Welcome to my field notes!

Field notes are notes I leave myself as I go through my day to day work. The hope is that other people will also find these notes useful. Note that these notes are unfiltered and unverified.

AWS Solutions Architect - EC2

Author

TJ Palanca

Published

October 5, 2022

General

  • Scalable compute capacity in the cloud
  • Typically run as guest operating systems (VMs) on a host server
  • Easily scalable to various instance types
  • Uses preconfigured templates called AMIs (Amazon Machine Images)
  • SSH/login via key pairs (Amazon stores the public key, you keep the private key)

Storage

  • 2 types
    • ephemeral storage (instance store) - disappear when you stop, hibernate, or terminate
    • elastic block storage (EBS) - can be attached to instances
      • primary storage for data that requires frequent updates (database, app storage)
      • flexible and can be scaled while it’s being used
      • throughput-intensive applications that perform continuous disk scans
      • persists independently of the instance; can be re-attached to new ones
      • can attach many EBS volumes, but they have to be in the same AZ as the instance
      • can use multi-attach to mount a volume to multiple instances at the same time
        • Provisioned IOPS SSD only
        • only Nitro enabled - t3 is an example
        • you can do this to enable high speed I/O on shared data
        • Elastic Filesystem => more attachment scenarios, but slower
  • Block level vs object storage

Elastic Block Storage (EBS)

  • Most common
    • GP2 and GP3 (General Purpose SSD)
    • Provisioned IOPS SSD (io1 and io2) - for mission critical, high throughput
  • Less common
    • Throughput optimized HDD (st1) - lower cost for throughput intensive workloads
    • Cold HDD (sc1) - lowest cost drive, used for less frequently accessed workloads
    • Magnetic (standard) - infrequently accessed
  • EBS Encryption
    • encrypts the volume with AES-256 using a KMS key
    • secures data-at-rest and data-in-transit (encryption happens on the EC2 instance)
    • encrypts: traffic between EC2 and EBS, EBS data at rest, snapshots, and all volumes created from the snapshot

Networking and Security

  • firewall specifies the IPs allowed/denied for inbound/outbound traffic
  • VPCs are virtual networks that are logically isolated from the rest of the AWS cloud
  • VPC is a virtual network
    • composed of subnets that have specific CIDR blocks; a subnet can be public, with traffic routed to an internet gateway
    • configured by selecting IP address ranges, creating subnets, routing tables, network gateways, and security settings
    • can be linked to an on-prem data center
  • Security Group is a virtual firewall for EC2 instances
  • NACL (network access control list) - each subnet can be associated with one NACL and has separate inbound and outbound rules
  • Security groups are stateful (inbound/outbound) and good for allowing access; NACLs are stateless and good for denying access
  • Elastic IP - can be assigned to multiple instances that act as one (failover)
  • Elastic network interface - virtual network card?? no idea what this is
  • EC2 instances can be given an IAM role
  • Side note: in an example he was running an “Apache NGINX” server? That’s weird.
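
The stateful vs stateless point above is the one that bites people in practice, so here is an added toy model of it (my own illustration, not AWS code and not the real EC2 data plane): a security group that tracks connections and only has allow rules, next to a NACL that evaluates every packet against an ordered allow/deny list. The addresses, ports and rule sets are constructed for the example.

```python
"""Toy model of the stateful vs stateless difference between security groups and NACLs.

Constructed illustration, not AWS code: it imitates the evaluation behaviour the notes
describe (security groups track connections and only have allow rules; NACLs evaluate
every packet against an ordered allow/deny list), not the real EC2 data plane.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" = towards the instance, "out" = leaving the instance

    def reverse(self) -> "Packet":
        """The reply to this packet: addresses and ports swapped, direction flipped."""
        return Packet(self.dst, self.src, self.dport, self.sport,
                      "out" if self.direction == "in" else "in")


@dataclass(frozen=True)
class Rule:
    direction: str
    cidr: str        # remote side of the connection
    port_lo: int     # inclusive range matched against the packet's destination port
    port_hi: int
    action: str = "allow"

    def matches(self, pkt: Packet) -> bool:
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        return (pkt.direction == self.direction
                and ip_address(remote) in ip_network(self.cidr)
                and self.port_lo <= pkt.dport <= self.port_hi)


class SecurityGroup:
    """Stateful and allow-only: the reply to a permitted packet is permitted automatically."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups have no deny rules")
        self.rules = list(rules)
        self.flows = set()          # packets that opened a tracked connection

    def permits(self, pkt: Packet) -> bool:
        if pkt.reverse() in self.flows:          # return traffic of a tracked flow
            return True
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add(pkt)
            return True
        return False                             # implicit deny


class NetworkAcl:
    """Stateless and ordered: first matching rule decides, otherwise implicit deny."""

    def __init__(self, rules):
        self.rules = list(rules)                 # in rule-number order

    def permits(self, pkt: Packet) -> bool:
        for r in self.rules:
            if r.matches(pkt):
                return r.action == "allow"
        return False


# Constructed traffic: a client opens HTTPS to the instance and the instance replies.
CLIENT, INSTANCE = "203.0.113.10", "10.0.1.5"
REQUEST = Packet(CLIENT, INSTANCE, 51234, 443, "in")
REPLY = REQUEST.reverse()                        # 10.0.1.5:443 -> 203.0.113.10:51234
HTTPS_IN = Rule("in", "0.0.0.0/0", 443, 443)
EPHEMERAL_OUT = Rule("out", "0.0.0.0/0", 1024, 65535)


def security_group_https() -> tuple:
    """One inbound allow is enough: the reply rides on connection state."""
    sg = SecurityGroup([HTTPS_IN])
    return sg.permits(REQUEST), sg.permits(REPLY)        # (True, True)


def nacl_https_missing_return_rule() -> tuple:
    """Same single rule on a NACL: the request gets in, the reply is dropped."""
    nacl = NetworkAcl([HTTPS_IN])
    return nacl.permits(REQUEST), nacl.permits(REPLY)    # (True, False)


def nacl_https_with_return_rule() -> tuple:
    """A stateless list needs an explicit outbound rule for the ephemeral ports."""
    nacl = NetworkAcl([HTTPS_IN, EPHEMERAL_OUT])
    return nacl.permits(REQUEST), nacl.permits(REPLY)    # (True, True)


def nacl_deny_one_range() -> tuple:
    """What a security group cannot do: a deny for one CIDR ahead of the broad allow."""
    nacl = NetworkAcl([Rule("in", "198.51.100.0/24", 0, 65535, "deny"),
                       HTTPS_IN, EPHEMERAL_OUT])
    blocked = Packet("198.51.100.7", INSTANCE, 40000, 443, "in")
    return nacl.permits(blocked), nacl.permits(REQUEST)  # (False, True)


if __name__ == "__main__":
    for fn in (security_group_https, nacl_https_missing_return_rule,
               nacl_https_with_return_rule, nacl_deny_one_range):
        print(f"{fn.__name__}: {fn()}")
```

The second function is the one to remember: an inbound-only NACL rule looks fine until the first reply packet is dropped, which is why NACLs need an outbound rule for the ephemeral port range, and why a NACL (not a security group) is the place for a deny.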

Images (AMIs)

  • one or more EBS instances
  • template for the root volume if ephemeral
  • launch permissions that control AWS accounts that
  • block device mapping to determine mounting

Instance Types

Size

Purchasing Options

  • On Demand - pay per second of running
    • if you stop the instance you still get billed for the storage
    • irregular workloads that cannot be interrupted
  • Savings Plans - make a commitment of usage (in $) for a discount
    • can save on EC2, Fargate, and Lambda
    • two types
      • compute savings plan - just a dollar commitment, not tied to an instance type
      • ec2 instance savings plan - specific type in a specific region
  • Reserved instances - make a commitment of a specific type of instance for a discount
    • type, region, tenancy, OS is fixed for a specific number of years/days
    • upfront payment options
    • standard vs convertible
  • Spot instances - bid on unused EC2 instances, but can be interrupted
    • hourly price (spot price) that is based on supply and demand
    • you set a maximum price and the instance only runs while the spot price is below it
    • data analysis, batch jobs that can restart, background processing, optional tasks
    • instance rebalance recommendation - warning you if it will die
  • Dedicated Hosts - fully dedicated host, used for per-host licenses
    • physical server with no shared VMs
    • visibility of number of sockets and physical cores
    • same physical server every time
    • bring your own license (like Windows Server)
  • Dedicated instances - run on single-tenant hardware
    • run in a VPC that is dedicated, so they are physically not just logically isolated

Capacity Reservations

  • Just a reservation, no commitment - you will be charged
  • Used by running instances that match those attributes
  • is this so you don’t run out

Operations

Launching

  • Several options around size, networking, security groups, VPCs
  • IPv6 is a thing
  • Tags to identify it
  • Can choose a key pair so that we can access the instance
  • User data is a bootstrap script and is commonly used

Accessing

  • Key pair has private key and public key
  • EC2 stores the public key (in ~/.ssh/authorized_keys on the instance), you store the private key
  • Use private key in place of a password

Best Practices

Security

  • Least permissive security group; use Systems Manager Session Manager so that you don’t have to open port 22 to the public
    • SSM agent runs on the EC2 instance, which lets us access it without opening port 22
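
To turn that best practice into a check, here is an added audit script (mine, not from the notes or from AWS) that flags admin ports (SSH, RDP) a security group exposes to the whole internet. It works on a constructed dict in the shape of `aws ec2 describe-security-groups` output, so it runs offline with no credentials or SDK; the group ids and ranges are placeholders.

```python
"""Find admin ports (SSH, RDP) that a security group opens to the whole internet.

Added example, not from the notes or from AWS. The input is a constructed dict in the
shape returned by `aws ec2 describe-security-groups` (SecurityGroups[].IpPermissions[]);
no credentials or SDK are needed. Group ids are placeholders.
"""
from ipaddress import ip_network

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


def is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (prefix length 0 = every address)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm: dict) -> tuple:
    """Inclusive port range a permission covers; IpProtocol "-1" (all traffic) has no ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def cidrs(perm: dict) -> list:
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def world_open_admin_ports(group: dict) -> list:
    """Return [(port, name, cidr)] for every admin port reachable from any address."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):   # udp/icmp cannot carry ssh/rdp
            continue
        lo, hi = port_range(perm)
        for cidr in cidrs(perm):
            if not is_world(cidr):
                continue
            for port, name in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append((port, name, cidr))
    return findings


def audit(groups: list) -> dict:
    """Map group name -> findings, only for groups that have any."""
    return {g["GroupName"]: f for g in groups if (f := world_open_admin_ports(g))}


# Constructed samples (placeholder ids and documentation address ranges).
OPEN_SSH = {  # the pattern the notes warn about: port 22 open to the public
    "GroupId": "sg-placeholder1", "GroupName": "web-open-ssh",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}
ALL_TRAFFIC = {  # "all traffic from anywhere" hides admin ports in a rule with no ports
    "GroupId": "sg-placeholder2", "GroupName": "wide-open",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
SSM_ONLY = {  # hardened: serves HTTPS only; shell access goes through Session Manager,
    # which needs the SSM agent and outbound HTTPS, not an inbound port 22 rule
    "GroupId": "sg-placeholder3", "GroupName": "web-ssm",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
RESTRICTED_SSH = {  # port 22 from one office range: not world-open, so no finding
    "GroupId": "sg-placeholder4", "GroupName": "bastion-office",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}
SAMPLE_GROUPS = [OPEN_SSH, ALL_TRAFFIC, SSM_ONLY, RESTRICTED_SSH]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_GROUPS).items():
        for port, proto, cidr in findings:
            print(f"{name}: {proto} ({port}/tcp) open to {cidr}")
```

The `-1` case is the easy one to miss: an “all traffic” rule has no FromPort/ToPort at all, so a check that only looks for `FromPort == 22` would report the wide-open group as clean. To run this against a real account, feed it the `SecurityGroups` list from the describe call instead of `SAMPLE_GROUPS`.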

Storage

  • Use separate EBS volumes for operating system versus data
  • Use the instance store for temp data only!

Backup and Recovery

  • Create AMI to backup the instance
  • Create EBS Snapshots to backup any EBS volumes