CS/Cloud Computing

Lec 04-2: Using Amazon EC2

호프 2023. 10. 15. 18:20

7 Steps to launching an EC2 Instance

1. Instance name and tags

Tag

  • A tag is a label that you can assign to an AWS resource
  • Key - value (the value is optional); the Name tag holding the instance name is the default tag
  • Tag limit per EC2 resource is 50 tags
  • Can search resources by key, by value, or by a combination of keys and values

Benefits of Using Tags

  • Resource organization: search & filter by tag, create groups of resources
  • Cost management: AWS Cost Explorer
  • Automation: automation activity script
  • Access control: IAM - attribute-based-control, IAM policies

2. Choosing an Amazon Machine Image (AMI)

Amazon Machine Image (AMI)

  • Template for the root volume of the instance, containing: OS, application servers, applications
  • Can use the same AMI to launch multiple instances that should have the same configuration
  • After an instance is created, you cannot change its AMI

Where Do You Get an AMI?

  • Pre-built
  • AWS Marketplace: digital catalog
  • Create your own
  • Community AMIs: not vetted by AWS

Benefits of AMI

  • Repeatability: Instances from the same AMI are exact replicas of one another
  • Reusability: AMI packages the full configuration and content of an EC2 instance
  • Recoverability: replacing failed machines
  • Marketplace Solutions: probably an AMI that you need exists on the marketplace
  • Backups: great way to back up a complete EC2 instance configuration

3. Instance type

Instance Types

  • Instance type determines:
    • Processing power(CPU), Memory(RAM), Disk space and disk type, Network performance

Instance Families -> details on Lec 03

  • Prefix
  • Suffix
  • Levels (size of the instance)

Scaling Instances Vertically

  • Instance type can be changed after the instance is launched -> vertical scaling is possible.
  • Vertical scaling
    • Scale up or down for CPU
    • Switch to any instance type in any instance family.

4. Key pair

Key pair

  • At instance launch, you can specify an existing key pair, create a new key pair, or choose not to use a key pair
  • Key pair cannot be added to the instance after it is launched
  • Key pair consists of a public key that AWS stores and the private key file that user stores.

Connecting to Your Instance with Key pair

  • Windows AMIs: Remote Desktop Protocol (RDP)
  • Linux AMIs: Secure Shell (SSH); with PuTTY you need to convert the .pem private key to .ppk using PuTTYgen
  • You should never expose your private key to the public

5. Network settings

  • You can choose VPC, subnet, and security group and must decide whether you will enable or disable a public IP address for the instance

Regions

  • Region is assumed based on the region that you are working in on your AWS Management Console.

VPCs and Subnets

  • When you start using Amazon VPC, you have a default VPC in each AWS Region
    • the default VPC comes with a public subnet in each Availability Zone of the Region
    • therefore, you can immediately start launching EC2 instances into a default VPC
    • You can create more public subnets in your default VPC
  • You can create and customize additional VPCs in any Region

Public IP address

  • Used to communicate between your instances and the Internet.
  • Default VPC - default subnet
    • By default, the auto-assign public IP setting is enabled when you launch an instance
  • Default VPC - custom public subnet, custom VPC - custom subnet
    • By default, the auto-assign public IP setting is disabled

Security Groups

  • Virtual firewall for your instances
  • Controls network access
  • Exists outside the instance's guest OS
  • Specifies allow rules only, not deny rules
  • Can be modified at any time; updates take effect in real time

Security Groups Rule Components

  • Type (e.g. SSH, HTTP, HTTPS)
  • Protocol (e.g. TCP, UDP, ICMP)
  • Port range: the ports that are allowed to pass traffic for each protocol type
  • Source: the range of IP addresses from which traffic can reach your instance

Inbound Rules and Outbound Rules

  • Inbound rules: control traffic coming into your instance
    • a new security group has no inbound rules by default
  • Outbound rules: control traffic going out from your instance
    • a new security group allows all outbound traffic by default
  • Stateful attribute
    • For every inbound rule, the outbound response is allowed automatically, and vice versa
    • If there is only one inbound rule that allows the HTTP protocol from the IP range 0.0.0.0/0, then a response from the instance is automatically allowed. However, since no outbound rules are specified in the security group, the instance cannot initiate an outbound connection.
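
To make the stateful behaviour described above concrete, here is a small Python model of security-group evaluation, added for these notes and not AWS code: the Rule and SecurityGroup classes and the flow-tracking table are assumptions that approximate how the real connection tracking works.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:  # one allow rule; security groups have no deny rules
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str        # source for inbound rules, destination for outbound rules

    def matches(self, protocol, port, remote_ip):
        if self.protocol not in ("-1", protocol):
            return False
        if not self.from_port <= port <= self.to_port:
            return False
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)

@dataclass
class SecurityGroup:
    inbound_rules: list = field(default_factory=list)   # empty by default
    outbound_rules: list = field(default_factory=list)
    tracked: set = field(default_factory=set)           # admitted flows (assumed conntrack)

    def inbound(self, protocol, remote_ip, remote_port, local_port):
        """Packet arriving from remote_ip:remote_port at local_port."""
        flow = (protocol, remote_ip, remote_port, local_port)
        if flow in self.tracked:    # reply to a flow the instance initiated
            return True
        if any(r.matches(protocol, local_port, remote_ip) for r in self.inbound_rules):
            self.tracked.add(flow)  # remember it so the response can leave
            return True
        return False                # unmatched traffic is dropped

    def outbound(self, protocol, remote_ip, remote_port, local_port):
        """Packet leaving local_port towards remote_ip:remote_port."""
        flow = (protocol, remote_ip, remote_port, local_port)
        if flow in self.tracked:    # response to an admitted inbound flow
            return True
        if any(r.matches(protocol, remote_port, remote_ip) for r in self.outbound_rules):
            self.tracked.add(flow)
            return True
        return False

def http_only_group():  # the page's example: one inbound HTTP rule, no outbound rules
    return SecurityGroup(inbound_rules=[Rule("tcp", 80, 80, "0.0.0.0/0")])

def default_group():  # a newly created group: no inbound rules, allow-all outbound
    return SecurityGroup(outbound_rules=[Rule("-1", 0, 65535, "0.0.0.0/0")])
```

With http_only_group(), a request from a constructed client address to port 80 is admitted and its reply leaves even though the outbound list is empty, while a connection the instance tries to open itself is refused.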

Managing Security Groups

  • Security groups act at the instance level, not the subnet level.
  • Can attach more than one security group to an instance

6. Configure storage

Amazon Elastic Block Store(EBS)

  • EBS can be used to run a database, host applications, and handle storage operations

EBS Volume Types

  • General purpose (SSD-based)
  • Provisioned IOPS (SSD-based)
    • highest-performance SSD volumes for low-latency or high-throughput workloads
  • Throughput Optimized (HDD-based)
    • low-cost HDD volume, cannot be a boot (root) volume (= cannot install the OS on it)
  • Cold (HDD-based)
    • lowest-cost HDD volume designed for less frequently accessed workloads, cannot be a boot volume

Speed: SSD faster than HDD / Cost: HDD cheaper than SSD

Amazon EBS Storage Configuration Options

  • Volume types
    • HDD-based type cannot be the root volume
    • Can add additional volumes (non-root volumes) to your instance; they may be of a different type
  • Volume Size : the size of the volume is chosen in GB
  • Delete on termination
    • whether the volume should be automatically deleted when the instance is terminated
  • Encryption
    • Using AWS Key Management Service keys to encrypt volumes

Adding a File System - Amazon Elastic File System(EFS)

  • EFS is a file system that you can use to share files among multiple EC2 instances.
    • Can attach instances to the EFS as you launch the instance or afterwards
    • Can remove instances from EFS without losing any files stored on EFS
  • Cannot act as a root volume - each instance must have its own root volume

Amazon EC2 Instance Store

  • Instance store provides temporary block-level storage for your instance
  • Storage is located on disks that are physically attached to the host computer
    • ideal for buffers, caches, scratch data, and other temporary content
  • Instance store cannot be a root volume
  • Limitations
    • You will lose all of your data when the instance is stopped, hibernated, or terminated
    • After the instance is launched, you cannot add instance store volumes
    • AWS does not offer you the option to detach the volume
    • Instance store volumes are not configurable (SSD or HDD, size, encryption)

7. Advanced details

IAM Role

  • An IAM role is an IAM identity that has specific permission policies
  • Roles can be used to give instances permissions to access other AWS services
    • Storing AWS credentials on an EC2 instance to give it permissions is highly insecure

Managing Roles

  • To attach a role to an instance, select a role from the instance profile to associate with the instance
    • An instance profile is a container for an IAM Role
  • Flexibility
    • Include the role when launching, Add a role after launching, Remove the role, Update a role's policy immediately.

User Data

  • When launching an EC2 instance, you have the option of passing user data to the instance
  • User data scripts customize the runtime environment of your instance
    • the script runs the first time the instance starts by default
    • the script can be configured to run every time the instance starts
  • Examples: patch and update the instance AMI, fetch and install software license keys, install additional software ...

Additional Advanced Setting options

  • Request Spot Instances
  • Shutdown behavior: Instance can be either terminated or stopped when OS-level shutdown is performed
  • Termination protection
  • Detailed monitoring
  • Tenancy

Configuration Considerations

Have no default setting

  • Key pair

Affect costs

  • AMI, Instance type, Configure storage, Advanced details, Regions

Cannot be modified after launching

  • AMI, Key pair, Region, Network settings: VPC, subnet, instance store

Can be modified after launching

  • Name and tags, Instance type, storage, Network settings: IP address, security groups, Advanced details: adding a role, user data scripts, EFS