Posts for: #Cloud

ECS Fargate Production Patterns That Actually Work

I’ve deployed and managed many containerized services on ECS Fargate. Over time, a set of patterns has emerged that I apply consistently to every new service. This post documents those patterns with Terraform examples, covering everything from Fargate Spot strategies to deployment circuit breakers and ARM64 migration.

The Standard Architecture

Every service I deploy follows the same high-level architecture:

Internet/VPC -> ALB (HTTPS, TLS 1.3) -> ECS Fargate -> Aurora PostgreSQL Serverless v2
                 |
                 WAF (rate limiting + AWS managed rules)

Each component has its own security group and accepts traffic only from the layer directly above it. The ALB is internal (private subnets, nothing public-facing), and Route53 private hosted zones handle internal DNS.
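The layer-to-layer rule above is easiest to get right when every ingress rule references the previous layer's security group rather than a CIDR. The Terraform below is an added example, not the post's own code: it builds the three security groups for the diagram (internal ALB, Fargate tasks, Aurora), a listener pinned to a TLS 1.3 policy, and the WAF association. Resource names, the variables, the `/healthz` path and container port 8080 are assumptions for illustration.

```hcl
# Added example (not from the post): security-group chain, TLS 1.3 listener
# and WAF association. Names, variables and port 8080 are assumptions.
variable "vpc_id" { type = string }
variable "vpc_cidr" { type = string } # e.g. "10.0.0.0/16" (assumed)
variable "private_subnet_ids" { type = list(string) }
variable "certificate_arn" { type = string }
variable "web_acl_arn" { type = string } # regional WAFv2 ACL: rate limit + AWS managed rules
variable "app_port" {
  type    = number
  default = 8080
}

# One group per layer. The AWS provider strips AWS's default allow-all egress
# rule from groups it creates, so every flow below is stated explicitly.
resource "aws_security_group" "layer" {
  for_each = { alb = "svc-alb", ecs = "svc-ecs", db = "svc-db" }
  name     = each.value
  vpc_id   = var.vpc_id
}

# Layer 1: the ALB is internal, so it accepts HTTPS only from inside the VPC.
resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = aws_security_group.layer["alb"].id
  cidr_ipv4         = var.vpc_cidr
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}
# Layer 2: tasks accept the app port only from the ALB's group, never a CIDR.
resource "aws_vpc_security_group_ingress_rule" "ecs_from_alb" {
  security_group_id            = aws_security_group.layer["ecs"].id
  referenced_security_group_id = aws_security_group.layer["alb"].id
  from_port                    = var.app_port
  to_port                      = var.app_port
  ip_protocol                  = "tcp"
}
# Layer 3: Aurora accepts PostgreSQL only from the task group.
resource "aws_vpc_security_group_ingress_rule" "db_from_ecs" {
  security_group_id            = aws_security_group.layer["db"].id
  referenced_security_group_id = aws_security_group.layer["ecs"].id
  from_port                    = 5432
  to_port                      = 5432
  ip_protocol                  = "tcp"
}

# Egress mirrors the chain. Tasks also need 443 for ECR, logs and secrets;
# keep that inside the VPC with interface endpoints (that rule is omitted here).
resource "aws_vpc_security_group_egress_rule" "alb_to_ecs" {
  security_group_id            = aws_security_group.layer["alb"].id
  referenced_security_group_id = aws_security_group.layer["ecs"].id
  from_port                    = var.app_port
  to_port                      = var.app_port
  ip_protocol                  = "tcp"
}
resource "aws_vpc_security_group_egress_rule" "ecs_to_db" {
  security_group_id            = aws_security_group.layer["ecs"].id
  referenced_security_group_id = aws_security_group.layer["db"].id
  from_port                    = 5432
  to_port                      = 5432
  ip_protocol                  = "tcp"
}

resource "aws_lb" "this" {
  name                       = "svc"
  internal                   = true # private subnets only, as the post describes
  load_balancer_type         = "application"
  subnets                    = var.private_subnet_ids
  security_groups            = [aws_security_group.layer["alb"].id]
  drop_invalid_header_fields = true
}

resource "aws_lb_target_group" "app" {
  name        = "svc"
  port        = var.app_port
  protocol    = "HTTP"
  target_type = "ip" # Fargate tasks register by ENI address
  vpc_id      = var.vpc_id
  health_check { path = "/healthz" } # path assumed
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.this.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.3, 1.2 fallback
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.this.arn
  web_acl_arn  = var.web_acl_arn
}
```

Two checks worth running after apply: `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<ecs-sg>` should show no rule with a CIDR source on the app port, and the listener's `SslPolicy` in `aws elbv2 describe-listeners` should be the TLS 1.3 policy, not the account default. If clients are all modern, `ELBSecurityPolicy-TLS13-1-3-2021-06` drops the TLS 1.2 fallback entirely.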


Managing Multi-Account AWS Infrastructure with Terraform Workspaces

When you’re managing infrastructure across dozens of AWS accounts, you need patterns that scale. In this post I’ll share the approach I use to manage multi-account, multi-environment AWS infrastructure using Terraform workspaces, modular code, and a consistent tagging strategy.

The Problem

Imagine this setup: you have multiple organizational scopes (teams, business units, projects), each with their own AWS accounts for non-production and production. On top of that, your non-production account hosts multiple environments (dev, integration, certification). Multiply this by several countries or regions, and you’re looking at a lot of infrastructure to manage.
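One way to make those dimensions (scope, non-production vs production account, environment, country) drive the configuration is to encode them in the workspace name and resolve everything else from it. This is an added example, not the post's own code: it assumes workspaces named `<scope>-<env>-<country>` (for instance `payments-cert-de`), and the account IDs, the `TerraformDeploy` role name, the region map and the module path are placeholders.

```hcl
# Added example, not the post's own code. Assumes workspaces are named
# <scope>-<env>-<country>, e.g. "payments-cert-de"; account IDs, role name
# and module path are placeholders.
locals {
  # A name that does not match (including the "default" workspace) fails here
  # at plan time, so nothing can be applied against an unintended account.
  ws = regex("^(?P<scope>[a-z0-9]+)-(?P<env>dev|int|cert|prod)-(?P<country>[a-z]{2})$", terraform.workspace)

  # prod has its own account; dev, int and cert share the non-production one.
  account_ids = {
    "payments-nonprod" = "111111111111"
    "payments-prod"    = "222222222222"
  }
  account_id = local.account_ids["${local.ws.scope}-${local.ws.env == "prod" ? "prod" : "nonprod"}"]

  region_by_country = { de = "eu-central-1", fr = "eu-west-3", us = "us-east-1" }

  # Applied to every resource through provider default_tags, so tagging
  # cannot drift between modules.
  common_tags = {
    Scope       = local.ws.scope
    Environment = local.ws.env
    Country     = local.ws.country
    Workspace   = terraform.workspace
    ManagedBy   = "terraform"
  }
}

provider "aws" {
  region = local.region_by_country[local.ws.country]
  assume_role {
    role_arn = "arn:aws:iam::${local.account_id}:role/TerraformDeploy"
  }
  default_tags { tags = local.common_tags }
}

# Modules stay environment-agnostic and only receive the resolved values.
module "service" {
  source      = "./modules/service" # path assumed
  name        = "${local.ws.scope}-${local.ws.env}"
  environment = local.ws.env
  tags        = local.common_tags
}
```

The regex is the guard rail: a typo in the workspace name, or running in `default`, stops at `terraform plan` instead of assuming a role in the wrong account. Keep the account map itself out of the repository if account IDs are sensitive in your organization (a `tfvars` file or SSM parameter works), and lock the assumed role's trust policy to the CI principal that runs Terraform.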
