DNS

EC2 Zero to Hero

 

EC2 TheHungryFatCoder

EC2 or Elastic Compute Cloud, is Amazons primary webservice that provides reliable compute capacity on the cloud. Compute means the amount of computation power required by your workload.

You could acquire compute by launching virtual servers, and these are called Instance. When you launch an instance, you could use the compute as you wish. The best thing is that you only pay per hour, so as soon you stop your instance from running, you’ll no longer will be paying.

The 2 concepts that are key to launching an instance on AWS: These dimensions of the instances are controlled by the instance type and the AMI.

  1. The amount of virtual hardware dedicated to the instance.
  2. The software loaded on the instance.

What is an instance type –

It’s the virtual hardware supporting an Amazon EC2 instance. There are many such instance types and it has the following dimensions:

  • Virtual CPU (vCPU)
  • Memory
  • Storage (size and type)
  • Network performance

Instance Type’s are grouped into families and based on the ratio of the above dimensions.

The m4 family provides a balance on compute, memory and network resources. Amazon provides some good options for Instance Type’s within a family and they scale up linearly. Have a look at the AWS documentation to find out more.

When you consider a Family, Amazon has tilted the ratios so it can accommodate different types of work-loads.

Family Optimized for Purpose
c4 Compute optimized For workloads that require processing
r3 Memory optimized For memory intensive workloads
i2 Storage optimized For workloads that requires high amounts of SSD storage
g2 GPU based instance For graphics and general-purpose GPU compute workloads.

 

Note: C3,C4,d2,I2,M4,R3 families provide enhanced networking capabilities. Check the AWS documentation for an updated list.

With changing customer demands, AWS introduces new processing families. When choosing an Instance Type, consider the networking performance as well. AWS publishes a relative measure of networking performance as low, moderate or high. However, in some instance types it specifies the network performance of 10Gbps. A general observation is that the network performance increases within a family of the Instance Type.

For customers that require greater performance in their business use cases, AWS provides many instance types that support enhanced-networking.

What is enhanced-networking in an Instance Type

It reduces the impact of virtualization on network performance by enabling a capability called Single root I/O virtualization (SR-IOV). As a result, this increases packets per second (PPS), lower latency and less jitter.

Enabling enhanced networking on an instance involves ensuring the correct drivers are installed and modifying the instance attributes. Enhanced networking is available for instances that runs in an Amazon VPC.

Amazon Machine Image (AMI)

It defines the initial software that will be run on the instance when it is launched. All AMIs are x86, and comes in either Windows or Linux.

  • OS and configuration
  • The initial state of the patches
  • Application or system software

AMIs are provided by 4 sources

  1. Published by AWS –
    • This includes multiple distributions of Linux OS, like Ubuntu/ Redhat/Amazons own distribution, Or Windows OS like, Windows 2008/Windows 2012.
    • These AMIs will result in the default OS settings (Similar to installing an OS from ISO image)
    • Like in any OS installation you should apply all appropriate patches upon launch.
  2. AWS marketplace –
    • AWS partners have provided AMI with their software’s made available on it.
    • Helps customers, find, buy, and start using immediately.
    • Provides 2 benefits:
      • Customers do not need to install software’s.
      • License agreement is appropriate for the cloud.
    • Charged per hour, and an additional per-hour charge for software installed. No additional charges for Open Source AWS Marketplace packages.
  3. General form existing instance –
    • An AMI created from an existing EC2 instance. A customer, may configure the instance based on his corporate standards, considering security, etc.
    • This AMI can then be generated in the form of a generated from the configured instance and made use to launch all other instances guaranteeing No-Non-Conforming instances created in the company.
  4. Updated virtual servers –
    • Using the AWS VM Import/Export service, customers can create images from various virtualization formats. Like raw, VHD, VMDK and OVA.
    • Customers are responsible to remain compliant with the licensing terms of OS vendor.

There are several ways where you could access your instance securely. Ex: CLI, AWS management console, SDKs etc.

There are few ways an instance can be addressed over the web:

  1. Public Domain Name System (DNS) –
    • When you launch an instance AWS will create a DNS name for that instance and it could be used to access the instance.
    • The customer has no control over naming the DNS name, AWS takes care of it.
    • Only persist while the instance is running and can’t be transferred to another instance.
  2. Public IP –
    • When you launch an instance AWS will give it a public IP address.
    • IP addresses cannot be specified, and it’s assigned from a set of addresses reserved by AWS.
    • Only persist while the instance is running and can’t be transferred to another instance.
  3. Elastic IP –
    • It is a unique IP that you reserve and assign to a running EC2 instance.
    • You can transfer the IP address to another instance without coupling clients to an instance.

In addition to the above, private IP addresses and Elastic Network Interface (ENI) can be used to address instances that are available in Amazon VPC.

There’s always a first time

Amazon EC2 uses Public-key-cryptography to encrypt and decrypt login information. Public-key-cryptography uses the public-key to encrypt and private-key to decrypt. These 2 keys together are called a key-pair. A key-pair can be created in the AWS Management Console, CLI or API or else the customer can upload their own key-pairs.

For Linux instances, AWS stores the public key securely (~/.ssh/authorized_keys), and the customer is responsible to store the private key. The private-key can be used to securely access an instance for the first time.

For Windows instances, EC2 will generate a password for the local admin account and encrypt it with the public-key. Initial access is gained by decrypting the password with the private-key in the console or through the API. Using RDP the decrypted password can be used to login.

You could also change your local administrator password and it is considered to be a best practice.

Virtual Firewall Protection or Security-Groups

AWS has virtual firewalls and it is used to control traffic that goes in and out of your instances. And they are called Security-Groups. These Security-Groups allows you to control traffic using the following attributes:

  1. Port – The port number
  2. Protocol – The communication standard for traffic
  3. Source/destination – source or destination for traffic rules. Can be defined in 2 ways:
    • CIDR – x.x.x.x/x style that defines a particular range of IP address
    • Security group – includes any instance that is associated with the Security-Group. Helps prevent coupling Security-Group rules with Ip addresses.

Comparison between Security-Groups associated with VPC and EC2-Classic.

EC2-Classic SG Control outgoing instance traffic.
VPC SG Controls both outgoing and incoming instance traffic.

 

Every Instance is associated with at least one Security-Group. This means you could associate an instance with more Security-Groups.

A Security-Groups  is default deny. This means it does not allow any traffic that is not explicitly allowed by a Security-Groups rule.

A rule can be defined using the 3 attributes listed above: port, protocol and source/destination.

When there’s more than 1 Security-Group associated, then the Security-Groups will be aggregated. For example if Instance A allows SSH traffic at xx.xx.xx.xx/16 and also HTTP traffic from all 0.0.0.0/0 then the instance will allow both SSH and HTTP traffic.

Security-Groups Are stateful. This means if you specify a rule for outgoing request, it will allow to retrieve its response without having to define a rule for it.

Security-Groups are applied at instance level, so unlike traditional on-premises firewalls a hacker could breach a single perimeter to get access to all the instances in your Security-Group. However, since Security-Groups are applied at instance level, the hacker will have to penetrate instances individually.

 

Stay tuned for Part 2 of Amazon EC2. 

If you happen to be on Instagram please follow @thehungryfatcoder.

If you happen to like my blog, please subscribe and let your friends know about it.