EC2 Fundamentals - AWS Solutions Architect Associate Certification

Chapter 2: EC2. AWS Solutions Architect Associate Complete Course

Hello everyone. In this chapter, let’s start with the AWS Core Services. In this case, we will study EC2, possibly the most important AWS Service.

AWS EC2 for the AWS Solutions Architect Associate Certification.

Remember that all the chapters from the course can be found at the following link:

Complete Course for the AWS Solutions Architect-Associate Certification

EC2 stands for Elastic Compute Cloud, a web service that provides secure, resizable compute capacity in the cloud. It offers the broadest and deepest compute platform with a choice of processor, storage, networking, operating system, and purchase model. Therefore, with EC2, you can create, among other things, servers, configure their network, hard disks, and load balancers in the cloud. Although transparent to us in some cases, most AWS services use EC2 on the back end.

Once we have understood what EC2 is all about, let’s analyze the service. EC2 is mainly composed of:

• Virtual machines → EC2
• Block-storage service → EBS
• Load Balancer → ELB
• Elasticity of the resources → Auto Scaling Group

In this course, we will see all of them. Let’s start with EC2. These are the main points that we will discuss in this chapter:

1. EC2 Instances
2. EC2 Launch Types
3. EC2 User Data
4. EC2 AMI
5. EC2 Instance Connection
6. EC2 Security Groups
7. EC2 Instance Lifecycle
8. EC2 Placement Groups
9. EC2 Elastic Network Interfaces

EC2 INSTANCES

In EC2, we will create instances that we will use to compute; therefore, they will be our servers. They are pay-as-you-go instances; you only pay for the running time. There are many types of instances, each useful for a different thing. The main ones would be these:

• R → Use it when the application requires a lot of RAM.
• C → Use it when the application requires a lot of CPU.
• M → Balanced applications. Medium.
• I → Use it when the application requires a lot of I/O.
• G → Use it when the application requires a lot of GPU.
• T2/T3 → Burstable instances. Good performance. If you must process something unexpected, the CPU can improve and burst. But it uses burst credits, and the CPU performs terribly if all the credits run out. T2.micro has a free tier in case you need to practice.
• T2/T3 — unlimited → Same as above, but if you go out of credits, you pay more not to lose performance. So keep an eye on the price!

You can find more information about the instances at the following link.

Some EC2 Instances On-Demand Pricing

EC2 LAUNCH TYPES

We can reserve EC2 instances differently, each committing us somehow while applying better offers. They are the following:

1. On-Demand → You only pay for the capacity you use—the most expensive but without compromise. There will be no problem if you want to start a server and turn it off four hours later.

2. Reserved Instances (RI) → Used in applications with stable load or predictive use. You commit for 1 or 3 years but get better prices than On-Demand instances. You can choose between three payment options; the All Upfront option, the Partial Upfront option, and the No Upfront option. Depending on the payment option, you can get even better discounts.

• Standard → You cannot upgrade the instance’s capacity, but you get a better price.
• Convertible → You can upgrade the capacity if necessary.
• Scheduled → You reserve instances for specific periods, like once a week. Imagine that we increase users on Fridays from 17.00 to 20.00. It would make sense to use this type of instance.

3. Spot Instances → Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud, getting the best price. Still, if a customer needs that capacity, you must give it to them, i.e., AWS can terminate your instance whenever you want. You save a lot of money, up to 90% of On-Demand instances. We have to define the max price we are willing to pay and keep the instance as long as the price is lower than your max. If the price increases, you have 2 minutes to stop or terminate your instance. It is typically used for batch Jobs, Data Analysis, or Image Processing.

• Spot block → You can block your instance for 1 to 6 hours so that AWS doesn’t terminate it.

3. Dedicated Host → You have a fully dedicated physical server with complete control of Hardware and Software. Suitable for software with a complicated licensing model or strong regulatory/compliance needs.

4. Dedicated Instances → Instances running on hardware dedicated to a single customer. Dedicated Instances may share hardware with other instances from the same AWS account.

Price Difference between AWS EC2 Launch Types

EC2 USER DATA

When an instance starts, it runs the boot process, which runs only once to install updates, software, etc. EC2 User Data is to automate the boot tasks like:

• Installing updates or software
• Installing files from the internet
• Whatever you want to do in the boot process.

We can specify the User Data when we create an EC2 instance:

EC2 User Data

EC2 AMI

Amazon Machine Image is the software that will come with the instance, and it’s required to launch it. Some examples are Linux, Windows, etc.

• You can create your own AMIs from an instance; you only have to save this updated configuration as a custom AMI. Instances launched from this new custom AMI include the customizations you made when you created the AMI.
• AMIs are stored in S3. Therefore, it hardly costs any money.
• You can upload your own AMIs to the AWS MarketPlace. You can also download custom AMIs from there. Typically, these AMIs contain different things, like pre-installed packages or preconfigured monitoring software.

For example, if an instance takes 15 minutes to start because the User Data process is very long, an excellent way to reduce it would be to create an AMI after this process so that the following instances we create would not have to do it.

You can also share your AMI. A shared AMI is an AMI created and made available for other developers to use. You can publish your custom AMIs and download public custom AMIs in the AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors, where you can find, among other things, AMIs.

AMIs can also be shared privately, although they are a regional resource. Therefore, to make an AMI available in a different Region, copy the AMI to the Region and share it.

EC2 INSTANCE CONNECTION

Once we have created the instance, there are different ways to access it:

• SSH → Depending on your operating system, we should connect using SSH in one way or another. We use SSH with both Mac and Linux and Putty with Windows. You can find more details in the following guide.
• EC2 Instance Connect → You can also establish a connection through the browser. It is the same as above but without worrying about the key or anything. It does not work if you block the SSH port in the EC2 instance.

EC2 Instance Connect

EC2 SECURITY GROUPS

Security Groups are a fundamental part of network security in AWS. They act as a virtual firewall to control inbound and outbound traffic for your instance. They can be attached to many instances. An instance can also have many Security Groups. It is outside EC2, so if you block traffic, this traffic will not be logged in EC2. If you get a Connection Timeout Error while accessing the instance, it will probably be an error with the Security Group (Exam Question).

• Inbound Traffic → Inbound traffic is the incoming traffic that tries to access the instance. For example, if we remove the SSH Port (22) assigned to the machine, we will not connect to the instance. To accept HTTP traffic, we would also have to activate it.
• Outbound Traffic → Outgoing traffic destined for services on the internet or outside the network, so the traffic that leaves the instance. For example, if we want to request to Google from our instance, this will be outbound traffic.

When you create a Custom Security Group, all inbound traffic is NOT allowed by default as they don’t have inbound allow rules; and all outbound traffic is allowed by default. It doesn’t happen with the Default Security Group created in the VPC, which allows all the Inbound Traffic by Default.

Differences between default and custom Security Groups.

Main characteristics of the security groups:

• You can specify allow rules but not deny rules (typical exam question).
• You can establish separate rules for inbound and outbound traffic.
• Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

As we can see in the following image, the Security Group lives outside of EC2, so no traffic blocked by the Security Group would be logged on the EC2 instance. SG1 allows traffic in port 22 from the first IP; that’s why it enters into EC2 but doesn’t allow it from the second instance.

EC2 Security Groups

As we will see later, an important thing to know about the security groups is the possibility of only allowing traffic from another security group. You can reference other Security Groups instead of IP ranges. We’ll understand this concept better when we talk about Load Balancers.

EC2 INSTANCE LIFECYCLE

The instance can be in different states from the moment you launch it through to its termination:

• Start → When you start your instance, it enters the pending state. It runs the OS boot & User Data script for the first time. The rest of the time, it just runs the OS boot.
• Stop → It stops the instance, and the EBS data (storage data) remains there next time.
• Stop — Hibernate → It performs the hibernation (suspend-to-disk), which saves the contents from the instance memory (RAM) to your Amazon EBS root volume so that the next time you start your instance, it spends less time to boot it. The EBS must be encrypted.
• Terminate → It terminates the instance. By default, Amazon EBS root device volumes are automatically deleted when the instance terminates. For data on Amazon EBS volumes, Amazon EC2 uses the value of the DeleteOnTermination attribute for each attached Amazon EBS volume to determine whether to preserve or delete the volume.

Below, we can see a diagram of the instance lifecycle:

EC2 Instance Lifecycle

EC2 PLACEMENT GROUPS

Instances can be placed in different places, for example, on the same server or on different servers. Each strategy has its advantages and disadvantages. Placement Groups are used to have control over these strategies. We have the following types:

• Cluster → Used when we want low latency between instances, as it packs instances together inside an Availability Zone. It’s a logical grouping of instances within a single Availability Zone. Useful for Big Data jobs that we must complete quickly, High-Performance Computing Applications, etc. Some advantages are the low network latency and high network throughput, although if there is a hardware failure, all the instances will fail simultaneously.

Cluster Placement Group

• Spread → Strictly places a small group of instances across distinct underlying hardware to reduce correlated failures. So it’s used to minimize the risk of failure, as they are all in different hardware. It is used in critical applications that need high availability. Each rack has its network and power source. Each spread placement group can have a maximum of seven running instances per Availability Zone. For example, in a Region with three Availability Zones, you can run a total of 21 instances in the group, with seven instances in each Availability Zone.

Spread Placement Group

• Partition → Spreads your instances across logical partitions such that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions. Between partitions, instances can fail simultaneously but would not fail in other partitions, as each rack has its network and power source. Large distributed and replicated workloads like Hadoop, Cassandra, and Kafka typically use this strategy.

Partition Placement Group

EC2 ELASTIC NETWORK INTERFACES

Computers in a private network can talk to each other with a private IP, but they need a public IP to communicate externally.

• Public IP → It’s used to identify a machine on the internet. It’s unique; two computers cannot have the same one.
• Private IP → It’s used to identify a machine on a private network. Unique IP in the private network.

It’s important to know that it changes its public IP when you stop and start an instance again. For that reason, Elastic IPs exist, which gives the instance a fixed public IP so that it does not change. The private IP is going to remain the same.

An elastic network interface is a logical networking component in a VPC that represents a virtual network card. It can include the following attributes:

1. A primary private IPv4 address from the IPv4 address range of your VPC.
2. One or more secondary private IPv4 addresses from the IPv4 address range of your VPC.
3. One Elastic IP address (IPv4) per private IPv4 address.
4. One public IPv4 address.
5. One or more IPv6 addresses.
6. One or more security groups.
7. A MAC address.
8. A source/destination check flag.
9. A description.

And this is all about EC2. In the next chapter, we will look at the typical questions that appear in the exam to see if we have understood everything.

Thanks for Reading!

If you like my work and want to support me…

1. You can follow me on Medium here.
2. Feel free to clap if this post is helpful for you! :)
3. More AWS practice exam questions? Find them at FullCertified.com!