Instance - running virtual machines
- Images
- pre-configured templates (AMI) with OS and applications (Amazon provided or community / custom provided)
- category:
- backed by EBS (root device is EBS) or
- backed by instance storage (root device is instance storage, template stored in S3)
- VM Import / Export - convert local environment to image
- Instance type - configuration of CPU, memory, storage, networking capacity
- Access
- key pairs (only public key on cloud, private key with user)
- Storage
- instance store volumes - deleted when stopped
- EBS - persistent storage
- Network
- Security group - firewall
- Elastic IP addresses - static IP assigned to instance
- VPC - virtual network
- Elastic Load Balancing - automatically redirect traffic
- Meta data
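Added example (not from the original notes, nor AWS-provided code): the security group is the per-instance firewall, and the single most common misconfiguration is an admin port reachable from any source. The script below audits a constructed sample shaped like the JSON that `aws ec2 describe-security-groups` returns; the group ids, names and CIDRs are made up for the example.

```python
# Added example (not from the original notes): audit EC2 security group rules for
# admin ports open to the whole Internet. Input is a constructed sample shaped
# like the JSON returned by "aws ec2 describe-security-groups".
import json

# Ports that should normally never be open to any source.
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample output (not real account data).
SAMPLE_DESCRIBE_SECURITY_GROUPS = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0example1",
            "GroupName": "web-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0example2",
            "GroupName": "bastion",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                # "-1" is the all-protocols rule: it silently includes every port.
                {"IpProtocol": "-1",
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
            ],
        },
    ]
})


def _rule_covers_port(rule, port):
    """True if an ingress rule admits TCP traffic to `port` (protocol -1 means all)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_world_open_admin_ports(describe_output):
    """Return sorted (group_id, port, cidr) triples for admin ports open to any source."""
    findings = []
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    for sg in data["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = [c for c in sources if c in (ANY_V4, ANY_V6)]
            if not world:
                continue
            for port in ADMIN_PORTS:
                if _rule_covers_port(rule, port):
                    for cidr in world:
                        findings.append((sg["GroupId"], port, cidr))
    return sorted(findings)


if __name__ == "__main__":
    for gid, port, cidr in find_world_open_admin_ports(SAMPLE_DESCRIBE_SECURITY_GROUPS):
        print(f"{gid}: {ADMIN_PORTS[port]}/{port} open to {cidr}")
```

Against real output, pipe `aws ec2 describe-security-groups` into the function unchanged. Note that the `"-1"` protocol rule on the bastion group is flagged for both ports even though no port range is written: that is the case most people miss when reading rules by eye.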
Autoscaling - EC2 auto scaling service
Other services may also launch EC2 instances
Nitro-based Instances: AWS-built hardware and software components that enable high performance, high availability, and high security. In addition, the Nitro system provides bare metal capabilities that eliminate virtualization overhead and support workloads that require full access to host hardware.
Many purchase options, including:
On demand - pay by second, without commitment or upfront
Saving plans - with commitment in US$/hour for a period
Reserved instance - commitment to a specific instance configuration (type & region) for a period
Spot - run on unused resource
(more...)
VPC, Security Group, VPN, etc. see network
EBS encryption - for storage
Network encryption for data on wire
AWS Systems Manager Patch Manager recommended
Then depends on the OS & software
Use key pair. If the private key is lost: stop the instance, attach its root volume to another instance as a data volume, replace the public key
Can add multiple users to instance, with multiple key pairs
Use IAM to manage permission for AMI (e.g. LaunchPermission), EBS (e.g. createVolumePermission for snapshot) etc.
Use IAM to manage instance (as an AWS resource) - start, stop, etc.
Use IAM to manage privilege of applications on EC2: IAM dynamically provides temporary credentials to the EC2 instance, and these credentials are automatically rotated for you. When you launch an EC2 instance, you can specify a role for the instance as a launch parameter. Applications that run on the EC2 instance can use the role's credentials when they access AWS resources.
- use IAM to control access
- use VPC / security group to control network access
- least privilege
- Disable Password-Based Remote Logins for root (instance root, not AWS account root)
- Regularly patch, update, and secure the operating system and applications (
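Added example (not from the original notes, nor AWS-provided code): before attaching an instance role, two documents deserve a look. The trust policy decides who may assume the role (for an instance profile that should be the EC2 service and nothing else), and the permissions policy decides what the instance may do (least privilege means no `"*"` actions or resources). The sample documents and bucket name are constructed.

```python
# Added example (not from the original notes): sanity-check an EC2 instance role
# before attaching it. The trust policy says who may assume the role; the
# permissions policy says what the instance may do. Sample documents are
# constructed, not taken from a real account.
import json

EC2_SERVICE = "ec2.amazonaws.com"

# Constructed trust policy: lets the EC2 service assume the role on the
# instance's behalf, which is what an instance profile needs.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ]
})

# Constructed permissions policy with one tight statement and one wildcard.
SAMPLE_PERMISSIONS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-config/*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "*", "Resource": "*"}
    ]
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_principals(trust_doc):
    """Collect every principal that an Allow statement for sts:AssumeRole grants."""
    doc = json.loads(trust_doc) if isinstance(trust_doc, str) else trust_doc
    principals = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":            # anyone may assume: always a finding
            principals.add("*")
            continue
        for kind in ("Service", "AWS", "Federated"):
            principals.update(_as_list(principal.get(kind)))
    return principals


def trust_policy_is_ec2_only(trust_doc):
    """True only if the EC2 service is the sole party allowed to assume the role."""
    return trust_policy_principals(trust_doc) == {EC2_SERVICE}


def find_overbroad_statements(policy_doc):
    """Return Sids (or positional labels) of Allow statements with wildcard Action or Resource."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    flagged = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions or "*" in resources:
            flagged.append(stmt.get("Sid", f"statement[{i}]"))
    return flagged


if __name__ == "__main__":
    print("trust policy EC2-only:", trust_policy_is_ec2_only(SAMPLE_TRUST_POLICY))
    print("over-broad statements:", find_overbroad_statements(SAMPLE_PERMISSIONS_POLICY))
```

The role reaches the instance through an instance profile, passed at launch (for the CLI, the `--iam-instance-profile` parameter of `aws ec2 run-instances`); the temporary credentials the notes mention are then fetched by the application from the instance metadata, so nothing long-lived sits on disk.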
Pending - preparing to run
Running
Stopping
Stopped:
- normal shutdown, instance store volume deleted, EBS remain attached, can attach/remove EBS, create AMI, change kernel, RAM disk, instance type
- instance store root device - cannot stop, termination only
- hibernate - enter stopping (charge) then stopped state
Terminate - normal shutdown, root device volume deleted (by default), EBS preserved, instance deleted
instanceInitiatedShutdownBehavior & disableApiTermination attributes of instance can control instance stop or terminate upon shutdown
Retirement - host failure detected, instance scheduled for retirement. EBS-backed: can be stopped and started again. Instance store-backed: cannot.
Region, Availability Zone, Local Zone
Root device volume contains the image (AMI)
Backed by (determined by the image):
- S3 - temporary storage, load image from S3 (slow)
- Do NOT support STOP (terminate only) & data deleted upon termination
- S3 cost charged
- EBS - an EBS volume from an EBS snapshot
- Recommended: launches faster, persistent
- Supports instance stop (data persisted)
- Terminate - deleted, unless DeleteOnTermination set to false
- Can, during stop, modify instance (change size, upgrade kernel, etc.)
- Debugging - easy to create snapshot, run a new instance for debugging
- EBS cost charged
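Added example (not from the original notes, nor AWS-provided code): the three settings above decide whether data survives a shutdown, namely the root device type, `DeleteOnTermination` on the root EBS volume, and the `disableApiTermination` / `instanceInitiatedShutdownBehavior` attributes. This script joins constructed samples of `describe-instances` and `describe-instance-attribute` output and reports each instance's data-loss exposure; all instance and volume ids are made up.

```python
# Added example (not from the original notes): check how each instance will
# behave on stop / shutdown / terminate, combining the root-device facts from
# "describe-instances" with the two per-instance attributes from
# "describe-instance-attribute". All identifiers and outputs are constructed.
import json

SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {
            "InstanceId": "i-0aaaaaaaaaaaaaaa1",
            "RootDeviceType": "ebs",
            "RootDeviceName": "/dev/xvda",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda",
                 "Ebs": {"VolumeId": "vol-0root0001", "DeleteOnTermination": True}},
                {"DeviceName": "/dev/xvdf",
                 "Ebs": {"VolumeId": "vol-0data0001", "DeleteOnTermination": False}},
            ],
        },
        {
            "InstanceId": "i-0bbbbbbbbbbbbbbb2",
            "RootDeviceType": "instance-store",
            "RootDeviceName": "/dev/sda1",
            "BlockDeviceMappings": [],
        },
    ]}]
})

# Constructed results of "describe-instance-attribute" for the two attributes,
# keyed by instance id (each attribute is returned as {"Value": ...}).
SAMPLE_ATTRIBUTES = {
    "i-0aaaaaaaaaaaaaaa1": {
        "DisableApiTermination": {"Value": False},
        "InstanceInitiatedShutdownBehavior": {"Value": "terminate"},
    },
    "i-0bbbbbbbbbbbbbbb2": {
        "DisableApiTermination": {"Value": True},
        "InstanceInitiatedShutdownBehavior": {"Value": "stop"},
    },
}


def audit_instance(instance, attributes):
    """Return a list of findings describing data-loss risks for one instance."""
    findings = []
    root_name = instance.get("RootDeviceName")
    if instance.get("RootDeviceType") == "instance-store":
        # Instance store root: no stop state, root contents gone at termination.
        findings.append("instance-store root: stop unsupported, data lost on terminate")
    else:
        for mapping in instance.get("BlockDeviceMappings", []):
            ebs = mapping.get("Ebs", {})
            # Only the root volume matters here; data volumes keep their own flag.
            if mapping.get("DeviceName") == root_name and ebs.get("DeleteOnTermination", True):
                findings.append("root EBS volume has DeleteOnTermination=true")
    if not attributes.get("DisableApiTermination", {}).get("Value", False):
        findings.append("termination protection (disableApiTermination) is off")
    if attributes.get("InstanceInitiatedShutdownBehavior", {}).get("Value") == "terminate":
        findings.append("OS-level shutdown terminates the instance")
    return findings


def audit_all(describe_output, attributes_by_id):
    """Map every instance id in the describe output to its findings."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    report = {}
    for reservation in data["Reservations"]:
        for instance in reservation["Instances"]:
            iid = instance["InstanceId"]
            report[iid] = audit_instance(instance, attributes_by_id.get(iid, {}))
    return report


if __name__ == "__main__":
    for iid, findings in audit_all(SAMPLE_DESCRIBE_INSTANCES, SAMPLE_ATTRIBUTES).items():
        print(iid, "->", findings or ["no findings"])
```

The two attribute findings are fixed with `aws ec2 modify-instance-attribute --instance-id <id> --disable-api-termination` and `--instance-initiated-shutdown-behavior stop`; the instance-store finding cannot be fixed in place, only by rebuilding on an EBS-backed AMI.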
EBS - persistent block device
See "EBS" page
Instance store - temporary
EFS - shared network drive
Separate - OS, data, temporary
Backup - use snapshot on EBS for backup
Address:
- IPv4 + optional IPv6 (IPv6 reachable from Internet)
- internal hostname
- Public IPv4 & hostname (also based on IP)
- Elastic IP Addresses (IPv4) - reserved IP, can allocate (attach & release), small charge if not used, support reverse DNS
- Bring Your Own IP - available at certain region
- Amazon DNS Server - resolves IPv4 hostname to address
- Network interface (Elastic) - logical NIC, manageable
- Can attach to instance when running (hot), stopped (warm) or at launch (cold)
- Can detach secondary interface from instance
- Can move from one instance to another (same AZ & VPC)
- Launching with multiple interfaces - automatic configure host (route table, etc.)
- Warm / hot attachment may require manual setup
- Attaching a second interface does not increase bandwidth (not physical)
Placement Groups:
- by default, instances spread out
- Placement Group - to regulate placement for performance etc. (place two instances in same host etc.)
- Cluster - close together inside an AZ
- Partition - spread out, different partition does not share hardware
- Spread
Network Maximum Transmission Unit (MTU)
Some advanced features ignored here...
Best practice
Use fail-over:
- Deploy critical component across AZ
- Simple solution: manually attach a network interface or Elastic IP address to a replacement instance.
- Use Amazon EC2 Auto Scaling
Monitor, Regular test
Design application to handle dynamically assigned IP addresses
Elastic Inference: Amazon Elastic Inference (EI) is a resource you can attach to your Amazon EC2 CPU instances to accelerate your deep learning (DL) inference workloads.
Include:
- (EBS backed) One or MORE EBS volumes | (instance storage backed) template for root volume on S3
- Launch permission
- Block device mapping
Types:
- Region, OS, Architecture (32/64 bit), Launch permission, Storage type (EBS, instance)
Linux AMI virtualization type:
- paravirtual (PV)
- hardware based (HVM) - recommended
AMI what to do with:
- Copy (cross region, account, encrypt/decrypt)
- Create: from snapshot
- Register EBS snapshot as AMI, de-register
- Buy, share, sell (there's a market)
- Encrypt (EBS based) with EBS encryption
Amazon Linux
- Amazon maintained
- versions: Amazon Linux AMI -> Amazon Linux 2 (Amazon Linux 2 RECOMMENDED; migrate from Amazon Linux AMI)
- Connection: by default no password, no remote root, use key pair, user "ec2-user", sudo
- /etc/image-id file identify image
- Provides AWS command line tools etc.
- Package management - yum
- Update: Amazon Linux is configured to download and install critical or important security updates at launch time; at run time the default setting for repo_upgrade is security (other options include bugfix, all, none)
- Extra library: `amazon-linux-extras`
- cloud-init: tool for boot Linux in cloud environment, many common tasks (set hostname etc.)
- Can be run on-premises on: VMware, KVM, VirtualBox, Microsoft Hyper-V
User provided kernel
From console.
From Launch Template - saved settings
From existing instance ("Launch More Like This") - copy some settings from an existing instance (not clone image)
Launching a Linux Instance from a Backup - make EBS snapshot, then launch from that
From marketplace
EC2 Fleet - only through API / CLI, group & combine on-demand and spot instances
SSH (PuTTY)
EC2 Instance Connect (install on Amazon Linux or Ubuntu only)
AWS Systems Manager Session Manager (Linux & Windows)
Windows Subsystem for Linux (Windows only)
Recover:
- CloudWatch found a problem (StatusCheckFailed_System)
- SNS message (before and after)
- Recover - reboot, during which migrated (to another host), memory state lost
- Retained state: A recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata. Also runs in the same placement group (if any)
General:
- system status check (AWS managed, host environment)
- instance status check - "aws ec2 describe-instance-status" or from console (user managed)
- Amazon CloudWatch Alarms - then SNS
- Amazon CloudWatch Events - then some action
- Amazon CloudWatch Logs
- Amazon EC2 Monitoring Scripts
- AWS Management Pack for Microsoft System Center Operations Manager (Microsoft integration)
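Added example (not from the original notes, nor AWS-provided code): the recovery flow above starts with a system status check failing and a CloudWatch alarm on `StatusCheckFailed_System`. The script below triages a constructed sample of `aws ec2 describe-instance-status` output into host-side problems (what auto-recovery fixes) and guest-side problems (what it does not), then builds the alarm parameters that invoke the built-in EC2 recover action and, optionally, an SNS notification. Instance ids, zones and the SNS topic ARN are made up; the period and evaluation values are a starting point I chose, not a required setting.

```python
# Added example (not from the original notes): triage "describe-instance-status"
# output into host-side (system) and guest-side (instance) problems, and build
# the CloudWatch alarm parameters that trigger automatic recovery on
# StatusCheckFailed_System. Sample output, ids and the SNS topic are constructed.
import json

SAMPLE_DESCRIBE_INSTANCE_STATUS = json.dumps({
    "InstanceStatuses": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "AvailabilityZone": "us-east-1a",
         "InstanceState": {"Code": 16, "Name": "running"},
         "SystemStatus": {"Status": "impaired",
                          "Details": [{"Name": "reachability", "Status": "failed"}]},
         "InstanceStatus": {"Status": "ok",
                            "Details": [{"Name": "reachability", "Status": "passed"}]}},
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "AvailabilityZone": "us-east-1b",
         "InstanceState": {"Code": 16, "Name": "running"},
         "SystemStatus": {"Status": "ok",
                          "Details": [{"Name": "reachability", "Status": "passed"}]},
         "InstanceStatus": {"Status": "impaired",
                            "Details": [{"Name": "reachability", "Status": "failed"}]}},
        {"InstanceId": "i-0ccccccccccccccc3", "AvailabilityZone": "us-east-1a",
         "InstanceState": {"Code": 16, "Name": "running"},
         "SystemStatus": {"Status": "ok", "Details": []},
         "InstanceStatus": {"Status": "ok", "Details": []}},
    ]
})


def classify_instance_status(describe_output):
    """Return {instance_id: 'system-impaired' | 'instance-impaired' | 'ok'}.

    A system-check failure is on the host/AWS side and is what EC2 auto-recovery
    addresses (reboot on another host, memory state lost). An instance-check
    failure is inside the guest and needs the operator, not a host migration.
    """
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    result = {}
    for st in data.get("InstanceStatuses", []):
        if st["SystemStatus"]["Status"] != "ok":
            result[st["InstanceId"]] = "system-impaired"
        elif st["InstanceStatus"]["Status"] != "ok":
            result[st["InstanceId"]] = "instance-impaired"
        else:
            result[st["InstanceId"]] = "ok"
    return result


def recovery_alarm_params(instance_id, region, sns_topic_arn=None):
    """Build keyword arguments for CloudWatch PutMetricAlarm that recover the instance.

    arn:aws:automate:<region>:ec2:recover is the built-in EC2 recover action.
    Two consecutive 60-second periods with the check failing is a starting
    point (assumption), tune it to the workload.
    """
    actions = [f"arn:aws:automate:{region}:ec2:recover"]
    if sns_topic_arn:
        actions.append(sns_topic_arn)  # notify in addition to recovering
    return {
        "AlarmName": f"ec2-recover-{instance_id}",
        "Namespace": "AWS/EC2",
        "MetricName": "StatusCheckFailed_System",
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Minimum",
        "Period": 60,
        "EvaluationPeriods": 2,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": actions,
    }


if __name__ == "__main__":
    topic = "arn:aws:sns:us-east-1:123456789012:ec2-recovery-notify"  # constructed
    status = classify_instance_status(SAMPLE_DESCRIBE_INSTANCE_STATUS)
    for iid, state in status.items():
        print(iid, state)
    # The alarm is normally created up front for every instance, not after a failure.
    print(json.dumps(recovery_alarm_params("i-0aaaaaaaaaaaaaaa1", "us-east-1", topic), indent=2))
```

The returned dict can be passed straight to `boto3.client("cloudwatch").put_metric_alarm(**params)`. Keeping the system and instance checks apart matters for on-call: a guest-side failure will not clear by recovery and the runbook step is different.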
Manual tools:
- EC2 Dashboard
- CloudWatch Dashboard