ECS Fargate Production Patterns That Actually Work

I’ve deployed and managed many containerized services on ECS Fargate. Over time, a set of patterns has emerged that I apply consistently to every new service. This post documents those patterns with Terraform examples, covering everything from Fargate Spot strategies to deployment circuit breakers and ARM64 migration.

The Standard Architecture

Every service I deploy follows the same high-level architecture:

Internet/VPC -> ALB (HTTPS, TLS 1.3) -> ECS Fargate -> Aurora PostgreSQL Serverless v2
                |
                WAF (rate limiting + AWS managed rules)

Each component has its own security group, and each group admits traffic only from the layer directly above it. The ALB is internal and sits in private subnets (nothing is exposed publicly), and Route53 private hosted zones provide internal DNS.
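As an added illustration (not the post's own Terraform), the per-tier security groups and the "only from the layer above" rule can be expressed as a chain of referenced-security-group rules. The variable names, the svc- prefix and container port 8080 are assumptions; 443 and 5432 are the ALB and PostgreSQL ports.

```hcl
variable "vpc_id"   { type = string }
variable "vpc_cidr" { type = string } # assumed: CIDR allowed to reach the internal ALB

# One security group per tier. Terraform removes AWS's default allow-all
# egress on creation, so every permitted flow below is explicit.
resource "aws_security_group" "tier" {
  for_each = toset(["alb", "ecs", "db"])
  name     = "svc-${each.key}"
  vpc_id   = var.vpc_id
}

# Each hop: the receiving tier accepts traffic only from the tier directly above it.
locals {
  chain = {
    alb_to_ecs = { from = "alb", to = "ecs", port = 8080 } # 8080 is an assumed container port
    ecs_to_db  = { from = "ecs", to = "db",  port = 5432 }
  }
}

resource "aws_vpc_security_group_ingress_rule" "chain" {
  for_each                     = local.chain
  security_group_id            = aws_security_group.tier[each.value.to].id
  referenced_security_group_id = aws_security_group.tier[each.value.from].id
  ip_protocol                  = "tcp"
  from_port                    = each.value.port
  to_port                      = each.value.port
}

# Matching egress, so a sender can reach only the next tier down.
resource "aws_vpc_security_group_egress_rule" "chain" {
  for_each                     = local.chain
  security_group_id            = aws_security_group.tier[each.value.from].id
  referenced_security_group_id = aws_security_group.tier[each.value.to].id
  ip_protocol                  = "tcp"
  from_port                    = each.value.port
  to_port                      = each.value.port
}

# Front door: HTTPS only, and only from inside the VPC (the ALB is internal).
resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = aws_security_group.tier["alb"].id
  cidr_ipv4         = var.vpc_cidr
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}
```

Tasks additionally need HTTPS egress to pull images from ECR and ship logs to CloudWatch; add that as a separate egress rule scoped to your VPC endpoints rather than reintroducing allow-all egress.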