EC2
Instances
- Instance Types
  - Defines the virtual HW supporting an EC2 instance
  - 4 dimensions
    - Virtual CPUs
    - Memory
    - Storage (size & type)
    - Network performance
  - Grouped into families based on their vCPU/memory ratio; sizes within a family scale linearly

| Family | Type |
|---|---|
| C4 | Compute optimised |
| R3 | Memory optimised |
| I2 | Storage optimised |
| G2 | GPU-based instances |
- Network Performance
  - Options: LOW, MODERATE, HIGH, ENHANCED NETWORKING (VPC only; enables SR-IOV)
  - Single Root I/O Virtualization (SR-IOV)
    - More packets per second
    - Lower latency
    - Less jitter
Lifecycle
- Bootstrapping
  - Configure instances & install apps when the instance is launched
  - The UserData parameter is passed to the OS and executed at first boot; it is stored unencrypted and is readable by any process on the instance through the metadata service (http://169.254.169.254/latest/user-data), so it must never carry secrets
- Instance Metadata
  - Obtain AWS properties of the instance from the OS without calling AWS APIs
  - HTTP call to http://169.254.169.254/latest/meta-data/ returns the top node of the metadata tree
  - Security caveat: with IMDSv1 a plain GET is enough, so any local process or an SSRF bug in an app on the instance can read the tree, including the IAM role credentials under iam/security-credentials/; IMDSv2 requires a session token obtained with a PUT to /latest/api/token (header X-aws-ec2-metadata-token-ttl-seconds) and presented on every read in X-aws-ec2-metadata-token, and should be enforced per instance with the metadata option HttpTokens=required
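The token handshake described above, as an added example that is not part of the original notes: a stand-in for the metadata service that enforces IMDSv2, plus a client that performs the exchange against it. The paths and header names are the real ones (PUT /latest/api/token, X-aws-ec2-metadata-token-ttl-seconds, X-aws-ec2-metadata-token); the metadata tree, the role name demo-role and the loopback port are constructed for the demo, because the real service only answers at 169.254.169.254 from inside an instance.

```python
"""Added example (not from the original notes): a stand-in for the metadata
service that enforces IMDSv2 session tokens, and a client that performs the
handshake. Paths and header names are the real ones; the metadata tree, the
role name and the loopback port are constructed for the demo."""
import http.server
import secrets
import threading
import time
import urllib.error
import urllib.request

TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"

# Constructed metadata tree standing in for a real instance's properties.
METADATA = {
    "/latest/meta-data/": "iam/\ninstance-id\nlocal-ipv4\n",
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/meta-data/iam/security-credentials/": "demo-role\n",
    "/latest/user-data": "#!/bin/bash\necho 'user data is stored in plaintext'\n",
}

# Bypass any http_proxy in the environment: IMDS traffic must never go via a proxy.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class MockIMDS(http.server.BaseHTTPRequestHandler):
    tokens = {}  # session token -> expiry (epoch seconds), shared across requests

    def log_message(self, *args):  # silence per-request logging
        pass

    def do_PUT(self):
        # Token issuance: fixed path, TTL header mandatory, 1..21600 seconds (6 h max).
        if self.path != "/latest/api/token" or TTL_HDR not in self.headers:
            return self._send(400, "missing or invalid token request")
        try:
            ttl = int(self.headers[TTL_HDR])
        except ValueError:
            return self._send(400, "bad ttl")
        if not 1 <= ttl <= 21600:
            return self._send(400, "ttl out of range")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + ttl
        self._send(200, token)

    def do_GET(self):
        # With HttpTokens=required every read must carry a valid, unexpired token;
        # an IMDSv1-style plain GET (e.g. via SSRF) gets 401 and no data.
        expiry = self.tokens.get(self.headers.get(TOKEN_HDR))
        if expiry is None or expiry < time.time():
            return self._send(401, "Unauthorized")
        body = METADATA.get(self.path)
        if body is None:
            return self._send(404, "Not Found")
        self._send(200, body)

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock_imds():
    """Serve on an ephemeral loopback port in a background thread; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def imds_token(base, ttl=21600):
    """IMDSv2 step 1: PUT with a TTL header; the response body is the session token."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT")
    req.add_header(TTL_HDR, str(ttl))
    with OPENER.open(req, timeout=2) as resp:
        return resp.read().decode()


def imds_get(base, path, token=None):
    """IMDSv2 step 2 (or an IMDSv1 read if token is None); returns (status, body)."""
    req = urllib.request.Request(base + path)
    if token is not None:
        req.add_header(TOKEN_HDR, token)
    try:
        with OPENER.open(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def demo():
    srv, base = start_mock_imds()
    try:
        creds_path = "/latest/meta-data/iam/security-credentials/"
        v1 = imds_get(base, creds_path)                 # no token: rejected
        token = imds_token(base, ttl=60)
        v2 = imds_get(base, creds_path, token)          # token: role listing returned
        user_data = imds_get(base, "/latest/user-data", token)
        short = imds_token(base, ttl=1)                 # tokens really expire
        time.sleep(1.2)
        expired = imds_get(base, creds_path, short)
        return {"v1_status": v1[0], "v2_status": v2[0], "roles": v2[1],
                "user_data": user_data[1], "expired_status": expired[0]}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

On a real instance the same exchange is curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" followed by curl -H "X-aws-ec2-metadata-token: <token>" http://169.254.169.254/latest/meta-data/, and the v1 path is closed per instance with aws ec2 modify-instance-metadata-options --http-tokens required.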
First Launch

| OS | Process |
|---|---|
| Linux | The public key of the key pair chosen at launch is written to ~/.ssh/authorized_keys of the default user (e.g. ec2-user on Amazon Linux); log in as ec2-user@<public-dns> with the matching private key |
| Windows | A random password is generated for the local Administrator and encrypted with the key pair's public key; fetch the ciphertext with aws ec2 get-password-data (or the console), decrypt it with the private key (--priv-launch-key), then log in via RDP |
Modify Instance after Launch

| Change | How-To |
|---|---|
| Instance Type | Change to a different size: STOP -> Change Type -> START (only EBS-backed instances can be stopped, so instance-store-backed instances can't be resized this way) |
| Security Groups | Can be attached to / detached from a running instance in a VPC; the change takes effect immediately |
- VM Import/Export
  - Can only export previously imported EC2 instances
  - Instances launched within AWS from AMIs cannot be exported
- Termination Protection
  - When the state is Terminated, the instance is shut down & removed
  - Protection = API calls to terminate the instance fail until the protection is disabled (disableApiTermination attribute)
  - Does NOT prevent termination from:
    - OS shutdown, when the instance's shutdown behaviour is set to terminate
    - Auto Scaling group scale-in
    - Spot instance interruption
Provisioning Options
Pricing
- ON-DEMAND
  - No up-front commitment
  - Least cost effective
- RESERVED
  - Capacity reservation for predictable workloads
  - Save up to 75% over ON-DEMAND
  - Cost depends on the term commitment and the payment option (all/partial/no upfront)
  - Specify instance type + AZ
  - Can change (without fee)
    - AZ within the same region
    - EC2-VPC <-> EC2-Classic
    - Instance type within the same family (Linux only)
- SPOT
  - Workloads that are NOT time critical & tolerant of interruption
  - Specify the maximum price you are willing to pay for an instance type (the bid)
  - When BID > current spot price → you receive the instance
  - Runs until
    - You terminate it
    - Spot price > BID (2 minute warning)
    - AWS runs out of unused capacity
  - If AWS interrupts it within the first hour → $0 for that hour; otherwise charged by the second for the time used
Tenancy
- Shared Tenancy
  - Default model
  - One host may house instances from different customers
  - Each instance is still fully isolated from the others by the hypervisor
- Dedicated Instances (DI)
  - Run in a VPC on HW that is dedicated to a single customer
  - Physically isolated at the host HW level from instances belonging to other AWS accounts
  - May share HW with other instances from the same AWS account that are not DI
- Dedicated Hosts (DH)
  - Physical server fully dedicated to a customer
  - Gives additional visibility and control over how instances are placed on the physical server
  - Instances can be consistently deployed to the same physical server over time
  - Allows use of existing server-bound software licences and addresses corporate compliance and regulatory requirements
- DI vs DH
  - DI are charged per instance; DH per host
  - A DI may land on ANY hardware dedicated to the account; a DH is one specific, identifiable server that you place instances on

| Feature | DI | DH |
|---|---|---|
| Use dedicated physical servers | X | X |
| Per instance billing | X | |
| Per host billing | | X |
| Visibility of sockets, cores, host ID | | X |
| Affinity between host and instance | | X |
| Targeted instance placement | | X |
| Automatic instance placement | X | X |
| Add capacity using an allocation request | | X |
- Placement Group
  - Logical grouping of instances used to influence EC2 placement within a region for performance or resilience (a cluster group stays inside one AZ; spread and partition groups can span AZs)
  - EC2 Cluster Placement Group
    - Instances in the same rack (single AZ)
    - For workloads where most traffic flows between group nodes
    - Non-blocking, no oversubscription
    - High throughput, low latency
    - Not designed for resilience (a rack failure takes out the whole group)
    - Enhanced Networking
      - Elastic Network Adapter (ENA) requires Enhanced Networking to be enabled on the instance; the instances then share a high-bandwidth (10 Gbps and up) network fabric
      - Elastic Fabric Adapter (EFA) is an ENA with added capabilities (OS-bypass for HPC/ML traffic) and benefits from Cluster Placement Groups
  - EC2 Partition Placement Group
    - Partition = set of racks; partitions do not share racks
    - Distributed + replicated workloads
    - Can span multiple AZs
    - Designed for performance and resilience
  - EC2 Spread Placement Group
    - Each instance on its own rack; can span multiple AZs
    - Small numbers of critical instances that must be kept separate (max 7 running instances per AZ per group)
    - Designed for guaranteed resilience
Connectivity
- Security Groups
  - Types
    - EC2-Classic = control INCOMING traffic only
    - VPC = control INCOMING & OUTGOING traffic
  - Default DENY = traffic that is not explicitly allowed by a rule is dropped (RULE = PROTOCOL + SRC/DST + PORT RANGE); security groups hold allow rules only, there are no deny rules (use network ACLs for explicit denies)
  - STATEFUL FIREWALL = an outgoing connection is remembered so that its response traffic is allowed back in without an explicit inbound rule, and an allowed inbound connection's replies are allowed out without an outbound rule
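The default-deny, allow-only, stateful behaviour described above, as an added example that is not part of the original notes: a small simulator of VPC security-group semantics with a connection table. The rule set, addresses and packet sequence are constructed for the demo; egress is deliberately locked down to HTTPS so that the reply packets only pass because of state, not because of a rule.

```python
"""Added example (not from the original notes): a simulator of VPC security
group semantics: allow rules only, default deny for anything unmatched, and
stateful tracking so that reply traffic of an admitted flow is accepted in the
opposite direction without its own rule. Rules, addresses and packets are
constructed for the demo."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out"
    proto: str       # "tcp", "udp", "icmp"
    port_from: int   # port range of the side being connected to
    port_to: int
    cidr: str        # remote side: source for "in" rules, destination for "out" rules


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the instance
    proto: str
    remote_ip: str   # the other endpoint
    remote_port: int
    local_port: int


class SecurityGroup:
    """Default-deny, allow-only, stateful filter."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()  # connection table of flows already admitted

    @staticmethod
    def _flow_key(pkt):
        # A reply has the same 4-tuple travelling the other way, so the key
        # deliberately ignores direction.
        return (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)

    def _rule_allows(self, pkt):
        # Rules constrain the port of the side being connected to: the local
        # port for inbound rules, the remote port for outbound rules.
        port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
        addr = ipaddress.ip_address(pkt.remote_ip)
        return any(
            rule.direction == pkt.direction
            and rule.proto == pkt.proto
            and rule.port_from <= port <= rule.port_to
            and addr in ipaddress.ip_network(rule.cidr)
            for rule in self.rules
        )

    def evaluate(self, pkt):
        """Return 'ALLOW (state)', 'ALLOW (rule)' or 'DENY' for one packet."""
        key = self._flow_key(pkt)
        if key in self.flows:
            return "ALLOW (state)"        # reply of an admitted flow
        if self._rule_allows(pkt):
            self.flows.add(key)           # remember the flow for its replies
            return "ALLOW (rule)"
        return "DENY"                     # default deny: no rule, no tracked flow


def demo():
    sg = SecurityGroup([
        Rule("in", "tcp", 443, 443, "0.0.0.0/0"),    # public HTTPS listener
        Rule("in", "tcp", 22, 22, "10.0.0.0/8"),     # SSH only from the corporate range
        Rule("out", "tcp", 443, 443, "0.0.0.0/0"),   # locked-down egress: HTTPS only
    ])
    packets = [
        ("client SYN to 443",    Packet("in",  "tcp", "203.0.113.7",  51000, 443)),
        ("reply to client",      Packet("out", "tcp", "203.0.113.7",  51000, 443)),
        ("instance calls API",   Packet("out", "tcp", "198.51.100.9", 443,   40001)),
        ("API reply",            Packet("in",  "tcp", "198.51.100.9", 443,   40001)),
        ("SSH from internet",    Packet("in",  "tcp", "203.0.113.7",  52000, 22)),
        ("SSH from corporate",   Packet("in",  "tcp", "10.20.30.40",  52001, 22)),
        ("unsolicited in 8080",  Packet("in",  "tcp", "198.51.100.9", 9000,  8080)),
        ("instance egress 8080", Packet("out", "tcp", "198.51.100.9", 8080,  40002)),
    ]
    return {label: sg.evaluate(pkt) for label, pkt in packets}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:22} {verdict}")
```

The two "reply" packets would be dropped by the rules alone (no outbound rule for port 51000, no inbound rule for port 40001); they pass only because the first packet of each flow was admitted and recorded, which is exactly the difference between a security group and a stateless network ACL.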
Addressing

| Type | Notes |
|---|---|
| Public DNS name | Created automatically at launch; resolves to the public IP from outside and to the private IP from inside the VPC; exists only while the instance is running (lost on stop); can't be transferred |
| Public IP | Assigned from Amazon's pool and can't be chosen; exists only while the instance is running (released on stop); can't be transferred |
| Elastic IP | Reserved independently & associated with an instance; persists until released (billed hourly while not associated with a running instance); can be moved between instances |
Key Pairs
- Delete key
  - Deleting a key pair in the console only removes AWS's copy of the public key; it is not removed from running instances (the public key is still in ~/.ssh/authorized_keys and still listed under public-keys/ in the instance metadata), so anyone holding the private key can log in until the entry is removed on the instance itself
- Change the key of an already provisioned EC2
  - Take a snapshot of the instance and deploy it as a new instance (Actions > Create AMI Image > Launch a new instance from the image > Create new key pair)
  - This appends the new public key to authorized_keys; the original key is kept, so login with the old key still works unless its line is removed from the file
- Key management
  - You cannot use KMS to hold SSH keys for EC2 (KMS keys are not exportable)
  - You can use CloudHSM (keys can be exported from it)
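Since both the key deletion and the key change above leave the old public key in authorized_keys, the revocation has to happen on the instance. The following is an added example, not code from the original notes: it parses authorized_keys lines (including option-prefixed ones), identifies keys by their OpenSSH SHA256 fingerprint, drops the retired key and appends the replacement once. The three keys and the sample file are constructed placeholders, not real keys.

```python
"""Added example (not from the original notes): revoking a key pair on the
instance itself by rewriting ~/.ssh/authorized_keys. Keys are matched by
OpenSSH SHA256 fingerprint; the retired key is dropped (every copy of it,
option-prefixed or not) and the replacement is added exactly once. The keys
and the file contents below are constructed placeholders."""
import base64
import hashlib

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _fake_ed25519(raw32):
    """Build a syntactically valid ssh-ed25519 public key from 32 bytes (test data only)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def parse_line(line):
    """Return (options, keytype, b64, comment) for a key line, None for blank/comment lines.
    Option strings containing quoted spaces (command="a b") are not handled."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = "", line.split(None, 2)
    else:
        options, *rest = line.split(None, 3)
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        return None
    comment = rest[2] if len(rest) > 2 else ""
    return options, rest[0], rest[1], comment


def fingerprint(b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped, as ssh-keygen -l prints it)."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rotate(authorized_keys_text, retire_fp, new_key_line):
    """Drop every entry whose fingerprint is retire_fp, add new_key_line if absent.
    Returns (new_text, removed_count). Comments and blank lines pass through."""
    new_parsed = parse_line(new_key_line)
    if new_parsed is None:
        raise ValueError("replacement key is not a valid authorized_keys entry")
    new_fp = fingerprint(new_parsed[2])
    kept, removed, present = [], 0, False
    for line in authorized_keys_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            kept.append(line)
            continue
        fp = fingerprint(parsed[2])
        if fp == retire_fp:
            removed += 1          # option-prefixed copies of the same key go too
            continue
        present = present or fp == new_fp
        kept.append(line)
    if not present:
        kept.append(new_key_line.strip())
    return "\n".join(kept) + "\n", removed


OLD_KEY = _fake_ed25519(bytes(range(32)))       # constructed: the key pair chosen at launch
NEW_KEY = _fake_ed25519(bytes(range(32, 64)))   # constructed: its replacement
OTHER_KEY = _fake_ed25519(bytes(32))            # constructed: an unrelated break-glass key

SAMPLE_AUTHORIZED_KEYS = f"""# installed by cloud-init at first boot
{OLD_KEY} launch-keypair
from="10.0.0.0/8",no-pty {OLD_KEY} launch-keypair-restricted
{OTHER_KEY} ops-breakglass
"""


def demo():
    """Retire OLD_KEY and install NEW_KEY; returns (new_file_text, removed_count)."""
    return rotate(SAMPLE_AUTHORIZED_KEYS, fingerprint(OLD_KEY.split()[1]), NEW_KEY + " rotated")


if __name__ == "__main__":
    text, removed = demo()
    print(f"removed {removed} entries:\n{text}")
```

The fingerprint to retire is the one ssh-keygen -lf prints for the old key pair's public key, so the script can be driven from the key pair's fingerprint rather than from a copy of the key material; running it a second time changes nothing.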
- Instance Connect
  - Pushes a one-time SSH public key to the instance through the EC2 API (ec2-instance-connect:SendSSHPublicKey); the key is valid for 60 seconds, so no long-lived keys need to be distributed
  - Gives
    - Central key management
    - Short-lived keys
    - An additional audit trail
  - SSH access is controlled with IAM policies and every key push is recorded as a CloudTrail event
  - Still plain SSH on the instance side: port 22 must be reachable from the client (or from an EC2 Instance Connect Endpoint) and the security group must allow it
  - Similar to SSM Session Manager, but Session Manager can't cover every situation people use SSH for
Storage
- Instance Store
  - Ephemeral block-level storage on disks physically attached to the host (SSD or HDD, not RAM)
  - Ideal for
    - Temporary storage that changes frequently (buffers, caches)
    - Data replicated across instances (load-balanced web servers)
  - Data lost when
    - The disk drive fails
    - The instance stops (it persists across a reboot)
    - The instance terminates
  - Instance maximums: up to 160,000 IOPS and 4,750 MB/s across multiple volumes
- EBS: see Other Storage Types
AWS Hypervisors
- Older instance types run on the Xen hypervisor; current generations run on the Nitro hypervisor (KVM-based, with networking and storage offloaded to dedicated Nitro cards)
- Xen can run a guest OS as either:
  - Hardware Virtual Machine (HVM)
    - Guests are fully virtualised
    - The VMs on top of the hypervisor are not aware that they share processing time with other VMs
    - Windows EC2 instances can only be HVM; Linux can be HVM or PV
  - Paravirtualization (PV)
    - Lighter form of virtualisation
    - Guests rely on the hypervisor to provide support for operations that normally require privileged access; the guest OS has no elevated access to the CPU
    - The guest kernel runs in ring 1 (the hypervisor keeps ring 0)
