Windows containers on ECS EC2 Windows nodes are surprisingly tricky because the Windows networking stack is fundamentally different from Linux, and ECS’s Linux-centric networking models don’t translate directly.
Let’s see it in action. Imagine you have a simple IIS web server container you want to run.
```json
{
  "family": "iis-webserver",
  "networkMode": "awsvpc",
  "containerDefinitions": [
    {
      "name": "iis-container",
      "image": "mcr.microsoft.com/windows/servercore:ltsc2022",
      "cpu": 1024,
      "memory": 2048,
      "essential": true,
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80,
          "protocol": "tcp"
        }
      ],
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/iis-webserver",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "iis"
        }
      }
    }
  ],
  "requiresCompatibilities": [
    "EC2"
  ],
  "cpu": "1024",
  "memory": "2048"
}
```
When you launch this task on an EC2 Windows node, the awsvpc network mode is key. It means your container gets its own Elastic Network Interface (ENI) directly attached to the EC2 instance, just like a standalone EC2 instance. This isolation is great for security and predictability, but it means ECS needs to manage IP address allocation and routing for these ENIs.
The problem ECS solves here is abstracting away the complexities of Windows networking for container orchestration. Instead of manually configuring IPAM, routing tables, and firewall rules on your Windows instances, ECS handles it. It provisions ENIs, assigns IPs from a subnet you specify, and configures the necessary routes so your container can communicate with other containers, services, and the internet.
The exact levers you control are primarily around your ECS cluster configuration and the VPC networking setup. This includes:
- Subnet Selection: Choosing the subnet where your EC2 Windows nodes reside and where ECS will provision ENIs for your tasks. This subnet must have enough available IP addresses.
- Security Groups: Attaching security groups to the EC2 instances and potentially to the ENIs of your tasks (though task-level ENI security groups are less common with awsvpc and are more often managed at the instance level).
- IAM Roles: Ensuring your ECS agent and task execution roles have the necessary permissions to interact with EC2 and VPC networking resources.
- ECS Agent Configuration: While less direct, the ECS agent on the Windows node is responsible for reporting network status and enabling awsvpc mode.
The most surprising thing people don’t realize is how deeply the awsvpc network mode on Windows relies on the underlying Windows Server networking features, namely HNS (Host Networking Service) and the network virtualization platform. ECS doesn’t reinvent networking; it orchestrates these native Windows components. HNS is what actually creates and manages the virtual network adapters and switches for your containers, and the ECS agent calls into HNS to configure them.
The next hurdle you’ll likely encounter is understanding how to properly configure DNS resolution for your Windows containers when using awsvpc mode.