL Server databases.
  • The best practice is to use a separate Amazon ECS task as a ticket renewal “sidecar” that stores the Kerberos ticket in Fargate task storage. The application reads the ticket from Fargate task storage and connects to the database using Windows Authentication.

Identity and access management for Amazon ECS

Service-linked role

  • There are multiple activities that the Amazon ECS service runs as it orchestrates your container workloads.

  • Amazon ECS uses a service-linked role for the permissions it requires to call other AWS services on your behalf.

  • These include services like Amazon EC2 to manage elastic network interfaces, ELB to manage targets, and Amazon Route 53 for creating health checks, amongst others.

Container Instance role

Task execution role

  • The task execution role grants the Amazon ECS container agent permission to make AWS API calls on your behalf when an Amazon ECS task is started.
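Both the task execution role and the task role are assumed through the `ecs-tasks.amazonaws.com` service principal, so the trust policy decides who else can obtain their permissions. The following is an added example, not code from the white paper: the function name, both sample policies and the placeholder account ID 111122223333 are constructed, and the `aws:SourceAccount` / `aws:SourceArn` scoping check follows AWS's Amazon ECS IAM documentation rather than this page.

```python
ECS_TASKS = "ecs-tasks.amazonaws.com"
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # condition keys compare case-insensitively

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_task_trust_policy(policy):
    """Return findings for a trust policy meant for an ECS task or task execution role."""
    findings, ecs_allowed = [], False
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for value in _as_list(values):
                if (kind, value) == ("Service", ECS_TASKS):
                    ecs_allowed = True
                else:
                    findings.append(f"statement {n}: unexpected principal {kind}={value}")
        keys = {k.lower() for cond in stmt.get("Condition", {}).values() for k in cond}
        if not keys & SCOPING_KEYS:
            findings.append(f"statement {n}: no aws:SourceAccount or aws:SourceArn condition")
    if not ecs_allowed:
        findings.append(f"{ECS_TASKS} cannot assume this role")
    return findings

# Constructed trust policies; 111122223333 is a placeholder account ID.
BROAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["ecs-tasks.amazonaws.com", "ec2.amazonaws.com"]}}]}
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "ecs-tasks.amazonaws.com"},
    "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"},
                  "ArnLike": {"aws:SourceArn": "arn:aws:ecs:us-east-1:111122223333:*"}}}]}
```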

Task role

Original paper