EC2 Flashcards
An EC2 Instance in stopped state will still be charged for ??
- Storage
- Network(free, except for EiP)
An EC2 Instance in
Running state is charged for??
- memory
- storage
- Network
- CPU
Install Stress utility
$sudo yum install stress -y
To run
$ stress -c 1 -t 3600
Options
-t [timeout]
-c [CPUs]
CHMOD 400
For restricting access to our .pem file to master user Only. Before $ chmod 400 xyz.pem file is available to all users in the local Host
Block Storage Structure
Block storage has no in-built structure,it’s just a Collection of Uniquely Addressable blocks. Its up to the OS to create a file system
EC2 Family
- Compute Optimized
- Memory Optimized
- Storage Optimized
- General Purpose
- Accelerated Computing
EC2 Instane Type
EBS
Whenever a block storage is attached to an EC2, ec2 creates a FileSystem on it, such as ext3, ext4,NTFS or XFS
EBS Life Expectancy
EBS volumes are detached and Persistent. They are resilient to an AZ. LifeCycle is not Linked to any Instance.
Can be Backed up into S3 as a Snapshot. Now Making EBS a regional storage.
GP2 Use Case
- Boot volumes,
- low-latency interactive apps,
- dev & test
GP3 Use Case
Way fastre (3000 IOPS-16,000)IOPS
- Virtual desktops,
- medium sized single instance databases such as MSSQL Server and Oracle DB,
- low-latency interactive apps,
- dev & test,
- boot volumes
io1,io2
- With io1/2/BlockExpress OPS can be adjusted Independently of size..
- io1 5010PS/GB (MAX)
- io2 50010PS/GB (MAX)
- BlockExpress 100010PS/GB (MAX)
- 4 GB-16 TB i01/2
- 4 GB-64 TB BlockExpress
EC2 Lifecycle
STOP
- Host is changed,
- Public ipv4 address will change to that of a new host.
- Instance Store is lost
Instance RESTART
- Host and Instance store persist
EBS Encryption on storage vs on memory
When an EBS is encrypted, the data stored on the EBS is the cyphertext version, only the MAIN memory sees the Plain-Text
DEK and Snapshots Lifecycle
When KMS encryption is enabled on an EBS, a new DEK is issued, and that DEK is linked to the lifespan of the Volume and all its descendants (subsequent snapshots and its copies). Encryption cannot be removed.
Encryption transfer over new volumes
Every new volume uses a new unique encryption key
Ec2 instance dns
EC2 instance dns (eg ec2-10-16-121-83.compute1.amazon.com) resolves to the ip address on the ENI of the ec2 instance. So does the Public ipv4 address.
Ec2 encryption level
Ec2 encryption happens at the host level. This is usually between the Host and the EBS. The ec2 so is just granted the decryption keys (DEK) in other to see the plaintext.
ENI and private ipv4 behavior during shutdown or termination.
The private ip address of an instance is actually attached to the ENI of the instance. Once the instance is shutdown or Terminated, that ENI is moved to a new host(out of our scope). Launching a new instance would mean collecting a new ENI which is linked to a subnet and a particular Vgc, hence, a new private ipv4
Licensing
Licensing is usually done on a MAC Address. And the MAC address is usually embedded on the ENI. Therefore, for secondary ENIs(which can always be moved between instances), the License can be moved from one instance to the other.
Security group resident
Security group is usually a setting attached to an ENI and not the instance, more than one instance can reference a single security group.
Public/Private IPv4 NATting
Public IPv4 is controlled and manipulated by the Internet gateway. It is resolved by the gateway, the instance/ENI are not aware of the public IPv4.
Direct IPv4 targeted applications.
For ip specific interactions, multiple security groups might need to be created for each of the IP Addresses to be targeted.
Ec2 DNS hostname resolution
Within the vpc, the instance dns Hostname resolves to the private ip, outside the vpc, the IPv4 dns resolves to a public IPv4
EIP
In order to maintain a registered dns Name on an ec2 through change of underlying hosts, use the EIP. EIP can be re-associated with any IPv4 address.
AMI modification
Ami cannot be edited.
You would have to Launch an instance, update the settings you want to update, and then, create a. Ew ami
AMI ownership
AMI can be Private, Public, or Shared by explicitly granting access to another AWS identity
AMI Pricing
Ami is billed to the storage cost of the AMI IT HOLDS
AMI on running Instance
Always stop instance before creating AMI for best results
move an ec2 instance from a private subnet to a public subnet
It’s not possible to move an existing instance to another subnet, Availability Zone, or VPC. Instead, you can create a new Amazon Machine Image (AMI) from the source instance to manually migrate the instance. Next, use the new AMI to launch a new instance in the desired subnet, Availability Zone, or VPC.
When you stop an instance
When you stop an instance, the instance shuts down. When you start an instance, the instance is typically migrated to a new underlying host computer and assigned a new public IPv4 address. Private ipv4 is intact
What changes when you stop an EC2 instance?
When an instance stops,
When you stop a running Amazon EC2 instance, several changes occur. Here are the possible changes:
- Instance State: The instance state changes from “running” to “stopped.”
- Public IP: If your instance has a public IP address associated with it, the public IP address is released when the instance is stopped. When you start the instance again, it may get a different public IP address.
- Elastic IP: If you have associated an Elastic IP address with the instance, the Elastic IP remains associated with the instance even when it’s stopped.
- Internal/Private IP: The internal or private IP address of the instance remains the same when the instance is stopped.
- CPU and Memory: The instance’s CPU and memory usage drop to zero while it’s stopped.
- Data on Instance Store Volumes: If your instance has instance store volumes (ephemeral storage) attached to it, the data on those volumes is lost when the instance is stopped. Instance store volumes are not designed for long-term data storage.
- Data on EBS Volumes: If your instance has Amazon Elastic Block Store (EBS) volumes attached to it, the data on those volumes is preserved when the instance is stopped. EBS volumes are designed for persistent data storage.
- Billing: You are not billed for the instance’s running time when it’s stopped. However, you are still charged for the storage associated with the instance, such as EBS volumes or EFS file systems.
- Instance Metadata: The instance metadata remains available even when the instance is stopped.
- Lifecycle Hooks: If you have configured lifecycle hooks for the instance, they may be triggered when the instance is stopped or the state changes.
- Auto Scaling: If the instance is part of an Auto Scaling group, the Auto Scaling group may launch a new instance to replace the stopped instance based on its configuration.
It’s important to note that stopping an instance is different from terminating it. When you stop an instance, you can start it again later, and it retains its configuration and associated resources.
- It loses the data stored on the instance RAM.
- It loses the assigned public IPv4 address
- if an Elastic IP address is not associated with the instance.
- It retains assigned private IPv4 addresses, Elastic IP addresses associated with the instance, any IPv6 addresses, and any attached Amazon EBS volumes and the data on those volumes.
AMI Copy
AMI can be copied from one region to another, however, the new AMI is a brand New AMI. It carries a brand new AMI ID, permissions are not transferred.
However, in Sharing AMI directly with a trusted account, receiving identity can be granted express permissions.
Note from AWS
You use a shared AMI at your own risk. Amazon can’t vouch for the integrity or security of AMIs shared by other Amazon EC2 users. Therefore, you should treat shared AMIs as you would any foreign code that you might consider deploying in your own data center, and perform the appropriate due diligence. We recommend that you get an AMI from a trusted source, such as a verified provider.
Ec2 instance Check
Check 1/2: System Check
- Loss of System Power
- Loss of network Connectivity
- Host software issues
- Host hardware issues
Check 2/2: Instance Check
- Corrupted file system
- Incorrect Instance Networking
- OS Kernel Issues
Ec2 Instance check Troubleshooting
- Stop/Terminate and Start instance Manually
- Ec2 Auto Recovery(move instance to a new Host, all instance components(ipv4,softwares and settings, etc) preserved.
Ec2 Recovery
Using Cloudwatch Alarm to trigger Automatic actions on an ec2( Reboot, Restart, Shutdown, Terminate, Stop).
This is dependent on the availability of Host Capacity in that AZ
Ec2 Recovery Cons
Caveat: not effective against Az failure
Does not work on Instance stores Volume
Not supported by all types on instance
Instance Termination Protection
Require express permissions to Terminate instance API call.
Role separation for enable Termination and Disable Termination is highly recommended in Production Workloads
Ec2 Vertical Scaling
Definition: Resizing the Instance
Notes
- There must be downtime
- Scale only during Outage window or agreed Schedule
Ec2 Horizontal Scaling
Definition: Smaller redundant copies of Instances sharing the Load
**Features: **
Requires Off-Host Sessions (a node dedicated to keeping and providing session data)
Server is stateless
No Scaling Limit(infinite)
Less Expensive
Allows for more granular scaling
Instance metaData Authentication
Has no Authentication, it is not encrypted
Ec2 Instance Metadata
EC2 Service that provides instance data to users and services as needed
Features:
* Accessible inside ALL instances
*http://169.254.169.254
* Environment
* Networking(Passing SSH keys bts of instance connect)
* Authentication(eg, assume role temporary credentials).
* User-Data
* NOT AUTHENTICATED or ENCRYPTED
Detaching primary ENI
Eth0 Can Not be detached
Move ENI
Move ENI, secondary Private IP, Security group , and Elastic IP moves too
Multiple routes to Ec2 instance
This is possible by attaching more ENIs to the ec2, each with its security group
Instance Connect vs Cloudshell
EC2 Instance Connect is most useful for connecting to existing EC2 instances via SSH while CloudShell is most useful for running AWS CLI commands and general purpose scripting.
Cloudwatch Agent Log group name
Logstream will be named after the instance ID
Cluster Placement and EC2 Host
All Instances within a cluster group are most likely running on the same host.
All Instances in a cluster placement are directly connected together in an upto 10GB/s bandwidth for single Stream data transfer rate against the normal 5GBps of normal bandwidth
Single Az,
Subsequent instances follow suit with the AZ of the first instance
EC2 Placement Groups
Cluster - Pack instances close together
*Spread - Keep instances separated
* Partition - groups of instances spread apart
Cluster Placement Latency
Lowest possible inter-instance Latency
Max packets per session(PPS)
This speed is proportional to the Instance in use
High performance Networking instances
Enhanced Networking enabled
Instance connect. /var/log
EC2 Logs for diagnostics, most especial user data installations
/var/log
in this directory are log files
use
~ sudo cat var/log/FileName
Key files
- /cloud-init-output - General bootstrap logs.
- /cfn-init-cmd.log -Cloudformation deployment log
- /cfn-init.log - Cloudformation deployment log
