EC2 Flashcards
What are the four ways to pay for EC2?
On-Demand
Reserved
Spot
Dedicated
Conditions on payment for termination of a Spot EC2 instance
If the customer terminates the instance, they pay for the hour. If AWS terminates the instance, Amazon pays for the hour.
What is the scope of an AMI? (Global, regional…)
AMIs are regional. An AMI can only be launched from the region in which it is stored. However, AMIs can be copied to other regions using the console, CLI or AWS EC2 API.
What is a more secure alternative to storing access keys on EC2 instances?
Roles are more secure and easier to manage
How many IAM roles can be associated with an EC2 instance?
You can only associate one IAM role with an EC2 instance.
When can a role be assigned to an EC2 instance?
The role can be assigned at creation time or assigned/replaced/unassigned at runtime (Actions -> Instance Settings -> Attach/Replace IAM role, Select role or “No Role”).
What is the URL to get instance metadata?
http://169.254.169.254/latest/meta-data/
What is the URL to get user data?
http://169.254.169.254/latest/user-data
Using the console, can I add a role to an EC2 instance after the instance has been launched?
Yes. Roles can be assigned/replaced/unassigned using the console after the instance has been launched (Actions -> Instance Settings -> Attach/Replace IAM role, Select role or “No Role”). Previously, roles could be assigned only when the EC2 instance was launched (that is, when it was being provisioned).
Can I change permissions to a role, even if that role is already assigned to an existing EC2 instance?
Yes. These changes will take effect immediately.
Do EC2 instances need to be restarted to apply changes to Security Groups?
No, changes to Security Groups take effect immediately.
Is it possible to use the same Security Group in several EC2 instances?
Yes. You can have any number of EC2 instances within a Security Group.
Can an EC2 instance use multiple Security Groups?
Yes. You can have multiple Security Groups attached to EC2 instances.
Can you specify Deny rules using Security Groups?
No, Security Groups deny everything by default. You can only specify Allow rules.
What does it mean that Security Groups are STATEFUL?
If you create an inbound rule allowing traffic in, that traffic is automatically allowed out again.
What are the default traffic allowances for the default VPC Security Group?
The default VPC Security Group has an inbound rule allowing all traffic from itself, so all instances in this security group can communicate with each other. It also has the usual rule allowing all outbound traffic.
How are instances monitored by ELB reported?
InService or OutOfService
How can I run a configuration script during launch?
You can specify User Data to run a configuration script during launch. At instance creation: Advanced Details -> User Data. At runtime: Actions -> Instance Settings -> View/Change User Data.
What types of Placement Groups exist?
- Cluster Placement Group: Low network latency, high network throughput
- Spread Placement Group: Individual critical EC2 instances
- Partition Placement Groups: Multiple EC2 instances; HDFS, HBase, and Cassandra.
If an Amazon EBS volume is an additional partition (not the root volume), can I detach it without stopping the instance?
Yes, although it may take some time.
Can the public IP address of an EC2 instance be managed in the instance?
No. The public IP address is not managed in the instance. It is instead an alias applied as a NAT of the private IP address. It cannot be managed via instance metadata.
Which are the possible values for the “tenancy” attribute of an instance?
- default: your instance runs on shared hardware.
- dedicated: your instance runs on single-tenant hardware.
- host: your instance runs on a Dedicated Host, which is an isolated server with configurations that you can control.
What amount of access should be given to users?
Always give your users the minimum amount of access required to do their job
Can policies attached to roles be updated? When do the changes take effect?
You can update a policy attached to a role, and it will take immediate effect
Can roles be detached or attached to running EC2 instances?
You can attach and detach roles to running EC2 instances without having to stop or terminate those instances
How are role permissions controlled?
Policies control a role’s permissions
When do changes to security groups take effect?
Changes to security groups take effect immediately
How many EC2 instances can share a security group?
You can have any number of EC2 instances within a security group
How many security groups can be attached to an EC2 instance?
You can have multiple security groups attached to EC2 instances
In a security group, is inbound traffic blocked or allowed by default?
All inbound traffic is blocked by default
In a security group, is outbound traffic blocked or allowed by default?
All outbound traffic is allowed
What is a bootstrap script?
A bootstrap script is a script that runs when the instance first runs. It passes user data to the EC2 instance and can be used to install applications as well as to do updates and more.
What is user data in the context of EC2?
User data are simply bootstrap scripts
What is metadata in the context of EC2?
Metadata is data about the EC2 instance. You can use bootstrap scripts (user data) to access metadata
What are the networking devices available in EC2?
- ENI
- EFA
- Enhanced networking
What is a scenario for using ENI?
For basic networking. Perhaps you need a separate management network from your production network or a separate logging network, and you need to do it at a low cost. In this scenario, use multiple ENIs for each network.
What is a scenario for using EFA?
For when you need to accelerate High-Performance Computing (HPC) and machine learning applications or if you need to do an OS bypass. If you see a scenario question mentioning HPC or ML and asking what network adapter you want, choose EFA.
What is a scenario for using Enhanced Networking?
For when you need speeds between 10 Gbps and 100 Gbps. Anywhere you need reliable, high throughput.
Which placement groups can span multiple AZs? Which can’t?
A cluster placement group can’t span multiple AZs. Spread and partition placement groups can.
Can any type of instance be launched in a placement group?
No. Only certain types of instances can be launched in a placement group (compute optimised, GPU, memory optimised, storage optimised).
Can placement groups be merged?
No, you can’t merge placement groups.
Can you move an existing instance into a placement group?
You can move an existing instance into a placement group. Before you move the instance, it must be in the stopped state. You can move or remove an instance using the AWS CLI or the AWS SDK, but you can’t do it via the console yet.
What EC2 pricing option can you use for special licensing requirements?
Dedicated hosts. An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use. Dedicated Hosts allow you to use your existing per-socket, per-core, or per-VM software licenses, including Windows Server, Microsoft SQL Server, and SUSE Linux Enterprise Server.
Can you block Spot instances from terminating?
You can block Spot Instances from terminating by using Spot block.
What is a Spot Fleet?
A Spot Fleet is a collection of Spot Instances and, optionally, On-Demand Instances.
Up to what percentage of cost can you save by using Spot instances?
Spot Instances save up to 90% of the cost of On-Demand Instances.