Streamlining and deploying Windows Containers on AWS

Containers are often associated with Linux, given their widespread use and the ease with which most Continuous Integration/Continuous Deployment (CI/CD) tools can configure and deploy them. However, deploying Windows containers on Amazon Web Services (AWS) presents different challenges. To address this, the Alpha Omega Digital Modernization Center of Excellence (COE) developed a standardized and automated solution within the Perseus™ Development, Security, and Operations (DevSecOps) accelerator. This solution streamlines and ensures the repeatability of deploying Windows containers efficiently on AWS.

 AWS native tools and processes are well-documented and standardized across various application environments. Typically, code is checked into a repository, built using CodeBuild, stored in Elastic Container Registry (ECR), and then deployed via CodePipeline and CodeDeploy to the container service of choice. However, building a Windows container inside a Linux container is not feasible, as Docker-in-Docker is not supported for Windows containers. This rules out using CodeBuild for the container build. This solution-based paper offers a repeatable method for building and deploying Windows-based containers on AWS with maximum automation and minimal human involvement.

Here are few automation considerations that are a must for an automated container pipeline on AWS: 

To determine what changes are needed, it is helpful to examine a typical Linux container pipeline:

The pipeline is triggered when code is checked into the code repository, which could be Git, AWS CodeCommit, or similar. Most repositories have a way to initiate events. In a standard pipeline, this triggers Amazon Web Services (AWS) CodeBuild. The CodeBuild job clones the repository, sets up a build environment (running Docker in the background), and then builds the code and Docker image. Once the image is successfully built, it is pushed to AWS Elastic Container Registry (ECR). This image push triggers the next event, initiating the deployment phase of the pipeline, typically after some container scanning.

With the end-to-end process outlined, the next step is determining the necessary adjustments. An ephemeral build environment, such as CodeBuild, is preferred—incurring costs only during the build phase and requiring no ongoing maintenance. EC2 Image Builder, when combined with additional components, effectively meets this requirement.

In the updated pipeline, the components in the Deployment section, located to the right of ECR, remain unchanged. Only the container build process requires modification to accommodate both Windows and Linux-based containers within the same computing environment. In this use case, the repository was hosted on a GitHub Enterprise server within a private VPC in a separate account, presenting connectivity challenges with Image Builder. To address this, a Lambda function was triggered by code commits. This Lambda function connected through AWS PrivateLink to the repository, cloned the code, created a zip file of it, and uploaded the file to an S3 bucket. A bucket notification then initiated the EC2 Image Builder job via an EventBridge Rule. EC2 Image Builder launched a Windows instance, which retrieved the code from S3, built the container, and pushed it to the ECR repository. An Instance Profile attached to the build instance facilitated easy access to the code from S3. Upon completion of the build job, the instance was terminated, eliminating the need for ongoing management. Each build job executes on a fresh, up-to-date new instance.

Are there any challenges with Windows containers? Absolutely! Consider the following:

While this extended start-up time might be a bit inconvenient, it’s manageable within the deployment process. Plus, moving away from running Windows servers often results in a big reduction in operational overhead and costs.

To summarize, transitioning your legacy Windows applications from Windows EC2 instances to Windows Docker containers is achievable with a well-designed automation pipeline. While CodeBuild has limitations for this purpose, it can be replaced with EC2 Image Builder, along with implementing additional components. This setup will result in a streamlined CI/CD pipeline for your legacy Windows applications, enabling you to leverage the benefits of Amazon ECS or EKS effectively.