EC2 is a web service that provides resizable compute capacity in the cloud in minutes, allowing you to quickly scale capacity, both up and down, as your compute requirements change.
EC2 Options
On-Demand - Allows you to pay by the hour (or by the second). No upfront payment or commitment. Suited to applications with short-term spikes or unpredictable workloads that cannot be interrupted, and to apps being developed for the first time.
Reserved - You can reserve for 1-3 years. The price is less than On-Demand. Suited to steady-state or predictable usage. It is tied to a region, which cannot be changed, but you can change the AZ.
Standard RI - Price 75% off On-Demand
Convertible RI - Price 54% off On-Demand. You have the flexibility to change some attributes of the EC2 instance, like general purpose to compute optimized, or Windows to Linux
Scheduled RI
Spot - For workloads with flexible start and end times. If your bid price is higher than the spot price, the EC2 instance will be provisioned. If the spot price goes higher than your bid, the instance will be terminated. Suited to data processing that can happen at, say, 3 am. If you terminate the instance yourself you pay for that hour in full; if AWS terminates it because the spot price went above your bid price, you get the hour in which it was terminated for free.
Dedicated Host - For when you don't want a multi-tenant scenario, e.g. for regulatory requirements, or for licensing that does not support multi-tenancy or cloud deployment. Can be purchased On-Demand or Reserved.
EC2 Instance Types
D2 Dense storage, used for file servers, data warehousing, Hadoop
R4 Memory optimized, for memory-intensive apps
M4 General purpose application server
C4 Compute optimized, CPU-intensive apps/DBs
G2 Graphics intensive, video encoding, 3D app streaming
I2 High-speed storage, NoSQL DBs, data warehousing
F1 Field programmable gate array (FPGA), hardware acceleration for your code; change the underlying hardware to suit your need
T2 Lowest cost general purpose, web servers / small DBs
P2 General purpose GPU, machine learning
X1 Memory optimized for SAP HANA / Apache Spark, extreme memory
Launching EC2
While launching an EC2 instance you will be asked to use a public (AWS stores it) / private (you store it) key pair. You need the private key to obtain the password for Windows RDP, and on Linux you use it to SSH into your instance. You can use the same public/private key pair for multiple EC2 instances.
For each EC2 instance you get an IPv4 (or IPv6) public IP address (and also a private one for internal use) and a DNS name, which you can use to RDP or SSH.
Termination Protection - Will not allow you to terminate the instance until you change the instance setting.
System status check - Just makes sure the instance is reachable. If this fails there may be an issue with the infrastructure hosting your instance. You can restart or replace the instance.
Instance status check - Verifies that the instance OS is accepting traffic. If this fails you can restart or change the OS configuration.
A security group is a virtual firewall where you specify what incoming/outgoing traffic is allowed. By default everything is blocked; you need to whitelist what you want to allow.
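An added example, not from these notes, that models the default-deny rule evaluation described above and adds the audit check a defender would run over a group's inbound rules; the InboundRule shape and the sample rules are constructed for illustration.

```python
# Added example (not from the original notes): a small model of how a security group
# evaluates inbound traffic (explicit allow rules only, everything else denied) plus a
# check for the classic weak setting, an admin port open to the whole internet.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class InboundRule:
    protocol: str      # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int
    to_port: int
    cidr: str          # source CIDR, e.g. "10.0.0.0/16"

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def is_allowed(rules, protocol, port, src_ip):
    """Return True only if some rule explicitly allows this packet."""
    src = ip_address(src_ip)
    for r in rules:
        proto_ok = r.protocol == "-1" or r.protocol == protocol
        port_ok = r.protocol == "-1" or r.from_port <= port <= r.to_port
        if proto_ok and port_ok and src in ip_network(r.cidr, strict=False):
            return True
    return False   # nothing matched: the default is deny

def world_open_admin_ports(rules):
    """List admin ports reachable from 0.0.0.0/0 or ::/0 (constructed audit check)."""
    findings = []
    for r in rules:
        if ip_network(r.cidr, strict=False).prefixlen != 0:
            continue   # source is restricted, not a world-open rule
        for port, name in ADMIN_PORTS.items():
            port_ok = r.protocol == "-1" or r.from_port <= port <= r.to_port
            if r.protocol in ("-1", "tcp") and port_ok:
                findings.append((name, port, r.cidr))
    return findings

# Constructed sample group: web open to the world, SSH only from a bastion subnet,
# and one mistaken rule that opens RDP to everyone.
SAMPLE_RULES = [
    InboundRule("tcp", 80, 80, "0.0.0.0/0"),
    InboundRule("tcp", 22, 22, "10.0.1.0/24"),
    InboundRule("tcp", 3389, 3389, "0.0.0.0/0"),
]

if __name__ == "__main__":
    print(is_allowed(SAMPLE_RULES, "tcp", 22, "10.0.1.7"))     # True
    print(is_allowed(SAMPLE_RULES, "tcp", 22, "203.0.113.9"))  # False
    print(world_open_admin_ports(SAMPLE_RULES))                # [('RDP', 3389, '0.0.0.0/0')]
```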
Elastic Block Store
This allows you to create storage volumes and attach them to EC2 instances. You can think of it as a disk attached to your VM. It is block-based storage where you can deploy an OS, file system or DB, whereas S3 is object storage, which is not suitable for installing an OS, DB, etc. A volume is placed in a specific AZ and is automatically replicated within that AZ, which protects it from failure of a single component. It cannot be mounted to multiple EC2 instances. All EBS volumes mounted on an EC2 instance will be in the same AZ.
General Purpose SSD - 3 IOPS per GB, up to 10,000 IOPS
Provisioned IOPS - Designed for I/O-intensive apps like large relational or NoSQL DBs; use if you need more than 10,000 IOPS, it can go up to 20,000 IOPS
Magnetic Storage - physical spinning disk
Throughput Optimized HDD (ST1) - Big data, data warehousing, log processing; frequently accessed sequential data; can't be a boot volume
Cold HDD (SC1) - Lowest cost storage for infrequently accessed workloads, file servers; can't be a boot volume
Magnetic Standard - Lowest cost per GB and is bootable. Suitable where data is accessed infrequently
RAID
Redundant array of independent disks. You put multiple disks together and they act as a single disk to the OS. This is needed when you need more I/O than a single volume type provides; for example you have a DB which is not supported by AWS and you are not getting enough I/O with the default EBS type. In Windows you can do this by RDPing into the instance and going to Disk Management. Taking a snapshot while the instance is running can exclude data held in cache by the application and OS. This tends not to matter for a single volume, however for multiple volumes in a RAID array it can be a problem. It can be solved by freezing the file system, unmounting the RAID array, or shutting down the EC2 instance, which is the easiest way.
RAID 0 - Striped, no redundancy, good performance. If one disk fails you lose everything
RAID 1 - Mirrored, redundancy
RAID 5 - Good for reads, bad for writes; AWS does not recommend this.
RAID 10 - Striped and mirrored, a combination of RAID 1 and RAID 0
Volume
You can modify a volume's type (e.g. Standard to IOPS, but not from Magnetic Standard) and size.
You can create a snapshot. While doing this you cannot change the encryption type.
You can detach a volume from an EC2 instance, after which you can delete it or attach it to another EC2 instance.
When terminating an instance the root volume will be deleted by default, but other EBS volumes attached to the instance will not be deleted. Deleting an instance deletes the root volume unless you uncheck Delete on Termination while provisioning the EC2 instance.
The root volume of a public AMI cannot be encrypted, because the encryption key is held within your AWS account.
Additional volumes on an EC2 instance can be encrypted while creating the EC2 instance from a public AMI.
You can also use a third-party tool such as BitLocker for Windows to encrypt the root volume.
Snapshot
From a snapshot you can create a volume and change the volume type, size and availability zone. You cannot encrypt the EBS volume.
You can create an AMI; while doing that you can add extra volumes, but you cannot encrypt the EBS volume.
By default snapshots are private, but you can change the permissions to make a snapshot public or share it with other AWS accounts, which gives them permission to copy the snapshot and create volumes from it.
You can copy a snapshot to another region or to the same region, and you also have the option to encrypt the snapshot.
Snapshots of encrypted volumes are automatically encrypted. Volumes (even root) restored from an encrypted snapshot are encrypted. You can share a snapshot only if it is not encrypted, because the encryption key is associated with your account.
Snapshots exist on S3, but you will not be able to see them in a bucket. A snapshot is a point-in-time copy of the volume, and snapshots are incremental.
The first snapshot may take longer. It is advisable to stop the instance before taking a snapshot, however you can take a snapshot even while the instance is running.
A snapshot has a createVolumePermission attribute that you can set to one or more AWS account IDs to share it.
AMI
An AMI can be created from a snapshot or an EC2 instance.
You can copy an AMI to another region or to the same region, and you also have the option to encrypt the target EBS snapshot.
You can launch EC2 instances from an AMI.
You can create a spot request from an AMI.
You can delete an AMI by deregistering it.
EBS Vs Instance Store
Some Amazon EC2 instance types come with a form of directly attached, block-device storage known as the instance store. Instance store volumes are sometimes called ephemeral storage. An instance-store-backed instance cannot be stopped, and if the underlying host fails you will lose the data, whereas an EBS-backed instance can be stopped and you will not lose the data on it when it is stopped. You can reboot both and you will not lose data. By default both root volumes are deleted on termination, however with an EBS volume you can tell AWS to keep the root device volume. Instance store volumes are less durable and are created from a template stored in S3, whereas EBS volumes are created from a snapshot. Instance store volumes cannot be added after the EC2 instance is created.
Load Balancer
A virtual appliance which spreads traffic across your different web servers.
Classic Load Balancer - The AWS Classic Load Balancer (CLB) operates at Layer 4 of the OSI model. This means the load balancer routes traffic between clients and backend servers based on IP address and TCP port. For example, an ELB at a given IP address receives a request from a client on TCP port 80 (HTTP). It then routes that request, based on the rules configured when setting up the load balancer, to a specified port on one of a pool of backend servers. In a classic LB you register instances with the LB.
Application Load Balancer - It operates at Layer 7, which means you can route traffic not only based on IP address and TCP port but also on additional configuration such as the request path. In an application LB you register instances as targets in a target group.
Network Load Balancer
To create a load balancer you configure the following:
Load balancer protocol (port), instance protocol (port)
Security group
Health check on EC2 instances (response timeout, interval, unhealthy threshold, healthy threshold)
An Elastic Load Balancer will have a public IP address, but Amazon manages it and you never get the IP, as it changes internally. Instead you get a public DNS name.
An instance monitored by the ELB is either InService or OutOfService.
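An added example, not from these notes, modelling how the health check parameters above (interval, response timeout, healthy and unhealthy thresholds) move a registered instance between InService and OutOfService; the default values and the probe sequence are constructed for the example, not AWS's defaults.

```python
# Added example (not from the original notes): a model of the ELB health check state
# machine. Thresholds below are chosen for the example, not AWS's defaults.
from dataclasses import dataclass

@dataclass
class HealthCheck:
    interval: int = 30            # seconds between probes
    timeout: int = 5              # seconds to wait for a response
    healthy_threshold: int = 2    # consecutive passes needed to become InService
    unhealthy_threshold: int = 2  # consecutive failures needed to become OutOfService

    def __post_init__(self):
        # The console rejects a timeout that is not shorter than the interval.
        if self.timeout >= self.interval:
            raise ValueError("response timeout must be shorter than the interval")

@dataclass
class Target:
    name: str
    state: str = "OutOfService"   # a newly registered instance starts out of service
    passes: int = 0
    failures: int = 0

def probe_result(status_code, elapsed, hc):
    """A probe passes only if HTTP 200 arrives within the response timeout."""
    return status_code == 200 and elapsed <= hc.timeout

def record_probe(target, passed, hc):
    """Apply one probe outcome and return the target's state afterwards."""
    if passed:
        target.passes += 1
        target.failures = 0             # a pass resets the failure streak
        if target.passes >= hc.healthy_threshold:
            target.state = "InService"
    else:
        target.failures += 1
        target.passes = 0               # a failure resets the pass streak
        if target.failures >= hc.unhealthy_threshold:
            target.state = "OutOfService"
    return target.state

def simulate(responses, hc):
    """Run a constructed sequence of (status, elapsed_seconds) probes; return the state after each."""
    t = Target("web-1")
    return [record_probe(t, probe_result(code, secs, hc), hc) for code, secs in responses]

# Constructed probes: two fast 200s, a slow 200 (exceeds timeout), a 503, then recovery.
SAMPLE_PROBES = [(200, 0.1), (200, 0.2), (200, 6.0), (503, 0.1), (200, 0.1), (200, 0.1)]

if __name__ == "__main__":
    print(simulate(SAMPLE_PROBES, HealthCheck()))
```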
You can have only one subnet from each AZ, you should have at least two AZs in your LB, and all of your subnets should have an internet gateway if you are creating an internet-facing LB.
ELB Connection Draining causes the load balancer to stop sending new requests to back-end instances when the instances are being deregistered or become unhealthy, while ensuring that in-flight requests continue to be served. You can specify a maximum of 1 hour (default 300 seconds) for the load balancer to keep connections alive before reporting the instance as deregistered.
The ELB Session Stickiness/Affinity feature enables the LB to bind a user's session to a specific instance. It uses your app's session cookie, or you can configure the ELB to create its own session cookie.
Health Check
CPUCreditUsage, CPUSurplusCreditBalance, CPUSurplusCreditsCharged, CPUCreditBalance, CPUUtilization
DiskReadBytes, DiskReadOps, DiskWriteBytes, DiskWriteOps
NetworkIn, NetworkOut, NetworkPacketsIn, NetworkPacketsOut
StatusCheckFailed, StatusCheckFailed_Instance, StatusCheckFailed_System
For custom metrics like RAM utilization etc. you need to write code
Cloud Watch
Here you can create dashboards, alarms, events (based on any event it can trigger some other activity) and logs (here you can go to the app layer and log any event). Standard monitoring is every 5 minutes and detailed monitoring (you pay extra) is every 1 minute. CloudWatch is for monitoring and CloudTrail is for auditing.
CloudWatch can monitor resources such as EC2 instances, DynamoDB tables, RDS DB instances, custom metrics generated by your applications and services, and any log files your apps generate. You can use CloudWatch to gain system-wide visibility into resource utilization, application performance and operational health. You can use these insights to react and keep your app running smoothly.
Bootstrap Script
While creating an EC2 instance you can specify a bootstrap script. The following is an example for a Linux machine:
#!/bin/bash
# Bootstrap (user data) scripts already run as root, so no sudo/su is needed
yum update -y
yum install httpd -y
# Pull the site content from the bucket (the instance's IAM role must allow reading it)
aws s3 cp s3://rraj-test-bucket /var/www/html/ --recursive
currentDate=$(date)
echo "$HOSTNAME: was created on - $currentDate" > /var/www/html/index.html
# Quick outbound connectivity check; the response is discarded
curl -s -o /dev/null http://www.google.com
service httpd start
chkconfig httpd on
Placement Group
It is a logical grouping of instances within a single availability zone. Using placement groups enables applications to participate in a low-latency, 10 Gbps network. It is recommended for applications that benefit from low network latency, high network throughput, or both. It cannot span multiple availability zones. The name of the placement group must be unique in your AWS account. Only certain types of instance can be launched in a placement group (compute optimized, GPU, memory optimized, storage optimized). AWS recommends homogeneous instances (same size and same family) within a placement group. You can't merge placement groups. You can't move an existing instance into a placement group.
EFS
- Supports the Network File System version 4 protocol
- Only pay for the storage you use
- It can support thousands of concurrent NFS connections
- Data is stored across multiple AZs
- EFS is block-based storage
- Read-after-write consistency
- Can scale up to petabytes
- It can connect to multiple EC2 instances
IAM Role
In order to access AWS services you need to configure credentials by running aws configure and entering the AWS Access Key ID and Secret Access Key. Doing this stores this info in the .aws folder, and anyone who is able to SSH in will be able to access the key and secret. To avoid this you can specify an IAM role while creating the EC2 instance. You need to make sure you add the necessary policies to this role.
AWS Command Line
aws s3 ls
aws ec2 describe-instances
aws ec2 help
In PuTTY, hit q to escape if it is showing more output and you don't want to scroll further.
Create a user and give it S3 admin access. When you run aws configure, use this user's secret key and access key, which will be stored in the .aws folder, so if your EC2 instance is compromised someone can gain access to the key. This can be prevented by creating a role for the EC2 service (as the EC2 service will use this role) and assigning this role the policy AmazonS3FullAccess. Now when you create a new EC2 instance assign this role as its IAM role, or for an existing instance click on attach/replace IAM role.
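An added example, not from these notes, of the check a responder would run on an instance to find the long-lived keys that aws configure leaves in the .aws folder; the sample credentials file is constructed, and the AKIA/ASIA key-ID prefixes are AWS's documented convention for long-term versus temporary access keys.

```python
# Added example (not from the original notes): scan an AWS credentials file for the
# long-lived access keys that would be exposed if the instance were compromised.
# Key-ID prefixes: AKIA = long-term IAM user key, ASIA = temporary (role/STS) key.
import configparser
import os

# Constructed sample file: one long-lived key (the weak setting) and one temporary key.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = example-secret-not-real

[assumed-role]
aws_access_key_id = ASIAEXAMPLEEXAMPLE02
aws_secret_access_key = example-secret-not-real
aws_session_token = example-session-token-not-real
"""

def scan_credentials(text):
    """Return {profile: kind} where kind is 'long-lived', 'temporary' or 'unknown'."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    result = {}
    for profile in cp.sections():
        key_id = cp[profile].get("aws_access_key_id", "")
        if key_id.startswith("AKIA"):
            result[profile] = "long-lived"
        elif key_id.startswith("ASIA") and cp[profile].get("aws_session_token"):
            result[profile] = "temporary"
        elif key_id:
            result[profile] = "unknown"
    return result

def long_lived_profiles(text):
    """Profiles whose keys stay valid in any copy of the file taken from the box."""
    return sorted(p for p, kind in scan_credentials(text).items() if kind == "long-lived")

def scan_file(path=os.path.expanduser("~/.aws/credentials")):
    """Scan the real file if present. An instance relying only on its IAM role has none,
    because role credentials are fetched from instance metadata, not stored on disk."""
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return scan_credentials(f.read())

if __name__ == "__main__":
    print(long_lived_profiles(SAMPLE_CREDENTIALS))  # ['default']
```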
Instance Metadata - You can access this from the command line with the following curl commands:
curl http://169.254.169.254/latest/meta-data/public-ipv4
curl http://169.254.169.254/latest/meta-data/public-ipv4 > mypublicip.html
Launch Configuration and Auto Scaling
- You can increase/decrease the group size based on alarms which you set.
- Alarms can be set based on the average/min/max/sum/sample count of CPU utilization, disk read/write, or network in/out