[AWS] Amazon Elastic Compute Cloud EC2
The first thing you have to know is yourself. A man who knows himself can step outside himself and watch his own reactions like an observer. -Adam Smith
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.
Amazon EC2’s simple web service interface allows you to obtain and configure capacity with minimal friction. It provides you with complete control of your computing resources and lets you run on Amazon’s proven computing environment.
Amazon EC2 reduces the time required to obtain and boot new server instances to minutes, allowing you to quickly scale capacity, both up and down, as your computing requirements change.
Amazon EC2 changes the economics of computing by allowing you to pay only for capacity that you actually use.
Amazon EC2 provides developers the tools to build failure resilient applications and isolate them from common failure scenarios.
Amazon EC2 allows you to acquire compute through the launching of virtual servers called instances. When you launch an instance, you can make use of the compute as you wish, just as you would with an on-premises server. Because you are paying for the computing power of the instance, you are charged per hour while the instance is running. When you stop the instance, you are no longer charged.
There are two concepts that are key to launching instances on AWS:
- the amount of virtual hardware dedicated to the instance
- the software loaded on the instance.
These two dimensions of new instances are controlled, respectively, by the instance type and the AMI.
User Guide for Linux Instances
Describes key concepts of Amazon EC2 and provides instructions for using the features of Amazon EC2.
User Guide for Windows Instances
Describes key concepts for Amazon EC2 and provides instructions for launching and using your Windows instance.
Features of Amazon EC2
Amazon EC2 provides the following features:
Virtual computing environments, known as instances
Preconfigured templates for your instances, known as Amazon Machine Images (AMIs), that package the bits you need for your server (including the operating system and additional software)
Various configurations of CPU, memory, storage, and networking capacity for your instances, known as instance types
Secure login information for your instances using key pairs (AWS stores the public key, and you store the private key in a secure place)
Storage volumes for temporary data that’s deleted when you stop or terminate your instance, known as instance store volumes
Persistent storage volumes for your data using Amazon Elastic Block Store (Amazon EBS), known as Amazon EBS volumes
Multiple physical locations for your resources, such as instances and Amazon EBS volumes, known as regions and Availability Zones
A firewall that enables you to specify the protocols, ports, and source IP ranges that can reach your instances using security groups
Static IPv4 addresses for dynamic cloud computing, known as Elastic IP addresses
Metadata, known as tags, that you can create and assign to your Amazon EC2 resources
Virtual networks you can create that are logically isolated from the rest of the AWS cloud, and that you can optionally connect to your own network, known as virtual private clouds (VPCs)
An instance is a virtual server in the cloud. It’s configuration at launch is a copy of the AMI that you specified when you launched the instance.
The instance type defines the virtual hardware supporting an Amazon EC2 instance.
There are dozens of instance types available, varying in the following dimensions:
- Virtual CPUs (vCPUs)
- Storage (size and type)
- Network performance
An instance type essentially determines the hardware of the host computer used for your instance. Each instance type offers different compute and memory capabilities.
Select an instance type based on the amount of memory and computing power that you need for the application or software that you plan to run on the instance.
Instance types are grouped into families
- General Purpose (A1, T3, T3a, T2, M5, M5a, M4)
- Compute Optimized For workloads requiring significant processing (C5, C5n, C4)
- Memory Optimized For memory-intensive workloads (R5, R5A, R4, X1e, X1, High Memory, Z1d)
- Storage optimized For workloads requiring high amounts of fast SSD storage (H1, I3, D2)
- Accelerated Computing GPU-based instances—Intended for graphics and general-purpose GPU compute workloads (P3, P2, G3, F1)
For more information about the current generation instance types, see Amazon EC2 Instance Types.
Another variable to consider when choosing an instance type is network performance.
For most instance types, AWS publishes a relative measure of network performance: low, moderate, or high. Some instance types specify a network performance of 10 Gbps.
The network performance increases within a family as the instance type grows.
For workloads requiring greater network performance, many instance types support enhanced networking. Enhanced networking reduces the impact of virtualization on network performance by enabling a capability called Single Root I/O Virtualization (SR-IOV). This results in more Packets Per Second (PPS), lower latency, and less jitter.
Enabling enhanced networking on an instance involves ensuring the correct drivers are installed and modifying an instance attribute. Enhanced networking is available only for instances launched in an Amazon Virtual Private Cloud (Amazon VPC)
Amazon Machine Images (AMIs)
An Amazon Machine Image (AMI) is a template that contains a software configuration (for example, an operating system, an application server, and applications). From an AMI, you launch an instance, which is a copy of the AMI running as a virtual server in the cloud. You can launch multiple instances of an AMI. Your instances keep running until you stop or terminate them, or until they fail. If an instance fails, you can launch a new one from the AMI.
The Amazon Machine Image (AMI) defines the initial software that will be on an instance when it is launched. An AMI defines every aspect of the software state at instance launch, including:
- The Operating System (OS) and its configuration
- The initial state of any patches
- Application or system software
All AMIs are based on x86 OSs, either Linux or Windows.
There are four sources of AMIs:
Published by AWS—AWS publishes AMIs with versions of many different OSs, both Linux and Windows. These include multiple distributions of Linux (including Ubuntu, Red Hat, and Amazon’s own distribution) and Windows 2008 and Windows 2012. Launching an instance based on one of these AMIs will result in the default OS settings, similar to installing an OS from the standard OS ISO image. As with any OS installation, you should immediately apply all appropriate patches upon launch.
The AWS Marketplace—AWS Marketplace is an online store that helps customers find, buy, and immediately start using the software and services that run on Amazon EC2. Many AWS partners have made their software available in the AWS Marketplace. This provides two benefits: the customer does not need to install the software, and the license agreement is appropriate for the cloud. Instances launched from an AWS Marketplace AMI incur the standard hourly cost of the instance type plus an additional per-hour charge for the additional software (some open-source AWS Marketplace packages have no additional software charge).
Generated from Existing Instances—An AMI can be created from an existing Amazon EC2 instance. This is a very common source of AMIs. Customers launch an instance from a published AMI, and then the instance is configured to meet all the customer’s corporate standards for updates, management, security, and so on. An AMI is then generated from the configured instance and used to generate all instances of that OS. In this way, all new instances follow the corporate standard and it is more difficult for individual projects to launch non-conforming instances.
Uploaded Virtual Servers—Using AWS VM Import/Export service, customers can create images from various virtualization formats, including raw, VHD, VMDK, and OVA. The current list of supported OSs (Linux and Windows) can be found in the AWS documentation. It is incumbent on the customers to remain compliant with the licensing terms of their OS vendor.
Addressing an Instance
There are several ways that an instance may be addressed over the web upon creation:
Public Domain Name System (DNS) Name—When you launch an instance, AWS creates a DNS name that can be used to access the instance. This DNS name is generated automatically and cannot be specified by the customer. The name can be found in the Description tab of the AWS Management Console or via the Command Line Interface (CLI) or Application Programming Interface (API). This DNS name persists only while the instance is running and cannot be transferred to another instance.
Public IP—A launched instance may also have a public IP address assigned. This IP address is assigned from the addresses reserved by AWS and cannot be specified. This IP address is unique on the Internet, persists only while the instance is running, and cannot be transferred to another instance.
Elastic IP—An elastic IP address is an address unique on the Internet that you reserve independently and associate with an Amazon EC2 instance. While similar to a public IP, there are some key differences. This IP address persists until the customer releases it and is not tied to the lifetime or state of an individual instance. Because it can be transferred to a replacement instance in the event of an instance failure, it is a public address that can be shared externally without coupling clients to a particular instance.
Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Publickey cryptography uses a public key to encrypt a piece of data and an associated private key to decrypt the data. These two keys together are called a key pair. Key pairs can be created through the AWS Management Console, CLI, or API, or customers can upload their own key pairs. AWS stores the public key, and the private key is kept by the customer. The private key is essential to acquiring secure access to an instance for the first time.
Store your private keys securely. When Amazon EC2 launches a Linux instance, the public key is stored in the /.ssh/authorized_keys file on the instance and an initial user is created. The initial user can vary depending on the OS. For example, the Amazon Linux distribution initial user is ec2-user. Initial access to the instance is obtained by using the ec2-user and the private key to log in via SSH.
When launching a Windows instance, Amazon EC2 generates a random password for the local administrator account and encrypts the password using the public key. Initial access to the instance is obtained by decrypting the password with the private key, either in the console or through the API. The decrypted password can be used to log in to the instance with the local administrator account via RDP. At this point, you can create other local users and/or connect to an Active Directory domain.
Virtual Firewall Protection
AWS allows you to control traffic in and out of your instances through virtual firewalls called security groups. Security groups allow you to control traffic based on port, protocol, and source/destination. Security groups have different capabilities depending on whether they are associated with an Amazon VPC or Amazon EC2-Classic.
Security groups are associated with instances when they are launched. Every instance must have at least one security group but can have more.
A security group is default deny; that is, it does not allow any traffic that is not explicitly allowed by a security group rule.
A security group is a stateful firewall; that is, an outgoing message is remembered so that the response is allowed through the security group without an explicit inbound rule being required.
Security groups are applied at the instance level, as opposed to a traditional on-premises firewall that protects at the perimeter. The effect of this is that instead of having to breach a single perimeter to access all the instances in your security group, an attacker would have to breach the security group repeatedly for each individual instance.
By working with Amazon EC2 to manage your instances from the moment you launch them through their termination, you ensure that your customers have the best possible experience with the applications or sites that you host on your instances.
The following illustration represents the transitions between instance states. Notice that you can’t stop and start an instance store-backed instance.
The following table provides a brief description of each instance state and indicates whether it is billed or not.
|Instance state||Description||Instance usage billing|
|pending||The instance is preparing to enter the running state. An instance enters the pending state when it launches,for the first time, or when it is restarted after being in the stopped state.||Not billed|
|running||La instancia se está preparando para entrar en el estado de ejecución.,Una instancia ingresa al estado pendiente cuando se inicia por primera,vez, o cuando se reinicia después de estar en el estado detenido.||Billed|
|stopped||The instance is shut down and cannot be used. The instance can be restarted at any,time.||Not billed if preparing to stop, Billed if preparing to hibernate|
|shutting-down||The instance is preparing to be terminated.||Not billed|
|terminated||The instance has been permanently deleted and cannot be restarted.||Not billed, Note Reserved Instances that applied to terminated instances are billed until the end of,their term according to their payment option. For more information see Reserved Instances|
When you launch an instance, it enters the pending state. The instance type that you specified at launch determines the hardware of the host computer for your instance. AWS use the Amazon Machine Image (AMI) you specified at launch to boot the instance. After the instance is ready for you, it enters the running state. You can connect to your running instance and use it the way that you’d use a computer sitting in front of you.
As soon as your instance transitions to the running state, you’re billed for each second, with a one-minute minimum, that you keep the instance running, even if the instance remains idle and you don’t connect to it.
There are several additional services that are useful when launching new Amazon EC2 instances.
Bootstrapping A great benefit of the cloud is the ability to script virtual hardware management in a manner that is not possible with on-premises hardware. In order to realize the value of this, there has to be some way to configure instances and install applications programmatically when an instance is launched. The process of providing code to be run on an instance at launch is called bootstrapping.
One of the parameters when an instance is launched is a string value called UserData. This string is passed to the operating system to be executed as part of the launch process the first time the instance is booted. On Linux instances this can be shell script, and on Windows instances this can be a batch style script or a PowerShell script. The script can perform tasks such as:
Applying patches and updates to the OS
- Enrolling in a directory service
- Installing application software
- Copying a longer script or program from storage to be run on the instance
- Installing Chef or Puppet and assigning the instance a role so the configuration
UserData is stored with the instance and is not encrypted, so it is important to not include any secrets such as passwords or keys in the UserData.
VM Import/Export In addition to importing virtual instances as AMIs, VM Import/Export enables you to easily import Virtual Machines (VMs) from your existing environment as an Amazon EC2 instance and export them back to your on-premises environment. You can only export previously imported Amazon EC2 instances. Instances launched within AWS from AMIs cannot be exported.
Instance Metadata Instance metadata is data about your instance that you can use to configure or manage the running instance. This is unique in that it is a mechanism to obtain AWS properties of the instance from within the OS without making a call to the AWS API. An HTTP call to http://169.254.169.254/latest/meta-data/ will return the top node of the instance metadata tree. Instance metadata includes a wide variety of attributes, including:
- The associated security groups
- The instance ID
- The instance type
- The AMI used to launch the instance
This only begins to scratch the surface of the information available in the metadata. Consult the AWS documentation for a full list.
When the number of instances in your account starts to climb, it can become difficult to keep track of them. Tags can help you manage not just your Amazon EC2 instances, but also many of your AWS Cloud services. Tags are key/value pairs you can associate with your instance or other service. Tags can be used to identify attributes of an instance like project, environment (dev, test, and so on), billable department, and so forth.
AWS offers a service called Amazon CloudWatch that provides monitoring and alerting for Amazon EC2 instances, and also other AWS infrastructure. Amazon CloudWatch is discussed in detail in Chapter 5, “Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling.”
Modifying an Instance
There are several aspects of an instance that can be modified after launch.
Instance Type The ability to change the instance type of an instance contributes greatly to the agility of running workloads in the cloud. Instead of committing to a certain hardware configuration months before a workload is launched, the workload can be launched using a best estimate for the instance type. If the compute needs prove to be higher or lower than expected, the instances can be changed to a different size more appropriate to the workload. Instances can be resized using the AWS Management Console, CLI, or API. To resize an instance, set the state to Stopped. Choose the “Change Instance Type” function in the tool of your choice (the instance type is listed as an Instance Setting in the console and an Instance Attribute in the CLI) and select the desired instance type. Restart the instance and the process is complete.
Security Groups If an instance is running in an Amazon VPC (discussed in Chapter 4), you can change which security groups are associated with an instance while the instance is running. For instances outside of an Amazon VPC (called EC2-Classic), the association of the security groups cannot be changed after launch.
When an Amazon EC2 instance is no longer needed, the state can be set to Terminated and the instance will be shut down and removed from the AWS infrastructure. In order to prevent termination via the AWS Management Console, CLI, or API, termination protection can be enabled for an instance. While enabled, calls to terminate the instance will fail until termination protection is disabled. This helps to prevent accidental termination through human error.
Note that this just protects from termination calls from the AWS Management Console, CLI, or API. It does not prevent termination triggered by an OS shutdown command, termination from an Auto Scaling group, or termination of a Spot Instance due to Spot price changes
You are charged for Amazon EC2 instances for each hour that they are in a running state, but the amount you are charged per hour can vary based on three pricing options: On-Demand Instances, Reserved Instances, and Spot Instances.
On-Demand Instances The price per hour for each instance type published on the AWS website represents the price for On-Demand Instances. This is the most flexible pricing option, as it requires no up-front commitment, and the customer has control over when the instance is launched and when it is terminated. It is the least cost effective of the three pricing options per compute hour, but its flexibility allows customers to save by provisioning a variable level of compute for unpredictable workloads.
Reserved Instances The Reserved Instance pricing option enables customers to make capacity reservations for predictable workloads. By using Reserved Instances for these workloads, customers can save up to 75 percent over the on-demand hourly rate. When purchasing a reservation, the customer specifies the instance type and Availability Zone for that Reserved Instance and achieves a lower effective hourly price for that instance for the duration of the reservation. An additional benefit is that capacity in the AWS data centers is reserved for that customer. There are two factors that determine the cost of the reservation: the term commitment and the payment option.
The term commitment is the duration of the reservation and can be either one or three years.
The longer the commitment, the bigger the discount.
There are three different payment options for Reserved Instances:
All Upfront—Pay for the entire reservation up front. There is no monthly charge for the customer during the term.
Partial Upfront—Pay a portion of the reservation charge up front and the rest in monthly installments for the duration of the term.
No Upfront—Pay the entire reservation charge in monthly installments for the duration of the term.
Spot Instances For workloads that are not time critical and are tolerant of interruption, Spot Instances offer the greatest discount. With Spot Instances, customers specify the price they are willing to pay for a certain instance type. When the customer’s bid price is above the current Spot price, the customer will receive the requested instance(s). These instances will operate like all other Amazon EC2 instances, and the customer will only pay the Spot price for the hours that instance(s) run. The instances will run until:
- The customer terminates them.
- The Spot price goes above the customer’s bid price.
- There is not enough unused capacity to meet the demand for Spot Instances.
If Amazon EC2 needs to terminate a Spot Instance, the instance will receive a termination notice providing a two-minute warning prior to Amazon EC2 terminating the instance.
Because of the possibility of interruption, Spot Instances should only be used for workloads tolerant of interruption. This could include analytics, financial modeling, big data, media encoding, scientific computing, and testing.
There are several tenancy options for Amazon EC2 instances that can help customers achieve security and compliance goals.
Shared Tenancy Shared tenancy is the default tenancy model for all Amazon EC2 instances, regardless of instance type, pricing model, and so forth. Shared tenancy means that a single host machine may house instances from different customers. As AWS does not use over provisioning and fully isolates instances from other instances on the same host, this is a secure tenancy model.
Dedicated Instances Dedicated Instances run on hardware that’s dedicated to a single customer. As a customer runs more Dedicated Instances, more underlying hardware may be dedicated to their account. Other instances in the account (those not designated as dedicated) will run on shared tenancy and will be isolated at the hardware level from the Dedicated Instances in the account.
Dedicated Host An Amazon EC2 Dedicated Host is a physical server with Amazon EC2 instance capacity fully dedicated to a single customer’s use. Dedicated Hosts can help you address licensing requirements and reduce costs by allowing you to use your existing server bound software licenses. The customer has complete control over which specific host runs an instance at launch. This differs from Dedicated Instances in that a Dedicated Instance can launch on any hardware that has been dedicated to the account.
A placement group is a logical grouping of instances within a single Availability Zone. Placement groups enable applications to participate in a low-latency, 10 Gbps network. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. Remember that this represents network connectivity between instances. To fully use this network performance for your placement group, choose an instance type that supports enhanced networking and 10 Gbps network performance.
An instance store (sometimes referred to as ephemeral storage) provides temporary block level storage for your instance. This storage is located on disks that are physically attached to the host computer. An instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers.
The size and type of instance stores available with an Amazon EC2 instance depend on the instance type. At this writing, storage available with various instance types ranges from no instance stores up to 24 2 TB instance stores. The instance type also determines the type of hardware for the instance store volumes. While some provide Hard Disk Drive (HDD) instance stores, other instance types use Solid State Drives (SSDs) to deliver very high random I/O performance.
Instance stores are included in the cost of an Amazon EC2 instance, so they are a very costeffective solution for appropriate workloads. The key aspect of instance stores is that they are temporary. Data in the instance store is lost when:
- The underlying disk drive fails.
- The instance stops (the data will persist if an instance reboots).
- The instance terminates.
Therefore, do not rely on instance stores for valuable, long-term data. Instead, build a degree of redundancy via RAID or use a file system that supports redundancy and fault tolerance such as Hadoop’s HDFS. Back up the data to more durable data storage solutions such as Amazon Simple Storage Service (Amazon S3) or Amazon EBS often enough to meet recovery point objectives.