Amazon Elastic Compute Cloud (EC2)

What is Elastic Compute Cloud (EC2)?

This is a virtual machine running on shared hardware in a multi-tenant fashion, with quick boot (in minutes) and fast auto scaling to tens, hundreds or even thousands of instances.

It is also a business solution to the question of how to meet highly fluctuating demand for compute power that a business needs only for a very short time span. It lets a new start-up or an established organization manage its infrastructure investment in an optimized way: there is no upfront infrastructure cost, you choose the "pay as you go" option and expand the business's reach from an infrastructure perspective. It also removes the attention and investment that hardware/infrastructure fulfillment demands, allowing you to focus on developing and deploying the actual business solution. It reduces the need for compute capacity forecasting as well, because compute power can be scaled up or down in minutes, on a schedule or dynamically, to meet business compute needs. Because security is Amazon's first priority, you get security for EC2, identity and access management, and network security free of cost. Amazon takes care of the security of the cloud and you, as a customer, take care of security in the cloud; this is called the shared security model.

Important points about EC2

  • Each EC2 virtual machine is called an instance
  • An image copy of an instance's configuration (OS, all required additional software and configurations) is called an Amazon Machine Image (AMI). New instances are launched from an AMI to get an exactly similar instance.
  • A preconfigured hardware configuration (CPUs, memory, storage and network capacity) is called an instance type
  • The instance type and the AMI together identify a particular instance
  • EC2 secures login credentials with key pairs. For an instance with a Linux OS, AWS stores the public key and the user stores the private key. For Windows, AWS generates the administrator password in an encrypted format, and the user needs to decrypt and store it to access the Windows instance using RDP.
  • An EC2 instance has a root volume which stores the information needed to boot. A temporary storage volume is also associated with the EC2 instance to store all temporary data. If the instance is terminated or stopped, the data stored on instance storage is deleted and is not available once the instance is recreated or restarted.
  • EC2 has persistent storage volumes: EBS (Elastic Block Store) volumes mounted to a particular instance. An EC2 instance can have multiple persistent EBS-based volumes, depending on the storage requirement
  • Each instance is placed in an Availability Zone, and each Availability Zone belongs to one particular region. A region is a geographical location of physical systems called data centers. In one region there are two or more isolated data centers which are interconnected to provide failover support, but which are not impacted by the failure of another Availability Zone
  • Access to an EC2 instance is protected. To access an EC2 instance, you must configure the protocols, ports and source IP ranges by using a security group
  • An Elastic IP address, an IPv4 address, can be associated with an instance to communicate through the Internet
  • The virtual network created when launching the instance is isolated from other accounts' networks; it is called a virtual private cloud

Basics of Amazon Elastic Compute Cloud (EC2)

AMI: An Amazon Machine Image is a template for launching an instance. The template contains the operating system, additional software, and application or web server configuration. In other words, it is an image copy of a system that is used to create an exact clone. An AMI can be generated from any instance and kept in the repository for future use. Many AMIs are available from Amazon free of charge; we can also buy AMIs developed by Amazon partners from the Amazon marketplace, or generate our own AMIs based on our application's needs and dependencies. Each AMI has an ID, called the AMI ID, that uniquely identifies that particular Amazon Machine Image. We can launch many instances from one AMI, with no restriction.

Instance: A virtual machine in the AWS Cloud. It is identified by its instance type, which essentially determines the hardware configuration used by the virtual machine (instance). The instance type defines the CPU, memory and network capabilities the instance has after launch. AWS recommends choosing the instance type that best suits the application to be hosted on it. Based on the nature of the application, you can choose a compute-intensive, memory-intensive, network-intensive or other instance type to launch appropriate VMs.

Once an instance is launched, it behaves like a traditional host, like a physical computer: you can use it like any traditional computer to install software, upload or download files, launch application software and so on. This means you have full control of the instance. If you have root privilege, you can use sudo on a Linux instance as well.

Storage of Instance

The root device volume contains the image used to boot the instance. A root volume can be either instance storage or EBS. If the AMI is backed by instance storage, the root device volume of an instance launched from it is instance storage. On the other hand, if the AMI is backed by EBS, the root device volume of an instance launched from it is EBS.

An instance may have local storage, "instance storage", which can be mapped at launch time with a device mapping. This storage is volatile: if the instance fails, is stopped or is terminated, all stored data is lost. Instance storage is therefore most suitable for temporary data. For important data you need a replication process that replicates the data to many other instances to keep it safe. To store persistent data, either use S3 or mount an EBS volume on the instance. Please note that, by default, terminating an instance also deletes the data of the EBS volume mounted on it; to prevent this, set the volume's "deleteOnTermination" attribute to false.

Important: EBS-backed instances can be stopped and started; however, instance-storage-backed instances cannot be stopped and started.
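To check the "deleteOnTermination" setting across a fleet rather than one volume at a time, the script below is an added example, not part of the original notes. It reads a constructed sample in the shape of `aws ec2 describe-instances` output (all IDs are made up), lists data volumes that would be deleted with their instance, and builds the AWS CLI call that sets the attribute to false.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output.
# Instance and volume IDs are made up for this example.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0example00000001", "RootDeviceType": "ebs",
   "RootDeviceName": "/dev/xvda",
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/xvda",
      "Ebs": {"VolumeId": "vol-0example0000000a", "DeleteOnTermination": true}},
     {"DeviceName": "/dev/sdf",
      "Ebs": {"VolumeId": "vol-0example0000000b", "DeleteOnTermination": true}},
     {"DeviceName": "/dev/sdg",
      "Ebs": {"VolumeId": "vol-0example0000000c", "DeleteOnTermination": false}}]},
  {"InstanceId": "i-0example00000002", "RootDeviceType": "instance-store",
   "RootDeviceName": "/dev/sda1", "BlockDeviceMappings": []}
]}]}
""")


def instances(described):
    """Flatten the Reservations -> Instances nesting."""
    return [i for r in described["Reservations"] for i in r["Instances"]]


def data_at_risk(described):
    """Non-root EBS volumes that are deleted when their instance terminates."""
    risky = []
    for inst in instances(described):
        for mapping in inst.get("BlockDeviceMappings", []):
            ebs = mapping.get("Ebs", {})
            is_root = mapping["DeviceName"] == inst.get("RootDeviceName")
            if ebs.get("DeleteOnTermination") and not is_root:
                risky.append((inst["InstanceId"], mapping["DeviceName"],
                              ebs["VolumeId"]))
    return risky


def instance_store_backed(described):
    """Instances whose root device is instance storage (no stop/start)."""
    return [i["InstanceId"] for i in instances(described)
            if i.get("RootDeviceType") == "instance-store"]


def fix_command(instance_id, device):
    """AWS CLI call that sets DeleteOnTermination to false for one device."""
    mapping = [{"DeviceName": device, "Ebs": {"DeleteOnTermination": False}}]
    return ("aws ec2 modify-instance-attribute "
            f"--instance-id {instance_id} "
            f"--block-device-mappings '{json.dumps(mapping)}'")


if __name__ == "__main__":
    for inst_id, device, volume in data_at_risk(SAMPLE):
        print(f"{inst_id} {device} ({volume}) is deleted on termination")
        print("  fix:", fix_command(inst_id, device))
    for inst_id in instance_store_backed(SAMPLE):
        print(f"{inst_id} is instance-store backed: keep only temporary data")
```
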

How to access the instance

By default, AWS uses the Identity and Access Management (IAM) web service to control access to AWS resources, so instance access is also protected by the IAM service. We need to create an IAM user, set its group and attach the appropriate policy in order to get access to an EC2 instance. When we create an IAM user, Amazon generates an access key and a secret key. An access key is a key pair with two parts, a public key and a private key. AWS stores the public key and the user needs to store the private key by downloading it. A Linux instance must be launched with a key pair, otherwise the instance will not be accessible. Please note that the access key and secret key are generated for an instance only once, and if we lose the private key there is no way to retrieve it. We need to terminate that instance and recreate it with a new access key and secret key.

We can choose the existing key or new key option; the recommendation is to use an existing key if we have one and otherwise go for a new one. We also need to select a security group. A security group is a virtual firewall that needs to be adjusted to your network security policy to allow inbound access requests to the instance. It is better to select an existing security group, as we have the option to edit the security group later if required.

If this is a Linux instance launched with a key pair and an appropriate security group, we can access it in several ways: connecting to the Linux instance from Windows using PuTTY, or connecting to the Linux instance using SSH. To access the Linux instance we need to provide the complete path of the key file (.pem) when prompted.

To access a Windows instance, we need to decrypt the encrypted password that Amazon has provided for the administrative user, and connect to the Windows instance through RDP as the administrator user with the decrypted password.
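Because the security group decides which source IP ranges can reach the SSH and RDP logins described above, it is worth auditing inbound rules for those two ports. The script below is an added example, not part of the original notes; it runs over a constructed sample in the shape of `aws ec2 describe-security-groups` output (group IDs and names are made up) and reports rules that expose port 22 or 3389 to every address.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and names are made up; 203.0.113.0/24 is a documentation range.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0example0000000a", "GroupName": "linux-web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0example0000000b", "GroupName": "windows-admin",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0example0000000c", "GroupName": "allow-all",
   "IpPermissions": [
     {"IpProtocol": "-1",
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
""")

# Remote-login ports the notes rely on: SSH for Linux, RDP for Windows.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def is_world_open(cidr):
    """True when the range covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers(rule, port):
    """True when an inbound rule admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit(described):
    """Return (group_id, service, port, open_ranges) per exposed login port."""
    findings = []
    for group in described["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            ranges = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            exposed = [c for c in ranges if is_world_open(c)]
            if not exposed:
                continue
            for port, service in ADMIN_PORTS.items():
                if rule_covers(rule, port):
                    findings.append((group["GroupId"], service, port, exposed))
    return findings


if __name__ == "__main__":
    for group_id, service, port, ranges in audit(SAMPLE):
        print(f"{group_id}: {service} ({port}/tcp) open to {', '.join(ranges)}")
```

The restricted RDP rule and the public HTTPS rule produce no finding; the all-protocols rule is reported for both login ports.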

Instance Purchasing Options

  • On-Demand instances — the most expensive option, but with no upfront investment and no term commitment. Pay by the hour. This can be the option for increasing compute power for peak-hour tasks that cannot wait, or for short scheduled tasks that run once in a while
  • Reserved Instances — a cheaper option compared to On-Demand instances, but it requires a term commitment of one year or three years. Again you pay by the hour, with a significant discount based on the upfront investment. The instance is available 24x7. The most suitable use case is an application that runs 24x7.
  • Scheduled Instances — Purchase instances that are always available on the specified recurring schedule, for a one-year term
  • Spot instances — unused AWS instances made available for bidding. They run as long as they are available at your bid price. If the spot price rises above your quoted bid price, Amazon terminates the Spot instance automatically. AWS does not charge you for the partial hour if AWS terminates the instance. If you terminate it, you have to pay for that hour as well. Most suitable for scaling up compute power for tasks that have no business impact if they are not completed on time and can be delayed when processed with less capacity than required
  • Dedicated hosts — AWS can provide a fully dedicated host to meet an organization's compliance needs, its security policy or any government regulations. You just pay for a physical host that is fully dedicated to running your instances. The main benefits are meeting the organization's compliance policy and reducing software license costs.
  • Dedicated instances — an option to run your instance on single-tenant hardware. Also available on a pay-by-the-hour basis

Regions and Availability Zones

An instance is launched in one of the Availability Zones of the chosen region, so let's understand regions and Availability Zones first. An EC2 region, in AWS terminology, is a geographical area where the underlying hardware (data centers) is deployed and maintained. Each AWS EC2 region is fully isolated from the other AWS regions to achieve the greatest possible fault tolerance and stability. This isolation is a benefit in terms of fault tolerance and stability, but it also imposes a limitation: an instance is tied to the one region chosen at launch. An instance cannot be launched from an AMI in another region; you must select an AMI in the same region in which the instance is to be created. We cannot replicate AWS resources to other regions automatically; we need to follow a process such as migration.

  • Communication between regions goes over the public internet, and you are charged at the internet data transfer rate for both ingress and egress communication. Because this communication crosses the public internet, the data needs to be encrypted before it is sent, so an encryption process must be implemented to protect confidential data
  • Not all regions have the same level of product support; some services may not be available in a particular region. A feature launched in other regions is not accessible in a region where it has not been rolled out yet

Availability Zone - An isolated area within a region where the underlying hardware/infrastructure is deployed and maintained. This achieves the greatest possible fault tolerance and stability for the region. Availability Zones are designed to support failover: if one Availability Zone goes down for any reason, an application is switched to other Availability Zones, provided the application architecture is designed for high availability. When launching an instance, we can choose the Availability Zone in which it is created, so the use of two or more Availability Zones must be considered during application architecture design and when launching instances. Each Availability Zone has a unique code that identifies it. The code consists of the region code followed by a letter identifier, for example "us-east-1a". Please note that the location of an Availability Zone cannot be identified account by account: two accounts may both have an Availability Zone "us-east-1a", but the underlying hardware/infrastructure may be at two different, separate locations.

If a particular Availability Zone is constrained and cannot expand further, you may not be allowed to launch an instance there unless you already have instances there. This depends entirely on free capacity: if little capacity remains, the restriction is enforced, and it is lifted when capacity is increased or accounts move from that Availability Zone to another.

Please note that selecting a region is always mandatory for an account, whereas selecting an Availability Zone is optional; if you do not select an Availability Zone, AWS selects one for you at random. There are many considerations in choosing a region: country regulations, organization policy, service or product availability and so on. For example, you may choose a region near your customers or one that meets a legal requirement.
  • Please note: "An AWS GovCloud (US) account provides access to the AWS GovCloud (US) region only" (reference: Amazon). For more information, see AWS GovCloud (US) Region
  • There may be country-specific regions that you cannot describe or access if you do not meet the conditions, for example the China (Beijing) region. This region must be used by organizations based in China

An instance can be migrated between Availability Zones: create an AMI from the instance in the Availability Zone where it is already running, then use that AMI to launch a new instance in the desired Availability Zone and update the configuration. We cannot migrate an instance to another region in the same way as we migrate from one Availability Zone to another. Please note: AMIs cannot be copied from one region to another region

Monitoring Amazon EC2

Resource/instance monitoring is an important aspect of any IT solution, needed to maintain the reliability, availability and performance of Amazon Elastic Compute Cloud (Amazon EC2) instances. Below is the list of tools that can be used to monitor EC2 instances and report back to you in case anything goes wrong.
  • System Status Checks: these checks detect loss of network connectivity, loss of power, and software or hardware issues on the physical host. These kinds of issues are fixed by AWS; however, we can also fix them ourselves by recreating the instance, which means a new instance
  • Instance Status Checks: these checks detect issues caused at the OS level that need your involvement to fix. For example, when an instance check fails, you may need to restart the instance or change the OS configuration to fix the issue. There are many possible causes of failure, for example a failed system status check, misconfigured networking or setup configuration, exhausted memory, file system corruption, or anything non-compliant with the kernel or OS
  • Amazon CloudWatch Alarms: this service monitors a single metric over a time period; whenever the customer-defined threshold is met, it sends you a notification alarm via another service, SNS (Simple Notification Service), so that you can take appropriate preventive action
  • Amazon CloudWatch Logs. The AWS CloudWatch service is also used to enable the auto scaling feature. You can configure auto scaling based on a threshold for your instances: if the load grows to a certain level, auto scaling is initiated
  • Amazon CloudWatch Logs - useful to monitor, store and access log files from AWS resources such as Amazon EC2 instances, AWS CloudTrail or other sources
  • Amazon EC2 Monitoring Scripts: a Perl script developed to monitor memory, disk and swap file usage etc.
  • AWS Management Pack for Microsoft System Center Operations Manager - this AWS Management Pack is an extension to Microsoft System Center Operations Manager and works as a link between AWS instances and the Microsoft or Linux OS running inside them. It uses a designated instance to run AWS APIs to remotely discover and collect information about AWS resources

Instance lifecycle

There are many services which are very useful for launching a new EC2 instance
  • Bootstrapping - a very powerful utility that lets us script virtual hardware management, so that tasks can be performed through a script. Such a script is very useful for tasks like applying patches and updates to the OS, enrolling in a directory service, installing an application, copying a longer script or program from storage to be run on the instance, or installing Chef or Puppet and assigning the instance a role so that the configuration management software configures the instance.
  • VM Import/Export: this service makes it possible to replicate an on-premises VM into the AWS Cloud. Create an AMI of the on-premises VM, export it to the AWS Cloud, launch an EC2 instance and update the configuration. However, we cannot export an instance that was launched within AWS
  • Instance metadata - we can access the metadata of a running instance with an API call to http://169.254.169.254/latest/meta-data. This API returns the instance's metadata, which includes a wide variety of attributes such as the associated security group, instance ID, instance type, and the AMI used to launch the instance.
  • Tag management - tags are key/value pairs that can be associated with any AWS resource. Tags are most useful for identifying attributes of an instance such as environment (dev, test, prod), billable department, application type and so on. This helps to classify an instance's purpose and can be used to identify all instances of one department for billing and usage analysis
  • Modifying instances - AWS also supports modifying instances after launch. This gives great agility in the cloud to upgrade or downgrade instances based on usage pattern and workload, and eliminates the need for capacity forecasting at the beginning of a setup/project. Like instances, security groups can be updated based on need and the organization's security policy
  • Termination protection - we can terminate any instance at any time based on need. However, AWS provides termination protection to prevent accidental instance termination. To enable this additional protection, set termination protection to enabled. The instance cannot then be terminated until the termination protection attribute is set to disabled.

Placement Group

A logical grouping of instances within a single Availability Zone, connected through a very high-speed network (10G), which provides benefits like low latency and high network throughput (highest packets-per-second network performance). Please note that to create a placement group you must select an instance type that supports enhanced networking

The recommendation is to use the same instance type for all instances launched in a placement group, preferably with a single launch request for all required instances, to avoid the insufficient-capacity error that may occur if we need new instances afterward or use a different instance type.

A placement group supports stop and restart as well; once an instance is restarted, it still runs in the placement group

There are a few limitations of placement groups
  • A placement group must be in a single Availability Zone. More than one Availability Zone is not supported
  • The name of a placement group must be unique within the AWS account
  • The instance type selected must support enhanced networking. Instance types: general purpose, compute optimized, memory optimized, storage optimized, accelerated computing
  • Existing placement groups cannot be merged. You need to terminate the instances in one placement group and recreate them in the other placement group
  • An existing instance cannot be moved into a placement group; you need to create an AMI of the existing instance and launch it into the placement group.
  • Explicit capacity reservation is not possible in a placement group; however, a Reserved Instance provides a capacity reservation for EC2 instances in the Availability Zone, which can be used by an instance in a placement group assigned to the same Availability Zone
  • If members of a placement group address each other by their public IPv4 addresses, network bandwidth drops to 5 Gbps or less. The recommendation is to use private IPv4 or IPv6 addresses between members to get the maximum network bandwidth
  • Network bandwidth is limited to a maximum of 5 Gbps for traffic from resources outside the placement group

Enhanced networking

AWS supports enhanced networking free of cost, using SR-IOV to achieve higher bandwidth, higher packets-per-second (PPS) performance and consistently lower inter-instance latencies. SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization compared to traditional virtualized network interfaces

Elastic IP Addresses: 

  • An Elastic IP address is just a public IPv4 address designed for the dynamic cloud; it enables an EC2 instance to communicate with the internet like a public IPv4 address
  • An Elastic IP address is an independent entity in the AWS world. You first allocate it to the account, then associate it with an EC2 instance.
  • An Elastic IP address is reusable: if the associated instance fails or is terminated, the same Elastic IP can be associated with another EC2 instance
  • One difference between an Elastic IP and a public IPv4 address is reusability: a public IPv4 address cannot be reused
  • Once an Elastic IP is associated with an EC2 instance, any public IPv4 address associated with the instance is released and returned to the AWS IP pool as a free IP
  • Even if an Elastic IP is disassociated, it is not released; it remains associated with the account. It needs to be released explicitly
  • An Elastic IP address incurs a small hourly charge to the account, so Elastic IPs need to be used efficiently. This is only true if the associated instance is not in the running state: AWS only charges for unused associated Elastic IPs. AWS also charges for additional Elastic IPs associated with a running instance; one Elastic IP is free for a running instance
  • An Elastic IP address is tightly coupled to a region, so it can be used in that specific region only
--------*---------
Happy Reading.........

Please share your feedback if my notes helped you in any way with your AWS Certified Solutions Architect - Associate exam. Thanks for reading …

Please visit other pages for next topic....

Best Regards,
Aditya Prakash
