
Using Amazon EC2

Steps to Launching an EC2 Instance


• From the EC2 Dashboard page, you can access the Launch Instance Wizard.
• The Launch Instance Wizard lets you quickly launch an instance.
• The configuration choices you have to make while launching an instance
include:
o Instance name and tags.
o Amazon Machine Image.
o Instance Type.
o Key pair.
o Network Settings.
o Configure Storage.
o Advanced Details.

Step 1:
Using Tags
• The first step in creating an instance is assigning it a name and tags.
• The instance name is simply a tag with the key Name; it is stored and handled like
every other tag.
• Tags work as metadata to identify and define the AWS resources that they are
attached to.
• Each tag is a label that consists of a customer-defined key and an optional value
that can simplify managing, searching for and filtering resources.
• Although there are no inherent types of tags, customers can use them to
categorize resources by purpose, owner, environment or other criteria.
• Potential benefits of tagging: filtering, automation, cost allocation and access
control. Eg: Key: Name, Value: My Instance.

Tag Features
• Each Amazon EC2 resource can have a maximum of 50 tags.
• Tag keys can be up to 128 characters and values up to 256 characters; both are
case sensitive, and keys beginning with aws: are reserved for AWS and cannot be
created or edited by you.
• Manage tags:
o Add, remove or edit tags at any time.
o Naming and tagging resources is optional.
• Search and filter for tags:
o Search for resources by tag key or by tag value.
o Filter and search for resources by a combination of tag keys and values.

Benefits of Using Tags


• Tags can help you to manage your instances, images and other Amazon EC2
resources.
• Benefits of using Tags are:
1. Resource organization:
o Tags are a good way to organize AWS resources in the AWS
Management Console.
o You can configure tags to be displayed with resources, and you
can search and filter by tag.
o With the AWS Resource Groups service, you can create groups of
AWS resources based on one or more tags or portions of tags.
o Using Resource Groups and Tag Editor, you can consolidate and
view data for applications that consist of multiple services,
resources and Regions in one place.
2. Cost management:
o You can use AWS Cost Explorer and detailed billing reports to
break down AWS costs by tag.
o Typically, you use business tags such as cost center, business unit,
customer or project to associate AWS costs with traditional cost-
allocation dimensions.
o But a cost allocation report can include any tag.
3. Automation:
o Resource-specific or service-specific tags are often used to filter
resources during automation activities.
o Automation tags are used to opt in or opt out of automated tasks
or to identify specific versions of resources to archive, update or
delete.
o Eg: You can run automated start or stop scripts that turn off
development environments during nonbusiness hours to reduce
costs.
o In the above scenario, EC2 instance tags are a simple way to
identify instances to opt out of this action.
o For scripts that find and delete stale, out of date or rolling Amazon
EBS Snapshots, snapshot tags can add an extra dimension of
search criteria.
4. Access Control:
o AWS Identity and Access Management (IAM) provides fine-grained access
control across all of AWS.
o With IAM, you can specify who can access which services and
resources, and under which conditions.
o Using IAM, you can use tagged resources to implement attribute-based
access control (ABAC): IAM policies allow or deny operations based on
the tags on the resource (condition key aws:ResourceTag/key) or the tags
in the request (aws:RequestTag/key and aws:TagKeys).
o ABAC helps provide better control over which resources a user
can modify, use or delete.
o Eg: You can create an IAM policy that allows users to terminate an
instance but denies the action if the instance has the tag
environment=production.
o Because the tag is now a security boundary, the same policy must also
restrict who can add, change or remove that tag (ec2:CreateTags,
ec2:DeleteTags); otherwise a user can simply retag the instance and
then terminate it.
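The terminate-unless-production example above, as an added example that is not part of the original notes. POLICY is real IAM JSON syntax; the evaluate() function is a deliberately minimal local model of IAM's decision logic (implicit deny, explicit deny always wins) that implements only the condition operators POLICY uses, so the behaviour can be shown offline without an AWS account. The account ID, instance ID and tag values are constructed placeholders.

```python
"""Modelling the tag-based (ABAC) EC2 policy described above.

Added example, not part of the original notes. POLICY is real IAM JSON syntax;
evaluate() is a deliberately minimal local model of IAM's decision logic
(implicit deny, explicit deny always wins) that implements only the condition
operators POLICY uses, so the behaviour can be shown offline. The account ID,
instance ID and tags are constructed placeholders.
"""
import fnmatch
import json

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Users may terminate instances...
            "Sid": "AllowTerminate",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
        },
        {   # ...except instances tagged environment=production.
            "Sid": "DenyTerminateProduction",
            "Effect": "Deny",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/environment": "production"}},
        },
        {   # The tag is the security boundary, so nobody covered by this policy
            # may add, change or remove the "environment" tag either.
            "Sid": "DenyChangingEnvironmentTag",
            "Effect": "Deny",
            "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["environment"]}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """ctx = {"resource_tags": {...}, "request_tag_keys": [...]} for one API call."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            if operator == "StringEquals" and key.startswith("aws:ResourceTag/"):
                actual = ctx["resource_tags"].get(key[len("aws:ResourceTag/"):])
                if actual not in expected:      # missing tag => condition is false
                    return False
            elif operator == "ForAnyValue:StringEquals" and key == "aws:TagKeys":
                if not set(ctx.get("request_tag_keys", [])) & set(expected):
                    return False
            else:
                raise NotImplementedError(f"{operator} on {key} is not modelled")
    return True


def evaluate(policy, action, resource_arn, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"                   # nothing has matched yet
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"               # an explicit deny can never be overridden
        decision = "Allow"
    return decision


# Constructed instance and tag sets used for the demonstration.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
DEV = {"resource_tags": {"Name": "dev-web", "environment": "development"}}
PROD = {"resource_tags": {"Name": "prod-web", "environment": "production"}}


def demo():
    return {
        "terminate_dev": evaluate(POLICY, "ec2:TerminateInstances", INSTANCE_ARN, DEV),
        "terminate_prod": evaluate(POLICY, "ec2:TerminateInstances", INSTANCE_ARN, PROD),
        # The obvious bypass: strip the tag first. Explicitly denied.
        "untag_prod": evaluate(POLICY, "ec2:DeleteTags", INSTANCE_ARN,
                               {**PROD, "request_tag_keys": ["environment"]}),
        # Other tag keys are not explicitly denied, but nothing allows them either.
        "tag_prod_owner": evaluate(POLICY, "ec2:CreateTags", INSTANCE_ARN,
                                   {**PROD, "request_tag_keys": ["Owner"]}),
    }


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

The third statement is the part most often forgotten: without it the first two statements can be bypassed by a user who removes the environment tag, because tag changes are themselves just API calls subject to the same policy evaluation.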

Step 2:
Choosing an Amazon Machine Image (AMI)
• An AMI is required when launching an instance.
• The AMI has three main components:
1. Template for the root volume, which contains the operating system,
application servers and applications.
2. Launch permissions that control which AWS accounts can use the AMI.
3. Block device mapping that specifies the volumes to attach to the
instance (if any) when it is launched.

Using AMIs
• Choose an AMI that fits the use case of your instance.
• Use the same AMI to launch multiple instances that should have the same
configuration.
• In this way, all of the instances launched from the same AMI will have identical
software configurations but different IP addresses.
• If instances have different use cases, use AMIs that are specific to the use cases
of each instance.
• Before you create your instance, it is important to fully understand what the
instance will be used for, because, after an instance is created, you cannot
change the AMI.
Where Do You Get an AMI?
1. Pre-built:
o Amazon offers a number of pre-built AMIs to launch your instances.
o These AMIs include Linux and Windows options with various sub options
to tailor your setup.
2. AWS Marketplace:
o The AWS Marketplace offers a digital catalog with thousands of software
solutions listed.
o These AMIs can offer specific use cases to help you get started quickly.
3. Create your own:
o An AMI is a block-level copy of the root volume of a donor machine or
golden instance, registered so that it can be launched repeatedly.
o It is a virtual machine (VM) that you configured with the specific OS and
application content that you want placed on the AMI.
o When you create an AMI from an EBS-backed instance, Amazon EC2 reboots
the instance (unless you select No reboot), snapshots its volumes and
registers the snapshots as an AMI.
o Before imaging a golden instance, remove anything that should not be
cloned into every future instance: SSH host keys, authorized keys, cached
credentials, shell history and application logs.
4. Community AMIs:
o People all over the globe create community AMIs.
o These AMIs are not vetted by AWS and are used at your own risk.
o These AMIs can offer many different solutions to various problems, but
use them with great care.
o They should be thoroughly reviewed for security concerns (owner account,
pre-installed users and keys, startup scripts) before using
them in any production or corporate environment.

AMI Benefits
• Repeatability:
o Instances that are launched from the same AMI are exact replicas of one
another.
o As a result, it greatly facilitates building clusters of similar instances or
recreating compute environments.
• Reusability:
o AMIs package the full configuration and content of an EC2 instance such
that it can be used over and over again, with efficiency and precision.
• Recoverability:
o An AMI is perfect for replacing failed machines with new instances that
are created from the same AMI.
• Marketplace solutions:
o Suppose that you are looking for a software solution from a specific
vendor.
o An AMI probably exists on the marketplace that you can launch to
implement that solution on an EC2 instance.
o Additionally, authorized software vendors can create AMIs and also sell
them there.
• Backups:
o AMIs provide a great way to back up a complete EC2 instance
configuration, which you can use to launch a replacement instance in the
event of a failure.

Step 3:
Instance Types
• The instance type specifies the hardware of the host computer that’s used for
your instance.
• The instance type you choose determines the following:
o Processing power (CPU)
o Memory (RAM)
o Storage (Disk space and disk type)
o Network performance
• Amazon EC2 provides a selection of instance types, each optimizing the mix of
these components to fit a different use case.
• You select the appropriate instance type based on the requirements of the
application or software that you plan to run on your instance.

Instance Families
• Each instance type belongs to an instance family.
• An instance family is a group of instances, with varying configurations, which
are based on similar compute, memory and storage capabilities.
• Instance type families: T family, M family, C family, P family, R family.
• Within each family, instance types have specific names, eg: T family has t2.micro,
t3.large and t3.xlarge, C family has c5.xlarge, P family has p3.2xlarge etc.

Instance Types Names


• An instance type name has several parts; for eg, consider the t2.micro instance type:
o t is the family name.
o 2 is the generation number.
o micro is the size of the instance.
• Therefore, a t2 instance is the second generation of the T family.
• Some names carry extra letters after the generation that describe the hardware,
eg: m6g (Graviton processor), c5n (enhanced networking), r5d (local NVMe storage).
• Instance types of a higher generation are generally more powerful and provide
more value for the price.
• The last part of the name is the size of the instance.
• When you compare sizes, it is important to look at the coefficient in front of
xlarge: it is a multiplier of the xlarge size, so a 4xlarge has four times the
vCPU and memory of an xlarge within the same family.
• For eg: a t3.2xlarge has twice the vCPU and memory of a t3.xlarge.
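A small parser for the naming convention just described, as an added example that is not part of the original notes. It splits a name into family, generation, attribute letters and size, and computes the size ratio the text mentions for the linear sizes (large, xlarge, Nxlarge). The SUFFIX table of attribute letters is illustrative, not exhaustive, and the ratio is only defined within one family, generation and attribute set, because the small sizes (nano to medium) do not scale linearly.

```python
"""Parse EC2 instance type names and compare linear sizes by coefficient.

Added example, not part of the original notes. Follows AWS's published naming
pattern (family letters, generation digit, optional attribute letters, ".size").
SUFFIX lists common attribute letters and is illustrative only.
"""
import re
from fractions import Fraction

NAME_RE = re.compile(r"^(?P<family>[a-z]+)(?P<generation>\d+)(?P<attrs>[a-z]*)\.(?P<size>[a-z0-9-]+)$")

SUFFIX = {  # common attribute letters after the generation digit (illustrative)
    "a": "AMD processor",
    "g": "AWS Graviton (arm64) processor",
    "i": "Intel processor",
    "d": "local NVMe instance store",
    "n": "network and EBS bandwidth optimized",
    "e": "extra storage or memory",
    "z": "high CPU frequency",
}

# Coefficients relative to xlarge: large is half an xlarge, Nxlarge is N xlarges.
_FIXED = {"large": Fraction(1, 2), "xlarge": Fraction(1)}


def parse(name):
    """Return {'family','generation','attrs','attr_meanings','size'} or raise ValueError."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an instance type name: {name!r}")
    d = m.groupdict()
    d["generation"] = int(d["generation"])
    d["attr_meanings"] = [SUFFIX.get(c, "unknown") for c in d["attrs"]]
    return d


def size_coefficient(size):
    """xlarge = 1, 2xlarge = 2, ..., large = 1/2; None for nano/micro/small/medium/metal,
    whose vCPU and memory do not follow the doubling rule."""
    if size in _FIXED:
        return _FIXED[size]
    m = re.fullmatch(r"(\d+)xlarge", size)
    return Fraction(int(m.group(1))) if m else None


def ratio(bigger, smaller):
    """How many times the vCPU/memory of `smaller` the type `bigger` has."""
    a, b = parse(bigger), parse(smaller)
    if (a["family"], a["generation"], a["attrs"]) != (b["family"], b["generation"], b["attrs"]):
        raise ValueError("only comparable within one family, generation and attribute set")
    ca, cb = size_coefficient(a["size"]), size_coefficient(b["size"])
    if ca is None or cb is None:
        raise ValueError("non-linear size; consult the instance type table instead")
    return ca / cb


if __name__ == "__main__":
    print(parse("m6g.large"))
    print(ratio("t3.2xlarge", "t3.xlarge"))   # the example from the notes
```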

Instance Categories
1. General Purpose:
o General purpose instances provide a balance of compute, memory and
networking resources and can be used for a variety of diverse
workloads.
o These instances are ideal for applications that use these resources in
equal proportions such as web servers and code repositories.
o Eg: A1, M4, M5, T2, T3 etc.

2. Compute Optimized:
o Compute optimized instances are ideal for compute bound applications
that benefit from high performance processors.
o Instances belonging to this category are well suited for batch
processing workloads, media transcoding, high performance web
servers, high performance computing (HPC), scientific modeling,
dedicated gaming servers and server engines, machine learning
inference and other compute intensive applications.
o Eg: C4, C5 etc.

3. Memory Optimized:
o Memory optimized instances are designed to deliver fast performance
for workloads that process large data sets in memory.
o Eg: R4, R5, X1, z1d etc.
4. Accelerated Computing:
o Accelerated computing instances use hardware accelerators, or co-
processors, to perform functions, such as floating point number
calculations, graphics processing, or data pattern matching, more
efficiently than is possible in software running on CPUs.
o They are used for HPC applications at scale in pharmaceutical discovery,
seismic analysis, weather forecasting and financial modeling.
o Eg: F1, G3, G4, P2, P3 etc.

5. Storage Optimized:
o Storage optimized instances are designed for workloads that require
high, sequential read and write access to very large data sets on local
storage.
o They are optimized to deliver tens of thousands of low-latency, random
I/O operations per second (IOPS) to applications.
o Eg: D2, H1, I3 etc.

6. HPC Optimized:
o High performance computing (HPC) instances are purpose built to offer
the best price performance for running HPC workloads at scale on
AWS.
o HPC instances are ideal for applications that benefit from high-
performance processors such as large, complex simulations and deep
learning workloads.

Scaling Instances Vertically


• Unlike the instance’s AMI, the instance type can be changed after the instance
is launched.
• Thus, you have the option to scale your instances by changing your instance
type to give it more compute power.
• This kind of expansion is called vertical scaling.
• Vertical scaling – scaling for more compute power per instance – gives you
the ability to do the following:
o Scale up or down for CPU and memory.
o Switch to another instance type, including one in a different instance family.
• The instance must be stopped before its type is changed (an EBS-backed instance
keeps its volumes across the stop), and the new type must be compatible with the
AMI: same CPU architecture (eg: an x86 AMI cannot move to a Graviton arm64 type),
same virtualization type, and drivers for the Nitro network and NVMe devices
where the target type requires them.
• Eg:
o m5.large: 2 vCPU and 8 GiB RAM.
o m5.xlarge: 4 vCPU and 16 GiB RAM.
o m5.2xlarge: 8 vCPU and 32 GiB RAM.
Step 4:
Key Pairs
• A key pair is used to securely connect to the instance.
• It is a set of security credentials that you use to prove your identity when
connecting to an Amazon EC2 instance.
• At instance launch, you can specify an existing key pair, create a new key pair,
or choose not to use a key pair for this instance.
• The key pair recorded for an instance cannot be changed after it is launched;
to rotate or add keys later you must do so inside the guest OS (eg: by editing the
authorized_keys file on Linux).
• A key pair consists of the following:
o A public key that AWS stores.
o A private key (secret key) file that you store. AWS never keeps a copy,
so if you lose it you cannot download it again; protect it accordingly (on
Linux, restrict the file to its owner with chmod 400).
• Key pairs can be RSA or ED25519; ED25519 is not supported for Windows instances.

Connecting to your Instance with your Key Pair


• To connect to a Windows instance, use the private key to decrypt the initial
administrator password that you need to log in to your instance through
Remote Desktop Protocol (RDP).
• With Linux instances, at boot time, the public key content is placed on the
instance (in the default user's ~/.ssh/authorized_keys file).
• To log in to your Linux instance, you must provide the private key when you
establish the connection using Secure Shell (SSH).

Step 5:
Network Settings
• Network settings means choosing the VPC, subnet and security group that
you will place your instance in.
• Also enable or disable a public IP address for the instance.
• An instance is placed behind a security group, within a subnet, within a VPC,
within a Region.
Regions
• The Region that you are launching your instance into is determined by the
Region that you have selected in the AWS Management Console.
• It is not a network configuration setting in the Amazon EC2 launch wizard.

VPCs and Subnets


• When you start using Amazon VPC, you have a default VPC in each AWS
Region.
• A default VPC comes with a public subnet in each Availability Zone of the
Region.
• Therefore, you can immediately start launching Amazon EC2 instances into a
default VPC.
• You can create more public subnets in your default VPC.
• You can even create and customize additional VPCs in any region.

Public IP Addresses
• An IPv4 address that’s reachable from the internet.
• Used to communicate between your instances and the internet.
• Eg: A computer on the internet can reach the EC2 instance because the
instance has a public IP address assigned to it.
• The public address is not configured inside the guest OS; the internet gateway
translates it to and from the instance's private address.
• An auto-assigned public IPv4 address is released when the instance stops and a
new one is assigned when it starts again; if you need a stable address, allocate
an Elastic IP address and associate it with the instance.

Public IP
• Depending on the situation, a public IP address might or might not be auto-
assigned to your EC2 instance.
• Different scenarios are explained below:
Scenario 1:
• By default, the Auto-assign public IP setting is set to enabled when you
launch an instance in a default subnet in the default VPC.
• However, when launching your instance, you can choose to disable the auto-
assignment of the public IP address if you want to.

Scenario 2:

• You have the option to create additional subnets in your default VPC.
• If you launch your EC2 into a non-default subnet of the default VPC, then the
Auto-assign public IP setting will be disabled by default.
• However, you can choose to change it from disabled to enabled.

Scenario 3:

• You can also create additional VPCs.


• If you launch your EC2 into a non-default VPC, then the Auto-assign public
IP setting will be disabled by default.
• However, you can choose to change it from disabled to enabled.
Security Groups
• A security group acts as a Virtual firewall that controls network access to
your instances.
• Exists outside the instance’s guest OS.
• At the most basic level, a security group is a way for you to filter traffic that is
allowed to reach your instances.
• Security groups are based on rules that you can configure to filter the traffic
that is allowed for your instance.
• Security groups block all access unless an allow rule is in place for that traffic.
• Therefore, when you are configuring security group rules, you can specify
allow rules, but not deny rules.
• These rules can be modified at any time, and the new rule updates are
automatically applied to all instances associated with the security group
immediately.

Security group rules features:

o Filters traffic that’s allowed to access your instance.


o Specifies allow rules but not deny rules.
o Can be modified at any time.
o Updates affect attached instances in real time.

Rule Components
• When you configure the rules for your security groups, you decide which
protocols and ports can reach your instances, and from where.
• When you configure a security group’s rule there are four main components:
1. Type:
o The type is where you choose the specific type of protocol to open
to network traffic.
o You can choose a common protocol, such as SSH (for a Linux
instance), RDP (for a Windows instance), and HTTP and HTTPS to
allow internet traffic to reach your instance.
2. Protocol:
o The protocol section shows the IP protocol to allow for the selected
type.
o The most common protocols and their IP protocol numbers are TCP (6),
UDP (17) and ICMP (1).
3. Port range:
o The port range specifies the ports that are allowed to pass traffic for
each protocol type.
o You can specify a single port number (eg: 22), or a range of port
numbers (eg: 7000 – 8000).
4. Source/Destination:
o The source (inbound rules) or destination (outbound rules) is where the
traffic is allowed to come from or go to.
o This option determines the traffic that can reach your instance.
o You can specify a single IP address (a /32), a CIDR range of IP addresses,
another security group ID (meaning any interface in that group), or a
prefix list.
o If the instance is hosting a web page, you can leave HTTP and HTTPS open
to all traffic (0.0.0.0/0); administrative ports such as SSH (22) and RDP
(3389) should be restricted to known source addresses, never 0.0.0.0/0.

Inbound and Outbound Rules


1. Inbound Rules:
o When you create a security group, it has no inbound rules.
o Therefore, no inbound traffic that originates from another host to your
instance is allowed until you add inbound rules to the security group.
o The one exception is the default security group that comes with each VPC,
which allows inbound traffic from other interfaces in the same group.
2. Outbound Rules:

o By default, a security group includes an outbound rule that allows all


outbound traffic.
o You can remove the rule and add outbound rules that allow specific
outbound traffic only.
o If your security group has no outbound rules, no outbound traffic that
originates from your instance is allowed.
Security Group’s Stateful attributes
• Security groups are stateful: the group tracks connections, so the response
traffic of an allowed flow is permitted automatically, regardless of the rules
for the opposite direction.
• Therefore, inbound rules govern only which connections may be initiated from
outside the instance, and outbound rules govern only which connections may be
initiated from inside the instance.
• If an inbound rule allows a protocol in, the outbound response is allowed, and
if an outbound rule allows a protocol out, the inbound response is allowed.

Stateful effects of Security Groups:
o For every inbound rule, an outbound response is allowed.
o For every outbound rule, an inbound response is allowed.

Example:
o If a security group has an inbound rule that allows HTTP (TCP port 80)
from the source 0.0.0.0/0, then the response from the instance is automatically
allowed.
o The response is allowed even if no outbound rules are specified in the security
group.
o However, because no outbound rules are specified in the security group, the
instance cannot initiate an outbound connection (for example to download
updates).
• This is the difference from network ACLs, which are stateless and need explicit
rules in both directions, including for the ephemeral return ports.

Managing Security Groups


• Security groups act at the instance level (more precisely, at the network
interface), not the subnet level.
• Instances in the same subnet can be assigned to different security groups.
• You can attach more than one security group to an instance:
o Instance-specific security groups are recommended.
• All the rules from all the security groups that are attached to an instance are
evaluated before traffic is allowed to pass through; because there are no deny
rules, the effective policy is the union of all of them, and the most permissive
rule wins.

• Example:
o You can have an instance with one security group that provides SSH
access and then attach another security group that provides internet
access.
o When AWS decides whether to allow traffic to reach an instance, all
rules from all security groups associated with the instance are
evaluated first.
o This process can make it difficult to see what is actually exposed when
an instance carries several groups, and a rule added to a widely shared
group silently opens every instance that uses it.
o The best practice is to condense your rules to one security group per
instance as much as possible.
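A toy model of the behaviour described in the stateful section and in the multi-group discussion above, as an added example that is not part of the original notes and not how AWS implements security groups internally. It models only the documented semantics (allow-only rules, union across every attached group, connection tracking for replies) so both scenarios can be run offline: the HTTP-in-with-no-outbound-rules case, and an instance carrying a web group and an SSH-from-corporate group at the same time. Group names and addresses are constructed.

```python
"""Toy model of security-group semantics: allow-only rules, union across all
groups attached to an instance, and stateful return traffic.

Added example, not part of the original notes and not how AWS implements
security groups internally; it models only the documented behaviour so the
two scenarios above (stateful replies, several groups on one instance) can be
run offline. Group names and IP addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALL = "-1"  # AWS's value for "all protocols"


@dataclass(frozen=True)
class Rule:
    protocol: str     # "tcp", "udp", "icmp" or "-1"
    from_port: int
    to_port: int
    cidr: str         # source for inbound rules, destination for outbound rules

    def matches(self, protocol, dst_port, remote_ip):
        if self.protocol != ALL:
            if self.protocol != protocol or not self.from_port <= dst_port <= self.to_port:
                return False
        return ip_address(remote_ip) in ip_network(self.cidr)


def allow_all_outbound():
    return [Rule(ALL, 0, 65535, "0.0.0.0/0")]


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)                 # new group: no inbound rules
    outbound: list = field(default_factory=allow_all_outbound)  # new group: all outbound


class Instance:
    """One network interface with its attached groups and a connection table."""

    def __init__(self, groups):
        self.groups = groups
        self.flows = set()   # (direction, protocol, local_port, remote_ip, remote_port)

    def _rules_allow(self, direction, protocol, dst_port, remote_ip):
        # There are no deny rules, so the union of every attached group's rules is
        # evaluated: one matching allow in any group lets the packet through.
        for group in self.groups:
            rules = group.inbound if direction == "in" else group.outbound
            if any(r.matches(protocol, dst_port, remote_ip) for r in rules):
                return True
        return False

    def inbound(self, protocol, local_port, remote_ip, remote_port):
        """A connection arriving from outside; judged by inbound rules only."""
        if not self._rules_allow("in", protocol, local_port, remote_ip):
            return False
        self.flows.add(("in", protocol, local_port, remote_ip, remote_port))
        return True

    def outbound(self, protocol, remote_ip, remote_port, local_port):
        """A connection the instance initiates; judged by outbound rules only."""
        if not self._rules_allow("out", protocol, remote_port, remote_ip):
            return False
        self.flows.add(("out", protocol, local_port, remote_ip, remote_port))
        return True

    def reply_out(self, protocol, local_port, remote_ip, remote_port):
        """Reply to an accepted inbound connection: allowed by state, not by rules."""
        return ("in", protocol, local_port, remote_ip, remote_port) in self.flows

    def reply_in(self, protocol, local_port, remote_ip, remote_port):
        """Reply to a connection the instance opened: likewise allowed by state."""
        return ("out", protocol, local_port, remote_ip, remote_port) in self.flows


def demo():
    web = SecurityGroup("web", inbound=[Rule("tcp", 80, 80, "0.0.0.0/0")], outbound=[])
    admin = SecurityGroup("ssh-from-corp", inbound=[Rule("tcp", 22, 22, "10.0.0.0/8")], outbound=[])
    server = Instance([web, admin])             # two groups: their rules are unioned
    fresh = Instance([SecurityGroup("fresh")])  # a brand-new group with defaults only
    client = "203.0.113.5"
    return {
        "http_in": server.inbound("tcp", 80, client, 50000),
        "http_reply_out": server.reply_out("tcp", 80, client, 50000),   # no outbound rule needed
        "server_initiates_https": server.outbound("tcp", "198.51.100.7", 443, 40000),
        "ssh_from_internet": server.inbound("tcp", 22, client, 50001),
        "ssh_from_corp": server.inbound("tcp", 22, "10.1.2.3", 50002),
        "fresh_inbound_http": fresh.inbound("tcp", 80, client, 50003),
        "fresh_initiates_https": fresh.outbound("tcp", "198.51.100.7", 443, 40001),
        "fresh_https_reply_in": fresh.reply_in("tcp", 40001, "198.51.100.7", 443),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DROP'}")
```

Reading the results in order: the web server answers HTTP although it has no outbound rules, cannot itself reach out to the internet, accepts SSH only from the 10.0.0.0/8 group's range because that rule came from the second group, and the fresh group behaves as the notes state (nothing in, everything out, replies to its own connections back in).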

Step 6:
Configure Storage

• The main solution for EC2 instance storage is Amazon Elastic Block Store, or
Amazon EBS.
• Amazon EBS is a durable, detachable, high-performance block-storage
service designed for Amazon EC2.
• It works like an external hard drive: the volume is attached to the instance
over the network rather than living on the host, so it can be detached and
attached to another instance in the same Availability Zone, and it outlives the
instance.
• Because the volume is attached directly to the instance, reads and writes see
low latency between where the data is stored and where it is used.
• It is able to handle almost any computing requirement.
• EBS volumes can be used to:
o Run databases.
o Host applications.
o Handle storage options for any computing needs.

EBS Volume Types


• Amazon EBS provides multiple volume types that you can use to optimize
storage performance and cost for a broad range of applications.
• These volume types are divided into two major categories:
1. Solid State Drives (SSD)
o General Purpose – It is an SSD volume that balances price and
performance for a wide variety of workloads.
o Provisioned IOPS – They are the highest-performance SSD
volumes for mission-critical low-latency or high-throughput
workloads.

Note: Input/Output Operations Per Second (IOPS) measures the maximum number of reads
and writes that a storage device can perform in a second.

2. Hard Disk Drives (HDD)


o Throughput Optimized – It is a low-cost HDD volume designed
for frequently accessed, throughput intensive workloads.
o Cold – It is the lowest cost HDD volume and is designed for less
frequently accessed workloads.
• SSDs are for transactional workloads such as:
o Databases
o Virtual desktops.
o Boot volumes.
• HDDs are for throughput-intensive workloads such as:
o MapReduce
o Log processing.
EBS Volume Types – Use Cases
1. General Purpose:
o Recommended for most workloads.
o Virtual desktops.
o Medium-sized single instance databases such as Microsoft SQL Server
and Oracle.
o Latency-sensitive interactive applications.
o Boot volumes.
o Development and test environments.
2. Provisioned IOPS:
o Critical business applications that require sustained IOPS performance.
o Large database workloads.
3. Throughput Optimized:
o Streaming workloads
o Big data
o Data warehouses
o Log processing
o Cannot be a boot volume.
4. Cold:
o Throughput-oriented storage for large volumes of data that is
infrequently accessed.
o Scenarios where the lowest storage cost is important.
o Cannot be a root volume.

Amazon EBS Storage Configuration Options

1. Volume Types:
o When choosing a volume type, you cannot use Throughput Optimized
or Cold HDD volumes for root volumes.
o The root volume must be a general purpose or Provisioned IOPS
volume.
o You can add additional volumes (non-root volumes) to your instance
and mix and match any types with other volume types as needed.
2. Volume Size:
o The size of volume is in GiB (Gibibyte).
o If you are creating the volume from a snapshot, then the size of the
volume cannot be smaller than the size of the snapshot.
o Supported volume sizes are as follows:
▪ General purpose volumes: 1 GiB to 16,384 GiB
▪ Provisioned IOPS: 4 GiB to 16,384 GiB (io2 Block Express volumes can
be up to 65,536 GiB)
▪ Throughput Optimized or Cold HDD: 125 GiB to 16,384 GiB
3. Whether the storage should be deleted on termination:
o Delete on termination indicates whether the volume should be
automatically deleted when the instance is terminated.
o If you disable this delete on termination, then the volume persists
independently from the running life of an EC2 instance.
o As a result, the volume will remain provisioned in your account until
you delete it manually.
o You can also change the delete on termination behavior after the
instance has been launched.
4. Whether you want to encrypt the volume:
o You have the option to encrypt your root volume and any additional
volumes that you attach to your EC2 instance.
o Amazon EBS encryption uses AWS Key Management Service (AWS
KMS) keys to encrypt volumes (AES-256); data at rest on the volume, data
moving between the volume and the instance, and every snapshot taken from
the volume are encrypted.
o You can use the AWS managed key (aws/ebs) or a customer managed KMS key;
a customer managed key lets you control the key policy and rotation, and
therefore who can attach the volume or restore its snapshots.
o Encryption can only be chosen when the volume is created; an existing
unencrypted volume is encrypted by snapshotting it and restoring an
encrypted copy. To avoid forgetting it, enable encryption by default for
the Region in the EC2 settings, after which every new volume is encrypted
automatically.
o AWS KMS is a security service that lets you create and manage
cryptographic keys and control their use across a wide range of AWS
services.

Adding a File System

• Amazon Elastic File System (Amazon EFS) is a service that can host files that
are shared among multiple EC2 instances.
• EC2 instance can be attached to the newly created or already existing file
system.
• The files that are stored on the EFS file system will be accessible to all the
instances that are attached to it.
• However, Amazon EFS will not act as a gateway for instances to access files
that are stored on other EC2 instances.
• If an instance wants to share files with other instances, it must write them to
the shared file system, so that, the other instances can access them.
• It automatically grows and shrinks as you add and remove files with no need
for management or provisioning.
• You can attach instances to the file system as you launch your instance or
afterwards and remove instances from the file system without losing any files
stored on Amazon EFS.
• Access to the file system goes through mount targets in your VPC; each mount
target has its own security group, which must allow NFS (TCP port 2049) from the
instances that need to mount it.
• Amazon EFS cannot act as a root volume.
• Each instance that is attached to Amazon EFS must have its own root volume.

Amazon EC2 Instance Store


• An instance store provides temporary block-level storage for your instance.
• This storage is located on disks that are physically attached to the host
computer.
• An instance store is ideal for temporary storage of information that changes
frequently, such as buffers, caches, scratch data and other temporary content.

Limitations of Instance Store


1. Persistence of Volumes:
o Instance store volumes are not persistent volumes.
o If your instance is (on purpose or by system failure) stopped,
hibernated, or terminated, you will lose all your data on the volume.
2. Limited Availability:
o They have limited availability because they are only offered for
certain instance types (for example the I and D families and types with a
d suffix) and must be supported by the AMI you launch.
o When selecting an AMI, you can filter for AMIs that offer instance store
volumes.
3. Adding volumes:
o You can specify instance store volumes for an instance only when you
launch it.
o After the instance is launched, you can add EBS volumes to the
instance but not instance store volumes.
4. Detaching Volumes:
o An instance store volume’s disks are physically attached to the instance.
o Therefore, you cannot detach an instance store volume from one
instance and attach it to a different instance.
o AWS does not offer you the option to detach the volume.
5. Configuration of Volumes:
o Instance store volumes are not configurable.
o The instance type that you choose predetermines the volume type (SSD
or HDD), the number of volumes and their size.
o You cannot choose or manage encryption for these volumes; on Nitro-based
instances the data on NVMe instance store volumes is encrypted at rest by
the hardware with a key that never leaves it, so nothing survives the
instance in readable form.

Amazon EBS vs EC2 Instance Store


➢ Amazon EBS
• The volumes are network-attached storage; they are not disks inside the host
computer.
• Can configure the volume type (SSD or HDD) and the volume size.
• Can encrypt the volume and retain it after terminating the instance.
• Persistent volumes.
➢ EC2 Instance Store
• The volumes are physically attached to the host computer.
• Cannot be configured for volume type or the volume size (these
configurations are determined based on the instance type that you
use).
• Encrypting and retaining the volume after you delete the instance is not
an option.
• Not persistent volumes (data is retained only while the instance is running or
rebooting; a stop, hibernate, terminate or host failure loses it).

Step 7: Advanced Details


IAM Role
• An IAM role is an IAM identity that you can create in your account that has
specific permissions.
• A role has no long-term credentials of its own; whoever (or whatever) assumes it
receives temporary credentials that expire, scoped to the role's permission
policies, so the role should be given only the permissions its application needs.

IAM Glossary (IAM – Identity and Access Management)
▪ IAM identities – An IAM identity (a user, group or role) is what can be
authenticated and then authorized to perform actions in AWS.
▪ Permission Policies – Policies determine which actions an identity can perform,
on which AWS resources, and under which conditions.

Using IAM Roles with AWS Services
• EC2 instances often run applications that must make secure API calls to other
AWS services.
• Roles can be used to give instances permissions to access other AWS services
to overcome security risks:
o Security Risk – Placing long-term AWS credentials (access keys) on an EC2
instance to give it permission to make API calls to other AWS services is
highly insecure: the keys end up in config files, images and backups,
are hard to rotate, and keep working if copied off the instance.
o Security Solution – Attach an IAM role to the EC2 instance. The SDKs and
CLI on the instance obtain short-lived credentials for the role from the
instance metadata service (IMDS) and refresh them automatically.
o Because those credentials are readable by any process on the instance
that can reach IMDS, require IMDSv2 (session-token based) on the instance
and keep the role's permissions minimal.

Managing Roles
• An instance profile is a container for one IAM role; it is what actually gets
attached to the instance (the console creates it for you when you pick a role).
• Include the role when launching the instance.
• Add or replace a role after the instance is launched.
• Remove the role from an instance.
• Update a role’s policy to affect permissions immediately; the change goes
into effect for all instances that have that same role attached to them.
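How an application on the instance actually receives the role's temporary credentials, as an added example that is not part of the original notes. The paths and header names are the real Instance Metadata Service ones; the server below is a constructed stand-in that runs on 127.0.0.1 so the exchange can be shown offline, the role name WebServerRole is assumed, and the credentials it returns are fake placeholders. It also shows why requiring IMDSv2 matters: a plain GET with no session token (the request shape most server-side request forgery bugs can produce) is refused.

```python
"""How an application on the instance obtains the role's temporary credentials
from the Instance Metadata Service (IMDS), and why requiring IMDSv2 matters.

Added example, not part of the original notes. Paths and header names are the
real IMDS ones; the server is a constructed stand-in on 127.0.0.1, the role name
is assumed and the credentials are fake placeholders.
"""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ROLE = "WebServerRole"                       # assumed role / instance profile name
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
FAKE_CREDS = {                               # constructed placeholder values
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "IQoJb3JpZ2luX2VjEXAMPLESESSIONTOKEN",
    "Expiration": "2030-01-01T00:00:00Z",
}


class MockIMDS(BaseHTTPRequestHandler):
    """Stand-in for IMDS with HttpTokens=required (IMDSv2 only)."""
    tokens = set()

    def log_message(self, *_):               # keep the demo quiet
        pass

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # Tokens are minted only by PUT with a TTL header; like the real service,
        # refuse anything that came through a proxy (X-Forwarded-For present).
        if self.path != "/latest/api/token" or TTL_HDR not in self.headers:
            return self._reply(400, "bad request")
        if "X-Forwarded-For" in self.headers:
            return self._reply(403, "forbidden")
        token = secrets.token_urlsafe(32)
        MockIMDS.tokens.add(token)
        self._reply(200, token)

    def do_GET(self):
        if self.headers.get(TOKEN_HDR) not in MockIMDS.tokens:
            return self._reply(401, "unauthorized")   # IMDSv1-style GET is rejected
        if self.path == CREDS_PATH:
            return self._reply(200, ROLE)             # lists the attached role name
        if self.path == CREDS_PATH + ROLE:
            return self._reply(200, json.dumps(FAKE_CREDS))
        self._reply(404, "not found")


def start_mock():
    server = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def get_token(base, ttl=21600):
    """IMDSv2 step 1: PUT for a session token (TTL in seconds, maximum 21600)."""
    req = Request(f"{base}/latest/api/token", method="PUT", headers={TTL_HDR: str(ttl)})
    with urlopen(req, timeout=3) as resp:
        return resp.read().decode()


def get_role_credentials(base, token):
    """IMDSv2 step 2: discover the role name, then fetch its temporary credentials."""
    def get(path):
        with urlopen(Request(base + path, headers={TOKEN_HDR: token}), timeout=3) as resp:
            return resp.read().decode()
    role = get(CREDS_PATH)
    return role, json.loads(get(CREDS_PATH + role))


def v1_style_status(base):
    """Status for a plain GET with no token, the request most SSRF bugs can make."""
    try:
        with urlopen(base + CREDS_PATH, timeout=3) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def demo():
    server, base = start_mock()
    try:
        no_token = v1_style_status(base)
        role, creds = get_role_credentials(base, get_token(base))
        return no_token, role, sorted(creds)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

On a real instance the base URL is http://169.254.169.254 and the SDKs perform this exchange for you; the setting that enforces it is the instance's metadata option HttpTokens=required, which you can choose under Advanced details at launch.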

User Data
• Optionally, specify a user data script at instance launch.
• Use user data scripts to customize the runtime environment of your instance:
o A script runs the first time the instance starts by default, as root.
o A script can be configured to run every time the instance starts.
• These scripts can do the following and more:
o Patch and update the instance AMI.
o Fetch and install software license keys.
o Install additional software.
• User data is limited to 16 KB and is not a secret: anyone who can describe the
instance's attributes can read it, and so can any process on the instance via
the metadata service. Do not embed passwords or API keys; have the script fetch
them using the instance's IAM role instead.

Example Script:
#!/bin/bash (This first line is the shebang. It selects the interpreter that runs the
script and must be the first line for the user data to be executed as a script.)

yum update -y (Updates all installed packages. User data scripts already run as root,
so the "sudo su" line that often appears here is unnecessary; in a non-interactive
script it only opens and immediately closes a shell.)

yum install httpd -y (Installs the Apache HTTP server package on your instance.)

service httpd start (Starts the Apache server, so it is not only installed but also
running on your instance.)

chkconfig httpd on (Configures the instance to start Apache automatically on every
reboot.)

Note: these package and service commands are for Amazon Linux 2. On Amazon Linux 2023
use dnf install -y httpd and systemctl enable --now httpd instead.

Additional Advanced Settings Options

1. Request Spot Instances:
o You can request Spot Instances at the Spot price, which never exceeds
the On-Demand price.
o Spot Instances are for workloads that can be interrupted: AWS can reclaim
the capacity with a two-minute warning.
o Requesting Spot Instances reduces cost because they are cheaper
than On-Demand Instances.
2. Shutdown Behavior:
o The shutdown behavior setting affects how the instance behaves when
an OS-level shutdown is performed.
o Instances can be either terminated or stopped.
o If no value is specified, the instance is stopped.
3. Termination Protection:
o If termination protection is enabled, the instance cannot be terminated
by using the console, API, or CLI until termination protection is disabled.
o It is disabled by default.
4. Detailed Monitoring:
o Amazon CloudWatch is a monitoring service that provides you with data
and actionable insights to monitor your applications.
o It is continually monitoring, collecting and analyzing metrics about your
instances.
o With basic monitoring it publishes metrics every 5 minutes, without any
additional charge.
o If detailed monitoring is enabled, CloudWatch publishes metrics
every minute.
o Additional charges apply if it is enabled.
o It is disabled by default.
5. Tenancy:
o You have the option to enable or disable Dedicated Tenancy.
o Dedicated tenancy instances run on single-tenant, dedicated hardware.
o Host tenancy instances run on a Dedicated Host that you allocate.
o If you select dedicated tenancy or dedicated host, your costs will be
increased for your instance.
o You have no additional charge for running your instance on shared
hardware.
o If no value is specified, the instance uses shared tenancy (unless the VPC
itself is set to dedicated tenancy, which overrides this).

Configuration Considerations
• Keep in mind the following considerations to help you make good decisions
when launching your instance:
1. Have no default setting –
o Key pair.
2. Affect Costs –
o AMI
o Instance type.
o Configure Storage.
o Advanced details.
o Region
3. Cannot be modified after instance launch –
o AMI
o Key pair.
o Network settings – VPC, Subnet.
o Region
4. Can be modified after instance launch –
o Name and tags.
o Instance type (while the instance is stopped).
o Network settings – IP address (by associating an Elastic IP), Security groups.
o Storage (attach, detach or resize volumes).
o Advanced details – Adding or changing a role, User data (while stopped).
• Ultimately, the configuration choices that you make for your instance should be
based on the use case for the instance and keeping costs down.

Activity: Configuring an instance based on the use case.
1. Scenario:
• Your manager asked you to create an EC2 instance that will host a
dynamic website.
• After asking your manager more specific questions, you learn the
following:
o The website should be available to everyone on the web, but the
primary customer target is on the east coast of the United States.
o The instance that is hosting the website should have a Windows
operating system.
o The application should be launched with the most recent patches
and updates.
o The instance will need to have an administrator update patches from
time to time.
o The instance must be protected from accidentally being
terminated.
o The application needs to access Amazon S3.
o The instance’s resources should be reportable for costs.
o The costs to run the instance should be kept as low as possible.
2. Name and tags:
• Requirements to consider:
o The instance’s resources should be reportable for costs.
o The costs to run the instance should be kept as low as possible.
• To help track the costs of the instance, tags should be used.
• You can run reports based on tags to gain insights into the monthly costs
of this particular instance.
• E.g.: Key: Name | Value: My test server
Key: Dept | Value: Development
3. AMI:
• Requirements to consider:
o The instance that is hosting the website should have a windows
operating system.
o The costs to run the instance should be kept as low as possible.
• An AMI should be chosen that is packaged with Windows as the
operating system.
• Also, you should give careful consideration for any other software that
might be needed when choosing your AMI.
• Your manager said to keep costs as low as possible.
• However, you don’t want the performance of your website to suffer in
order to keep costs low.
• AMIs cannot be switched out; if you later need a more advanced AMI,
you will need to create a new instance.

AMI Components:
o A template for the root volume.
o Launch permissions.
o A block device mapping.
4. Instance Type:
• Requirements to consider:
o The website should be available to everyone on the web, but the
primary customer target is on the east coast of the United States.
o The costs to run the instance should be kept as low as possible.
• The instance is going to be used to host a website, and cost is a factor.
• Therefore, the most cost-effective instance type for a web server is one
of the families in the general-purpose category.
• Remember that instance types can be changed.
• You can scale up or scale down as needed. For example, you might start with
an instance in the T3 family, and scale up if you need more CPU.
5. Key Pair:
• Requirements to consider:
o The instance will need to have an administrator update patches
from time to time.
• Because the instance will need to have an administrator update patches
from time to time, the instance should be created with a key pair.
• You can either create a new key pair or use an existing key pair.
• The administrator who is making the updates should have access to this
key pair.
• A key pair consists of the following:
o A public key that AWS stores.
o A private key file that you store.
6. Network Settings:
• Requirements to consider:
o The instance that is hosting the website should have a Windows
operating system.
o The website should be available to everyone on the web, but the
primary customer target is on the east coast of the United States.
• The website will be primarily targeting customers on the east coast of
the United States.
• Therefore, the best Region to launch your instance in is the N. Virginia
Region.
• You should be sure that the VPC and subnet that you place your instance
in are configured for internet access.
• Also, a public IP address should be assigned to the instance.
• The security groups should have inbound rules that allow for the
following:
o Internet (HTTP, HTTPS) traffic for the public website to be
accessible to the internet.
o Remote Desktop Protocol (RDP) traffic for an administrator to log
in for patching and updating the instance.
o If the instance had a Linux OS, then you would use SSH instead.
7. Storage Configurations:
• Requirements to consider:
o The website should be available to everyone on the web, but the
primary customer target is on the east coast of the United States.
o The costs to run the instance should be kept as low as possible.
• A general-purpose EBS volume would make the best choice for this
workload.
• A provisioned IOPS volume is over-resourcing and will cost you more
than you need to spend.
• If the website were hosting a critical business website with a large
database, then a provisioned IOPS volume could be the right solution.
• You can always scale to meet the needs of your storage.
Amazon EBS Capabilities:
o Run Databases.
o Host applications.
o Handle most storage computing needs.
8. Advanced Details:
• Consider the following requirements:
o The instance must have an administrator update patches from
time to time.
o The application must be protected from accidentally being
terminated.
o The application needs to access Amazon S3.
• Because the application must access Amazon S3, you should attach an
IAM role to the instance that has sufficient permissions to perform the
required tasks.
• To protect the instance from accidental termination, enable termination
protection.
• To update and patch the instance when it is launched, add the
appropriate script to the user data field.
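The eight steps of the activity above, together with the Configuration Considerations list (which settings have no default and which cannot be changed after launch), turned into a single launch configuration as an added example; this is not code from the course material. It uses only the Python standard library, so it runs offline, and returns the keyword arguments that would be handed to boto3's ec2.run_instances(). Every AWS identifier in it (AMI, subnet, security group, key pair, instance profile, bucket, administrator CIDR) is a placeholder, and the user data script, inbound rules and tags are constructed for the scenario. It adds two checks a practitioner would want before launching: that the security group exposes HTTP/HTTPS to the internet but keeps RDP limited to the administrator's range, and that the settings with no default or no post-launch fix (key pair, termination protection, IAM role, cost tags) are present.

```python
"""Launch configuration for the activity scenario, built and checked offline.

Added example, not part of the course material: standard library only; the
result is the keyword-argument dict for boto3's ec2.run_instances().
Every AWS identifier below is a placeholder (assumption).
"""
import ipaddress

# Placeholder identifiers (assumptions; replace before a real launch).
AMI_ID = "ami-PLACEHOLDER"            # a Windows Server AMI in us-east-1 (N. Virginia)
SUBNET_ID = "subnet-PLACEHOLDER"      # public subnet with a route to an internet gateway
SECURITY_GROUP_ID = "sg-PLACEHOLDER"  # group that holds the inbound rules below
KEY_PAIR_NAME = "admin-keypair"       # key pair held by the administrator
INSTANCE_PROFILE = "web-s3-reader"    # instance profile wrapping the IAM role
BUCKET = "example-site-assets"        # S3 bucket the application reads from
ADMIN_CIDR = "203.0.113.0/24"         # documentation range standing in for the admin office
ANYWHERE = "0.0.0.0/0"

# Constructed Windows first-boot script for the user data field; EC2Launch runs the
# <powershell> block once. PSWindowsUpdate is the PowerShell Gallery update module.
USER_DATA = """<powershell>
Install-PackageProvider -Name NuGet -Force
Install-Module -Name PSWindowsUpdate -Force
Install-WindowsUpdate -AcceptAll -AutoReboot
</powershell>
"""

# Constructed inbound rules: web ports open to the world, RDP only from the admin range.
INBOUND_RULES = [
    {"protocol": "tcp", "port": 80, "cidr": ANYWHERE},
    {"protocol": "tcp", "port": 443, "cidr": ANYWHERE},
    {"protocol": "tcp", "port": 3389, "cidr": ADMIN_CIDR},
]

TAGS = [{"Key": "Name", "Value": "My test server"},
        {"Key": "Dept", "Value": "Development"}]


def check_inbound_rules(rules):
    """Return findings (empty list means OK): HTTP and HTTPS must be reachable from
    anywhere, while RDP must be limited to a specific administrator range."""
    findings = []
    open_to_world = {r["port"] for r in rules
                     if ipaddress.ip_network(r["cidr"]).prefixlen == 0}
    for port in (80, 443):
        if port not in open_to_world:
            findings.append(f"port {port} is not open to the internet; the site is unreachable")
    if 3389 in open_to_world:
        findings.append("RDP (3389) is open to the whole internet; restrict it to the admin CIDR")
    return findings


def s3_read_policy(bucket):
    """Least-privilege policy for the instance role: list and read one bucket only,
    instead of a broad s3:* grant."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def build_run_instances_params():
    """Assemble the run_instances() arguments that satisfy the scenario."""
    return {
        "ImageId": AMI_ID,
        "InstanceType": "t3.small",        # general-purpose family; resize later if needed
        "KeyName": KEY_PAIR_NAME,          # has no default: must be chosen at launch
        "MinCount": 1, "MaxCount": 1,
        "NetworkInterfaces": [{            # public IP and security group on the primary ENI
            "DeviceIndex": 0, "SubnetId": SUBNET_ID,
            "AssociatePublicIpAddress": True, "Groups": [SECURITY_GROUP_ID]}],
        "IamInstanceProfile": {"Name": INSTANCE_PROFILE},
        "DisableApiTermination": True,     # termination protection
        "Monitoring": {"Enabled": False},  # basic 5-minute CloudWatch metrics, no extra charge
        "BlockDeviceMappings": [{"DeviceName": "/dev/sda1",   # Windows root volume
            "Ebs": {"VolumeType": "gp3", "VolumeSize": 30, "DeleteOnTermination": True}}],
        "TagSpecifications": [{"ResourceType": "instance", "Tags": TAGS},
                              {"ResourceType": "volume", "Tags": TAGS}],  # volume costs too
        "UserData": USER_DATA,             # boto3 base64-encodes this field itself
    }


def check_launch_params(params):
    """Catch settings that have no default, cannot be fixed after launch, or are required."""
    findings = []
    if not params.get("KeyName"):
        findings.append("no key pair selected; the administrator will have no way to log in")
    if not params.get("DisableApiTermination"):
        findings.append("termination protection is off")
    if not params.get("IamInstanceProfile"):
        findings.append("no IAM role attached; the application cannot reach Amazon S3")
    tag_keys = {t["Key"] for spec in params.get("TagSpecifications", []) for t in spec["Tags"]}
    if "Dept" not in tag_keys:
        findings.append("missing Dept tag; costs cannot be allocated to the department")
    return findings


if __name__ == "__main__":
    params = build_run_instances_params()
    print(check_inbound_rules(INBOUND_RULES), check_launch_params(params))
    # Real launch: boto3.client("ec2", region_name="us-east-1").run_instances(**params)
```

The two check functions return lists of findings rather than raising, so the same code can run as a pre-launch gate in a pipeline or over an existing instance's description; an empty list is the pass condition.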
