Amazon EC2 Instance

What is Amazon EC2?

• EC2 is one of the most popular of AWS' offering. It is definitely used everywhere.
• EC2 = Elastic Compute Cloud = Infrastructure as a Service

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic.

Features of Amazon EC2
EC2 is not just one service. It's composed of many things at a high level as:

• You can rent virtual machines on EC2, they're called EC2 instances.
• You can store data on virtual drives or EBS volumes.
• You can distribute load across machines, Elastic Load Balancer.
• You can scale services using an auto-scaling group or ASG.
• You can provide static IPv4 addresses for dynamic cloud computing, known as Elastic IP addresses
• Metadata, known as tags, that you can create and assign to your Amazon EC2 resources
• Virtual networks you can create that are logically isolated from the rest of the AWS Cloud, and that you can optionally connect to your own network, known as virtual private clouds (VPCs)

EC2 sizing & configuration options

What can we choose for our EC2 instances, so, there're virtual server that were rent from AWS?
So, what Operating System can we choose for our EC2 instances?

• Operating System (OS): Linux, Windows, or Mac OS
• How much compute power & cores (CPU)
• How much random-access memory (RAM)
• How much storage space:
• Network-attached (EBS & EFS)
• hardware (EC2 Instance Store)
• Network card: speed of the card, Public IP address
• Firewall rules: security group
• Bootstrap script (configure at first launch): EC2 User Data  

EC2 User Data

So, it is possible to bootstrap our instances using the EC2 User Data script.
So, what does bootstrapping mean?
Well, bootstrapping means launching commands when the machine starts.
So, that script is only run once and when it first starts, and then will never be run again.
So, the EC2 User Data has a very specific purpose. It is to automate boot tasks, hence the name bootstrapping.
So, what tasks do you want to automate?
Usually, when you boot your instance while you want to install updates, install software, download common files from the Internet or anything you can think of really, but just know that the more you add into your User Data script, the more your instant has to do at boot time.
By the way, the EC2 User Data scripts runs with a root user.

EC2 Instance Type

Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your applications. Each instance type includes one or more instance sizes, allowing you to scale your resources to the requirements of your target workload.

You can use different types of EC2 instances that are optimized for different use cases as:
(https://aws.amazon.com/ec2/instance-types/)

• General Purpose
• General purpose instances provide a balance of compute, memory, and networking resources, and can be used for a variety of diverse workloads. 
• These instances are ideal for applications that use these resources in equal proportions such as web servers and code repositories.

AWS has the following naming convention:

m5.2xlarge

m: instance class

5: generation (AWS improves them over time)

2xlarge: size within the instance class

• Compute Optimized
• Compute Optimized instances are ideal for compute bound applications that benefit from high performance processors. 
• Instances belonging to this family are well suited for:
• Batch processing workloads
• Media transcoding
• High performance web servers
• High performance computing (HPC)
• Scientific modeling
• Dedicated gaming servers
• Ad server engines
• Machine learning inference
• Other compute intensive applications.
• Memory Optimized
• Memory optimized instances are designed to deliver fast performance for workloads that process large data sets in memory.
• Use cases:
• High performance, relational/non-relational databases
• Distributed web scale cache stores
• In-memory databases optimized for BI (business intelligence)
• Applications performing real-time processing of big unstructured data
• Accelerated Computing
• Accelerated computing instances use hardware accelerators, or co-processors, to perform functions, such as floating-point number calculations, graphics processing, or data pattern matching, more efficiently than is possible in software running on CPUs.
•  Storage Optimized
• Storage optimized instances are designed for workloads that require high, sequential read and write access to very large data sets on local storage. 
• They are optimized to deliver tens of thousands of low-latencies, random I/O operations per second (IOPS) to applications.
• Use cases:
• High frequency online transaction processing (OLTP) systems
• Relational & NoSQL databases
• Cache for in-memory databases (for example, Redis)
• Data warehousing applications
• Distributed file systems
• HPC Optimized
• High performance computing (HPC) instances are purpose built to offer the best price performance for running HPC workloads at scale on AWS. 
• HPC instances are ideal for applications that benefit from high-performance processors such as large, complex simulations and deep learning workloads.

Introduction to Security Groups

• Security Groups are the fundamental of network security in AWS
• They control how traffic is allowed into or out of our EC2 Instances.
• Security groups are going to be very easy, they only contain allow rules, so, we can say what is allowed to go in and to go out, and security groups can have rules that reference either by IP addresses, so, where your computer is from or by other security groups, so, as we'll see, security groups can reference each other.

• So here, let's take an example, we are on our computer, so we are on the public internet and we're trying to access our EC2 instance from our computer. 
• We are going to create a security group around our EC2 instance, that is the firewall that is around it and then this security group is going to have rules. 
• And these rules are going to say whether or not some inbound traffic, so, from the outside into the EC2 instance is allowed, and also, if the EC2 instance can perform some outbound traffic. 
• So, to talk from where it is into the internet.

Security Group – Deep Dive

• Security groups are a firewall on our EC2 instances.
• They're going to regulate:
• Access to ports
• Authorized IP ranges – IPv4 and IPv6
• Control of inbound network (from other to the instance)
• Control of outbound network (from the instance to the other)

When we look at security group rules, they will look just like this.

Security Group Diagram

                  

• So, we have our EC2 instance, and it has one security group allow attached to it that has inbound rules and outbound rules.
• So, I've separated them onto this diagram. So, our computer is going to be authorized on say port 22.
• So, the traffic can go through from our computer to the EC2 instance, but someone else's computer, that's not using my IP address because they don't live where I live, then if they're trying to access our EC2 instance they will not get through it because the firewall is going to block it and it will be a timeout.
• Then for the outbound rules by default, our EC2 instance for any security group is going to be by default allowing any traffic out of it. 
• So, our EC2 instance if it tries to access a website and initiate a connection it is going to be allowed by the security group. So, this is the basics of how the firewall works.

Let look at another diagram referencing Security group

• So, we have an EC2 instance, and it has a security group, what I call group number one, and the inbound rules is basically saying, I'm authorizing security group number one inbound and security group number two.
• So, why would we even do this?
• Well, if we launch another EC2 instance and it has security group two attached to it, well, by using the security group (indistinct) rule that we just set up, we basically allow our EC2 instance to go connect straight through on the port we decided onto our first EC2 instance.
• Similarly, if we have another EC2 instance with a security group one attached, while we've also authorized this one to communicate straight back to our instances.
• And so regardless of the IP of our EC2 instances because they have the right security group attached to them, they're able to communicate straight through to other instances.
• And that's awesome because it doesn't make you think about IPs all the time.
• And if you have another EC2 instance maybe with security group number three attached to it, well, because it groups number three wasn't authorized in the inbound rules of security group number one, then it's being denied, and things don't work.

Security Groups – Good to Know

• Can be attached to multiple instances
• Locked down to a region / VPC combination
• Does live “outside” the EC2 – if traffic is blocked the EC2 instance won’t see it
• It’s good to maintain one separate security group for SSH access
• If your application is not accessible (time out), then it’s a security group issue
• If your application gives a “connection refused“ error, then it’s an application error or it’s not launched, then the security group actually worked, the traffic went through, and the application was errored or it wasn't launched
• All inbound traffic is blocked by default
• All outbound traffic is authorized by default

Classic Ports to know

• 22 = SSH (Secure Shell) - log into a Linux instance
• 21 = FTP (File Transfer Protocol) – upload files into a file share
• 22 = SFTP (Secure File Transfer Protocol) – upload files using SSH
• 80 = HTTP – access unsecured websites
• 443 = HTTPS – access secured websites
• 3389 = RDP (Remote Desktop Protocol) – log into a Windows instance

SSH Summary Table

How do you connect inside of your servers to perform some maintenance or action.
So, for this, for Linux servers, we can use SSH to do a secure shell into our servers.
So based on the operating system you have on your computer, you have different ways of achieving it.

                             

• So, the SSH is a command line interface utility that can be used on Mac or Linux as well as Windows over version 10.
• Then if you have Windows less than version 10, you can use something called putty.
• Putty will exceed the exact same thing as SSH. So, when I say you should SSH, if you're on Windows,
• you can use putty. And putty is valid for any version of Windows.
• They do the exact same thing; they allow you to use the SSH protocol to connect into your EC2 instances. And then finally, there's something new called the EC2 Instance Connect, which is going to use your web browser.
• So not a terminal not putty, your web browser to connect to your EC2 instance.
• And I like it a lot because it is valid for Mac, Linux, Windows, all versions. The cool thing about EC2 Instance Connect is that it works, but it only works for now with Amazon EC2 

SSH Troubleshooting

1. There's a connection timeout
• This is a security group issue. Any timeout (not just for SSH) is related to security groups or a firewall. Ensure your security group looks like this and correctly assigned to your EC2 instance.
2. There's still a connection timeout issue
• If your security group is properly configured as above, and you still have connection timeout issues, then that means a corporate firewall, or a personal firewall is blocking the connection. Please use EC2 Instance Connect
3. SSH does not work on Windows
• If it says: ssh command not found, that means you have to use Putty
4. There's a connection refused
• This means the instance is reachable, but no SSH utility is running on the instance
• Try to restart the instance
• If it doesn't work, terminate the instance, and create a new one. Make sure you're using Amazon Linux 2
5. Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
• This means either two things:
• You are using the wrong security key or not using a security key. Please look at your EC2 instance configuration to make sure you have assigned the correct key to it.
• You are using the wrong user. Make sure you have started an Amazon Linux 2 EC2 instance, and make sure you're using the user ec2-user. This is something you specify when doing ec2-user@<public-ip> (ex: ec2-user@35.180.242.162) in your SSH command or your Putty configuration
6. I was able to connect yesterday, but today I can't
• This is probably because you have stopped your EC2 instance and then started it again today. When you do so, the public IP of your EC2 instance will change. Therefore, in your command, or Putty configuration, please make sure to edit and save the new public IP. 

EC2 Instance Connect

• Connect to your EC2 instance within your browser
• No need to use your key file that was downloaded
• The “magic” is that a temporary key is uploaded onto EC2 by AWS
• Works only out-of-the-box with Amazon Linux 2
• Need to make sure the port 22 is still opened!

EC2 Instances Purchasing Options

• On-Demand Instances – short workload, predictable pricing, pay by second
• Reserved (1 & 3 years)
• Reserved Instances – long workloads
• Convertible Reserved Instances – long workloads with flexible instances
• Savings Plans (1 & 3 years) –commitment to an amount of usage, long workload
• Spot Instances – short workloads, cheap, can lose instances (less reliable)
• Dedicated Hosts – book an entire physical server, control instance placement
• Dedicated Instances – no other customers will share your hardware
• Capacity Reservations – reserve capacity in a specific AZ for any duration

EC2 On Demand

• Pay for what you use:
• Linux or Windows - billing per second, after the first minute
• All other operating systems - billing per hour
• Has the highest cost but no upfront payment
• No long-term commitment
• Recommended for short-term and un-interrupted workloads, where you can't predict how the application will behave

EC2 Reserved Instances

• Up to 72% discount compared to On-demand
• You reserve a specific instance attribute (Instance Type, Region, Tenancy, OS)
• Reservation Period – 1 year (+discount) or 3 years (+++discount)
• Payment Options – No Upfront (+), Partial Upfront (++), All Upfront (+++)
• Reserved Instance’s Scope – Regional or Zonal (reserve capacity in an AZ)
• Recommended for steady-state usage applications (think database)
• You can buy and sell in the Reserved Instance Marketplace
• Convertible Reserved Instance
• Can change the EC2 instance type, instance family, OS, scope, and tenancy
• Up to 66% discount

EC2 Savings Plans

• Get a discount based on long-term usage (up to 72% - same as Reserved Instance)
• Commit to a certain type of usage ($10/hour for 1 or 3 years)
• Usage beyond EC2 Savings Plans is billed at the On-Demand price
• Locked to a specific instance family & AWS region (e.g., M5 in us-east-1)
• Flexible across:
• Instance Size (e.g., m5.xlarge, m5.2xlarge)
• OS (e.g., Linux, Windows)
• Tenancy (Host, Dedicated, Default)

EC2 Spot Instances

• Can get a discount of up to 90% compared to On-demand
• Instances that you can “lose” at any point of time if your max price is less than the  current spot price
• The MOST cost-efficient instances in AWS
• Useful for workloads that are resilient to failure
• Batch jobs
• Data analysis
• Image processing
• Any distributed workloads
• Workloads with a flexible start and end time
• Not suitable for critical jobs or databases

EC2 Dedicated Hosts

• A physical server with EC2 instance capacity fully dedicated to your use
• Allows you address compliance requirements and use your existing server- bound software licenses (per-socket, per-core, pe—VM software licenses)
• Purchasing Options:
• On-demand – pay per second for active Dedicated Host
• Reserved - 1 or 3 years (No Upfront, Partial Upfront, All Upfront)
• The most expensive option
• Useful for software that have complicated licensing model (BYOL – Bring Your Own License)
• Or for companies that have strong regulatory or compliance needs

EC2 Dedicated Instances

• Instances run on hardware that’s  dedicated to you
• May share hardware with other  instances in same account
• No control over instance placement  (can move hardware after Stop / Start)

Remember that dedicated instances mean that you have your own instance on your own hardware, whereas dedicated host, you get access to the physical server itself and it gives you visibility into the lower-level hardware.

EC2 Capacity Reservations

• Reserve On-Demand instances capacity in a specific AZ for any duration
• You always have access to EC2 capacity when you need it
• No time commitment (create/cancel anytime), no billing discounts
• Combine with Regional Reserved Instances and Savings Plans to benefit  from billing discounts
• You’re charged at On-Demand rate whether you run instances or not
• Suitable for short-term, uninterrupted workloads that needs to be in a  specific AZ

Which purchasing option is right for me?
So, we'll take a resort as an analogy.

• On demand: coming and staying in resort whenever we like, we pay the full price
• Reserved: like planning ahead and if we plan to stay for a long time, we may get a good discount.
• Savings Plans: pay a certain amount per hour for certain period and stay in any room type (e.g.,  King, Suite, Sea View, …)
• Spot instances: the hotel allows people to bid for the empty rooms and the highest bidder keeps the  rooms. You can get kicked out at any time
• Dedicated Hosts: We book an entire building of the resort/hardware.
• Capacity Reservations: you book a room for a period with full price even you don’t stay in it

Price Comparison
Example – m4.large – us-east-1

Shared Responsibility Model for EC2

Summary

• EC2 Instance: AMI (OS) + Instance Size (CPU + RAM) + Storage +  security groups + EC2 User Data
• So, we have created EC2 Instances, and they were composed of an AMI, which was defining the operating system. 
• Then we defined an instance size where we defined how much CPU power we want, and how much RAM we want. 
• We described the storage for our EC2 Instance, we defined the firewall on our instances with the security groups.
• And finally, a bootstrap script called the EC2 User Data that was started when the EC2 Instance was started.
• Security Groups: Firewall attached to the EC2 instance
• So, the security groups are attached to EC2 Instances. 
• And they are a firewall outside of your instance. And you can define rules to allow which ports and which API can access your EC2 instance. 
• EC2 User Data: Script launched at the first start of an instance
• For EC2 User Data, this was a script that we launched at the first start of an instance that we used to set up our EC2 instance to be a web server and say "hello world".
• SSH: start a terminal into our EC2 Instances (port 22)
• SSH was a way for us to start a terminal from our computers into our EC2 Instances, to start issuing commands on port 22. 
• And once we did it, we were able to leverage an EC2 Instance role that was similar to IAM role, to have our EC2 instance issue commands against IAM.
• EC2 Instance Role: link to IAM roles
• Purchasing Options: On-Demand, Spot, Reserved (Standard + Convertible + Scheduled), Dedicated Host, Dedicated Instance