AWS Compute Overview: Launching an EC2 instance and configurations
AWS offers a range of compute services; EC2, ECS, and Lambda are the important ones from the Associate Architect exam perspective. The core of cloud computing in AWS is the EC2 instance, which is like the CPU in a personal computer or a server in an on-prem data centre, except that we only pay for the capacity we actually use. An EC2 instance is a virtual server in the cloud, and an Amazon Machine Image (AMI) provides the information needed to launch it. An AMI includes a template (OS, application server, and application), launch permissions, and a mapping of the volumes (storage) to attach to the instance. We can create and register our own configuration as an AMI for launching new instances, and copy an AMI to new regions to launch instances there.
Launching an EC2 instance is like assembling a PC, except that nothing is invested upfront and it is virtual. We choose a configuration (OS, etc.), choose an instance type (family and size), add storage (hard disk), and configure security rules. Choosing the instance type means choosing among memory optimized, storage optimized, and so on. At a minimum we need to choose the type, size, and AMI.
The steps to launch EC2 instances are:
In order to access the operating system on your EC2 instances, you need a set of credentials. In the shared responsibility model, you own the operating system credentials, but AWS helps you bootstrap the initial access to the operating system. When you launch a new Amazon EC2 instance from a standard AMI, you can access that instance using secure remote system access protocols, such as Secure Shell (SSH) or Windows Remote Desktop Protocol (RDP). You must successfully authenticate at the operating-system level before you can access and configure the Amazon EC2 instance to your requirements. After you have authenticated and have remote access into the Amazon EC2 instance, you can set up the operating system authentication mechanisms you want, which might include X.509 certificate authentication, Microsoft Active Directory, or local operating system accounts. To enable authentication to the EC2 instance, AWS provides asymmetric key pairs, known as Amazon EC2 key pairs. Read more in the AWS Security Whitepaper.
- When we launch the instance, the root device volume (an Amazon EBS volume) contains the image used to boot the instance.
- When you launch an instance in Amazon EC2, you have the option of passing user data to the instance, which can be used to perform common automated configuration tasks and even run scripts after the instance starts.
- An EBS volume (virtual hard disk) mounted to an EC2 instance must be in the same Availability Zone as the instance. The root volume (and other volumes) can be modified later, on the fly, with no downtime and without taking a snapshot first.
- When an EC2 instance is terminated, EC2 uses the value of the DeleteOnTermination attribute for each attached EBS volume to determine whether to preserve or delete the volume when the instance is terminated.
- Instance metadata is data about the instance that one can use to configure or manage the running instance. We can also use instance metadata to access the user data that we specified when launching the instance. To view all categories of instance metadata from within a running instance, use the following URI: http://169.254.169.254/latest/meta-data/
- Reserved - A capacity reservation offering a significant discount on the hourly charge of an instance. Choose among Standard RIs, Convertible RIs, and Scheduled RIs.
- Spot - Spot Instances use unused EC2 capacity. They can be interrupted with a 2-minute notification when EC2 (On-Demand instances) needs that capacity back. Spot lets you bid whatever price you want for instance capacity, providing even greater savings if your applications have flexible start and end times. A Spot Fleet is a collection, or fleet, of Spot Instances and, optionally, On-Demand Instances. For example, we can have an application behind a load balancer with one On-Demand instance and multiple Spot Instances attached.
- Dedicated Instances are Amazon EC2 instances that run in a VPC on hardware that's dedicated to a single customer. Your Dedicated instances are physically isolated at the host hardware level from instances that belong to other AWS accounts.
- Use IAM role for API access
- Use encrypted EBS volumes to protect data at rest
- To encrypt sensitive data in transit, use an encryption protocol such as Transport Layer Security (TLS) or IPsec.
- Make sure to allow only encrypted connections between EC2 instances and the AWS API endpoints or other sensitive remote network services.
- Create an AMI catalog containing customized security configuration baselines to ensure all instances are launched with standard security controls.
- Establish a change management process to authorize and incorporate changes to AWS resources (such as security groups, route tables, and network ACLs), OS, and application configuration.
- AWS CloudTrail, AWS Config, and AWS Config Rules provide audit and change tracking features for auditing AWS resource changes
- Leverage Security Groups as the primary mechanism for controlling network access to EC2 instances. When necessary, use network ACLs sparingly to provide stateless, coarse-grained network control. Security Groups cannot be used to deny traffic from specific IP addresses; use Network Access Control Lists for that.
- Configure security groups to permit the minimum required network traffic for the EC2 instance. Configure VPC subnet route tables with the minimal required network routes.
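A small audit script for the hardening points above, added here as an example rather than code from the original page: it walks boto3-shaped data and flags SSH/RDP open to the world, unencrypted EBS volumes, instances without an IAM role, and instances that still accept IMDSv1 requests to the metadata endpoint (the IMDSv2 `HttpTokens` check is an addition not mentioned on the page). All sample data is constructed.

```python
"""Audit EC2 settings against the hardening points above (added example, not
code from the page).  Inputs mimic the shape of boto3 describe_security_groups /
describe_volumes / describe_instances output; all values are constructed."""

REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def open_admin_ports(security_groups):
    """Flag ingress rules that expose SSH or RDP to the whole Internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") == "-1":  # "all traffic" rules carry no ports
                lo, hi = 0, 65535
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            world = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            world |= any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
            if world:
                findings += [(sg["GroupId"], n) for p, n in REMOTE_ADMIN_PORTS.items() if lo <= p <= hi]
    return findings

def unencrypted_volumes(volumes):
    """Return IDs of EBS volumes that do not encrypt data at rest."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted", False)]

def weak_instances(instances):
    """Instances with no IAM instance profile, or still accepting IMDSv1 requests."""
    findings = []
    for inst in instances:
        if "IamInstanceProfile" not in inst:
            findings.append((inst["InstanceId"], "no IAM role"))
        if inst.get("MetadataOptions", {}).get("HttpTokens") != "required":
            findings.append((inst["InstanceId"], "IMDSv2 not enforced"))
    return findings

# Constructed sample data (IDs and ARN are placeholders)
SAMPLE_SGS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]
SAMPLE_VOLUMES = [{"VolumeId": "vol-0aaa", "Encrypted": True}, {"VolumeId": "vol-0bbb", "Encrypted": False}]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/app"},
     "MetadataOptions": {"HttpTokens": "required"}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpTokens": "optional"}}]
```

Feed the functions the `SecurityGroups`, `Volumes`, and flattened `Instances` lists from the corresponding boto3 calls to run the same checks against a real account.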
RAID (Redundant Array of Independent Disks) is a way of storing data in different places on multiple hard disks to protect data in case of drive failure. It works by placing data on multiple disks and allowing input/output (I/O) operations to overlap in a balanced way, improving performance. Because the use of multiple disks increases the mean time between failures (MTBF), storing data redundantly also increases fault tolerance. Create EBS volumes with identical size and IOPS performance values for the array. Make sure not to create an array that exceeds the available bandwidth of the EC2 instance. Attach the Amazon EBS volumes to the instance that we want to host the array.
Read more about the different RAID configurations and their differences in AWS here.
With Auto Scaling, EC2 instances can be organized in groups, ensuring that the correct number of instances (minimum, maximum, and desired number of instances) is always available to handle the application load.
Choose among the scaling options:
- Scheduled - plan your scaling activities based on the known traffic patterns of your web application.
- Dynamic - follow the demand curve for your applications closely, reducing the need to manually provision Amazon EC2 capacity in advance; for example, use target tracking scaling policies.
- Predictive - this feature of AWS Auto Scaling uses machine learning to schedule the right number of EC2 instances in anticipation of approaching traffic changes.
The cooldown period helps to ensure that your Auto Scaling group doesn't launch or terminate additional instances before the previous scaling activity takes effect.
To specify which instances to terminate first during scale in, configure a termination policy for the Auto Scaling group. Optionally, you can use instance protection to prevent specific instances from being terminated during automatic scale in. With the default termination policy, the behavior of the Auto Scaling group is as follows:
- Determine which Availability Zone(s) have the most instances, and at least one instance that is not protected from scale in.
- Determine which instance to terminate so as to align the remaining instances to the allocation strategy for On-Demand or Spot Instances.
- Determine whether any of the instances use the oldest launch template or launch configuration.
- Determine which instances are closest to the next billing hour.
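To make the default termination policy above concrete, here is a small simulation of its tie-breaking order (an added example, not AWS code). It assumes per-hour billing for the "closest to the next billing hour" step, skips the allocation-strategy step, and works on constructed instance dicts rather than real API output.

```python
"""Simulation of the default Auto Scaling termination policy described above.
Added example, not AWS code: the allocation-strategy step is skipped, and the
instances are dicts constructed here rather than real API output."""
from collections import Counter
from datetime import datetime, timedelta, timezone

def seconds_to_next_billing_hour(launch_time, now):
    """Seconds until the next whole hour since launch (per-hour billing assumed)."""
    return 3600 - ((now - launch_time).total_seconds() % 3600)

def choose_instance_to_terminate(instances, now):
    """Return the InstanceId the default policy would pick for scale in, or None."""
    candidates = [i for i in instances if not i.get("ProtectedFromScaleIn", False)]
    if not candidates:
        return None
    # 1. AZ with the most instances, among AZs holding at least one unprotected instance
    az_counts = Counter(i["AvailabilityZone"] for i in instances)
    eligible = sorted({i["AvailabilityZone"] for i in candidates})
    busiest = max(eligible, key=lambda az: az_counts[az])
    candidates = [i for i in candidates if i["AvailabilityZone"] == busiest]
    # 2. (allocation strategy for On-Demand/Spot) omitted in this simulation
    # 3. prefer instances on the oldest launch template version
    oldest = min(i["LaunchTemplateVersion"] for i in candidates)
    candidates = [i for i in candidates if i["LaunchTemplateVersion"] == oldest]
    # 4. closest to the next billing hour
    return min(candidates, key=lambda i: seconds_to_next_billing_hour(i["LaunchTime"], now))["InstanceId"]

# Constructed sample group: three instances in us-east-1a, one in us-east-1b
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
def _inst(iid, az, version, minutes_ago, protected=False):
    return {"InstanceId": iid, "AvailabilityZone": az, "LaunchTemplateVersion": version,
            "LaunchTime": NOW - timedelta(minutes=minutes_ago), "ProtectedFromScaleIn": protected}
SAMPLE_GROUP = [_inst("i-a", "us-east-1a", 1, 50), _inst("i-b", "us-east-1a", 2, 55),
                _inst("i-c", "us-east-1a", 1, 20), _inst("i-d", "us-east-1b", 1, 58)]

if __name__ == "__main__":
    print(choose_instance_to_terminate(SAMPLE_GROUP, NOW))  # i-a: oldest template, 10 min to next hour
```

Marking `i-a` as protected from scale in moves the choice to `i-c`; protecting every instance in us-east-1a moves it to `i-d` in the other zone.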
When you launch a new EC2 instance, the EC2 service attempts to place the instance in such a way that all of your instances are spread out across underlying hardware to minimize correlated failures. You can use placement groups to influence the placement of a group of interdependent instances to meet the needs of your workload.