Step 1:
Using Tags
• The first step in creating an instance is assigning it a name and tags.
• The name of an instance is simply a tag with the key Name, and it works like
every other tag.
• Tags work as metadata to identify and define the AWS resources that they are
attached to.
• Each tag is a label that consists of a customer-defined key and an optional value
that can simplify managing, searching for and filtering resources.
• Although there are no inherent types of tags, customers can use them to
categorize resources by purpose, owner, environment or other criteria.
• Potential benefits of tagging: Filtering, Automation, Cost allocation and Access
control. Eg: Key: Name, Value: My Instance.
Tag Features
• Each Amazon EC2 resource can have a maximum of 50 tags.
• Manage tags:
o Add, remove or edit tags.
o The tag limit per Amazon EC2 resource is 50 tags.
o Naming and tagging resources is optional.
• Tags simplify your search for tagged resources based on a specific tag key or
tag value.
• You can also filter your searches by multiple tag keys or tag values.
• Search and filter for tags:
o Search for resources by key or by value.
o Filter and search for resources by a combination of tag keys and values.
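The tag rules above (a limit of 50 tags per resource, customer-defined keys with optional values, searching by key or value and filtering by a combination of both) are enough to write a small inventory check. The following Python is an added example, not part of the original notes: it validates a tag set against the EC2 limits (50 tags, keys up to 128 characters, values up to 256, the aws: prefix reserved for AWS-created tags) plus a hypothetical required-tag policy for cost allocation and access control, and filters a constructed sample inventory by several tag keys and values at once.

```python
"""Tag checks for EC2 resources (added example, not from the original notes).

The limits (50 tags per resource, keys up to 128 characters, values up to
256, the "aws:" prefix reserved for AWS-created tags) are published EC2 tag
restrictions. REQUIRED_KEYS is a hypothetical tagging policy of the kind an
organisation adopts for cost allocation and tag-based access control.
"""

MAX_TAGS = 50
MAX_KEY_LEN = 128
MAX_VALUE_LEN = 256
REQUIRED_KEYS = ("Name", "Owner", "Environment")  # hypothetical tagging policy


def validate_tags(tags):
    """Return a list of problems with a {key: value} tag set (empty if OK)."""
    problems = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS}")
    for key, value in tags.items():
        if not key or len(key) > MAX_KEY_LEN:
            problems.append(f"key {key!r} is empty or longer than {MAX_KEY_LEN}")
        if value is not None and len(value) > MAX_VALUE_LEN:
            problems.append(f"value for {key!r} is longer than {MAX_VALUE_LEN}")
        if key.lower().startswith("aws:"):
            # Keys with this prefix are created by AWS and cannot be set by customers.
            problems.append(f"key {key!r} uses the reserved 'aws:' prefix")
    for key in REQUIRED_KEYS:
        if key not in tags:
            problems.append(f"required tag {key!r} is missing")
    return problems


def filter_resources(resources, **wanted):
    """Return ids of resources whose tags match every key in `wanted`.

    A wanted value of None means "the key must be present, any value";
    otherwise the tag value must match exactly (tag values are case-sensitive).
    Several keys combine with AND, which is the console's multi-filter behaviour.
    """
    matches = []
    for resource_id, tags in resources.items():
        ok = all(
            key in tags and (value is None or tags[key] == value)
            for key, value in wanted.items()
        )
        if ok:
            matches.append(resource_id)
    return sorted(matches)


# Constructed sample inventory: resource id -> tags (not real resources)
SAMPLE_RESOURCES = {
    "i-0aaa": {"Name": "web-1", "Owner": "alice", "Environment": "prod"},
    "i-0bbb": {"Name": "web-2", "Owner": "alice", "Environment": "dev"},
    "i-0ccc": {"Name": "db-1", "Environment": "prod"},  # Owner tag missing
    "vol-0ddd": {"Name": "db-1-data", "Owner": "bob", "Environment": "prod",
                 "aws:cloudformation:stack-name": "demo"},  # AWS-created tag
}

if __name__ == "__main__":
    for rid, tags in SAMPLE_RESOURCES.items():
        print(rid, validate_tags(tags) or "ok")
    # Production resources that have some Owner, whatever the value
    print(filter_resources(SAMPLE_RESOURCES, Environment="prod", Owner=None))
```

Running the module prints one line per resource with its problems, then the ids of the production resources that carry an Owner tag; i-0ccc is excluded from that filter because the key is absent, not because of its value.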
Step 2:
Choosing an Amazon Machine Image (AMI)
• An AMI is required when launching an instance.
• The AMI has three main components:
1. Template for the root volume, which contains the operating system,
application servers and applications.
2. Launch permissions that control which AWS accounts can use the AMI.
3. Block device mapping that specifies the volumes to attach to the
instance (if any) when it is launched.
Using AMIs
• Choose an AMI that fits the use case of your instance.
• Use the same AMI to launch multiple instances that should have the same
configuration.
• In this way, all of the instances launched from the same AMI will have identical
software configurations but different IP addresses.
• If instances have different use cases, use AMIs that are specific to the use cases
of each instance.
• Before you create your instance, it is important to fully understand what the
instance will be used for, because, after an instance is created, you cannot
change the AMI.
Where Do You Get an AMI?
1. Pre-built:
o Amazon offers a number of pre-built AMIs to launch your instances.
o These AMIs include Linux and Windows options with various sub options
to tailor your setup.
2. AWS Marketplace:
o The AWS Marketplace offers a digital catalog with thousands of software
solutions listed.
o These AMIs can offer specific use cases to help you get started quickly.
3. Create your own:
o An AMI is an anonymized, block-level copy of the root volume of a donor
machine or golden instance.
o It is a virtual machine (VM) that you configured with specific OS and
application content that you want placed on the AMI.
o When you create an AMI, Amazon EC2 stops the instance, snapshots its
root volume and finally registers the snapshot as an AMI.
4. Community AMIs:
o People all over the globe create community AMIs.
o These AMIs are not vetted by AWS and are used at your own risk.
o These AMIs can offer many different solutions to various problems, but
use them with great care.
o They should be thoroughly reviewed for security concerns when using
them in any production or corporate environment.
AMI Benefits
• Repeatability:
o Instances that are launched from the same AMI are exact replicas of one
another.
o As a result, it greatly facilitates building clusters of similar instances or
recreating compute environments.
• Reusability:
o AMIs package the full configuration and content of an EC2 instance such
that it can be used over and over again, with efficiency and precision.
• Recoverability:
o An AMI is perfect for replacing failed machines with new instances that
are created from the same AMI.
• Marketplace solutions:
o Suppose that you are looking for a software solution from a specific
vendor.
o An AMI probably exists on the marketplace that you can launch to
implement that solution on an EC2 instance.
o Additionally, authorized software vendors can create AMIs and also sell
them there.
• Backups:
o AMIs provide a great way to back up a complete EC2 instance
configuration, which you can use to launch a replacement instance in the
event of a failure.
Step 3:
Instance Types
• The instance type specifies the hardware of the host computer that’s used for
your instance.
• The instance type you choose determines the following:
o Processing power (CPU)
o Memory (RAM)
o Storage (Disk space and disk type)
o Network performance
• Amazon EC2 provides a selection of instance types that optimize these
components in different proportions to fit different use cases.
• You select the appropriate instance type based on the requirements of the
application or software that you plan to run on your instance.
Instance Families
• Each instance type belongs to an instance family.
• An instance family is a group of instances, with varying configurations, which
are based on similar compute, memory and storage capabilities.
• Instance type families: T family, M family, C family, P family, R family.
• Within each family, instance types have specific names. Eg: the T family has t2.micro,
t3.large and t3.xlarge, the C family has c5.xlarge, the P family has p3.2xlarge etc.
• For eg: a t3.2xlarge has twice the vCPU and memory of a t3.xlarge.
Instance Categories
1. General Purpose:
o General purpose instances provide a balance of compute, memory and
networking resources and can be used for a variety of diverse
workloads.
o These instances are ideal for applications that use these resources in
equal proportions such as web servers and code repositories.
o Eg: A1, M4, M5, T2, T3 etc.
2. Compute Optimized:
o Compute optimized instances are ideal for compute bound applications
that benefit from high performance processors.
o Instances belonging to this category are well suited for batch
processing workloads, media transcoding, high performance web
servers, high performance computing (HPC), scientific modeling,
dedicated gaming servers and server engines, machine learning
inference and other compute intensive applications.
o Eg: C4, C5 etc.
3. Memory Optimized:
o Memory optimized instances are designed to deliver fast performance
for workloads that process large data sets in memory.
o Eg: R4, R5, X1, Z1 etc.
4. Accelerated Computing:
o Accelerated computing instances use hardware accelerators, or
co-processors, to perform functions, such as floating-point number
calculations, graphics processing, or data pattern matching, more
efficiently than is possible in software running on CPUs.
o They are used for HPC applications at scale in pharmaceutical discovery,
seismic analysis, weather forecasting and financial modeling.
o Eg: F1, G3, G4, P2, P3 etc.
5. Storage Optimized:
o Storage optimized instances are designed for workloads that require
high, sequential read and write access to very large data sets on local
storage.
o They are optimized to deliver tens of thousands of low-latency, random
I/O operations per second (IOPS) to applications.
o Eg: D2, H1, I3 etc.
6. HPC Optimized:
o High performance computing (HPC) instances are purpose built to offer
the best price performance for running HPC workloads at scale on
AWS.
o HPC instances are ideal for applications that benefit from
high-performance processors such as large, complex simulations and deep
learning workloads.
Step 5:
Network Settings
• Network settings means choosing the VPC, subnet and security group that
you will place your instance in.
• Also enable or disable a public IP address for the instance.
• An instance is placed behind a security group, within a subnet, within a VPC,
within a Region.
Regions
• The Region that you are launching your instance into is determined by the
Region that you are working in on the AWS Management Console.
• It is not a network configuration setting in the Amazon EC2 launch wizard.
Public IP Addresses
• An IPv4 address that’s reachable from the internet.
• Used to communicate between your instances and the internet.
• Eg: A computer on the internet can reach the EC2 instance because the
instance has a public IP address assigned to it.
Public IP
• Depending on the situation, a public IP address might or might not be
auto-assigned to your EC2 instance.
• Different scenarios are explained below:
Scenario 1:
Scenario 2:
• You have the option to create additional subnets in your default VPC.
• If you launch your EC2 into a non-default subnet of the default VPC, then the
Auto-assign public IP setting will be disabled by default.
• However, you can choose to change it from disabled to enabled.
Scenario 3:
Rule Components
• When you configure the rules for your security groups, you decide which
internet protocols can reach your security groups.
• Internet protocols are different ways that computers and other services on the
internet can send information to each other.
• When you configure a security group’s rule there are four main components:
1. Type:
o The type is where you choose the specific type of protocol to open
to network traffic.
o You can choose a common protocol, such as SSH (for a Linux
instance), RDP (for a Windows instance), and HTTP and HTTPS to
allow internet traffic to reach your instance.
2. Protocol:
o The protocol section shows the protocol to allow for the protocol
type.
o The most common protocols are TCP and UDP – 6, ICMP – 1.
3. Port range:
o The port range verifies the ports that are allowed to pass traffic for
each protocol type.
o You can specify a single port number (eg: 22), or a range of port
numbers (eg: 7000 – 8000).
4. Source/Destination:
o The source is where you choose the source (inbound rules) or
destination (outbound rules) for the traffic to reach.
o This option determines the traffic that can reach your instance.
o You can specify a single IP address, or a range of IP addresses.
o If the instance is hosting a web page, you can leave it open to all
traffic on HTTP.
• Example:
o If the above security group has an inbound rule that allows HTTP protocol
from a source IP 0.0.0.0/0, then a response from the instance is automatically
allowed.
o The response is allowed even if no outbound rules are specified in the security
group.
o However, because no outbound rules are specified in the security group, the
instance cannot initiate an outbound call.
• Example:
o You can have an instance with one security group that provides SSH
access and then attach another security group that provides internet
access.
o When AWS decides whether to allow traffic to reach an instance, all
rules from all security groups associated with the instance are
evaluated first.
o This process can make it difficult to manage instances with multiple
security groups and might cause unexpected results.
o The best practice is to condense your rules to one security group per
instance as much as possible.
Step 6:
Configure Storage
• The main solution for EC2 instance storage is Amazon Elastic Block Store, or
Amazon EBS.
• Amazon EBS is a durable, detachable, high-performance block-storage
service designed for Amazon EC2.
• It works like an external hard drive.
• Since EBS volumes are mounted to the instances, they provide extremely low
latency between where the data is stored and where it might be used on the
instance.
• It is able to handle almost any computing requirements.
• EBS volumes can be used to:
o Run databases.
o Host applications.
o Handle storage options for any computing needs.
1. Volume Types:
o When choosing a volume type, you cannot use Throughput Optimized
or Cold HDD volumes for root volumes.
o The root volume must be a general purpose or Provisioned IOPS
volume.
o You can add additional volumes (non-root volumes) to your instance
and mix and match any types with other volume types as needed.
2. Volume Size:
o The size of the volume is specified in GiB (gibibytes).
o If you are creating the volume from a snapshot, then the size of the
volume cannot be smaller than the size of the snapshot.
o Supported volume sizes are as follows:
▪ General purpose volumes: 1 GiB to 16,384 GiB
▪ Provisioned IOPS: 4 GiB to 16,384 GiB
▪ Throughput Optimized or Cold HDD: 125 GiB to 16,384 GiB
3. Whether the storage should be deleted on termination:
o Delete on termination indicates whether the volume should be
automatically deleted when the instance is terminated.
o If you disable this delete on termination, then the volume persists
independently from the running life of an EC2 instance.
o As a result, the volume will remain provisioned in your account until
you delete it manually.
o You can also change the delete on termination behavior after the
instance has been launched.
4. Whether you want to encrypt the volume:
o You have the option to encrypt your root volume and any additional
volumes that you attach to your EC2 instance.
o Amazon EBS encryption uses AWS Key Management Service (AWS
KMS) keys to encrypt volumes.
o AWS KMS is a security service that lets you create and manage
cryptographic keys and control their use across a wide range of AWS
services.
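The volume rules listed under Step 6 (which types may be a root volume, the size range per type, the snapshot size floor, delete on termination and KMS encryption) are the kind of constraints worth checking before a launch template is approved. The following Python is an added example, not part of the original notes: it encodes those constraints and reports the problems with a proposed volume. The API type identifiers gp2/gp3 (General Purpose), io1/io2 (Provisioned IOPS), st1 (Throughput Optimized) and sc1 (Cold HDD) are the EBS volume type names; treating an unencrypted volume or a root volume that outlives its instance as a finding is a policy assumption of this checker, not an EBS rule.

```python
"""EBS volume configuration checks (added example, not from the original notes).

Encodes the constraints from the notes: root volumes must be General Purpose
or Provisioned IOPS (not Throughput Optimized or Cold HDD), per-type size
ranges in GiB, a volume restored from a snapshot cannot be smaller than the
snapshot. Reporting unencrypted volumes and root volumes that persist after
termination is a policy assumption of this checker, not an EBS rule.
"""

# EBS volume type identifier -> (min GiB, max GiB) as listed in the notes
SIZE_LIMITS = {
    "gp2": (1, 16384), "gp3": (1, 16384),        # General Purpose SSD
    "io1": (4, 16384), "io2": (4, 16384),        # Provisioned IOPS SSD
    "st1": (125, 16384), "sc1": (125, 16384),    # Throughput Optimized / Cold HDD
}
ROOT_ALLOWED = {"gp2", "gp3", "io1", "io2"}


def check_volume(volume_type, size_gib, is_root=False, snapshot_gib=None,
                 encrypted=True, delete_on_termination=True):
    """Return a list of problems with a proposed volume (empty when it is valid)."""
    if volume_type not in SIZE_LIMITS:
        return [f"unknown volume type {volume_type!r}"]
    problems = []
    lo, hi = SIZE_LIMITS[volume_type]
    if not lo <= size_gib <= hi:
        problems.append(f"{volume_type} size {size_gib} GiB outside {lo}-{hi} GiB")
    if is_root and volume_type not in ROOT_ALLOWED:
        problems.append(f"{volume_type} cannot be a root volume")
    if snapshot_gib is not None and size_gib < snapshot_gib:
        problems.append(f"size {size_gib} GiB smaller than snapshot {snapshot_gib} GiB")
    if not encrypted:
        # Policy assumption: every volume should use AWS KMS encryption.
        problems.append("volume is not encrypted (KMS encryption recommended)")
    if is_root and not delete_on_termination:
        # Policy assumption: an orphaned root volume keeps billing after termination.
        problems.append("root volume will persist after the instance is terminated")
    return problems


# Constructed sample layout: root volume plus two data volumes
SAMPLE_VOLUMES = [
    dict(volume_type="gp3", size_gib=8, is_root=True),
    dict(volume_type="st1", size_gib=500),
    dict(volume_type="io1", size_gib=20, snapshot_gib=50, encrypted=False),
]

if __name__ == "__main__":
    for spec in SAMPLE_VOLUMES:
        print(spec["volume_type"], check_volume(**spec) or "ok")
```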
• Amazon Elastic File System (Amazon EFS) is a service that can host files that
are shared among multiple EC2 instances.
• An EC2 instance can be attached to a newly created or an already existing file
system.
• The files that are stored on the EFS file system will be accessible to all the
instances that are attached to it.
• However, Amazon EFS will not act as a gateway for instances to access files
that are stored on other EC2 instances.
• If an instance wants to share files with other instances, it must write them to
the shared file system so that the other instances can access them.
• It automatically grows and shrinks as you add and remove files, with no need
for management or provisioning.
• You can attach instances to the file system as you launch your instance or
afterwards and remove instances from the file system without losing any files
stored on Amazon EFS.
• Amazon EFS cannot act as a root volume.
• Each instance that is attached to Amazon EFS must have its own root volume.
• Roles can be used to give instances permissions to access other AWS services
to overcome security risks:
o Security Risk – Placing AWS credentials on an EC2 instance to give it
permission to make secure API calls to other AWS services is highly
insecure.
o Security Solution – Attach an IAM role to the EC2 instance that grants
permission to make API requests to other services.
Managing Roles
• An instance profile is a container for an IAM role.
• Select a role from the instance profile to associate with the instance.
• Include the role when launching the instance.
• Add a role after the instance is launched.
• Remove the role from an instance.
• Update a role’s policy to affect permissions immediately and the change goes
into effect for all instances that have that same role attached to them.
User Data
• Optionally, specify a user data script at instance launch.
• Use userdata scripts to customize the runtime environment of your instance:
o A script runs the first time the instance starts by default.
o A script can be configured to run every time the instance starts.
• These scripts can do the following and more:
o Patch and update the instance AMI.
o Fetch and install software license keys.
o Install additional software.
Example Script:
#!/bin/bash
# Shebang line: selects the interpreter that runs the script. It must be the
# first line for the script to work.
yum update -y
# Updates all the packages on your instance.
yum install httpd -y
# Installs the most recent Apache HTTP server package on your instance.
service httpd start
# Starts the Apache server, so it is not only installed but also running on
# your instance.
Configuration Considerations
• Keep in mind the following considerations to help you make good decisions
when launching your instance:
1. Have no default setting –
o Key pair.
2. Affect Costs –
o AMI
o Instance type.
o Configure Storage.
o Advanced details.
o Region
3. Cannot be modified after instance launch –
o AMI
o Key pair.
o Network settings – VPC, Subnet.
o Region
4. Can be modified after instance launch –
o Name and tags.
o Instance type.
o Network settings – IP address, Security groups.
o Storage
o Advanced details – Adding a role, User data scripts.
• Ultimately, the configuration choices that you make for your instance should be
based on the use case for the instance and keeping costs down.
8. Advanced Details:
• Consider the following requirements:
o An administrator must update and patch the instance from time to
time.
o The application must be protected from accidentally being
terminated.
o The application needs to access Amazon S3.
• Because the application must access Amazon S3, you should attach an
IAM role to the instance that has sufficient permissions to perform the
required tasks.
• To protect the instance from accidental termination, enable termination
protection.
• To update and patch the instance when it is launched, add the
appropriate script to the user data field.
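The scenario above pulls together most of the launch settings the notes cover: an IAM role through an instance profile instead of credentials on the instance, termination protection, a user data script for patching, plus the AMI, key pair, network settings, encrypted storage and tags. The following Python is an added example, not part of the original notes: it assembles the parameters for the EC2 RunInstances call in the shape boto3's ec2.run_instances(**params) accepts, without calling AWS, so it runs offline and can be inspected or unit-tested before a real launch. The AMI id, subnet, security group, key pair, instance profile and KMS key are placeholders to replace; the user data is the notes' own Apache script. Requiring IMDSv2 session tokens is added because the role's temporary credentials are served to the instance through the metadata service, and the token requirement limits how easily they can be read.

```python
"""RunInstances parameters for the Step 8 scenario (added example, not from the
original notes). Builds the keyword arguments that boto3's
`ec2.run_instances(**params)` expects without calling AWS. All ids ending in
PLACEHOLDER are values to replace; nothing here is a real resource.
"""

# The notes' own user data script: patch at launch, then install and start Apache.
USER_DATA = """#!/bin/bash
yum update -y
yum install httpd -y
service httpd start
"""


def build_launch_params(ami_id, subnet_id, security_group_ids, key_name,
                        instance_profile_name, kms_key_id, name,
                        instance_type="t3.micro", public_ip=False):
    """Assemble RunInstances parameters that meet the scenario's requirements."""
    return {
        "ImageId": ami_id,                 # cannot be changed after launch
        "InstanceType": instance_type,     # can be changed later (instance stopped)
        "MinCount": 1,
        "MaxCount": 1,
        "KeyName": key_name,               # has no default; must be chosen
        # Network settings: subnet, security groups and the public IP decision.
        "NetworkInterfaces": [{
            "DeviceIndex": 0,
            "SubnetId": subnet_id,
            "Groups": security_group_ids,
            "AssociatePublicIpAddress": public_ip,
        }],
        # Root volume: General Purpose SSD, KMS-encrypted, deleted with the instance.
        "BlockDeviceMappings": [{
            "DeviceName": "/dev/xvda",
            "Ebs": {"VolumeSize": 8, "VolumeType": "gp3", "Encrypted": True,
                    "KmsKeyId": kms_key_id, "DeleteOnTermination": True},
        }],
        # Requirement: access Amazon S3 -> role via instance profile, no static keys.
        "IamInstanceProfile": {"Name": instance_profile_name},
        # Requirement: protect the application from accidental termination.
        "DisableApiTermination": True,
        # Requirement: patch at launch -> user data runs on first boot.
        # boto3 base64-encodes the string for the API.
        "UserData": USER_DATA,
        # Role credentials are served by the instance metadata service; requiring
        # IMDSv2 session tokens limits exposure of those credentials.
        "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"},
        # Step 1: the Name tag, applied at launch.
        "TagSpecifications": [{
            "ResourceType": "instance",
            "Tags": [{"Key": "Name", "Value": name}],
        }],
    }


def missing_requirements(params):
    """Return which of the scenario's three requirements `params` fails to meet."""
    missing = []
    if "IamInstanceProfile" not in params:
        missing.append("S3 access needs an IAM role via an instance profile")
    if not params.get("DisableApiTermination"):
        missing.append("termination protection is not enabled")
    if not params.get("UserData", "").startswith("#!"):
        missing.append("user data has no script to patch the instance")
    return missing


if __name__ == "__main__":
    params = build_launch_params(
        ami_id="ami-PLACEHOLDER", subnet_id="subnet-PLACEHOLDER",
        security_group_ids=["sg-PLACEHOLDER"], key_name="KEYPAIR-PLACEHOLDER",
        instance_profile_name="PROFILE-PLACEHOLDER",
        kms_key_id="alias/KMS-KEY-PLACEHOLDER", name="web-1")
    print("unmet requirements:", missing_requirements(params) or "none")
    # With boto3 installed and credentials configured, the real launch would be:
    #   import boto3; boto3.client("ec2").run_instances(**params)
```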
***