EC2

Instances

Instance Types
  • Defines the virtual HW supporting EC2
  • 4 dimensions
    • Virtual CPUs
    • Memory
    • Storage (size & type)
    • Network performance
  • Grouped into families based on their vCPU:memory ratio (sizes within a family scale linearly)
  Family   Type
  C4       Compute Optimised
  R3       Memory Optimised
  I2       Storage Optimised
  G2       GPU-Based Instances
Network Performance
  • Options
    • LOW
    • MODERATE
    • HIGH
    • ENHANCED NETWORKING (only in VPC + enables SR-IOV)
  • Single Root I/O Virtualization (SR-IOV)
    • more packets per second
    • lower latency
    • less jitter

Lifecycle

Bootstrapping
  • Configure instances & install apps when instance is launched
  • Parameter UserData passed to the OS to be executed at 1st boot (stored unencrypted)
Instance Metadata
  • Obtain AWS properties of the instance from the OS without calling AWS APIs
  • HTTP call to http://169.254.169.254/latest/meta-data/ returns the top node of the metadata tree
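The metadata tree walk described above, as an added example (not code from the original notes): walk() lists the tree recursively through any get(path) callable, so it runs offline against a constructed tree, while imds_get() is a real getter that first obtains an IMDSv2 session token. IMDSv2 is an assumption beyond the notes; requiring the token is what stops the metadata service answering plain GETs relayed through a vulnerable app on the instance.

```python
import urllib.request
from typing import Callable, Dict

IMDS = "http://169.254.169.254"


def imds_get(token_ttl: int = 21600) -> Callable[[str], str]:
    """Getter bound to a fresh IMDSv2 session token (only works on an instance)."""
    req = urllib.request.Request(IMDS + "/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": str(token_ttl)})
    token = urllib.request.urlopen(req, timeout=2).read().decode()

    def get(path: str) -> str:
        r = urllib.request.Request(IMDS + path, headers={"X-aws-ec2-metadata-token": token})
        return urllib.request.urlopen(r, timeout=2).read().decode()
    return get


def walk(get: Callable[[str], str], path: str = "/latest/meta-data/") -> Dict[str, str]:
    """Resolve every leaf below `path`: a listing is one entry per line and
    entries ending in '/' are sub-trees (public-keys/ lists as 'index=name'
    and is not special-cased here)."""
    leaves: Dict[str, str] = {}
    for entry in get(path).splitlines():
        if not entry:
            continue
        child = path + entry
        if entry.endswith("/"):
            leaves.update(walk(get, child))
        else:
            leaves[child] = get(child)
    return leaves


# Constructed stand-in for the live tree; every value here is made up.
CONSTRUCTED_TREE = {
    "/latest/meta-data/": "ami-id\nhostname\nplacement/\n",
    "/latest/meta-data/ami-id": "ami-0123456789abcdef0",
    "/latest/meta-data/hostname": "ip-10-0-0-12.ec2.internal",
    "/latest/meta-data/placement/": "availability-zone\n",
    "/latest/meta-data/placement/availability-zone": "us-east-1a",
}


def walk_constructed() -> Dict[str, str]:
    """Offline run of walk() over the constructed tree."""
    return walk(CONSTRUCTED_TREE.__getitem__)


if __name__ == "__main__":
    # On a real instance: for k, v in walk(imds_get()).items(): ...
    for k, v in walk_constructed().items():
        print(k, "=", v)
```

Anything readable through this tree (user data included) is readable by every process on the instance, which is why the notes' "stored unencrypted" remark on UserData matters.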

First Launch

OS Process
Linux
Windows
  • Random password generated for the local admin
  • Then encrypted with the public key
  • Decrypted password used to login via RDP

Modify Instance after Launch

Change How-To
Instance Type
  • Change to different size
  • To resize = STOP -> Change Type -> Restart
Security Groups
  • Only if in VPC
VM Import/Export
  • Can only export previously imported EC2 instances
  • Instances launched within AWS from AMIs cannot be exported
Termination Protection
  • When state is Terminated, the instance is shut down & removed
  • Protection = calls to terminate the instance will fail until the protection is disabled
  • Does NOT prevent termination from:
    • OS shutdown
    • Autoscaling group
    • Spot instance

Provisioning Options

Pricing

Pricing Description
ON-DEMAND
  • No up-front commitment
  • Least cost effective
RESERVED
  • Capacity reservations for predictable workloads
  • Save up to 75% over ON-DEMAND
  • Cost of reservation = COMMITMENT * PAYMENT OPTION (all/partial/no upfront)
  • Specify: instance type + AZ
  • Can change (w/o fee)
    • AZ in same region
    • EC2-VPC <-> EC2-Classic
    • Instance type within same family (Linux only)
SPOT
  • Workloads NOT time critical & tolerant of interruption
  • Specify the price you are willing to pay for an instance type
  • When BID > current spot price → receive instance
  • Runs until
    • You terminate it
    • spot price > BID (2 min warning)
    • AWS out of unused capacity
  • If AWS terminates it before 1h -> $0, otherwise charged by the second after 1h

Tenancy

Shared Tenancy
  • Default model
  • 1 host may house instances from different customers
  • Each instance is still fully isolated from the others
Dedicated Instances (DI)
  • Run in a VPC on HW that is dedicated to a single customer
  • Physically isolated at the host HW level from instances belonging to other AWS accounts
  • May share HW with other instances from the same AWS account that are not DI
Dedicated Hosts (DH)
  • Physical server fully dedicated to a customer
  • Gives additional visibility and control over how instances are placed on a physical server
  • You can consistently deploy your instances to the same physical server over time
  • Enables use of existing server-bound software licenses and addresses corporate compliance and regulatory requirements
DI vs DH
  • DI are charged by the instance / DH by the host
  • DH differs from DI: a DI can launch on ANY HW dedicated to the account, whereas a DH is one specific physical server
  Feature                                    DI   DH
  Use dedicated physical servers             X    X
  Per instance billing                       X
  Per host billing                                X
  Visibility of sockets, cores, host ID           X
  Affinity between host and instance              X
  Targeted instance placement                     X
  Automatic instance placement               X    X
  Add capacity using an allocation request        X
Placement Group
  • Logical grouping of instances within a single AZ
  • Designed to influence EC2 instance placement within the region for performance
Grouping Description
EC2 Cluster Placement Group
  • EC2 in same rack (same AZ)
  • Majority of traffic between group nodes
  • No blocking, no oversubscription
  • High throughput, Low latency
  • Not designed for resilience
  • Enhanced Networking
    • Elastic Network Adapters (ENA) require Enhanced Networking to be enabled on the instance → apps share a 10 Gbps network
    • Elastic Fabric Adapter (EFA) is an ENA with added capabilities, and benefits from Cluster Placement Groups
EC2 Partition Placement Group
  • Partition = set of racks
  • Distributed + Replicated workloads
  • Can span multiple AZ
  • Designed for performance and resilience
EC2 Spread Placement Group
  • Each instance = separate rack → can span multiple AZ
  • Critical instances that must be kept separate
  • Designed for guaranteed resilience

Connectivity

Security Groups
  • Types
    • EC2 = control OUTGOING traffic
    • VPC = control OUTGOING & INCOMING traffic
  • Default DENY = does not allow traffic which is not explicitly allowed by a rule (RULE = PROTOCOL + SRC/DST + PORT)
  • STATEFUL FIREWALL = outgoing message is remembered so that the response is allowed without an explicit inbound rule
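The three properties above (default deny, RULE = PROTOCOL + SRC/DST + PORT, stateful return traffic) modelled as a toy evaluator. This is an added example, not the original notes' content and not AWS's implementation; it mirrors a VPC security group with both inbound and outbound rules and a flow table for connection tracking.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """RULE = PROTOCOL + SRC/DST + PORT range ("-1" = any protocol)."""
    protocol: str
    cidr: str          # source for inbound rules, destination for outbound
    from_port: int = 0
    to_port: int = 65535

    def matches(self, protocol: str, addr: str, port: int) -> bool:
        return (self.protocol in ("-1", protocol)
                and ip_address(addr) in ip_network(self.cidr)
                and self.from_port <= port <= self.to_port)


@dataclass
class SecurityGroup:
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)
    # connection tracking: (proto, peer addr, peer port, local port) of allowed outbound flows
    flows: Set[Tuple[str, str, int, int]] = field(default_factory=set)

    def outbound_packet(self, proto: str, dst: str, dst_port: int, src_port: int) -> bool:
        """Leaving the instance: needs an explicit outbound rule (default deny)."""
        if any(r.matches(proto, dst, dst_port) for r in self.outbound):
            self.flows.add((proto, dst, dst_port, src_port))  # remember the flow
            return True
        return False

    def inbound_packet(self, proto: str, src: str, src_port: int, dst_port: int) -> bool:
        """Arriving: an inbound rule, or a reply to a remembered flow (stateful)."""
        if (proto, src, src_port, dst_port) in self.flows:
            return True
        return any(r.matches(proto, src, dst_port) for r in self.inbound)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (ssh_in, https_out, https_reply, unsolicited_in) for a constructed group."""
    sg = SecurityGroup(inbound=[Rule("tcp", "0.0.0.0/0", 443, 443)],
                       outbound=[Rule("tcp", "0.0.0.0/0", 443, 443)])
    ssh_in = sg.inbound_packet("tcp", "198.51.100.7", 51515, 22)        # no rule: denied
    https_out = sg.outbound_packet("tcp", "203.0.113.10", 443, 40001)   # explicit rule: allowed
    https_reply = sg.inbound_packet("tcp", "203.0.113.10", 443, 40001)  # no inbound rule, stateful
    unsolicited = sg.inbound_packet("tcp", "203.0.113.10", 443, 40002)  # same peer, no flow: denied
    return ssh_in, https_out, https_reply, unsolicited
```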

Addressing

Type Notes
Public DNS Name
  • Created automatically at launch
  • Persists only when VM is running
  • Can't be transferred
Public IP
  • Can't be specified
  • Persists only when VM is running
  • Can't be transferred
Elastic IP
  • Reserved independently & associated with an EC2
  • Persists until released (billed hourly when not associated with an instance)
  • Can be transferred

Key Pairs

Use Case Description
Delete key
  • When you delete a key in the console, it doesn't get deleted from running EC2 instances (it is still in the instance metadata)
Change a key to an already provisioned EC2
  • Take a snapshot of the EC2 instance and then deploy it as a new instance (Actions > Create AMI Image > Launch a new instance from the image > Create new key pair)
  • This appends a new public key to the authorized_keys file; the original key is kept
  • Still able to log in with the old key
Key management
  • You cannot use KMS with SSH for EC2
  • You can use CloudHSM (because you can export keys from it)
Instance Connect
  • Provides a way to get SSH keys for EC2s, which allows for:
    • key management
    • short-lived keys
    • additional audit trail
  • You can control SSH access to your instances using AWS IAM policies as well as audit connection requests with AWS CloudTrail events
  • Similar to SSM Session Manager, but Session Manager can't be used for all of the situations people use SSH for
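Because a key deleted in the console stays in authorized_keys, and creating a new key pair only appends to that file (the "Delete key" and "Change a key" rows above), the check a defender wants is an audit of the file against the key pairs still approved. Added example, not from the original notes: it parses authorized_keys lines (options prefix included), computes the OpenSSH-style SHA256 fingerprint, and lists keys no longer in the approved set; the key blobs below are constructed bytes, not real keys.

```python
import base64
import hashlib
from typing import Dict, List, Tuple

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (keytype, base64 blob, comment) per key line; an options field may precede the type."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # not a key line we understand; skip rather than guess
        keys.append((fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])))
    return keys


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def stale_keys(text: str, approved: Dict[str, str]) -> List[str]:
    """Comments of keys whose fingerprint is not in `approved` (fingerprint -> key pair name)."""
    return [c for _, blob, c in parse_authorized_keys(text) if fingerprint(blob) not in approved]


# Constructed sample file: blobs are base64 of arbitrary bytes, not real public keys.
OLD_BLOB = base64.b64encode(b"constructed-old-key-blob").decode()
NEW_BLOB = base64.b64encode(b"constructed-new-key-blob").decode()
SAMPLE = (
    "# keys appended over time\n"
    f"ssh-ed25519 {OLD_BLOB} old-key-2019\n"
    f'from="10.0.0.0/8" ssh-ed25519 {NEW_BLOB} new-key-2024\n'
)


def demo() -> List[str]:
    """Only the 2024 pair still exists in the console, so the 2019 key is reported as stale."""
    approved = {fingerprint(NEW_BLOB): "new-key-2024"}
    return stale_keys(SAMPLE, approved)


if __name__ == "__main__":
    print("stale keys:", demo())
```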

Storage

Storage Type Description
Instance Store
  • Ephemeral Block-Level Storage (in RAM)
  • Located on disks physically attached to the host
  • Ideal for
    • Temporary storage that changes frequently (buffers, caches)
    • Or data replicated across instances (load balanced web servers)
  • Data lost when
    • Disk drive fails
    • Instance Stops (persists if rebooted)
    • Instance Terminates
  • Instance maximums
    • Up to 160,000 IOPS across multiple volumes
    • 4750 MB/s across multiple volumes
EBS: see Other Storage Types

AWS Hypervisors

  • EC2 runs on Xen Hypervisors
  • XEN can have guest OS running either as:
Hardware Virtual Machine (HVM)
  • Guests are fully virtualized
  • The VMs on top of the hypervisors are not aware that they are sharing processing times with other VMs
  • Windows EC2 instances can only be HVM, whereas Linux can be both HVM and PV
Paravirtualization (PV)
  • Lighter form of virtualization
  • Guests rely on the hypervisor to provide support for operations that normally require privileged access; the guest OS has no elevated access to the CPU
  • Instances run in ring 1