Graduate Program KB

EC2

  • EC2: Elastic Compute Cloud is an Infrastructure as a Service

  • It consists in the capability of:

    • Renting virtual machines (EC2)
    • Storing data on virtual drives (EBS)
    • Distributing load across machines (ELB)
    • Scaling the services using an auto-scaling group (ASG)

  • EC2 sizing and configuration options:

    • Operating system
    • Amount of compute power and cores
    • Amount of random-access memory
    • Amount of storage space
      • Network-attached (EBS & EFS)
      • Hardware (EC2 Instance Store)
    • Network card: Speed of the card, public IP address
    • Firewall rules: Security group
    • Bootstrap script (configure at first launch): EC2 User Data script

  • Bootstrap our instances using an EC2 User Data script

    • Bootstrapping: Launching commands when a machine starts
    • Script is run only once at the instance's first startup
    • EC2 user data is used to automate common boot tasks such as:
      • Installing updates
      • Installing software
      • Downloading common files from the internet
    • The EC2 User Data script runs with the root user

  • Naming convention example: m5.2xlarge

    • m: Instance class
    • 5: Generation
    • 2xlarge: Size within the instance class

  • EC2 Instance types:

    • General Purpose: Great for diversity of workloads such as web servers / code repositories
    • Compute Optimized: For compute-intensive tasks that require high performance processors
      • Batch processing workloads
      • Media transcoding
      • High performance web servers or computing
      • Scientific modeling and machine learning
      • Dedicated gaming servers
    • Memory Optimized: Fast performance for workloads that process large data sets in memory
      • High performance relational / non-relational databases
      • Distributed web scale cache stores
      • In-memory databases optimised for business intelligence
      • Applications performing real-time processing of large unstructured data
    • Storage Optimised: For storage-intensive tasks that require high, sequential read / write access to large data sets on local storage
      • High frequency online transaction processing systems
      • Relational and NoSQL databases
      • Cache for in-memory databases
      • Data warehousing applications
      • Distributed file systems

Security Groups

  • Control how traffic is allowed into or out of our EC2 Instances and are fundamental to network security in AWS

  • Security groups:

    • Only contain allow rules
    • Rules can reference by IP or by security group
    • Acting as a firewall on EC2 instances
    • They regulate:
      • Access to Ports
      • Authorised IP ranges for IPv4 and IPv6
      • Control of inbound network (from other to the instance)
      • Control of outbound network (from the instance to other)

  • Good to knows:

    • Can be attached to multiple instances
    • Are locked down to a region/VPC combination
    • Lives "outside" the EC2 (if traffic is BlockDeviceVolume, the EC2 instance won't see it)
    • It's good to maintain one separate security group for SSH access
    • If your application is not accessible (time out), then it's a security group issue
    • If your application gives a "connect refused" error, then it's an application error or it's not launched
    • All inbound traffic is blocked by default
    • All outbound traffic is authorised by default

  • List of well-known ports:

    • 22: SSH (Log into Linux instance)
    • 21: FTP
    • 22: SFTP
    • 80: HTTP
    • 443: HTTPS
    • 3389: RDP (Remote Desktop Protocol for logging into a Windows instance)

SSH into your EC2 Instance

  • Go to Instances then Launch and Instance, configure settings then create a key pair with .pem format for access to the instance

    • .ppk format for PuTTY

  • The instance's security group needs to accept traffic from your IP over port 22

    • Also allow HTTP traffic if launching a web server

  • Connect to the instance with: ssh -i <key>.pem ec2-user@<ip>

  • Alternatively, you can connect to the instance through EC2 Instance Connect

    • Add the IP range Amazon uses for EC2 Instance Connection in your region to your security group rules for SSH traffic
    • Go to the list of instances then select and connect

  • To allow instance's to perform AWS queries through the CLI, assign it an IAM Role that inherits the permissions it needs

  • To troubleshoot the instance, follow the steps:

    • If there's no public IP set, take note of the instance's subnet ID
    • Go to VPC service dashboard:
      • Go to Internet Gateways and create one. Associate it with the VPC of the subnet ID then take note of the Internet Gateway ID
      • Go to Route tables:
        • Edit the route table to add a route where Destination is 0.0.0.0/0 and the target is the Internet Gateway ID
        • ENsure the subnet route table is explicitly associated with the subnet ID

EC2 Instances Purchasing Options

  • On-Demand Instances: For short-term commitment and uninterrupted workloads, pay for what you use
  • Reserved (1 & 3 years): Reserve instance attributes such as Instance Type, Region, Tenancy, OS
    • Reserved Instances: Long workloads
    • Convertible Reserved Instances: Long workloads with flexible instances
  • Savings Plans (1 & 3 years): Commitment to an amount of usage, for long workloads
    • Discount up to 72% based off long-term usage
    • Locked to a specific instance family and region
  • Spot Instances: For short workloads that are resilient to failure, cheap but not reliable
    • Most cost-efficient instances in AWS, can get up to 90% discounts
    • Useful for batch jobs, data analysis, image processing, etc.
    • Not suitable for critical jobs or databases
  • Dedicated Hosts: Book an entire physical server and control instance placement
    • Most expensive option
    • Useful for companies that regularly need to address compliance requirements
  • Dedicated Instances: Instances run on hardware dedicated to you
    • Can share hardware with other instances in the same account
  • Capacity Reservations: Reserve capacity in a specific availability zone for any duration
    • No time commitment (create/cancel anytime) and billing discounts
    • Charged at On-Demand rate whether the instances are ran or not
    • Suitable for short-term, uninterrupted workloads in a specific AZ

Shared Responsibility Model for EC2

  • AWS responsibilities:

    • Infrastructure (global network security)
    • Isolation on physical hosts
    • Replacing faulty hardware
    • Compliance validation

  • User responsibilities:

    • Security Groups rules
    • OS patches and updates
    • Software and utilities installed on the EC2 instance
    • IAM Roles assigned to EC2 and IAM user access management
    • Data security on your instance