AWS EC2

  • EC2 stands for elastic compute cloud.
    • It is infrastructure as a service.
  • We can rent virtual machines.
  • Store data on virtual drives.
  • Distribute load across machines.
  • Scale services using an auto scaling group (ASG).
  • We can choose machines with the operating system we need: Windows, Linux, or macOS.
  • We can customise the CPU power and cores on our virtual machine.
  • We can customise random access memory (RAM) as per our requirement.
  • We can customise storage space
    • Network attached(EBS and EFS)
    • Hardware attached(EC2 Instance Stores)
  • We can customise the speed of our network card, public IP address.
  • We can add firewall rules in our security group.
  • We can add a bootstrap script, which is a configuration script run at first launch.
    • We can bootstrap an app using an EC2 user data script.
    • Bootstrapping means launching commands when a machine starts.
    • The script runs only once, at the instance's first start.
  • EC2 user data is used to automate boot tasks, such as
    • Installing updates
    • Installing software
    • Downloading common files from the internet.
    • Any other security scripts, etc., needed as part of the initial setup.
  • The EC2 user data script runs with root privileges.
  • User data is not secret: any process on the instance can read it back from the instance metadata service, so never put access keys, passwords or private keys in it.
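The following is an added example, not code from the original post: a small pre-launch check for a user data script. It carries the Amazon Linux 2 web server bootstrap described above as a constructed sample, and beside it a constructed "bad" script with long-lived keys pasted in, which the check flags. The secret patterns are a heuristic I chose, not an AWS-provided list; the 16 KB limit and the need for a leading `#!` are EC2/cloud-init behaviour.

```python
"""Check an EC2 user data script before launch (added example, not part of the page).

User data runs as root once, at first boot, and stays readable afterwards
from the instance metadata service by any process on the instance. This
helper catches the two things that most often go wrong: credentials
pasted into the bootstrap script, and a script over the 16 KB raw limit.
The scripts below are constructed samples; the secret patterns are a
heuristic, not an exhaustive list.
"""
import re

USER_DATA_LIMIT_BYTES = 16 * 1024  # EC2 rejects raw user data larger than 16 KB

SECRET_PATTERNS = {
    # AWS access key IDs: AKIA (long-lived) or ASIA (temporary) + 16 chars
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    # `aws configure set aws_secret_access_key ...`, or an env/ini assignment
    "aws_secret_access_key": re.compile(r"aws_secret_access_key[\s=:]+\S+", re.I),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(r"\b(password|passwd)\s*=\s*\S+", re.I),
}


def lint_user_data(script: str) -> list[str]:
    """Return a list of problems; an empty list means the script passed."""
    findings = []
    size = len(script.encode("utf-8"))
    if size > USER_DATA_LIMIT_BYTES:
        findings.append(
            f"script is {size} bytes, too large for the {USER_DATA_LIMIT_BYTES}-byte user data limit"
        )
    if not script.startswith("#!"):
        findings.append("missing shebang: cloud-init only runs user data as a script if it starts with #!")
    for lineno, line in enumerate(script.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(
                    f"line {lineno}: {name} found; use an IAM instance role or Secrets Manager instead"
                )
    return findings


# Constructed sample: the web server bootstrap the page describes (Amazon Linux 2).
GOOD_USER_DATA = """#!/bin/bash
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Hello World from $(hostname -f)</h1>" > /var/www/html/index.html
"""

# Constructed sample of the anti-pattern: long-lived keys baked into the bootstrap
# (the key values are AWS's published placeholder examples, not real credentials).
BAD_USER_DATA = """#!/bin/bash
yum install -y awscli
aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE
aws configure set aws_secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 sync s3://example-bucket/app /opt/app
"""

if __name__ == "__main__":
    for label, script in (("good", GOOD_USER_DATA), ("bad", BAD_USER_DATA)):
        print(label, lint_user_data(script) or "OK")
```

Run it over the script you intend to paste into the user data box; anything it flags belongs in an IAM instance role (for AWS API access) or a secrets store, not in the bootstrap script.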
AWS Budget Setup
  • From the root account, enable IAM user and role access to billing information.
    • This lets IAM users with admin access view billing information.
  • Go to your account information and click on billing and payments. It will show our current billing and billing forecast.
    • You can find this in billing and cost management under your account information.
  • We get following information
    • Cost breakdown
    • Current active services and related cost.
    • We can get our bills
    • Information regarding free tier
  • Create a zero-spend budget so that we get an alert for any spend at all.
Launching EC2 instance
  • In EC2 service click on instances. Click on launch instance.
    • Add name and additional tags.
    • Select operating system.
    • Select architecture.
    • Select instance type based on your hardware requirements
    • To use SSH to log in to the instance, create a key pair.
      • Give it a name and type.
      • If we are using Mac, Linux or Windows 10 and above, we should use the .pem format, which OpenSSH supports.
      • If we have an older version of Windows, use the .ppk format, which PuTTY supports.
    • Configure network settings.
    • To create a web server, allow HTTP traffic from the Internet (and restrict SSH to your own IP).
    • Configure storage.
    • To execute a boot script, add it to the user data section.
    • Click on launch instance. It will take around 15 seconds to boot up.
    • Once booted, our running instance will show in the instances list.
    • Copy the public IP address and we will be able to access our instance from the Internet.
    • Stop the instance by selecting it and choosing Stop from Instance state.
    • Delete the instance by choosing Terminate from Instance state.
    • When we stop and start the instance, the public IP changes (a reboot keeps it; an Elastic IP keeps it across stop/start).
AWS EC2 Image Builder
  • Allows you to create AWS EC2 images: Amazon Machine Images (AMIs) and container images.
  • It’s really simple to use with a graphical interface.
  • We can use EC2 image builder to test and validate our images. We may need to test and validate the images for security, compliance and functionality, using AWS provided tests or your own custom tests.
  • EC2 Image Builder automates the process of creating and maintaining your images.
    • When software updates are available, image builder can automatically create a new image, run validation tests on the new image, and make it available to the AWS regions of your choice.
    • Image builder allows you to share your AMI with other AWS accounts that you own.
  • Steps to create an image
    • Provide a base OS image. Example Amazon Linux 2 AMI.
    • Define the software to install, for example .NET, Node.js, Python, the latest security updates, the latest kernel, security settings.
    • Run tests on the new image, for example: does it boot correctly?
    • Distribute the image to the regions of your choice. (By default, the region you are operating in).
  • EC2 image builder terminology
    • Image pipeline
      • Defines the configuration and end to end process of building images, including the image recipe, distribution and test settings.
    • Image recipe
      • Image builder creates a recipe for each image, which can be shared, version controlled, and re-used.
    • Source image 
      • Example Amazon Linux 2 AMI.
    • Build components
      • Example Apache tomcat.
EC2 Instance Types
  • There are different types of EC2 instances that are optimised for different use cases.
  • AWS groups them into several families (general purpose, compute optimised, memory optimised, storage optimised, accelerated computing, HPC optimised).
  • AWS follows the following naming convention.
    • m5.2xlarge
      • m is the instance class (family).
      • 5 is the generation of the instance, which AWS improves over time.
      • 2xlarge is the size within the instance class. The bigger the size, the more memory and CPU we have.
  • Types of Instances
    • https://aws.amazon.com/ec2/instance-types/
    • General purpose type
      • Great for a diversity of workloads such as web servers or code repositories.
      • Have a good balance between compute, memory, and networking.
      • t2.micro is a general purpose EC2 instance (and is free-tier eligible).
    • Compute optimised instance types
      • Great for compute-intensive tasks that require high-performance processors.
      • For example: batch processing workloads, media transcoding, high-performance web servers, high performance computing (HPC), scientific modelling and machine learning, dedicated gaming servers.
      • All compute optimised instances start with C, for example c5, c6, etc.
    • Memory optimised
      • Fast performance for workloads that process large data sets in memory.
      • Used for high-performance relational/non-relational databases, distributed web-scale cache stores, in-memory databases optimised for BI (business intelligence), applications performing real-time processing of big unstructured data.
      • Names start with R or X, for example r5, x1, etc.
    • Storage optimised instance types
      • Great for storage-intensive tasks that require high, sequential read and write access to large data sets on local storage.
      • Use cases
        • High frequency online transaction processing (OLTP) systems.
        • Relational and No SQL databases.
        • Cache for in-memory Databases, for example, Redis.
        • Data warehousing applications
        • Distributed file systems
      • Instance names start with I, D or H, for example i3, d2, h1.
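An added example (not from the original post) that turns the naming convention above into a parser: family letters, generation, optional attribute letters (the "gn" in c6gn.16xlarge), and size, with a coarse ordering of sizes so two types in one family can be compared. The family-to-category table follows the page's own list; the attribute letter meanings (a = AMD, g = Graviton, i = Intel, n = enhanced networking, d = local NVMe) are my assumption from the public AWS naming and are flagged as unknown when not recognised.

```python
"""Parse EC2 instance type names such as m5.2xlarge (added example, not from the page)."""
import re

# <family><generation><attributes>.<size>, e.g. m5.2xlarge, c6gn.16xlarge, x2gd.metal
_TYPE_RE = re.compile(
    r"^(?P<family>[a-z]+)(?P<generation>\d+)(?P<attrs>[a-z]*)\.(?P<size>[a-z0-9-]+)$"
)

# Family -> category, from the page's list (t/m, c, r/x, i/d/h); the rest is an assumption.
FAMILY_CATEGORY = {
    "t": "general purpose", "m": "general purpose",
    "c": "compute optimised",
    "r": "memory optimised", "x": "memory optimised",
    "i": "storage optimised", "d": "storage optimised", "h": "storage optimised",
    "p": "accelerated computing", "g": "accelerated computing", "inf": "accelerated computing",
    "hpc": "HPC optimised",
}

# Attribute letters that follow the generation digit (assumed meanings, see lead-in).
ATTRIBUTE_MEANING = {
    "a": "AMD processor",
    "g": "AWS Graviton (ARM) processor",
    "i": "Intel processor",
    "n": "enhanced networking",
    "d": "local NVMe instance store",
}

_FIXED_SIZES = ["nano", "micro", "small", "medium", "large", "xlarge"]


def size_rank(size: str) -> int:
    """Order sizes: nano < micro < ... < xlarge < 2xlarge < ... < metal."""
    if size in _FIXED_SIZES:
        return _FIXED_SIZES.index(size)
    m = re.fullmatch(r"(\d+)xlarge", size)
    if m:
        return _FIXED_SIZES.index("xlarge") + int(m.group(1)) - 1
    if size.startswith("metal"):
        return 100  # bare metal: the whole host
    raise ValueError(f"unknown size {size!r}")


def parse_instance_type(name: str) -> dict:
    m = _TYPE_RE.match(name)
    if not m:
        raise ValueError(f"not an EC2 instance type: {name!r}")
    attrs = m["attrs"]
    return {
        "family": m["family"],
        "generation": int(m["generation"]),
        "attributes": [ATTRIBUTE_MEANING[c] for c in attrs if c in ATTRIBUTE_MEANING],
        "unknown_attributes": [c for c in attrs if c not in ATTRIBUTE_MEANING],
        "size": m["size"],
        "size_rank": size_rank(m["size"]),
        "category": FAMILY_CATEGORY.get(m["family"], "other"),
    }


def is_instance_type(name: str) -> bool:
    try:
        parse_instance_type(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for t in ("m5.2xlarge", "t2.micro", "c6gn.16xlarge", "r5.large", "i3.xlarge"):
        print(t, parse_instance_type(t))
```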
Security Groups
  • Security groups are the fundamentals of network security in AWS.
  • They control how traffic is allowed into or out of our EC2 instances.
  • Security groups only contain allow rules.
  • Security group rules can be referenced by IP or by security group.
  • Security groups are acting as a firewall on EC2 instances.
  • They regulate
    • Access to ports.
    • Authorised IP ranges - IPv4 and Ipv6
    • Control of inbound network from other instances
    • Control of outbound network to other instances
  • Security groups can be attached to multiple instances.
  • They are locked to a region/VPC combination.
  • They live outside the EC2 instance: if traffic is blocked, the instance never sees it.
  • For SSH access, we should maintain a separate security group.
  • If our application is not accessible (the connection times out), it is a security group issue.
  • If our application gives a connection refused error, the traffic reached the instance; the application is not running or is not listening on that port.
  • By default, all inbound traffic is blocked.
  • All outbound traffic is allowed by default.
  • If a security group S1 has an inbound rule whose source is security group S2, then instances attached to S2 can reach instances attached to S1, whatever their IP addresses.
  • Ports used
    • 22=SSH(Secure Shell) - log into a linux instance.
    • 21=FTP(File Transfer Protocol) - upload files into a file share
    • 22=SFTP(Secure File Transfer Protocol) - upload files using SSH
    • 80=HTTP- access to unsecured websites.
    • 443=HTTPS - access secured websites.
    • 3389=RDP(Remote Desktop Protocol) - login to windows instance.
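As an added example, not from the original post: a small audit over the JSON that `aws ec2 describe-security-groups` returns, flagging any inbound rule that opens the admin ports from the table above (22 SSH, 3389 RDP) to 0.0.0.0/0 or ::/0. Rules whose source is another security group are left alone, which is how instances in S1 and S2 should reach each other. The group IDs, account ID and CIDRs below are constructed sample data in the real describe-security-groups shape.

```python
"""Flag security group rules that expose SSH/RDP to the world (added example, not from the page)."""
import json

# Admin ports from the page's port table that should never be open to everyone.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _port_range(perm: dict):
    """Return (low, high) for a rule, or None when the rule is not TCP or all-traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":      # "all traffic" covers every port
        return 0, 65535
    if proto != "tcp":     # ICMP reuses FromPort for the ICMP type, so skip it
        return None
    return perm["FromPort"], perm["ToPort"]


def exposed_admin_rules(groups: list[dict]) -> list[dict]:
    """`groups` is the `SecurityGroups` list from describe-security-groups."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            rng = _port_range(perm)
            if rng is None:
                continue
            low, high = rng
            hit_ports = [p for p in ADMIN_PORTS if low <= p <= high]
            if not hit_ports:
                continue
            # Only CIDR sources can be "the world"; UserIdGroupPairs (SG references) are fine.
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if src in WORLD_CIDRS:
                    for port in hit_ports:
                        findings.append({"group": sg["GroupId"], "name": sg.get("GroupName"),
                                         "port": port, "service": ADMIN_PORTS[port], "source": src})
    return findings


# Constructed sample: web tier, app tier, and a "launch wizard" group with the classic mistake.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # SSH only from one admin host
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "app-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,      # reachable only from web-sg
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001", "UserId": "123456789012"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "launch-wizard-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",                                         # all traffic from anywhere
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]

if __name__ == "__main__":
    print(json.dumps(exposed_admin_rules(SAMPLE_GROUPS), indent=2))
```

Feed it the real output with `aws ec2 describe-security-groups --query SecurityGroups --output json`; anything it reports should be narrowed to your own IP (a /32) or replaced by a security group reference.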
  • SSH allows us to control remote machine using command line.
  • SSH connection summary
    • For Linux, connect to our instance using SSH.
    • For Macintosh use SSH.
    • We can also log in to our instance using EC2 Instance Connect, which opens a shell in the browser.
    • For Windows 10 and above use SSH, and for older versions use PuTTY.
    • SSH can be used on Macintosh, Linux and Windows 10 and above.
    • PuTTY can be used on any version of Windows.
    • EC2 Instance Connect uses the web browser and can be used from any operating system. However, it currently only works out of the box on Amazon Linux 2.
  • Consuming SSH on Linux/MacOs
    • Use the public IP of our instance and the SSH port, opened in a security group to the specific connecting IP (or, for testing only, to the public).
    • Download the PEM file of your key pair onto your local system.
    • Copy the public IP of your EC2 instance.
    • In the inbound rules of your security group, check that port 22 is open for the IP of the machine you will be connecting from.
      • The source of the port 22 rule should be your machine's IP (for example 203.0.113.10/32); 0.0.0.0/0 works but exposes SSH to the whole internet.
    • In the terminal of your machine:
      • Make sure you are in the directory where you downloaded your key.
      • Permissions of the downloaded key file should be 0400, otherwise ssh refuses to use it.
        • chmod 0400 key.pem
      • Log in using ssh -i yourkey.pem ec2-user@<public IP of EC2>
    • You will be logged into your EC2 instance.
    • If we stop and start our instance, the public IP may change.
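An added example (not from the original post) that wraps the Linux/macOS steps above: it refuses a key file that group or others can read (the condition that makes ssh print "UNPROTECTED PRIVATE KEY FILE"), and builds the ssh command with two options the page does not mention: IdentitiesOnly=yes, so ssh offers only this key rather than every key in the agent, and StrictHostKeyChecking=ask, so the host key fingerprint is shown on first connect instead of being silently accepted. The key file it writes is a constructed placeholder, not a real key; the host 198.51.100.7 is a documentation address. The permission check is for Linux/macOS modes only; on Windows follow the ACL steps later on the page.

```python
"""Prepare an SSH connection to an EC2 instance (added example, not from the page)."""
import os
import shlex
import stat
import tempfile


def key_is_private(path: str) -> bool:
    """True if only the owner can access the key file (0400 or 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def build_ssh_command(key_path: str, host: str, user: str = "ec2-user") -> list[str]:
    """Return the argv for `ssh -i key user@host`, refusing unsafe key permissions."""
    if not os.path.isfile(key_path):
        raise FileNotFoundError(key_path)
    if not key_is_private(key_path):
        raise PermissionError(
            f"{key_path} is readable by others; run: chmod 0400 {shlex.quote(key_path)}"
        )
    return [
        "ssh", "-i", key_path,
        "-o", "IdentitiesOnly=yes",          # offer only this key, not every key in ssh-agent
        "-o", "StrictHostKeyChecking=ask",   # show the host key fingerprint on first connect
        f"{user}@{host}",
    ]


def make_demo_key(mode: int) -> str:
    """Write a constructed placeholder key file with the given mode (demo only, not a real key)."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as f:
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                "constructed placeholder, not a real key\n"
                "-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    key = make_demo_key(0o400)
    print(shlex.join(build_ssh_command(key, "198.51.100.7")))
    os.remove(key)
```

Before typing "yes" at the fingerprint prompt, compare it with the fingerprints printed in the instance's first-boot system log (EC2 console: Actions, Monitor and troubleshoot, Get system log, or `aws ec2 get-console-output`); that is the only way to know the IP you copied really is your instance.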
  • Consuming SSH in Windows using Putty
    • We use PuTTY to SSH from Windows versions older than Windows 10.
    • Download PuTTY for Windows and install it.
    • Load/import the PEM file in PuTTY Key Generator (PuTTYgen).
    • Save it as a private key (.ppk) in PuTTYgen.
    • Keep the original PEM file on your local system.
    • Thus we have now generated a PPK file from the PEM file.
    • In the PuTTY application, enter the host (ec2-user@<public IP>) and port 22, and save the session.
    • Specify the PPK key.
      • Click on the SSH category.
      • Click on Auth.
      • Specify the key path.
      • Save the session once again.
    • Click on Open; PuTTY shows the host key fingerprint on the first connection and then logs you into a shell on your EC2 instance.
  • Consuming SSH in Windows using SSH command.
    • Open PowerShell and navigate to the directory of your PEM file.
    • Check the port rules in the security group. Port 22 should be open for the IP address of your machine (or all machines, for testing only).
    • ssh -i .\file.pem ec2-user@<public IP of EC2 instance>
    • We will be logged in to our EC2 instance.
    • If there are any permissions issues (OpenSSH refuses a key that other users can read):
      • Make sure you are the owner of the PEM file.
      • SYSTEM and Administrators do not need access to it, so remove their permissions.
      • Remove all inherited permissions.
      • Give yourself full control over the file.
    • We can also use the command prompt.
  • Using EC2 instance connect
    • In your instance, click on Connect at the top. We get multiple options: EC2 Instance Connect, Session Manager, SSH client, EC2 serial console.
    • Select EC2 Instance Connect.
    • Add a username.
    • Click connect; it will open a new browser tab logged into your EC2 instance.
    • We need the SSH port open for EC2 Instance Connect: the connection comes from the EC2 Instance Connect service IP range of our region, so allow port 22 from that range (or from anywhere, for testing only).
  • EC2 instance roles
    • Never run aws configure on your EC2 instance.
    • That would store your AWS access key ID and secret access key on the instance.
    • Anyone who can read that file (other users on the instance, or an attacker who gets a shell) can steal the keys and use them from anywhere.
    • Instead, attach an IAM role to your instance.
      • For this demo the IAM role has the IAMReadOnlyAccess policy attached; in practice give the role only the permissions the application needs.
    • In your instance, go to Actions, then Security, and then Modify IAM role.
    • Choose your IAM role and click on Save.
    • Provide AWS credentials to EC2 instances only through IAM roles.
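An added example, not from the original post: role credentials reach the instance through the instance metadata service, so the check a practitioner wants after the steps above is twofold: every running instance has an instance profile (no excuse for aws configure), and the metadata service requires session tokens (IMDSv2), so a request-forgery bug in the application cannot fetch the role's credentials with a single GET. The audit below runs over the JSON shape of `aws ec2 describe-instances`; the instance IDs, account ID and role name are constructed sample data, and the fix it prints uses the real `aws ec2 modify-instance-metadata-options --http-tokens required` command.

```python
"""Audit describe-instances output for credential hygiene (added example, not from the page)."""
import json


def audit_instance_credentials(describe_instances: dict) -> list[dict]:
    """Flag running instances with no IAM role, or with IMDSv1 still enabled."""
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            iid = inst["InstanceId"]
            if not inst.get("IamInstanceProfile"):
                findings.append({
                    "instance": iid, "issue": "no-instance-profile",
                    "fix": "attach an IAM role (Actions, Security, Modify IAM role)",
                })
            md = inst.get("MetadataOptions", {})
            # HttpTokens "required" means IMDSv2 only; "optional" still answers plain GETs.
            if md.get("HttpEndpoint", "enabled") == "enabled" and md.get("HttpTokens") != "required":
                findings.append({
                    "instance": iid, "issue": "imdsv1-allowed",
                    "fix": f"aws ec2 modify-instance-metadata-options --instance-id {iid} --http-tokens required",
                })
    return findings


# Constructed sample in the describe-instances shape.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{
        "Instances": [
            {   # good: role attached, IMDSv2 enforced
                "InstanceId": "i-0aaaaaaaaaaaaaaaa",
                "State": {"Name": "running"},
                "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role",
                                       "Id": "AIPAEXAMPLEID"},
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                    "HttpPutResponseHopLimit": 1},
            },
            {   # bad: no role, and IMDSv1 still answers unauthenticated requests
                "InstanceId": "i-0bbbbbbbbbbbbbbbb",
                "State": {"Name": "running"},
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 1},
            },
            {   # terminated instances are skipped
                "InstanceId": "i-0ccccccccccccccccc",
                "State": {"Name": "terminated"},
            },
        ]
    }]
}

if __name__ == "__main__":
    print(json.dumps(audit_instance_credentials(SAMPLE_DESCRIBE_INSTANCES), indent=2))
```

Use `aws ec2 describe-instances --output json` as the input; the role credentials an instance gets from IMDS are short-lived and rotated, which is exactly why they are preferable to the long-lived keys aws configure would write to disk.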
  • SSH Troubleshooting
    • There's a connection timeout
      • This is a security group issue. Any timeout (not just for SSH) is related to security groups or a firewall. Ensure your security group has an inbound rule for port 22 from your IP and is correctly assigned to your EC2 instance.
      • If your security group is properly configured as above and you still have connection timeout issues, then a corporate firewall or a personal firewall is blocking the connection.
    • SSH does not work on Windows
      • If it says ssh command not found, then use PuTTY.
    • There's a connection refused
      • This means the instance is reachable, but no SSH daemon is listening on the instance. Try to restart the instance.
      • If it doesn't work, terminate the instance and create a new one. Make sure you're using Amazon Linux 2.
    • Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
      • You are using the wrong key, or no key. Look at your EC2 instance configuration to make sure you have assigned the correct key pair to it.
      • You are using the wrong user. Make sure you have started an Amazon Linux 2 EC2 instance, and make sure you're using the user ec2-user. This is what you specify as <ec2-user@your public ip> in your SSH command or your PuTTY configuration.
    • I was able to connect yesterday, but today I can't
      • This is probably because you have stopped your EC2 instance and then started it again today. When you do so, the public IP of your EC2 instance changes. Therefore, in your command or PuTTY configuration, edit and save the new public IP.
EC2 Instance Purchasing options
  • On demand Instances
    • Short workloads, predictable pricing, pay by the second.
    • For Linux and Windows, billing is per second with a minimum of 60 seconds. For other operating systems, billing is per hour.
    • It has the highest cost, but no upfront payment.
    • No long-term commitment.
    • Recommended for short-term and uninterrupted workloads.
    • Used when application behaviour is unpredictable.
    • We use it when we need an instance temporarily.
  • Reserved(1 to 3 years)
    • Long workload
    • Up to 72% discount compared to on demand instances.
    • We reserve specific instance attributes, for example instance type, region, tenancy, OS.
    • We specify our reservation period: one year or three years.
    • Payment options
      • No upfront
      • Partial upfront
      • All upfront
    • Scope can be regional or zonal.
      • A zonal reservation also reserves capacity in that availability zone; a regional one gives the discount only.
    • Recommended for steady state usage, applications like Databases, et cetera.
    • We can buy and sell reserved instances in marketplace.
    • When we want to use for long time, and we have advanced future plans.
  • Convertible reserved instances
    • Long workload with flexible instances.
    • We can change the EC2 instance Type, instance family, operating system, scope, and tenancy.
    • Up to 66% discount.
  • Savings plan(1 to 3 years)
    • Commitment to an amount of usage, long workload.
    • Get a discount based on long-term usage(Up to 72% same as reserved instance)
    • Commit to a certain type of usage($10/hour for 1 or 3 years)
    • Usage beyond EC2 savings plan is billed at the on demand price.
    • Locked to specific instance family, and AWS region.
    • Flexible across
      • Instance size
      • Operating system(Linux/Windows)
      • Tenancy(Host/dedicated/default)
    • Pay per hour of usage for a certain period and switch easily between instances.
  • Spot instances
    • Short workloads, cheap, can lose instances (less reliable).
    • Can get a discount of up to 90% compared to on demand.
    • Instances that you can lose at any point in time, if your maximum price is less than the current spot price.
    • The most cost efficient instances in AWS.
    • Useful for workloads That are resilient to failure
      • Batch jobs
      • Data analysis
      • Image processing
      • Any distributed workload
      • Workload with flexible start and end time
    • Not suitable for critical jobs or databases.
    • Spot instances are spare EC2 capacity. You set a maximum price; while the current spot price is at or below it you keep the instance, and when the spot price rises above it AWS reclaims the instance.
    • The instance may be taken away from you at any time, with a two-minute interruption notice.
  • Dedicated hosts
    • Book an entire physical server, control instance placement
    • A physical server with EC2 instance, capacity fully dedicated to your use.
    • Allows you to address compliance requirements and use your existing server-bound software licenses (per-socket, per-core, per-VM software licenses).
    • Purchasing options
      • On demand
        • Pay per second for active dedicated host.
      • Reserved
        • One or three years(No upfront, partial upfront, all upfront)
    • The most expensive option
    • Useful for software that have complicated licensing model(BYOL-Bring your own license)
    • For companies that have strong regulatory or compliance needs.
    • With a dedicated host, we get access to the physical server itself and visibility into the lower-level hardware (sockets, cores).
    • A dedicated host is when we book the entire physical machine.
  • Dedicated instances
    • No other customers share your hardware.
    • Instances that run on hardware dedicated to you.
    • May share hardware with other instances in the same account.
    • No control over instance placement (the instance can move to different hardware after stop/start).
    • With dedicated instances, we get our own instances on our own hardware.
  • Capacity reservation
    • Reserve capacity in a specific availability zone for any duration.
    • Reserve on demand instance capacity in a specific availability zone for any duration.
    • You always have access to EC2 capacity when you need it.
    • No time commitment (create/cancel any time), no billing discounts.
    • Combine with regional reserved instances and savings plans to benefit from billing discounts.
    • You are charged at the on demand rate whether you run instances or not.
    • Suitable for short-term, uninterrupted workloads that need to be in a specific availability zone.
    • A capacity reservation is like hiring a machine: you are charged whether you use it or not.
