Learn how to design and deploy a production-ready, multi-AZ ECS Fargate architecture on AWS using CloudFormation. This guide walks through VPC design, ALB configuration, ECS services, security groups, health checks, and deployment strategies for highly available enterprise workloads.
High availability isn't optional for production workloads. When we built infrastructure for a CRM platform handling enterprise customers, multi-AZ deployment was a non-negotiable requirement. Here's what we learned about building resilient ECS Fargate architectures.
AWS availability zones are physically separate data centers within a region. When you deploy to a single AZ, you're one power outage, network issue, or hardware failure away from complete downtime.
The math is simple: A single AZ typically offers 99.9% availability. Two AZs configured correctly can achieve 99.99% or higher. For a business application, that's the difference between 8+ hours of downtime per year versus less than an hour.
Multi-AZ deployments provide:
The architecture follows a proven pattern: an Application Load Balancer sits in front of ECS Fargate tasks distributed across two availability zones. Each AZ contains its own public subnet with ECS tasks running independently.
Key components:
Your VPC forms the foundation of the entire architecture. Get this right and everything else becomes easier.
CIDR block sizing matters. We used a /16 block (10.5.0.0/16) which gives us 65,536 IP addresses. This provides plenty of room for growth without requiring painful re-architecting later. Each subnet uses a /24 block (256 addresses), leaving space for additional subnets as needs evolve.
Enable DNS support. Both EnableDnsHostnames and EnableDnsSupport should be true. This allows your containers to resolve internal AWS service endpoints and communicate with other resources by hostname.
Plan for private subnets. While our example uses public subnets for simplicity, production workloads often benefit from private subnets with NAT gateways. This adds cost but improves security by keeping containers off the public internet.
The Application Load Balancer is the traffic distribution brain of your architecture.
Cross-zone load balancing is enabled by default on ALBs, meaning traffic is distributed evenly across all healthy targets regardless of which AZ they're in. This prevents hot spots when one AZ has more capacity than another.
Health check configuration determines how quickly unhealthy targets are removed from rotation. We use:
SSL termination happens at the ALB. This offloads TLS processing from your containers and simplifies certificate management through AWS Certificate Manager.
Sticky sessions should be avoided unless absolutely necessary. They can cause uneven load distribution and complicate scaling. If you need session persistence, consider external session storage like ElastiCache.
The ECS service definition controls how your containers are deployed and scaled.
Desired count should be at least 2 for multi-AZ redundancy. We typically start with 2 and let auto-scaling handle increases based on load.
Deployment configuration uses these settings:
This means during a deployment, ECS spins up new tasks before terminating old ones, maintaining service availability throughout the process.
Task placement happens automatically when you specify multiple subnets in your service's network configuration. ECS spreads tasks across AZs to maximize availability.
Platform version should be explicitly set to LATEST or a specific version. AWS occasionally introduces new platform versions with security patches and feature improvements.
Security groups are your primary network access control mechanism. We use a layered approach:
ALB Security Group:
ECS Task Security Group:
Database Security Group:
This chain ensures traffic can only flow through the intended path: Internet → ALB → ECS Tasks → Database.
Proper health checks are critical for multi-AZ resilience. You need both ALB target group health checks and ECS container health checks.
ALB health checks determine which tasks receive traffic. A failing health check removes the task from the target group within seconds. Design your health endpoint to:
Container health checks are defined in your task definition. They help ECS detect containers that are running but not functioning correctly. A failing container health check triggers ECS to stop and replace the task.
Grace period gives new containers time to start up before health checks begin. Set this longer than your container's startup time to prevent premature failures.
Rolling deployments work well for most use cases. ECS gradually replaces old tasks with new ones while maintaining service availability.
For higher-risk deployments, consider blue-green deployments with AWS CodeDeploy:
Circuit breaker configuration (available since late 2020) automatically rolls back deployments that fail to stabilize. Enable this to prevent bad deployments from taking down your entire service.
Deployment alarms can trigger rollbacks based on CloudWatch metrics. If error rates spike or latency increases beyond thresholds, CodeDeploy automatically reverts to the previous version.
Visibility into your multi-AZ deployment is essential.
CloudWatch Container Insights provides detailed metrics for ECS:
Key metrics to alert on:
Distributed tracing with AWS X-Ray helps debug issues that span multiple services. Enable the X-Ray daemon sidecar in your task definition for automatic trace collection.
Multi-AZ deployments cost more than single-AZ, but usually not double.
What scales with AZs:
What doesn't scale:
Cost optimization tips:
Building a multi-AZ ECS Fargate architecture requires coordinating VPC design, load balancing, service configuration, and security. The investment pays off with significantly improved availability and resilience.
| Component | Recommendation |
|---|---|
| Availability Zones | Minimum 2, consider 3 for critical workloads |
| Task Count | At least 2 for redundancy |
| Health Checks | Both ALB and container level |
| Deployments | Rolling with circuit breaker enabled |
| Security Groups | Layered, least-privilege approach |
| Monitoring | Container Insights + custom alarms |
Start with at least two AZs, implement proper health checks at multiple levels, and use rolling deployments with circuit breakers for zero-downtime updates. The patterns described here have served us well across dozens of production deployments.
Production-tested AWS WAF best practices for securing fintech applications, including recommended architecture, managed rule groups, CloudFormation configuration, monitoring, and common pitfalls to avoid.
Read moreHow we used AWS Cloud Map to solve service discovery, health-aware routing, and configuration drift in a 7-microservice transport management system running on ECS.
Read moreA practical, step-by-step FinOps playbook showing how a ride-sharing platform reduced their AWS bill from $85,000 to $51,000 per month using tagging, right-sizing, auto-scaling, Graviton, Spot, and Savings Plans.
Read more