Elastic Compute Cloud (EC2) Basics Flashcards
Virtualization 101
Virtualization is the process of running one or more operating systems in a piece of physical hardware.
Before virtualization, the architecture looks something like this:
A Server with a collection of physical resources, CPU & MEM, Network card and Devices. On top of this, runs an O.S, that O.S runs with a special level of access to the hardware, called “Priviledge Mode” (a small part of the O.S = Kernel)
-The kernel is the only part of the O.S, capable of interacting with the hardware.
-The O.S can allow other software to run, such as Applications, but these run on “User Mode” or “Unpriviledge Mode”. (They cannot directly interact with the hardware, they’ll have to go through the O.S) They’ll need to make a “System Call”.
Virtualization Architecture
Each O.S is separate, each runs it’s own Applications. But the CPU can only have one thing running as “Priviledge Mode”, a priviledge process RAM, has direct access to the hardware, and all of these O.S, if they’re running in their own modified state, they expect to be running on their own, on “Priviledge State”.
-Trying to run three or more different O.S, in this way, will cause system crashes.
Virtualization was created as a solution to this problem, allowing multiple different priviledge applications to run, on the same hardware. Initially virtualization, was really inefficient, because the hardware wans’t aware of it.
Methods of Performing Virtualization
-Emulated Virtualization (Software Virtualization)
This method hosts O.S running on the hardware, and it included different capabilities known as a “Hypervisor”. The software ran on “Priviledge Mode”, it had full access to hardware on the host server. Around the multiple other O.S, we’ll now refered it to “Guest O.S”, were wrapped in a container of sorts, called “Virtual Machines”.
Each VM, was an unmodified O.S, such as Windows or Linux, with a virtual allocation of resources, such as CPU, Memory, and a local disk space. VM’s also had devices mapped into them, such as Network cards, Graphics card, and other local devices, such as Storage. The Guest O.S, believed these to be real, just like physical devices, but they weren’t real, just Emulated hardware by the Hipervisor.
Since the Guest O.S, believes that they are running on real hardware, so they still attempt to make “Priviledge Calls”, they try to take control of the CPU, try to directly read/write, what they think of memory and disk, which are NOT real.
The Hypervisor, it performs a process called “Binary Translation”, any priviledge operation, are intercepted and translated on the fly in software, by the Hypervisor.
- Para-Virtualization
With Para-Virtualization, the Guest O.S, is still running in same VM container, with virtual resources allocated to them, but instead of the slow “Binary Translation”, another approach is used. Para-Virtualization only works on a small subset of O.S, O.S which can be modified.
Because with Para-Virtualization, there are areas of the Guest O.S, which attempt to make priviledge calls, and these are modified, they are modified to make them -usicalls-, but instead of directly calling on the hardware, they call to the Hypervisor, called “HyperCalls”.
So areas of the O.S, which would traditionally make “Priviledge Calls” directly to the hardware, are modified, so the source code of the O.S is changed, to call the Hypervisor rather than the Hardware. (This makes the Hardware aware)
-Hardware Assisted Virtualization
With this, the hardware itself become “Virtualization Aware”, the CPU contains specific instructions and capabilities, so the Hypervisor can directly control and configure, the support. So the CPU itself is aware of performing virtualization.
When Guest O.S attempt to run any priviledge instructions, they are trapped by the CPU, which knows to expect them from these Guest O.S’s, so the system as a whole, doesn’t hault. They are re-directed by the hardware, to the Hypervisor, and he handles how these are executed.
–Easier to obtain better performance
–I/O operations can impact performance (Since there’s only 1 network card)
- Single Root I/O Virtualization (SR-IOV)
SR-IOV allows a device, such as a network adapter, to separate access to its resources among various PCIe hardware functions.
SR-IOV enables network traffic to bypass the software switch layer of the Hyper-V virtualization stack. Because the VF is assigned to a child partition, the network traffic flows directly between the VF and child partition.
–As a result, the I/O overhead in the software emulation layer is diminished and achieves network performance that is nearly the same performance as in nonvirtualized environments.
–In EC2, this is “Enhanced Networking”.
EC2 Architecture and Resilience
-EC2 Instances are virtual machines (OS+Resources)
-EC2 Instances run on EC2 Hosts, and these are physical service hardware, which AWS manages.
-These are Shared Hosts or Dedicated Hosts
–Shared Hosts = Are hosts which are shared with different AWS customers, so you don’t get any ownership of the hardware, and pay for the individual instances on how long you run them for and what resources you have allocated. (Every customer is isolated from each other)
–Dedicated Hosts = You are paying for the entire hosts, not the instance which run on it, it’s dedicated to your account and you don’t have to share it with other customers.
-Hosts = 1 AZ - AZ Fails, Hosts Fails, Instances Fail. (AZ Resilient Service)
-Local storage = Instance Store (also AZ Resilient)
-Remote storage = EBS (also AZ Resilient)
-If you restart the instance, they stay on the same hosts.
They don’t stay if:
-The hosts fails or taken down for maintenance.
-If the instance is stopped and then started.
If any of these, happen, the instance will be relocated to another hosts in the same AZ.
-You cannot connect an instance with a volume in another AZ.
What’s EC2 good for?
-Traditional OS+Application Compute
-Long-Running Compute
-Server style applications…
-Perfect for services/apps that need burst or steady-state load.
-Monolithic application stacks (Database/Middleware..)
-Migrated application workloads or Disaster Recovery
EC2 Instances Types
When you choose an EC2 Instance type, you are doing so, to influence different things.
-Raw CPU, Memory, Local Storage Capacity & Type
-Resource Ratios - Some type of instances give you of one, than the other.
-The amount of Storage and Data Network Bandwidth.
-System Architecture / Vendor - Intel/AMD ….
-Additional Features and Capabilities - GPUs, FPGAs..
EC2 Categories
-General Purpose - Default - Diverse workloads, equal resource ratio.
-Compute Optimized - Media Processing, HPC, Scientific Modelling, Gaming, Machine Learning.
-Memory Optimized - Processing large in-memory datasets, some database workloads.
-Accelerated Computing - Hardware GPU, flied programmable gate arrays (FPGAs).
-Storage Optimized - Sequential and Random IO - scale-out transactional databases, data warehousing, Elasticsearch, analytics workloads.
Decoding EC2 Types
R5dn.8xlarge > Instance Type
R = Instance Family
5 = Instance Generation
dn = Additional Capabilities (This may vary)
8xlarge = Instance Size
Storage Key Terms
-Direct (local) attached Storage - Storage on the EC2 Host (Instance Store)
–Generally super fast
–If the hardware/disk fails, the storage can be lost
–If an EC2 Instance moves between hosts, the storage can be lost
-Network attached Storage - Volumes delivered over the network (EBS)
–In on-premises environments, this uses protocols such as ISCSI, or fiber channel. (In AWS - EBS)
–Highly resilient
–Separate from the instance hardware, so the storage can survive issues, which impact the EC2 hosts.
-Ephemeral Storage - Temporary Storage (Instance Store )
–You can’t rely on to be persistent
-Persistent Storage - Permanent Storage - lives on past the lifetime of the instance (EBS)
Three main categories of storage available within AWS
-Block Storage - Volume presented to the OS as a collection of blocks… no structure provided. MOUNTABLE, BOOTABLE.
–If you want a storage to boot from.
–If you want to utilize high performance storage inside an O.S
-File Storage - Presented as a file share.. has structure. MOUNTABLE, NOT BOOTABLE.
-If you want to share a file system, across multiple different servers or clients, or have them accessed by different services.
-Object Storage - collection of objects, flat structure. NOT MOUNTABLE, NOT BOOTABLE.
–Scalable, it can be accessed by thousands or millions of perople simultaneously
–If you want large access to read and write object data at scale. (Webscale application)
Storage Performance
IO Size x IOPS = Throughput
-IO (Block) Size = Is the size of the blocks of data that you’re writing to disk, expressed in kilobytes or megabytes (K/MB)
-Input/Output Operations per Second (IOPS) = Measures the number of IO operations the storage system can support in a second.
-Throughput = Is the rate of data a storage system can store on a particular piece of storage (MB/s)
If you want to maximize your throughput, you need to use the right block size and then maximize the IOPS, if either of these three are limited, it can impact the other two.
Elastic Block Store (EBS)
-Is a service which provides Block Storage - raw disk allocations (volume) - Can be encrypted using KMS
-EC2 instances see block device and create file system on this device (ext3/4, xfs)
-Storage is provisioned in ONE AZ (Resilient in that AZ)
-You create a volume and generally attach it, to ONE EC2 instance (or other service) over a storage network.
-Can be detached and reattached, EBS volumes are not linked to the instance lifecycle of one instance, they are persistent.
-Snapshot (backup) into S3 - Create volume from snapshot (migrate between AZs)
-EBS can provision volumes based on different physical storage types, different sizes, different performance profiles.
-Billed based on GB-month. (and in some cases performance)
-EBS replocates within an AZ - Failure of an AZ means failure of a volume.
-Snapshots copied across regions provide global resilience.
EBS Volume Types - General Purpose SSD - GP2
-Great for Boot volumes, low-latency interactive apps, dev & test.
-Volumes can be as small as 1GB, or as large as 16TB.
-When they are created, the volume is created with an IO Credit. (An IO Credit is 16KB IOPS assume 16KB - 1 IOPS is 1 IO in 1 second.)
-IO “Credit” Bucket - Capacity 5,4 million IO Credits - Fills of rate of Baseline Performance.
-Bucket Fills with min 100 IO Credits per second - Regardless of volume size.
-Beyond the 100 minimum the bucket fills with 3 IO credits per second, per GB of volume size (Baseline Performance)
Means that a 100GB Volume, gets 300 IO Credits per second, refilling the bucket. (Depends on the volume)
-By default, GP2 can burst up to 3,000 IOPS by depleting the bucket.
-All volumes get an initial 5,4 million IO credits, 30 minutes @ 3,000 IOPS - Great for boots and initial workloads.
If you are consuming more IO credits, than the rate that your bucket is refilling, then you are depleting the bucket.
-Volumes larger than 1,000GB (1TB) - Baseline is above burst. Credit system isn’t used & you always achieve Baseline. (Up to maximum for GP2 of 16,000 IO credits per second (Baseline Performance))
EBS Volume Types - General Purpose SSD - GP3
-Useful for: Virtual desktops, medium sized single instance databases such as MSSQL Server and Oracle DB, low-latency interactive apps, dev & test, boot volumes.
-Removes the credit bucket architecture of GP2.
-Every GP3 volume, regardless of size, starts with a STANDARD 3,000 IOPS & it can transfer 125 MiB/s.
-Volumes can be as small as 1GB, or as large as 16TB.
-GP3 is CHEAPER (~20%) Base price.
-If you need more performance, you can pay extra for up to 16,000 IOPS or 1,000 MiB/s.
-4x Faster Max throughput vs GP2 - 1,000 MiB/s vs 250 MiB/s.
EBS Volume Types - Provisioned IOPS SSD (io1/2)
-High performance, latency sensitive workloads, I/O-intensive NoSQL & relational databases.
-Designed for consistent low latency & jitter. **
-When you need smaller volumes and super high performance.
-With io1/2/BlockExpress IOPS can be adjusted Independently of size of the volume.
-Up to 64,000 IOPS per volume (4x GP2/3)
-Up to 256,000 IOPS per volume (Block Express)
-Up to 1,000 MB/s throughtput
-Up to 4,000 MB/s throughtput (Block Express)
-Volumes sizes:
–4GB-16TB io1/2
–4GB-64TB BlockExpress
-Performance ratio:
–io1 50IOPS/GB (MAX)
–io2 500IOPS/GB (MAX)
–BlockExpress 1000IOPS/GB (MAX)
-Per Instance Performance:
–Influenced by the type of volume, Type of instance, and Size of the instance.
–This maximums are more than a single EBS volume can provide, so you’re going to need multiple volumes.
–io1 - 260,000 IOPS & 7,500MB/s
–io2 - 160,000 IOPS & 4,750MB/s
–Block Express - 260,000 IOPS & 7,500MB/s
EBS Volume Types - HDD-Based
There’s 2 types of EBS HDD-based:
-Throughput Optimized (st1)
–Designed when cost is a concern, but you need frequent access to storage throughput intensive workloads (Big data, data warehouses, log processing)
–Cheaper than the SSD volumes.
–Designed for data, which is sequentially accessed, since it’s HDD-based, it’s not great at random access, more designed for data that needs to be written or read, in a fairly sequential way.
–Range from 125GB to 16TB.
–Max of 500 IOPS (1MB IO) - means MAX 500 MB/s.
–40MB/s per TB Base.
–250MB/s per TB Burst.
-Cold HDD (sc1)
–Designed for infrequent workloads, is geared towards maximum economy, when you just want to store lots of data and don’t care about performance.
–Cheaper than st1
–Max of 250 IOPS (1MB IO) - means MAX 250 MB/s.
–12MB/s per TB Base.
–80MB/s per TB Burst.
–Range from 125GB to 16TB.
–Lowest cost HDD volume designed for less frequently accessed workloads.
–Colder data/archives requiring fewer scans per day.
Instance Store
-Provide Block Storage Devices.
-Physically connected to one EC2 Host.
-Instances on that host can access them.
-Highest storage performance in AWS.
-Included in instance price.
-ATTACHED ONLY AT LAUNCH NOT AFTER.
-Each instance can have a collection of volumes, which are backed by physical devices on the EC2 host.
-If an EC2 instance moves between hosts, they can’t access the old instance store, since they are given a new one. (Stopped/Started - UnderMaintenance - If you change instance type - hardware failure)
You can achieve more higher levels of performance throughput, and more IOPS, using Instance Store volumes, than using EBS.
-If you use a D3 Instance = 4.6 GB/s throughput.
-f you use a I3 Instance = 16 GB/s of sequential throughput
-More IOPS and Throughput vs EBS ***
EXAM POWERUP - Instance Store
-Local on EC2 Host.
-Add at launch ONLY.
-Lost on instance move, resize or hardware failure.
-Highest storage performance in AWS.
-You pay for it anyway - included in instance price.
-TEMPORARY.
Choosing between Instance Store & EBS
-Persistence - EBS
-Resilience - EBS (AZ)
-Storage isolated from instance lifecycle - EBS
-Resilience w/ App In-built Replication - It depends
-High performance needs - It depends
-Super high performance needs - Instance Store
-Cost - Instance Store (It’s often included)
-Cheap = ST1 or SC1
-Throughput or streaming - ST1
-Boot - NOT ST1 or SC1
-GP2/3 - up to 16,000 IOPS
-IO1/2 - up to 64,000 IOPS (*256,000)
-You can take lots of individual EBS volumes, and you can create a RAID volume set, up to 260,000 IOPS (io1/2-BE/GP2/3) (Combined performance of those EBS volumes) (Maximum possible IOPS per instance)
-More than 260,000 IOPS - INSTANCE STORE
Snapshots, Restore & Fast Snapshot Restore (FSR)
-They are an efficient way to backup EBS volumes to S3. (Protect the data from AZ failures or Local storage failure)
-Snapshots are incremental volume copies to S3. (They become region resilient in S3)
-The first is a FULL COPY of all “data” on the volume.
-Future snaps are incremental.
-Volumes can be created (restored) from snapshots.
-Snapshots can be copied to another region.
Volume Performance
-New EBS volume = full performance immediately.
-Snaps restore lazily - fetched gradually.
-Requested blocks are fetched immediately.
-Force a read of all data immediately…
-Fast Snapshot Restore (FSR) - Inmediate restore. (It costs extra)
-.. up to 50 snaps per region - You pick the Snap & AZ.
Snapshots Consumption and Billing
-Gigabyte-month.
-Used data NOT allocated data. (Only snapshots)
-Incremental.
EBS Encryption
-By default, no encryption is applied.
-Provides at rest encryption for volumes and for snapshots.
When you create an encrypted EBS volume, EBS uses KMS and a KMS Key, which can either be: EBS Default AWS Managed Key (aws/ebs) or it can a Custom Managed KMS Key (that you create and manage)
That key is used by EBS, when an encrypted volume is created. This key is used to generate an encrypted, Data Encryption Key (DEK), this occurs when the “GenerateDataKey WithoutPlainText” API call. This is stored with the volume on the raw storage, and it can only be decrypted using the KMS key that created the DEK. (Assuming it has permissions)
When the volume it’s first used, either mounted on an EC2 instance by you or when an instance is launched, then EBS asks KMS, to decrypt the DEK, that’s used just for this one volume. That key is loaded into the memory of the EC2 Host, which will be using it.
-The key is only ever held, in this decrypted form in memory in the EC2 Hosts, when it’s using the volume.
So the key is by the Host, to encrypt and decrypt data , between an instance and the EBS volume, especifically, the raw storage that the EBS volume, is stored on.
-Means that data stored onto the raw storage, used by the volume, is Ciphertext. (Encrypted at rest)
-Data only exist in an unencrypted form, inside the memory of the EC2 Host.
-When the EC2 instance moves from this EC2 Host to another, the decrypted key, is DISCARDED. Leaving only the encrypted version at the disk, for that instance to use the volume again, the encrypted DEK, needs to be decrypted again and loaded into another EC2 Host.
-If a Snapshot is made, of an encrypted volume, means the Snapshot is also encrypted. (Using the same DEK)
EXAM POWER UP - EBS Encryption
-Accounts can be set to encrypt by default - using the default KMS key
-Otherwise choose a KMS key to use.
-Each volume uses 1 UNIQUE DEK.
-Snapshots & future volumes use the same DEK.
-Can’t change a volume to NOT be encrypted.
-OS isn’t aware of the encryption - no performance loss
-It doesn’t cost anything.
EC2 Network & DNS Architecture
-Every EC2 instance has a at least one, Elastic Network Interface (ENI) - Primary ENI
–You can attach more ENIs, it can be in different subnets but within same AZ.
ENIs, have:
-a MAC Address (Hardware address of the interface)
-a Primery IPv4 Private IP (from the range of the subnet) > 10.16.0.10 > ip-10-16-0-10.ec2.internal
-It can have 0 or more secondary IPs > 3.89.7.136 > ec2-3-89-7-136.compute-1.amazonaws.com
–Public DNS = private IP in VPC - Public IP = everywhere else
-It can have 0 or 1 Public IPv4 Address
-1 elastic IP per private IPv4 addresss
Elastic IP addresses are different from normal Public IP addresses, where it’s one per interface. With Elastic IP addresses, you can have one Public elastic address per Private IP address on this interface.
If an EC2 instance has a non-elastic IPv4 address, and you assign an Elastic IP to the Primary ENI, it will REMOVE the Public IPv4. ** (You can’t get that address back)
-You can have 0 or more IPv6 addresses per interface (By default, publicly routable)
-You can have Security Groups (applied to ENIs not EC2’s)
-You can enable/disable “Source/Destination Check” - If traffic is on the interface, it’s going to be discarded, if it’s not from one of the IP addresses on the interfaces source, or destinated to one of the IP addresses on the interfaces destination. (It’s discarded if it doesn’t match one of those conditions)
EXAM POWER UP - EC2 Network & DNS Architecture
-Secondary ENI + MAC = Licensing
-Multiple interfaces, can be used for multi-homed (subnets) systems - So an instance with ENI in 2 different subnets (Management & Data)
-Different Security Groups - multiple interfaces.
-OS - NEVER SEES THE PUBLIC IPv4 ADDRESS.
-IPv4 Public IPs are Dynamic - Stop & Start = Change (Restarting is fine) (to avoid this use Elastic IP)
-Public DNS = private IP in VPC - Public IP = everywhere else.
Amazon Machine Images (AMI)
AMIs are the images of EC2. They’re one way that you can create a template of an instance configuration, and then use that template to create many instances from that configuration.
-AMIs can be used to launch an EC2 instance
-AWS or Community provided
-Also launch instances from Marketplace (can include commercial software)
-Regional
-Each AMI has a unique ID - e.g. ami-0a887e401f7654935 (AMIs can only be used in the Region that’s in)
-AMIs control permissions (Public, Your Account, Specific Accounts)- By default, only your account can use it - You can set your AMI to be Public, or you can add specific AWS accounts onto that AMI
-You can create an AMI from an EC2 instance you want to template, and viceversa
