# prefect-cloud
b
Hi all, I am hoping someone can help us in understanding where the benefits lie when comparing an ECS Push deployment model to an ECS Hybrid. We fully understand the architectural differences between the two models. We are currently running an ECS Push model and have the opportunity to change it. The question is whether others have seen benefits to a Hybrid model where a worker is constantly running that an ECS Push model doesn't support or can't do? Is there some functionality or scenarios that are possible when running an ECS Hybrid that would not otherwise be possible in an ECS Push deployment model? Any input, opinions, and observations are more than welcome! Thanks in advance.
n
hi @Bryan! cc @Kevin Grismore since he may be able to offer a more comprehensive / relevant answer but I see the primary difference as one of control

with hybrid work pools, you are responsible for the worker process (i.e. `prefect worker start ...`)
• if it needs to run a certain way in your infrastructure, you'd want to run a worker yourself
  ◦ for example, if the worker needed to grab secrets from a vault in a `pull` step or something else that's only accessible directly within your infrastructure
• if you were not able to store `AwsCredentials` in Prefect Cloud (some cannot), you would need to run a well-permissioned worker in your own infrastructure

i think those are the main reasons, but basically the gist is if you have networking/permission-related restrictions / constraints that cannot be satisfied with a push work pool, then the hybrid option is there for those willing to run their own worker

does that help?
k
Agree with nate here, it's about control, transparency, and security. With a hybrid worker you can inspect and collect all the logs, control the networking, and boot it in AWS with an inherited role and permissions, so no credentials ever get handed off to a third party
b
This makes sense to me and is along the lines I was thinking. I was just making sure I wasn't losing or gaining functionality outside the control, transparency, and security as you pointed out. It sounds like that is not the case, which helps me greatly. I appreciate the information and help from both of you!
k
yeah, the actual code and feature set for the two types are nearly identical, aside from accounting for the fact that one is always on and the other is not
b
Yep, that makes sense to me. I am inclined to resume our ECS Push scenario from a cost efficiency perspective since we will not have to run a worker 24x7.
y
@Bryan I would definitely make the effort to stay in ECS Push mode. It removes a lot of moving parts when running your own worker and gives you peace of mind. Regarding "secrets injection" we do this at run time, when the flow run starts, using the Infisical Python SDK. Works very well.