up:: [[AWS MOC]]
tags:: #on/computing/cloud/aws

# AWS EC2

## Basics

- EC2 stands for Elastic Compute Cloud
- Infrastructure as a Service: virtual machine instances hosted on AWS infrastructure
- You configure:
  - OS (via the AMI)
  - CPU and RAM (via the instance type)
  - Storage
  - Network card, public IP
  - Firewall rules (security groups)
  - Bootstrap script (User Data)
- The public IP of an instance changes when it is stopped and started. To keep a fixed address, use an [[#Elastic IP Addresses|Elastic IP]].
- Connection methods:
  - SSH (Linux)
  - RDP (Windows)
  - EC2 Instance Connect (browser-based terminal)
- EC2 provides on-demand instances
  - Good for short workloads with predictable pricing; billed by the second

### Bootstrapping

- Bootstrap an instance with an *EC2 User Data* script
- The script runs once, at first boot, with root privileges
- Typical uses:
  - Installing updates
  - Installing software
  - Downloading common files
  - Anything else you would otherwise do by hand after launch
- Because it runs as root, treat the script as trusted code, and don't embed long-term credentials in it: User Data is readable from inside the instance through the instance metadata service

## Purchasing Options

- EC2 On-Demand
  - Pay for what you use
    - Linux or Windows: billed per second, after the first minute
    - All other OSes: billed per hour
  - Highest cost, but no upfront payment and no long-term commitment
  - Recommended for short-term, uninterrupted workloads where you can't predict how the application will behave
- Reserved Instances (1 or 3 years)
  - For long, steady-state workloads (e.g. a database)
  - You reserve specific instance attributes (instance type, region, tenancy, OS)
  - Payment options: All Upfront (max discount), Partial Upfront, or No Upfront (least discount)
  - Scope to a region or to a specific AZ
  - Convertible Reserved Instances: long workloads with flexible instances; you can change the instance type, instance family, OS, scope, and tenancy
  - Unused reservations can be bought and sold on the Reserved Instance Marketplace
- Savings Plans (1 or 3 years)
  - Commit to an amount of usage ($/hour) over the term, for long workloads; the discount is based on that commitment
  - EC2 Instance Savings Plans are locked to a specific instance family and AWS region; usage beyond the commitment is billed On-Demand
- Spot Instances
  - Short workloads
  - Cheap
  - Can lose instances (less reliable)
  - Not suited for critical jobs or databases
- Dedicated Hosts
  - Rent an entire physical server
  - Control instance placement
  - For compliance requirements and bring-your-own-license software
  - On-demand or reserved
- Dedicated Instances
  - No other customers share your hardware
  - May share hardware with other instances in the same account
  - Unlike Dedicated Hosts, no visibility into or control over the physical host
- Capacity Reservations
  - Reserve capacity in a specific Availability Zone for any duration
  - Billed at the On-Demand rate whether or not instances are running in the reservation

### IP Address Charges

- All public IPv4 addresses in your account are charged at $0.005 per hour, whether or not they are in use
- Free tier: 750 hours/month for the first 12 months
- Amazon's attempt to push people toward IPv6

### Spot Instances

- Up to 90% discount compared to On-Demand
- You define a max spot price and get an instance while the current spot price < your max
- The hourly spot price varies with supply and demand for capacity
- If the current spot price rises above your max, AWS reclaims the instance; you choose in advance whether it is stopped or terminated, and you get a 2-minute warning
- Spot request
  - Define max price, desired number of instances, launch spec, request type (one-time vs persistent), valid from, valid until
  - You can only cancel spot requests that are open, active, or disabled
  - Canceling a spot request does not terminate its instances
  - To fully shut down: cancel the spot request first, then terminate the instances (otherwise a persistent request relaunches them)

### Spot Fleets

- A set of spot instances plus (optional) On-Demand instances
- Automatically requests spot instances to meet a target capacity within your price constraints
- Allocation strategies:
  - Lowest Price: from the pool with the lowest price (cost optimization, short workloads)
  - Diversified: spread across all pools (availability, long workloads)
  - Capacity Optimized: the pool with the optimal capacity for the number of instances
  - Price Capacity Optimized (recommended): pools with the highest capacity available, then select the pool with the
lowest price (best choice for most workloads)

## Security

- Security Groups
  - Act as a stateful virtual firewall around the instance's network interface; traffic is filtered before it reaches the instance
  - Only contain `allow` rules; anything not explicitly allowed is dropped
  - Rules can reference an IP range or another security group
  - One security group can be attached to many instances, and an instance can have several
  - Scoped to a region/VPC combination
  - All inbound traffic blocked by default
  - All outbound traffic allowed by default
  - Good practice: a separate security group just for SSH, with a narrow source range, so it can be detached without touching the application rules
  - A connection that times out (rather than being refused) to an instance that is otherwise up is usually a security group problem
- [[AWS IAM]] roles can be attached to instances (through an instance profile)
- SSH
  - The default login user depends on the AMI (e.g. `ec2-user` on Amazon Linux, `ubuntu` on Ubuntu)
  - Configure an SSH key pair during initial instance provisioning; the private key stays with you
  - Instances are full VMs, so apply the usual host hardening

> [!WARNING]
> If you need AWS credentials inside an instance, **DO NOT** run `aws configure` and enter your personal access keys. They are written in plain text to `~/.aws/credentials`, and anyone who logs into (or compromises) that instance can read them and act as you.
>
> Instead, attach an IAM role to the instance and grant the permissions there. For example, if a script on the instance needs to run `aws iam list-users`, give the instance's role `iam:ListUsers` rather than handing the instance your personal keys. The role's credentials are temporary and scoped to that instance; anyone on the instance can still use them, so keep the role's permissions minimal.
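
Added example (not from the original note) showing how the bootstrapping and security points above combine when launching an instance with boto3, plus a check for the most common security group mistake. The AMI id, profile name, group ids, CIDRs and the User Data script are placeholders; the sample `describe_security_groups()` output is constructed. The IMDSv2 `MetadataOptions` setting is not mentioned in the note and is added here as the usual hardening for instance-role credentials.

```python
"""Build EC2 launch parameters that follow the note's security guidance
(User Data bootstrap, IAM instance profile instead of stored keys, a dedicated
SSH security group, IMDSv2 required) and audit existing security groups for
SSH open to the world. boto3 is imported only in main(), so everything else
runs offline. All ids, names and CIDRs below are placeholders.
"""
import ipaddress

# User Data: runs once, as root, on first boot (placeholder script for Amazon Linux 2023)
USER_DATA = """#!/bin/bash
dnf -y update
dnf -y install httpd
systemctl enable --now httpd
"""


def build_launch_params(ami_id, instance_profile_name, security_group_ids,
                        user_data=USER_DATA, instance_type="t3.micro"):
    """Return the kwargs for ec2.run_instances(). Validates the User Data first."""
    if not user_data.startswith("#!"):
        raise ValueError("User Data must start with an interpreter line such as #!/bin/bash")
    if len(user_data.encode()) > 16 * 1024:
        raise ValueError("User Data is limited to 16 KB before base64 encoding")
    return {
        "ImageId": ami_id,
        "InstanceType": instance_type,
        "MinCount": 1,
        "MaxCount": 1,
        "UserData": user_data,  # boto3 base64-encodes this for you
        # AWS access comes from the role behind this profile, never from `aws configure`
        "IamInstanceProfile": {"Name": instance_profile_name},
        "SecurityGroupIds": list(security_group_ids),
        # IMDSv2: fetching the role's temporary credentials needs a session token, not a plain GET
        "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1},
    }


def _rule_covers_port(perm, port):
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule: no FromPort/ToPort in the API response
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def ssh_open_to_world(security_groups, port=22):
    """Return (GroupId, cidr) pairs whose inbound rules allow `port` from any address.
    `security_groups` is the 'SecurityGroups' list from describe_security_groups().
    Security groups only have allow rules, so the fix is to narrow or delete the rule."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _rule_covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append((sg["GroupId"], cidr))
    return findings


# Constructed sample in describe_security_groups() shape (not real groups)
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa0000000000001", "GroupName": "ssh-admins",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0aaa0000000000002", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0aaa0000000000003", "GroupName": "legacy-all-open",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def main():
    """Real run against an AWS account (needs boto3 and credentials from a role)."""
    import boto3
    ec2 = boto3.client("ec2")
    print("SSH open to the world:",
          ssh_open_to_world(ec2.describe_security_groups()["SecurityGroups"]))
    params = build_launch_params("ami-0123456789abcdef0", "web-instance-role",
                                 ["sg-0aaa0000000000001", "sg-0aaa0000000000002"])
    print(ec2.run_instances(**params)["Instances"][0]["InstanceId"])


if __name__ == "__main__":
    print(ssh_open_to_world(SAMPLE_GROUPS))  # offline demo; call main() for a real account
```

On the constructed sample only the `legacy-all-open` group is flagged: the `web` group's 0.0.0.0/0 rule is on port 80, and the SSH group is limited to one /24. Running `ssh_open_to_world` over every region's groups is a cheap periodic check.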
## Networking

- AWS supports IPv4 and IPv6

### Elastic IP Addresses

- When you stop and start an instance, its public IPv4 address changes
- An **Elastic IP** is a static public IPv4 address you own; associate it with an instance and it stays there until you change it
- Charged at $0.005 per hour (~$3.65/month), like any public IPv4
- To stop the charge, release the Elastic IP; terminating the instance alone leaves the address allocated and billed

### Elastic Network Interfaces (ENI)

- Logical component in a VPC that represents a virtual network card
- Each ENI can have:
  - One primary private IPv4 and one or more secondary private IPv4 addresses
  - One Elastic IP per private IPv4
  - One public IPv4
  - One or more security groups
  - A MAC address
- Can be created independently of EC2 instances and moved between instances on the fly (e.g. for failover: the private IP, MAC address and security groups move with the ENI)
- Bound to a specific Availability Zone

## Placement Groups

- Control how EC2 instances are placed on AWS infrastructure
- Strategies:
  - *Cluster*: packs instances into a low-latency group in a single AZ
    - 10 Gbps bandwidth between instances
    - If the AZ fails, all instances fail
    - Use cases: big data jobs that need to finish fast; applications that need low latency and high network throughput
  - *Spread*: each instance on distinct underlying hardware (critical applications); max 7 instances per group per AZ
    - Minimizes correlated failure risk
    - Use cases: high availability; instance failures must be isolated from each other
  - *Partition*: spreads instances across partitions (distinct sets of racks) within an AZ; scales to hundreds of instances per group
    - Partitions can be spread across multiple AZs in the same region
    - Each partition represents a rack; a rack failure affects only that partition
    - Instances can read their partition from the instance metadata

## Instance Storage

### EBS Volumes

- EBS stands for Elastic Block Store
- A network drive you can attach to an instance while it runs
- Data lives independently of the instance, so it can survive termination (see Delete on Termination)
- A volume is attached to one instance at a time (except *some* volumes with multi-attach, below)
- Bound to a specific AZ; to move a volume, snapshot it and restore in the target AZ
- Delete on Termination attribute
  - Controls what happens to the volume when the instance is terminated
  - Enabled by default on the root volume, disabled by default on additional volumes
- Snapshots
  - Point-in-time backup of a volume
  - Detaching the volume first is not required, but is recommended for a consistent copy
  - Snapshots can be copied across AZs or regions
  - Snapshot Archive: an archive tier that is 75% cheaper, with 24 to 72 hours to restore
  - Recycle Bin: retention rules to recover accidentally deleted snapshots
- Volume types
  - *gp2/gp3*: general-purpose SSD, balances price and performance
  - *io1/io2 Block Express*: high-performance SSD for mission-critical, latency-sensitive workloads
  - *st1*: low-cost HDD for frequently accessed, throughput-intensive workloads
  - *sc1*: lowest-cost HDD for less frequently accessed workloads
  - Only gp2/gp3 and io1/io2 can be used as boot volumes
- Multi-Attach
  - Attach the same EBS volume to multiple EC2 instances in the same AZ
  - Only available for the io1/io2 family
  - Use cases: higher application availability; concurrent writes from several instances
  - Up to 16 instances at a time
  - Requires a cluster-aware filesystem; ordinary ext4/XFS mounted read-write from several instances will corrupt the data
- Encryption
  - Not on unless you (or an account-level default) enable it when the volume is created
  - For an encrypted volume you get:
    - Data at rest encrypted inside the volume
    - Data in flight between the instance and the volume encrypted
    - All snapshots of the volume encrypted
    - All volumes created from those snapshots encrypted
  - Encryption and decryption are handled transparently by the host, using a KMS key (the default `aws/ebs` key or your own)
  - Encrypting an unencrypted volume (a volume cannot be encrypted in place):
    1. Create an EBS snapshot of the volume
    2. Copy the snapshot with encryption enabled (the original snapshot stays unencrypted)
    3. Create a new volume from the encrypted snapshot (it will be encrypted)
    4. Attach the encrypted volume to your instance, then delete the old volume and the unencrypted snapshot

### EC2 Instance Store

- Disks physically attached to the host machine; highest I/O performance
- Ephemeral: data is lost when the instance is stopped or terminated, or the underlying hardware fails
- Good for buffers, caches, scratch space and other temporary data

### Elastic File System (EFS)

- Managed NFS that can be mounted on many EC2 instances at once
- Works with instances across multiple AZs
- More expensive than EBS; pay per use
- Access controlled through security groups on the mount targets
- Scales automatically

## Amazon Machine Images (AMIs)

- A customized image of an EC2 instance (OS, installed software, configuration)
- Built for a specific region, but can be copied to other regions
- Instances can be launched from public AMIs, Marketplace AMIs, or your own
- Process
  1. Start an EC2 instance and customize it
  2. Stop the instance so the root volume is consistent
  3. Build an AMI from it (this also creates EBS snapshots of its volumes)
  4. Launch new instances from that AMI

---

> [!createdat] Created at: [[2025-01-15]]
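
Worked example for the four-step EBS encryption procedure in the Instance Storage section above, added here and not part of the original note. It is written against the boto3 EC2 client methods (`create_snapshot`, `copy_snapshot`, `create_volume`, `detach_volume`, `attach_volume` and their waiters); the client is passed in, so the same function runs for real with boto3 and offline against the small `FakeEc2` stand-in below. The volume, instance and device ids are placeholders, and the optional KMS key id is an assumption (omit it and the account's default EBS key is used).

```python
"""Encrypt an existing unencrypted EBS volume: snapshot -> encrypted copy ->
new volume -> attach. The `ec2` argument is a boto3 EC2 client (or FakeEc2 for a
dry run). All ids in this file are placeholders.
"""


def encrypt_volume(ec2, volume_id, instance_id, device, az, region, kms_key_id=None):
    """Replace unencrypted `volume_id` on `instance_id` with an encrypted copy.
    Returns the ids created. Stop the instance first if this is its root volume."""
    # 1. Snapshot the unencrypted volume (quiescing/detaching first gives a consistent copy)
    snap = ec2.create_snapshot(VolumeId=volume_id,
                               Description=f"pre-encryption copy of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])

    # 2. A snapshot can't be encrypted in place: make an encrypted *copy* of it
    copy_args = {"SourceSnapshotId": snap, "SourceRegion": region, "Encrypted": True,
                 "Description": f"encrypted copy of {snap}"}
    if kms_key_id:
        copy_args["KmsKeyId"] = kms_key_id  # otherwise the account's default EBS key is used
    enc_snap = ec2.copy_snapshot(**copy_args)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap])

    # 3. A volume built from an encrypted snapshot is encrypted. EBS volumes are
    #    AZ-bound, so it must be created in the instance's AZ.
    new_vol = ec2.create_volume(SnapshotId=enc_snap, AvailabilityZone=az,
                                VolumeType="gp3")["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])

    # 4. Swap the volumes on the instance under the same device name
    ec2.detach_volume(VolumeId=volume_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_vol, InstanceId=instance_id, Device=device)
    return {"snapshot": snap, "encrypted_snapshot": enc_snap, "volume": new_vol}


class FakeEc2:
    """Records calls and hands out fake ids so the procedure can be dry-run offline."""

    class _NoWait:
        def wait(self, **kwargs):
            pass

    def __init__(self):
        self.calls = []
        self._counter = 0

    def _new_id(self, prefix):
        self._counter += 1
        return f"{prefix}-{self._counter:017x}"

    def _record(self, name, kwargs, result):
        self.calls.append((name, kwargs))
        return result

    def create_snapshot(self, **kw):
        return self._record("create_snapshot", kw, {"SnapshotId": self._new_id("snap")})

    def copy_snapshot(self, **kw):
        return self._record("copy_snapshot", kw, {"SnapshotId": self._new_id("snap")})

    def create_volume(self, **kw):
        return self._record("create_volume", kw, {"VolumeId": self._new_id("vol")})

    def detach_volume(self, **kw):
        return self._record("detach_volume", kw, {})

    def attach_volume(self, **kw):
        return self._record("attach_volume", kw, {})

    def get_waiter(self, name):
        return self._NoWait()


def dry_run():
    """Run the procedure against FakeEc2; return (created ids, API calls in order)."""
    fake = FakeEc2()
    created = encrypt_volume(fake, "vol-0aaaaaaaaaaaaaaaa", "i-0bbbbbbbbbbbbbbbb",
                             "/dev/xvdf", "us-east-1a", "us-east-1")
    return created, fake.calls


if __name__ == "__main__":
    ids, calls = dry_run()
    for name, kwargs in calls:
        print(name, kwargs)
    # For real: import boto3; encrypt_volume(boto3.client("ec2", region_name="us-east-1"), ...)
```

The dry run prints the exact call sequence with its arguments, which is worth reviewing before pointing the function at a real client: the `Encrypted=True` on `copy_snapshot` is the step that actually changes anything, and the detach/attach at the end is where an instance loses its disk if the device name or AZ is wrong.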