AWS Certification Notes (Chapter 2: EBS and EFS)
NOTES:
Availability Zone = Different Data Centers broken out by Region (AZ for short; AZ names always end with a LETTER, Region names end with a NUMBER)
IAM = Identity Management / Users and Roles at a Global Level
IAM Federation = For Company Integration like Active Directory (SAML)
EC2 = Virtual Machine (default is Linux with a Firewalled / Dynamic / Public IP, if you need a Static IP create an "Elastic IP")
SSH into an EC2 = ssh -i {path.pem} ec2-user@{ip}
Security Groups = Control traffic rules to the EC2 (Firewall)
Timeouts = Security Group configuration issue / Connection Refused = Application issue
Security Groups can reference other Security Groups, multiple instances, etc. (They are locked down to a Region)
Practice: Install Apache on an EC2
- SSH into the EC2 (Linux) with user "root"
- sudo yum update
- sudo yum install -y httpd.x86_64
- sudo systemctl start httpd.service
- sudo systemctl enable httpd.service (restart the service on reboot)
- Open Port 80 via Security Group
- echo "Hello World from MatrixTools-EC2-01 - $(hostname -f)" > /var/www/html/index.html
Practice: Let's Automate That!
- EC2 User Data can run scripts at first boot (bootstrapping)
- EC2 - Launch Instance - Amazon Linux 2 AMI
- Configure Instance Details - Advanced Details - User data
- Paste in the "script" from above
- It must start with the following line, preceding any script:
- #!/bin/bash
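The two practice sections above, combined: the Apache steps become one user-data script, and the script is checked before it is pasted into "Advanced Details - User data". This is an added example, not from the original notes. The 16 KB figure is AWS's documented limit on raw (pre-base64) user data; the server label, the check rules and the function names are the example's own assumptions.

```python
"""Build and check the EC2 user-data bootstrap script for the Apache install steps.
Added example, not from the notes: the label and the check rules are assumptions."""
import re

USER_DATA_MAX_BYTES = 16 * 1024  # AWS limit on raw user data before base64 encoding

# The install steps from the notes, kept non-interactive: nobody answers prompts
# during first boot, so every yum call carries -y.
BOOTSTRAP_STEPS = [
    "yum update -y",
    "yum install -y httpd.x86_64",
    "systemctl start httpd.service",
    "systemctl enable httpd.service",
]


def render_user_data(server_label: str = "MatrixTools-EC2-01") -> str:
    """Return the bash script cloud-init runs at first boot.
    The first line must be the interpreter line; without it the text is not
    executed as a shell script."""
    index_line = (
        f'echo "Hello World from {server_label} - $(hostname -f)" '
        "> /var/www/html/index.html"
    )
    return "\n".join(["#!/bin/bash", *BOOTSTRAP_STEPS, index_line]) + "\n"


def validate_user_data(script: str) -> list[str]:
    """Return a list of problems; an empty list means the script is safe to paste."""
    problems = []
    lines = script.splitlines()
    if not lines or lines[0] != "#!/bin/bash":
        problems.append("first line must be #!/bin/bash")
    if len(script.encode()) > USER_DATA_MAX_BYTES:
        problems.append("script exceeds the 16 KB raw user-data limit")
    for n, line in enumerate(lines, 1):
        # yum without -y would stall the boot waiting for a confirmation nobody gives
        if re.search(r"\byum\s+(install|update|remove)\b", line) and not re.search(r"(^|\s)-y\b", line):
            problems.append(f"line {n}: yum call is interactive (missing -y)")
    return problems


if __name__ == "__main__":
    script = render_user_data()
    issues = validate_user_data(script)
    print(script if not issues else "\n".join(issues))
```

Run it on a workstation and paste the printed script into the User data field; if it prints a problem list instead, fix the script first, because a bootstrap that stalls at first boot leaves the instance running without the web server and without any error you can see from the console.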
EC2 Instances - Launch Types
On-Demand
- Pay for what you use
- Highest cost but no upfront payment
- No long-term commitment
- Recommendation: for auto-scaling or short-term, uninterrupted workloads, where you can't predict how the application will behave
Reserved
- Up to 75% discount compared to On-demand
- Pay upfront for what you use with long-term commitment
- Reservation period can be 1 or 3 years
- Reserve a specific instance type
- Recommendation: for steady state usage applications (think database)
Convertible Reserved
- Up to 54% discount compared to On-demand
- Can change the EC2 instance type
Scheduled Reserved
- Only launch within time window you reserve
Spot
- Best Discount: up to 90% compared to On-demand
- You bid a price and get the instance as long as it's under the price
- Price varies based on offer and demand
- Spot instances are reclaimed with a 2-minute notification warning when the spot price goes above your bid
- Recommendation: for batch jobs, Big Data analysis, or workloads that are resilient to failures. NOT for critical jobs or databases
Dedicated Hosts
- Physical dedicated EC2 server / Full control and visibility
- Allocated for your account for a 3-year period reservation
- More expensive
- Recommendation: for complicated licensing / regulatory or compliance needs (must keep software and data on separate machine)
Dedicated Instances
- Instances running on hardware that's dedicated to you
- May share hardware with other instances in same account
- No control over placement
EC2 Instances Types
- R = applications that need a lot of RAM
- C = applications that need a lot of CPU (databases)
- M = applications that need balance (middle / medium)
- I = applications that need good local I/O (databases)
- G = applications that need good GPU (video rendering / machine learning)
- T2/T3 = Burstable Instances ("burst credits")
- T2/T3 Unlimited = Unlimited Bursts
EC2 AMIs (custom base images)
- Pre-installed packages, settings, etc
- AMI Storage lives on S3 (inexpensive, just remove old ones)
- Public and sharable ones in the marketplace
- Just right click on your service instance - Image - Create Image
- Images - AMIs - right click - Launch (AMIs are region specific / cannot use same ID across regions)
- FAQ: You can copy and share AMIs and make them public by changing the permissions. If you cannot copy an AMI (often a billingProduct code issue), you can still launch an instance from it and create your own AMI from that instance
EC2 Placement Group Strategies
- Cluster - a low-latency group in a single Availability Zone (high performance / high risk)
- Spread - across hardware and AZ (critical applications / low risk / limit 7 instances)
- Partition - across partitions (hardware within a single AZ / compromise)
EC2 for Solution Architects
- Billed by the second, t2.micro is free tier
- Lock down port 22 to only the sources that need SSH, and keep the key file private (chmod 0400 on the .pem)
- Timeout issues = Security Group issues
- Security Groups can reference other Security Groups
ELB (Load Balancer for EC2)
- Classic / Application / Network
- Built-in Health Check
- Use the static hostname NOT the underlying IP
- Cannot scale instantaneously - contact AWS for a "warm-up"
- 4xx errors are client, 5xx are application, 503 means no capacity or no targets
- If LB cannot connect to application, check security groups
Application (Layer 7)
- Load balancing to multiple machines (target groups)
- Load balancing to multiple applications on same machine (containers)
- Load balancing based on route in URL
- Load balancing based on hostname in URL
- Port Mapping feature to redirect to a Dynamic Port
- Stickiness can be enabled at the target group level by cookies
- Supports HTTP, HTTPS, and Websockets
- The application servers don't see the IP of the client directly, but it is placed in a header (X-Forwarded-For, X-Forwarded-Port, X-Forwarded-Proto)
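How an application behind an ALB should use those headers, as an added example that is not part of the notes. The ALB appends the client address to X-Forwarded-For, but the leftmost entries are whatever the client sent, so the server must only believe the header when the TCP peer really is the load balancer and must read it from the right. The proxy CIDR, the header samples and the function names are constructed for the example.

```python
"""Recover the real client address and scheme behind an Application Load Balancer.
Added example, not from the notes: the trusted CIDR and samples are assumptions."""
import ipaddress

# Assumption: the ALB nodes live in this VPC range and only the LB security group
# can reach the application instances (the "LB security group" pattern from the notes).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]


def _is_trusted(addr: str) -> bool:
    """True when addr is a load balancer node we accept forwarding headers from."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, headers: dict[str, str]) -> str:
    """peer_addr is the TCP peer the server sees (an ALB node when behind an ALB).
    Walk X-Forwarded-For from the right, skipping trusted proxies; the first
    untrusted hop is the client. Leftmost entries are client-supplied and may be forged."""
    if not _is_trusted(peer_addr):
        return peer_addr  # direct connection (or an NLB, which preserves the client IP)
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer_addr  # garbage in the header: fall back to the peer address
    return peer_addr


def needs_https_redirect(peer_addr: str, headers: dict[str, str]) -> bool:
    """TLS terminates at the ALB, so the instance only learns the original scheme from
    X-Forwarded-Proto, and again only when the peer is the load balancer."""
    if not _is_trusted(peer_addr):
        return False
    return headers.get("X-Forwarded-Proto", "https").lower() == "http"


if __name__ == "__main__":
    sample = {"X-Forwarded-For": "1.2.3.4, 203.0.113.7", "X-Forwarded-Proto": "http"}
    print(client_ip("10.0.12.34", sample), needs_https_redirect("10.0.12.34", sample))
```

Use `client_ip` for logging and rate limiting, and `needs_https_redirect` for the HTTP-to-HTTPS redirect; both deliberately ignore the headers when the request did not arrive through a trusted proxy, which is what makes the LB security group worth configuring on the instances.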
Network (Layer 4)
- Load balancing for TCP
- High performance ~ millions of requests per second
- Support for static IP or elastic IP (1 per AZ)
- Less latency ~ 100 ms (vs 400 ms for ALB)
- Use if Extreme Performance is required
- Can see the client IP directly
- Public facing = must attach an Elastic IP, which gives clients a fixed address to whitelist
More Load Balancer Notes
- App LBs provide a Static DNS name
- Network Load Balancers expose a public static IP (and can work with TCP)
- Use STICKINESS if Session Data is important (client gets same instance via cookie)
- 0.0.0.0/0 means allow anyone from anywhere
- Can also use a (LB) security group, so that traffic has to come from load balancer
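An audit of the two security-group rules the notes keep coming back to (0.0.0.0/0 on SSH, and web traffic admitted only from the load balancer's group), as an added example that is not from the notes. The JSON is constructed in the shape of `aws ec2 describe-security-groups` output; the group ids and names are made up for the example.

```python
"""Audit security-group ingress for the two patterns in the notes.
Added example, not from the notes: the group ids, names and rules are constructed."""
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}  # "allow anyone from anywhere" in both IP families

# Constructed ids; real ones are "sg-" followed by a hex string of your own account.
LB_SG = "sg-0a1b2c3d4e5f60001"
APP_SG = "sg-0a1b2c3d4e5f60002"

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads(f"""
{{"SecurityGroups": [
  {{"GroupId": "{LB_SG}", "GroupName": "lb-sg", "IpPermissions": [
     {{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
      "IpRanges": [{{"CidrIp": "0.0.0.0/0"}}], "Ipv6Ranges": [], "UserIdGroupPairs": []}}]}},
  {{"GroupId": "{APP_SG}", "GroupName": "app-sg", "IpPermissions": [
     {{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [], "Ipv6Ranges": [],
      "UserIdGroupPairs": [{{"GroupId": "{LB_SG}"}}]}},
     {{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{{"CidrIp": "0.0.0.0/0"}}], "Ipv6Ranges": [], "UserIdGroupPairs": []}}]}}
]}}
""")


def _covers_port(perm: dict, port: int) -> bool:
    """IpProtocol "-1" is "all traffic" and carries no port range."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def open_to_world(groups: list[dict], port: int) -> list[str]:
    """Ids of groups whose ingress admits the given port from anywhere."""
    hits = []
    for g in groups:
        for perm in g["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if _covers_port(perm, port) and cidrs & ANYWHERE:
                hits.append(g["GroupId"])
                break
    return hits


def admits_only_from_group(groups: list[dict], group_id: str, port: int, source_group: str) -> bool:
    """True if every ingress rule on group_id covering port comes solely from source_group,
    i.e. the notes' "traffic has to come from the load balancer" setup."""
    g = next(x for x in groups if x["GroupId"] == group_id)
    rules = [p for p in g["IpPermissions"] if _covers_port(p, port)]
    if not rules:
        return False  # nothing admits the port at all
    for p in rules:
        if p.get("IpRanges") or p.get("Ipv6Ranges"):
            return False  # a CIDR rule bypasses the load balancer
        if {pair["GroupId"] for pair in p.get("UserIdGroupPairs", [])} != {source_group}:
            return False
    return True


if __name__ == "__main__":
    groups = SAMPLE["SecurityGroups"]
    print("SSH open to the world:", open_to_world(groups, 22))
    print("app-sg web ingress only from lb-sg:", admits_only_from_group(groups, APP_SG, 80, LB_SG))
```

On the sample, `open_to_world(groups, 22)` names the app group, which is exactly the "lock down port 22" finding from the EC2 section, while the port 80 check on the app group passes because its only web rule references the LB group rather than a CIDR. Feed it the real `describe-security-groups` JSON for a region to run the same two checks there.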
Auto Scaling
- Cooldown = period between each scale action
- ASG = Auto Scaling Group
- Default Termination Policy = AZ with the most instances, then the oldest launch configuration
- ASGs are free and also auto-restart instances to KEEP X number of instances running!
- Scale based on CloudWatch alarms (Custom Metrics with PutMetric API)
- Automatically Register new instances to a load balancer
- SNI = the client specifies the SSL/TLS hostname it is reaching
- ACM = AWS Certificate Manager (X.509 SSL/TLS server certificate)