EC2.pdf
Uploaded by FancierRationality
2023
COMPUTE

AMAZON EC2

AMAZON EC2 FEATURES

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizable compute capacity in the cloud.

With Amazon EC2 you launch virtual server instances on the AWS cloud. Each virtual server is known as an “instance”.

You use preconfigured templates for your instances known as Amazon Machine Images (AMIs). Each AMI includes the information needed to launch your EC2 instance (including the operating system and any included software packages).

Amazon EC2 currently supports a variety of operating systems including:
• Amazon Linux
• Ubuntu
• Windows Server
• MacOS
• Red Hat Enterprise Linux
• SUSE Linux Enterprise Server
• Fedora
• Debian
• CentOS
• Gentoo Linux
• Oracle Linux
• FreeBSD

EC2 compute units (ECUs) provide the relative measure of the integer processing power of an Amazon EC2 instance.

With EC2 you have full control at the operating system layer (root/admin access).

Key pairs are used to securely connect to EC2 instances:
• A key pair consists of a public key that AWS stores, and a private key file that you store.
• For Windows AMIs, the private key file is required to obtain the password used to log into your instance.
• For Linux AMIs, the private key file allows you to securely SSH (secure shell) into your instance.

Metadata and User Data:
• User data is data that is supplied by the user at instance launch in the form of a script.
• Instance metadata is data about your instance that you can use to configure or manage the running instance.
• User data is limited to 16KB.
• User data and metadata are not encrypted.
• Instance metadata is available at http://169.254.169.254/latest/meta-data/ (the trailing “/” is required).
• Instance user data is available at: http://169.254.169.254/latest/user-data.
• The IP address 169.254.169.254 is a link-local address and is valid only from the instance.
• On Linux you can use the curl command to view metadata and user data, e.g. “curl http://169.254.169.254/latest/meta-data/”.
• The Instance Metadata Query tool allows you to query the instance metadata without having to type out the full URI or category names.

© 2023 Digital Cloud Training 12

EC2 INSTANCE TYPES

Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your applications. Each instance type includes one or more instance sizes, allowing you to scale your resources to the requirements of your target workload.

| Category | Families | Purpose/Design |
| --- | --- | --- |
| General Purpose | Mac, T4g, T3, T3a, T2, M6g, M6i, M5, M5a, M5n, M5zn, M5, A1 | General Purpose Instances provide a balance of compute, memory, and networking resources, and can be used for a variety of diverse workloads. |
| Compute Optimized | C6g, C6gn, C6i, C5, C5a, C5n, C4 | Compute optimized instances are ideal for compute-bound applications that benefit from high performance processors. |
| Memory Optimized | R6g, R5, R5a, R5b, R5n, R4, X2gd, X1e, X1, High Memory, z1d | Memory optimized instances are designed to deliver fast performance for workloads that process large data sets in memory. |
| Accelerated Computing | P4, P3, P2, DL1, Inf1, G5, G4dn, G4ad, G3, F1, VT1 | Accelerated Computing instances use hardware accelerators, or co-processors, to perform functions such as floating-point number calculations, graphics processing, or data pattern matching. |
| Storage Optimized | I3, I3en, D2, D4, D3en, H1 | This instance family provides Non-Volatile Memory Express (NVMe) SSD-backed instance storage optimized for low latency, very high random I/O performance, high sequential read throughput and high IOPS at a low cost. |

LAUNCHING EC2 INSTANCES

Choose an Amazon Machine Image (AMI).
Choose whether to auto-assign a public IP – default is to use the subnet setting.
Can add an instance to a placement group (more about this below).
Instances can be assigned to IAM roles, which configure them with credentials to access AWS resources.
Termination protection can be enabled and prevents you from terminating an instance.
Basic monitoring is enabled by default (5-minute periods); detailed monitoring can be enabled (1-minute periods, chargeable).
Can define shared or dedicated tenancy.
T2 unlimited allows applications to burst past CPU performance baselines as required (chargeable).
Can add a script to run on startup (user data).
Can join to a directory (Windows instances only).
There is an option to enable an Elastic GPU (Windows instances only).
Storage options include adding additional volumes and choosing the volume type.
Use Amazon Elastic File System (EFS) for mounting a shared filesystem to multiple EC2 instances.
Non-root volumes can be encrypted. Root volumes can be encrypted at launch.
There is an option to create tags (or this can be done later).
You can select an existing security group or create a new one.
You must create or use an existing key pair – this is required if you want to access your instances via SSH. However, you can also attach the ‘AmazonEC2RoleforSSM’ IAM role to your EC2 instance to allow connection to your instance via Systems Manager (Session Manager).

AMAZON MACHINE IMAGES

An Amazon Machine Image (AMI) provides the information required to launch an instance. An AMI includes the following:
• A template for the root volume for the instance (for example, an operating system, an application server, and applications).
• Launch permissions that control which AWS accounts can use the AMI to launch instances.
• A block device mapping that specifies the volumes to attach to the instance when it’s launched.

AMIs are regional. You can only launch an AMI from the region in which it is stored. However, you can copy AMIs to other regions using the console, command line, or the API.
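Returning to the Metadata and User Data section above: the following is an added example (not from the course notes) that walks the instance metadata tree, honouring the trailing-slash convention for directories, and size-checks the user-data script against the 16KB limit. The fetch function is injectable so the walker runs offline against a constructed sample tree; `http_fetch`, `FAKE_TREE` and `fake_fetch` are this example's own names.

```python
"""Walk the EC2 instance metadata tree and size-check user data.

Added example, not from the course notes. The metadata service answers
HTTP on the link-local address 169.254.169.254 and is reachable only from
the instance itself. A listing entry that ends in "/" is a directory whose
body names its children one per line, which is why the trailing "/" on
.../meta-data/ matters. The walker takes a fetch function so it runs
offline against the constructed tree below; on a real instance pass
http_fetch instead.
"""
from typing import Callable, Dict
from urllib.request import urlopen

IMDS_BASE = "http://169.254.169.254/latest/"
USER_DATA_LIMIT = 16 * 1024  # user data is limited to 16KB


def http_fetch(path: str) -> str:
    """Read one path below IMDS_BASE (only works from inside the instance)."""
    with urlopen(IMDS_BASE + path, timeout=2) as resp:
        return resp.read().decode("utf-8", "replace")


def walk_metadata(fetch: Callable[[str], str], path: str = "meta-data/") -> Dict[str, str]:
    """Return {leaf_path: value} for every leaf below `path`, recursing into
    directories (listing entries that end in "/")."""
    leaves: Dict[str, str] = {}
    for entry in fetch(path).splitlines():
        entry = entry.strip()
        if not entry:
            continue
        child = path + entry
        if entry.endswith("/"):
            leaves.update(walk_metadata(fetch, child))
        else:
            leaves[child] = fetch(child)
    return leaves


def user_data_report(fetch: Callable[[str], str]) -> Dict[str, object]:
    """Size-check the launch script served at .../user-data. Nothing on this
    endpoint is encrypted and it is reachable from any process on the
    instance, so a script that embeds secrets exposes them to everything
    running there."""
    data = fetch("user-data")
    size = len(data.encode("utf-8"))
    return {"bytes": size, "within_limit": size <= USER_DATA_LIMIT}


# Constructed sample tree shaped like real IMDS listings (not captured data).
FAKE_TREE = {
    "meta-data/": "ami-id\nhostname\ninstance-id\nplacement/\n",
    "meta-data/ami-id": "ami-00000000000000000",
    "meta-data/hostname": "ip-10-0-1-23.ec2.internal",
    "meta-data/instance-id": "i-00000000000000000",
    "meta-data/placement/": "availability-zone\nregion\n",
    "meta-data/placement/availability-zone": "us-east-1a",
    "meta-data/placement/region": "us-east-1",
    "user-data": "#!/bin/bash\necho 'booted' > /tmp/boot-marker\n",
}


def fake_fetch(path: str) -> str:
    """Offline stand-in for http_fetch, backed by FAKE_TREE."""
    return FAKE_TREE[path]


if __name__ == "__main__":
    for leaf, value in sorted(walk_metadata(fake_fetch).items()):
        print(f"{leaf}: {value}")
    print(user_data_report(fake_fetch))
```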
Volumes attached to the instance are either EBS or Instance store:
• Amazon Elastic Block Store (EBS) provides persistent storage. EBS snapshots, which reside on Amazon S3, are used to create the volume.
• Instance store volumes are ephemeral (non-persistent). That means data is lost if the instance is shut down. A template stored on Amazon S3 is used to create the volume.

BILLING AND PROVISIONING

There are several options for how you consume and pay for Amazon EC2 instances.

On demand
• Pay for hours used with no commitment.
• Low cost and flexibility with no upfront cost.
• Ideal for auto scaling groups and unpredictable workloads.
• Good for dev/test.

Spot
• Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud.
• Spot Instances are available at up to a 90% discount compared to On-Demand prices.
• You can use Spot Instances for various stateless, fault-tolerant, or flexible applications such as big data, containerized workloads, CI/CD, web servers, high-performance computing (HPC), and other test & development workloads.
• You can request Spot Instances by using the Spot management console, CLI, API or the same interface that is used for launching On-Demand instances by indicating the option to use Spot.
• You can also select a Launch Template or a pre-configured or custom Amazon Machine Image (AMI), configure security and network access to your Spot instance, choose from multiple instance types and locations, use static IP endpoints, and attach persistent block storage to your Spot instances.
• New pricing model: The Spot price is determined by long term trends in supply and demand for EC2 spare capacity.
  o You don’t have to bid for Spot Instances in the new pricing model, and you just pay the Spot price that’s in effect for the current hour for the instances that you launch.
  o Spot Instances receive a two-minute interruption notice when these instances are about to be reclaimed by EC2, because EC2 needs the capacity back.
  o Instances are not interrupted because of higher competing bids.
• To reduce the impact of interruptions and optimize Spot Instances, diversify, and run your application across multiple capacity pools.
• Each instance family, each instance size, in each Availability Zone, in every Region is a separate Spot pool.
• You can use the RequestSpotFleet API operation to launch thousands of Spot Instances and diversify resources automatically.
• To further reduce the impact of interruptions, you can also set up Spot Instances and Spot Fleets to respond to an interruption notice by stopping or hibernating rather than terminating instances when capacity is no longer available.

Reserved
• Purchase (or agree to purchase) usage of EC2 instances in advance for significant discounts over On-Demand pricing.
• Provides a capacity reservation when used in a specific AZ.
• AWS Billing automatically applies discounted rates when you launch an instance that matches your purchased RI.
• Capacity is reserved for a term of 1 or 3 years.
• EC2 has three RI types: Standard, Convertible, and Scheduled.
• Standard = commitment of 1 or 3 years, charged whether it’s on or off.
• Scheduled = reserved for specific periods of time, accrue charges hourly, billed in monthly increments over the term (1 year).
• Scheduled RIs match your capacity reservation to a predictable recurring schedule.
• For the differences between standard and convertible RIs, see the table below.
• RIs are used for steady state workloads and predictable usage.
• Ideal for applications that need reserved capacity.
• Upfront payments can reduce the hourly rate.
• Can switch AZ within the same region.
• Can change the instance size within the same instance type.
• Instance type modifications are supported for Linux only.
• Cannot change the instance size of Windows RIs.
• Billed whether running or not.
• Can sell reservations on the AWS marketplace.
• Can be used in Auto Scaling Groups.
• Can be used in Placement Groups.
• Can be shared across multiple accounts within Consolidated Billing.
• If you don’t need your RIs, you can try to sell them on the Reserved Instance Marketplace.

| | Standard | Convertible |
| --- | --- | --- |
| Terms | 1 year, 3 year | 1 year, 3 year |
| Average discount off On-Demand price | 40% - 60% | 31% - 54% |
| Change AZ, instance size, networking type | Yes, via ModifyReservedInstance API or console | Yes, via ExchangeReservedInstance API or console |
| Change instance family, OS, tenancy, payment options | No | Yes |
| Benefit from price reductions | No | Yes |

RI Attributes:
• Instance type – designates CPU, memory, networking capability.
• Platform – Linux, SUSE Linux, RHEL, Microsoft Windows, Microsoft SQL Server.
• Tenancy – Default (shared) tenancy, or Dedicated tenancy.
• Availability Zone (optional) – if AZ is selected, RI is reserved, and discount applies to that AZ (Zonal RI). If no AZ is specified, no reservation is created but the discount is applied to any instance in the family in any AZ in the region (Regional RI).

Comparing Amazon EC2 Pricing Models

The following table provides a brief comparison of On-demand, Reserved and Spot pricing models:

| On-Demand | Reserved | Spot |
| --- | --- | --- |
| No upfront fee | Options: No upfront, partial upfront or all upfront | No upfront fee |
| Charged by hour or second | Charged by hour or second | Charged by hour or second |
| No commitment | 1-year or 3-year commitment | No commitment |
| Ideal for short term needs or unpredictable workloads | Ideal for steady-state workloads and predictable usage | Ideal for cost-sensitive, compute intensive use cases that can withstand interruption |

You are limited to running up to a total of 20 On-Demand instances across the instance family, purchasing 20 Reserved Instances, and requesting Spot Instances per your dynamic spot limit per region (by default).
Dedicated hosts
• Physical servers dedicated just for your use.
• You then have control over which instances are deployed on that host.
• Available as On-Demand or with Dedicated Host Reservation.
• Useful if you have server-bound software licenses that use metrics like per-core, per-socket, or per-VM.
• Each dedicated host can only run one EC2 instance size and type.
• Good for regulatory compliance or licensing requirements.
• Predictable performance.
• Complete isolation.
• Most expensive option.
• Billing is per host.

Dedicated instances
• Virtualized instances on hardware just for you.
• Also uses physically dedicated EC2 servers.
• Does not provide the additional visibility and controls of dedicated hosts (e.g. how instances are placed on a server).
• Billing is per instance.
• May share hardware with other non-dedicated instances in the same account.
• Available as On-Demand, Reserved Instances, and Spot Instances.
• Cost additional $2 per hour per region.

The following table describes some of the differences between dedicated instances and dedicated hosts:

| Characteristic | Dedicated Instances | Dedicated Hosts |
| --- | --- | --- |
| Enables the use of dedicated physical servers | X | X |
| Per instance billing (subject to a $2 per region fee) | X | |
| Per host billing | | X |
| Visibility of sockets, cores, host ID | | X |
| Affinity between a host and instance | | X |
| Targeted instance placement | | X |
| Automatic instance placement | X | X |
| Add capacity using an allocation request | | X |

Partial instance-hours consumed are billed based on instance usage.

Instances are billed when they’re in a running state – you need to stop or terminate them to avoid paying.

Charging is by the hour or second (by the second with Linux instances only).

Data between instances in different regions is charged (in and out).
Regional Data Transfer rates apply if at least one of the following is true, but are only charged once for a given instance even if both are true:
• The other instance is in a different Availability Zone, regardless of which type of address is used.
• Public or Elastic IP addresses are used, regardless of which Availability Zone the other instance is in.

NETWORKING

Networking Limits (per region or as specified):

| Name | Default Limit |
| --- | --- |
| EC2-Classic Elastic IPs | 5 |
| EC2-VPC Elastic IPs | 5 |
| VPCs | 5 |
| Subnets per VPC | 200 |
| Security groups per VPC | 500 |
| Rules per VPC security group | 50 |
| VPC security groups per elastic network interface | 5 |
| Network interfaces | 350 |
| Network ACLs per VPC | 200 |
| Rules per network ACL | 20 |
| Route tables per VPC | 200 |
| Entries per route table | 50 |
| Active VPC peering connections | 50 |
| Outstanding VPC peering connection requests | 25 |
| Expiry time for an unaccepted VPC peering connection | 168 (hours) |

IP ADDRESSES

There are three types of IP address that can be assigned to an Amazon EC2 instance:
• Public – public address that is assigned automatically to instances in public subnets and reassigned if the instance is stopped/started.
• Private – private address assigned automatically to all instances.
• Elastic IP – public address that is static.

Public IPv4 addresses are lost when the instance is stopped but private addresses (IPv4 and IPv6) are retained.

Public IPv4 addresses are retained if you restart the instance.

Elastic IPs are retained when the instance is stopped.

Elastic IP addresses are static public IP addresses that can be remapped (moved) between instances.

All accounts are limited to 5 Elastic IPs per region by default; however, this is a soft limit which can be raised by a service limit increase request to AWS Support.

AWS charges for Elastic IPs when they’re not being used.

An Elastic IP address is for use in a specific region only.

You can assign custom tags to your Elastic IP addresses to categorize them.
By default, EC2 instances come with a private IP assigned to the primary network interface (eth0).

Public IP addresses are assigned for instances in public subnets (VPC).

DNS records for Elastic IPs can be configured by filling out a form.

Secondary IP addresses can be useful for hosting multiple websites on a server or redirecting traffic to a standby EC2 instance for HA.

You can choose whether secondary IP addresses can be reassigned.

You can associate a single private IPv4 address with a single Elastic IP address and vice versa.

When reassigned, the IPv4 to Elastic IP association is maintained.

When a secondary private address is unassigned from an interface, the associated Elastic IP address is disassociated.

You can assign or remove IP addresses from EC2 instances while they are running or stopped.

When you stop and start an EC2 instance, it will generally be moved to different underlying hardware.

Exam tip: You can stop and start an EC2 instance to move it to a different physical host if EC2 status checks are failing or there is planned maintenance on the current physical host.

You can modify the following attributes of an instance only when it is stopped:
• Instance type.
• User data.
• Kernel.
• RAM disk.

All IP addresses (IPv4 and IPv6) remain attached to the network interface when it is detached or reassigned to another instance.

You can attach a network interface to an instance in a different subnet if it’s within the same AZ.

You can bring part or all of your publicly routable IPv4 or IPv6 address range from your on-premises network to AWS. This is called BYOIP. You continue to own the address range, but AWS advertises it on the internet by default. After you bring the address range to AWS, it appears in your AWS account as an address pool.

BYOIP is not available in all Regions and for all resources.
The following table compares the different types of IP address available in Amazon EC2:

| Name | Description |
| --- | --- |
| Public IP address | Lost when the instance is stopped. Used in Public Subnets. No charge. Associated with a private IP address on the instance. Cannot be moved between instances. |
| Private IP address | Retained when the instance is stopped. Used in Public and Private Subnets. |
| Elastic IP address | Static Public IP address. You are charged if not used. Associated with a private IP address on the instance. Can be moved between instances and Elastic Network Adapters. |

Elastic Network Interfaces

An elastic network interface (referred to as a network interface) is a logical networking component in a VPC that represents a virtual network card.

A network interface can include the following attributes:
• A primary private IPv4 address from the IPv4 address range of your VPC.
• One or more secondary private IPv4 addresses from the IPv4 address range of your VPC.
• One Elastic IP address (IPv4) per private IPv4 address.
• One public IPv4 address.
• One or more IPv6 addresses.
• One or more security groups.
• A MAC address.
• A source/destination check flag.
• A description.

You can create and configure network interfaces in your account and attach them to instances in your VPC.

You cannot increase the network bandwidth of an instance by teaming multiple ENIs.

eth0 is the primary network interface and cannot be moved or detached.

By default, eth0 is the only Elastic Network Interface (ENI) created with an EC2 instance when launched.

You can add additional interfaces to EC2 instances (number dependent on instance family/type).

An ENI is bound to an AZ, and you can specify which subnet/AZ you want the ENI to be added in.

You can specify which IP address within the subnet to configure or leave it to be auto assigned.

You can only add one extra ENI when launching but more can be attached later.

Attaching ENIs:
• ENIs can be “hot attached” to running instances.
• ENIs can be “warm-attached” when the instance is stopped.
• ENIs can be “cold-attached” when the instance is launched.

If you add a second interface AWS will not assign a public IP address to eth0 (you would need to add an Elastic IP).

Default interfaces are terminated with instance termination.

Manually added interfaces are not terminated by default.

You can change the termination behavior.

Enhanced Networking – Elastic Network Adapter (ENA)

Enhanced networking provides higher bandwidth, higher packet-per-second (PPS) performance, and consistently lower inter-instance latencies.

Enhanced networking is enabled using an Elastic Network Adapter (ENA).

If your packets-per-second rate appears to have reached its ceiling, you should consider moving to enhanced networking because you have likely reached the upper thresholds of the VIF driver.

AWS currently supports enhanced networking capabilities using SR-IOV. SR-IOV provides direct access to network adapters, higher performance (packets-per-second) and lower latency.

Must launch an HVM AMI with the appropriate drivers.

Only available for certain instance types.

Only supported in an Amazon VPC.

Elastic Fabric Adapter (EFA)

An Elastic Fabric Adapter is an AWS Elastic Network Adapter (ENA) with added capabilities.

An EFA can still handle IP traffic, but also supports an important access model commonly called OS bypass. This model allows the application (most commonly through some user-space middleware) to access the network interface without having to get the operating system involved with each message.

Elastic Fabric Adapter (EFA) is a network interface for Amazon EC2 instances that enables customers to run applications requiring high levels of inter-node communications at scale on AWS. Its custom-built operating system (OS) bypass hardware interface enhances the performance of inter-instance communications, which is critical to scaling these applications.
Common use cases for EFAs include:
• High Performance Computing (HPC) applications using the Message Passing Interface (MPI).
• Machine Learning (ML) applications using NVIDIA Collective Communications Library (NCCL).

With EFA you get the application performance of on-premises HPC clusters with the on-demand elasticity and flexibility of the AWS cloud.

EFA is available as an optional EC2 networking feature that you can enable on any supported EC2 instance at no additional cost.

ENI VS ENA VS EFA

When to use ENI:
• This is the basic adapter type for when you don’t have any high-performance requirements.
• Can use with all instance types.

When to use ENA:
• Good for use cases that require higher bandwidth and lower inter-instance latency.
• Supported for limited instance types (HVM only).

When to use EFA:
• High Performance Computing.
• MPI and ML use cases.
• Tightly coupled applications.
• Can use with all instance types.

PLACEMENT GROUPS

Placement groups are a logical grouping of instances in one of the following configurations.

Cluster – clusters instances into a low-latency group in a single AZ:
• A cluster placement group is a logical grouping of instances within a single Availability Zone.
• Cluster placement groups are recommended for applications that benefit from low network latency, high network throughput, or both, and if most of the network traffic is between the instances in the group.

Spread – spreads instances across underlying hardware (can span AZs):
• A spread placement group is a group of instances that are each placed on distinct underlying hardware.
• Spread placement groups are recommended for applications that have a small number of critical instances that should be kept separate from each other.

Partition – divides each group into logical segments called partitions:
• Amazon EC2 ensures that each partition within a placement group has its own set of racks. Each rack has its own network and power source.
• No two partitions within a placement group share the same racks, allowing you to isolate the impact of hardware failure within your application.
• Partition placement groups can be used to deploy large distributed and replicated workloads, such as HDFS, HBase, and Cassandra, across distinct racks.

The table below describes some key differences between clustered and spread placement groups:

| | Clustered | Spread | Partition |
| --- | --- | --- | --- |
| What | Instances are placed into a low-latency group within a single AZ | Instances are spread across underlying hardware | Instances are grouped into logical segments called partitions which use distinct hardware |
| When | Need low network latency and/or high network throughput | Reduce the risk of simultaneous instance failure if underlying hardware fails | Need control and visibility into instance placement |
| Pros | Get the most out of enhanced networking instances | Can span multiple AZs | Reduces likelihood of correlated failures for large workloads |
| Cons | Finite capacity: recommend launching all you might need up front | Maximum of 7 instances running per group, per AZ | Partition placement groups are not supported for Dedicated Hosts |

Launching instances in a spread placement group reduces the risk of simultaneous failures that might occur when instances share the same underlying hardware.

Recommended for applications that benefit from low latency and high bandwidth.

Recommended to use an instance type that supports enhanced networking.

Instances within a placement group can communicate with each other using private or public IP addresses. Best performance is achieved when using private IP addresses.

Using public IP addresses, the performance is limited to 5Gbps or less.

Low-latency 10 Gbps or 25 Gbps network.

Recommended to keep instance types homogenous within a placement group.

Can use reserved instances at an instance level but cannot reserve capacity for the placement group.
The name you specify for a placement group must be unique within your AWS account for the Region.

You can’t merge placement groups.

An instance can be launched in one placement group at a time; it cannot span multiple placement groups.

On-Demand Capacity Reservation and zonal Reserved Instances provide a capacity reservation for EC2 instances in a specific Availability Zone. The capacity reservation can be used by instances in a placement group. However, it is not possible to explicitly reserve capacity for a placement group.

Instances with a tenancy of host cannot be launched in placement groups.

IAM ROLES

IAM roles are more secure than storing access keys and secret access keys on EC2 instances.

IAM roles can be used to allow EC2 to interact with several different services like S3, DynamoDB etc.

IAM roles are easier to manage and more secure than access keys.

You can attach an IAM role to an instance at launch time or at any time after by using the AWS CLI, SDK, or the EC2 console.

IAM roles can be attached, modified, or replaced at any time.

Only one IAM role can be attached to an EC2 instance at a time.

IAM roles are universal and can be used in any region.

BASTION/JUMP HOSTS

You can configure EC2 instances as bastion hosts (aka jump boxes) to access your VPC instances for management.

Can use the SSH or RDP protocols to connect to your bastion host.

Need to configure a security group with the relevant permissions.

Can use auto-assigned public IPs or Elastic IPs.

Can use security groups to restrict the IP addresses/CIDRs that can access the bastion host.

Use auto-scaling groups for HA (set to 1 instance to just replace it if it fails).

Best practice is to deploy Linux bastion hosts in two AZs, use auto-scaling and Elastic IP addresses.

You can also use AWS Systems Manager Session Manager instead of using bastion hosts.

MONITORING EC2

EC2 status checks are performed every minute, and each returns a pass or a fail status.

If all checks pass, the overall status of the instance is OK.

If one or more checks fail, the overall status is impaired.

System status checks (StatusCheckFailed_System) detect problems with your instance that require AWS involvement to repair. The following are examples of problems that can cause system status checks to fail:
• Loss of network connectivity.
• Loss of system power.
• Software issues on the physical host.
• Hardware issues on the physical host that impact network reachability.

Instance status checks (StatusCheckFailed_Instance) detect problems that require your involvement to repair. The following are examples of problems that can cause instance status checks to fail:
• Failed system status checks.
• Incorrect networking or startup configuration.
• Exhausted memory.
• Corrupted file system.
• Incompatible kernel.

Status checks are built into Amazon EC2, so they cannot be disabled or deleted.

You can, however, create or delete alarms that are triggered based on the result of the status checks.

You can create Amazon CloudWatch alarms that monitor Amazon EC2 instances and automatically perform an action if the status check fails. Actions can include:
• Recover the instance (only supported on specific instance types and can be used only with StatusCheckFailed_System).
• Stop the instance (only applicable to EBS-backed volumes).
• Terminate the instance (cannot terminate if termination protection is enabled).
• Reboot the instance.

It is a best practice to use EC2 to reboot an instance rather than restarting through the OS.

CloudWatch Monitoring frequency:
• Standard monitoring = 5 mins.
• Detailed monitoring = 1 min (chargeable).

Unified CloudWatch Agent

The unified CloudWatch agent enables you to do the following:
• Collect more system-level metrics from Amazon EC2 instances across operating systems. The metrics can include in-guest metrics, in addition to the metrics for EC2 instances. The additional metrics that can be collected are listed in Metrics Collected by the CloudWatch Agent.
• Collect system-level metrics from on-premises servers. These can include servers in a hybrid environment as well as servers not managed by AWS.
• Retrieve custom metrics from your applications or services using the StatsD and collectd protocols. StatsD is supported on both Linux servers and servers running Windows Server. collectd is supported only on Linux servers.
• Collect logs from Amazon EC2 instances and on-premises servers, running either Linux or Windows Server.

You can download and install the CloudWatch agent manually using the command line, or you can integrate it with SSM.

LOGGING AND AUDITING

Amazon EC2 and Amazon EBS are integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon EC2 and Amazon EBS.

CloudTrail captures all API calls for Amazon EC2 and Amazon EBS as events, including calls from the console and from code calls to the APIs.

If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Amazon EC2 and Amazon EBS. A trail enables you to store records indefinitely.

If you don’t configure a trail, you can still view the most recent events in the CloudTrail console by viewing Event history (past 90 days only).

Using the information collected by CloudTrail, you can determine the request that was made to Amazon EC2 and Amazon EBS, the IP address from which the request was made, who made the request, when it was made, and additional details.

TAGS

You can assign metadata to your AWS resources in the form of tags. A tag is a label that you assign to an AWS resource.

Tags are just arbitrary name/value pairs that you can assign to virtually all AWS assets to serve as metadata.

Tags can help you manage, identify, organize, search for, and filter resources.
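Tag-based enforcement is one of the uses of tags covered in this section. The following is an added example (not from the course notes) of a daily sweep that audits instances against a tagging standard and stops the running ones that miss it; the records are shaped like the EC2 DescribeInstances response, and the standard, sample instances and `RecordingClient` are constructed for illustration.

```python
"""Daily tag-compliance sweep for EC2 instances.

Added example, not from the course notes. It implements the custom-script
approach the notes describe: instances that do not carry the mandated
tags are stopped. Records are shaped like the Reservations list returned
by the EC2 DescribeInstances API; the tagging standard, the sample
instances and the fake client are constructed for illustration.
"""
from typing import Dict, List, Optional, Set

# Constructed tagging standard: key -> allowed values (None = any non-empty value).
REQUIRED_TAGS: Dict[str, Optional[Set[str]]] = {
    "Owner": None,
    "Environment": {"prod", "dev", "test"},
    "CostCenter": None,
}


def tags_as_dict(instance: dict) -> Dict[str, str]:
    """DescribeInstances returns tags as [{"Key": ..., "Value": ...}]."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def tag_violations(instance: dict, required=REQUIRED_TAGS) -> List[str]:
    """List every way this instance misses the standard (empty list = compliant)."""
    tags = tags_as_dict(instance)
    problems: List[str] = []
    for key, allowed in required.items():
        value = tags.get(key, "")
        if not value:
            problems.append(f"missing tag {key}")
        elif allowed is not None and value not in allowed:
            problems.append(f"tag {key}={value!r} not in {sorted(allowed)}")
    return problems


def audit(reservations: List[dict]) -> Dict[str, List[str]]:
    """Return {instance_id: violations} for every non-compliant instance."""
    findings: Dict[str, List[str]] = {}
    for reservation in reservations:
        for inst in reservation["Instances"]:
            problems = tag_violations(inst)
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings


def enforce(reservations: List[dict], ec2_client, dry_run: bool = True) -> List[str]:
    """Stop running non-compliant instances (already-stopped ones are left alone).
    Returns the IDs that were, or in dry-run mode would be, stopped."""
    findings = audit(reservations)
    to_stop = [
        inst["InstanceId"]
        for reservation in reservations
        for inst in reservation["Instances"]
        if inst["InstanceId"] in findings and inst["State"]["Name"] == "running"
    ]
    if to_stop and not dry_run:
        # boto3 EC2 client call; in real use ec2_client = boto3.client("ec2").
        ec2_client.stop_instances(InstanceIds=to_stop)
    return to_stop


# Constructed sample: one compliant instance, one mis-tagged, one untagged but stopped.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa0000example1", "State": {"Name": "running"},
     "Tags": [{"Key": "Owner", "Value": "alice"}, {"Key": "Environment", "Value": "prod"},
              {"Key": "CostCenter", "Value": "4711"}]},
    {"InstanceId": "i-0bbb0000example2", "State": {"Name": "running"},
     "Tags": [{"Key": "Owner", "Value": "bob"}, {"Key": "Environment", "Value": "staging"}]},
    {"InstanceId": "i-0ccc0000example3", "State": {"Name": "stopped"}, "Tags": []},
]}]


class RecordingClient:
    """Fake EC2 client that records StopInstances calls instead of making them."""

    def __init__(self) -> None:
        self.stopped: List[str] = []

    def stop_instances(self, InstanceIds: List[str]) -> None:
        self.stopped.extend(InstanceIds)


if __name__ == "__main__":
    for instance_id, problems in audit(SAMPLE_RESERVATIONS).items():
        print(instance_id, "->", "; ".join(problems))
    print("would stop:", enforce(SAMPLE_RESERVATIONS, RecordingClient(), dry_run=True))
```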
Each tag consists of a key and an optional value, both of which you define.

Tagging strategies can be used for cost allocation, security, automation, and many other uses. For example, you can use a tag in an IAM policy to implement access control.

Enforcing standardized tagging can be done via AWS Config rules or custom scripts. For example, EC2 instances not properly tagged are stopped or terminated daily.

Most resources can have up to 50 tags.

RESOURCE GROUPS

Resource groups are mappings of AWS assets defined by tags.

Create custom consoles to consolidate metrics, alarms and config details around given tags.

HIGH AVAILABILITY APPROACHES FOR COMPUTE

Up to date AMIs are critical for rapid fail-over.

AMIs can be copied to other regions for safety or DR staging.

Horizontally scalable architectures are preferred because risk can be spread across multiple smaller machines versus one large machine.

Reserved instances are the only way to guarantee that resources will be available when needed.

Auto Scaling and Elastic Load Balancing work together to provide automated recovery by maintaining minimum instances.

Amazon Route 53 health checks also provide “self-healing” redirection of traffic.

MIGRATION

VM Import/Export

VM Import/Export is a tool for migrating VMware, Microsoft, XEN VMs to the Cloud.

Can also be used to convert EC2 instances to VMware, Microsoft, or XEN VMs.

Supported for:
• Windows and Linux.
• VMware ESX VMDKs (and OVA images for export only).
• Citrix XEN VHD.
• Microsoft Hyper-V VHD.

Can only be used via the API or CLI (not the console).

Stop the VM before generating VMDK or VHD images.

AWS has a VM connector plugin for vCenter:
• Allows migration of VMs to S3.
• Then converts into an EC2 AMI.
• Progress can be tracked in vCenter.

AWS Server Migration Service (SMS)

AWS Server Migration Service (SMS) is an agent-less service which makes it easier and faster for you to migrate thousands of on-premises workloads to AWS.
AWS SMS allows you to automate, schedule, and track incremental replications of live server volumes, making it easier for you to coordinate large-scale server migrations.

Automates migration of on-premises VMware vSphere or Microsoft Hyper-V/SCVMM virtual machines to AWS.

Replicates VMs to AWS, syncing volumes and creating periodic AMIs.

Minimizes cutover downtime by syncing VMs incrementally.

Supports Windows and Linux VMs only (just like AWS).

The Server Migration Connector is downloaded as a virtual appliance into your on-premises vSphere or Hyper-V environments.

Amazon EC2 instances can be managed through AWS Systems Manager.

You can also use AWS OpsWorks to manage your instances using Chef and Puppet.

AWS Config can be used to record configuration items about Amazon EC2 instances and track changes.

AMAZON EBS

AMAZON EBS FEATURES

EBS is the Amazon Elastic Block Store.

EBS volumes are network attached storage that can be attached to EC2 instances.

EBS volume data persists independently of the life of the instance.

EBS volumes do not need to be attached to an instance.

You can attach multiple EBS volumes to an instance.

You can attach an EBS volume to multiple instances with specific constraints.

For most use cases where you need a shared volume across EC2 instances use Amazon EFS.

EBS volume data is replicated across multiple servers in an AZ.

EBS volumes must be in the same AZ as the instances they are attached to.

EBS is designed for an annual failure rate of 0.1%-0.2% & an SLA of 99.95%.

Termination protection is turned off by default and must be manually enabled (keeps the volume/data when the instance is terminated).

Root EBS volumes are deleted on termination by default.

Extra non-boot volumes are not deleted on termination by default.

The behavior can be changed by altering the “DeleteOnTermination” attribute.
You can now create AMIs with encrypted root/boot volumes as well as data volumes (you can also use separate CMKs per volume).

Volume sizes and types can be upgraded without downtime (except for magnetic standard).

Elastic Volumes allow you to increase volume size, adjust performance, or change the volume type while the volume is in use.

To migrate volumes between AZs create a snapshot then create a volume in another AZ from the snapshot (possible to change size and type).

The Auto-enable IO setting prevents the stopping of IO to a disk when AWS detects inconsistencies.

The root device is created under /dev/sda1 or /dev/xvda.

Magnetic EBS is for workloads that need throughput rather than IOPS.

Throughput optimized EBS volumes cannot be a boot volume.

Each instance that you launch has an associated root device volume, either an Amazon EBS volume or an instance store volume.

You can use block device mapping to specify additional EBS volumes or instance store volumes to attach to an instance when it’s launched. You can also attach additional EBS volumes to a running instance.

You cannot decrease an EBS volume size. When changing volumes the new volume must be at least the size of the current volume’s snapshot.

Images can be made public but not if they’re encrypted.

AMIs can be shared with other accounts.

You can have up to 5,000 EBS volumes by default.

You can have up to 10,000 snapshots by default.

INSTANCE STORE

An instance store provides temporary (non-persistent) block-level storage for your instance.

This is different to EBS which provides persistent storage but is also a block storage service that can be a root or additional volume.

Instance store storage is located on disks that are physically attached to the host computer.
Instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers.

You can specify instance store volumes for an instance only when you launch it.

You can’t detach an instance store volume from one instance and attach it to a different instance.

The instance type determines the size of the instance store available, and the type of hardware used for the instance store volumes.

Instance store volumes are included as part of the instance’s usage cost.

Some instance types use NVMe or SATA-based solid-state drives (SSD) to deliver high random I/O performance. This is a good option when you need storage with very low latency, but you don’t need the data to persist when the instance terminates, or you can take advantage of fault-tolerant architectures.

EXAM TIP: Instance stores offer very high performance and low latency. If you can afford to lose an instance, i.e. you are replicating your data, these can be a good solution for high performance/low latency requirements. Look out for questions that mention distributed or replicated databases that need high I/O. Also, remember that the cost of instance stores is included in the instance charges so it can also be more cost-effective than EBS Provisioned IOPS.

EBS VS INSTANCE STORE

EBS-backed means the root volume is an EBS volume and storage is persistent.

Instance store-backed means the root volume is an instance store volume and storage is not persistent.

On an EBS-backed instance, the default action is for the root EBS volume to be deleted upon termination.

Instance store volumes are sometimes called ephemeral storage (non-persistent).

Instance store backed instances cannot be stopped. If the underlying host fails the data will be lost.

Instance store volume root devices are created from AMI templates stored on S3.
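The tagging, DeleteOnTermination, encryption and instance-store points above are the kind of thing a fleet audit checks. The following is an added example (not code from the training material or from AWS) that runs those checks over the JSON shapes the EC2 DescribeInstances and DescribeVolumes APIs return; the responses, instance IDs, volume IDs and the REQUIRED_TAGS standard are constructed for the example.

```python
"""Posture checks over EC2 DescribeInstances / DescribeVolumes output.

The two responses below are constructed for this example (hypothetical
IDs) so it runs offline; feed the real boto3 responses to the same
functions to audit an account.
"""
from typing import Dict, List

# Tag keys every instance must carry (an assumed tagging standard).
REQUIRED_TAGS = ("Owner", "Environment")

# Constructed DescribeInstances response, trimmed to the fields used.
INSTANCES = {
    "Reservations": [{"Instances": [
        {
            "InstanceId": "i-0aaa111",
            "RootDeviceType": "ebs",
            "RootDeviceName": "/dev/xvda",
            "Tags": [{"Key": "Owner", "Value": "payments"},
                     {"Key": "Environment", "Value": "prod"}],
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda",
                 "Ebs": {"VolumeId": "vol-0root01", "DeleteOnTermination": True}},
                # Data volume set to delete with the instance: data is lost.
                {"DeviceName": "/dev/sdf",
                 "Ebs": {"VolumeId": "vol-0data01", "DeleteOnTermination": True}},
            ],
        },
        {
            "InstanceId": "i-0bbb222",
            "RootDeviceType": "instance-store",  # ephemeral root volume
            "RootDeviceName": "/dev/sda1",
            "Tags": [{"Key": "Owner", "Value": "analytics"}],  # no Environment
            "BlockDeviceMappings": [],
        },
    ]}]
}

# Constructed DescribeVolumes response, trimmed to the fields used.
VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0root01", "Encrypted": True, "AvailabilityZone": "us-east-1a"},
    {"VolumeId": "vol-0data01", "Encrypted": False, "AvailabilityZone": "us-east-1a"},
]}


def tags_as_dict(tags: List[Dict[str, str]]) -> Dict[str, str]:
    """Turn the EC2 [{"Key": .., "Value": ..}] list into a plain dict."""
    return {t["Key"]: t["Value"] for t in tags}


def audit_instances(resp: dict, required=REQUIRED_TAGS) -> List[str]:
    """Return one finding per problem, in the order instances are listed."""
    findings = []
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            iid = inst["InstanceId"]
            tags = tags_as_dict(inst.get("Tags", []))
            for key in required:
                if key not in tags:
                    findings.append(f"{iid}: missing required tag '{key}'")
            if inst["RootDeviceType"] == "instance-store":
                findings.append(f"{iid}: instance store root, data lost if the host fails")
            for bdm in inst.get("BlockDeviceMappings", []):
                ebs = bdm.get("Ebs", {})
                is_root = bdm["DeviceName"] == inst["RootDeviceName"]
                # Root volumes delete on termination by default; a data volume
                # with the same flag is the case worth reviewing.
                if not is_root and ebs.get("DeleteOnTermination"):
                    findings.append(f"{iid}: data volume {ebs['VolumeId']} "
                                    f"({bdm['DeviceName']}) has DeleteOnTermination=true")
    return findings


def audit_volumes(resp: dict) -> List[str]:
    """Flag volumes whose data at rest is not encrypted."""
    return [f"{v['VolumeId']}: not encrypted"
            for v in resp["Volumes"] if not v.get("Encrypted")]


if __name__ == "__main__":
    for finding in audit_instances(INSTANCES) + audit_volumes(VOLUMES):
        print(finding)
```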
EBS backed instances can be stopped. You will not lose the data on this instance if it is stopped (persistent).

EBS volumes can be detached and reattached to other EC2 instances.

EBS volume root devices are launched from AMIs that are backed by EBS snapshots.

Instance store volumes cannot be detached/reattached.

When rebooting the instances for both types data will not be lost.

By default, both root volumes will be deleted on termination unless you configured otherwise.

EBS VOLUME TYPES

SSD, General Purpose – gp2/gp3:
• Volume size from 1 GiB to 16 TiB.
• Up to 16,000 IOPS per volume.
• Performance:
  o 3 IOPS/GiB for gp2.
  o Up to 500 IOPS/GiB for gp3.
• Can be a boot volume.
• EBS multi-attach not supported.
• Use cases:
  o Low-latency interactive apps.
  o Development and test environments.

SSD, Provisioned IOPS – io1/io2:
• More than 16,000 IOPS.
• Up to 64,000 IOPS per volume (Nitro instances).
• Up to 32,000 IOPS per volume for other instance types.
• Performance:
  o Up to 50 IOPS/GiB for io1.
  o Up to 500 IOPS/GiB for io2.
• Can be a boot volume.
• EBS multi-attach is supported.
• Use cases:
  o Workloads that require sustained IOPS performance or more than 16,000 IOPS.
  o I/O-intensive database workloads.

HDD, Throughput Optimized – (st1):
• Frequently accessed, throughput intensive workloads with large datasets and large I/O sizes, such as MapReduce, Kafka, log processing, data warehouse, and ETL workloads.
• Throughput measured in MiB/s and includes the ability to burst up to 250 MiB/s per TB, with a baseline throughput of 40 MB/s per TB and a maximum throughput of 500 MiB/s per volume.
• Cannot be a boot volume.
• EBS multi-attach not supported.

HDD, Cold – (sc1):
• Lowest cost storage – cannot be a boot volume.
• Less frequently accessed workloads with large, cold datasets.
• These volumes can burst up to 80 MiB/s per TiB, with a baseline throughput of 12 MiB/s.
• Cannot be a boot volume.
• EBS multi-attach not supported.
EBS optimized instances:
• Dedicated capacity for Amazon EBS I/O.
• EBS-optimized instances are designed for use with all EBS volume types.
• Max bandwidth: 400 Mbps – 12000 Mbps.
• IOPS: 3000 – 65000.
• GP-SSD within 10% of baseline and burst performance 99.9% of the time.
• PIOPS within 10% of baseline and burst performance 99.9% of the time.
• Additional hourly fee.
• Available for select instance types.
• Some instance types have EBS-optimized enabled by default.

The following EBS volumes appear most often on the AWS exams:

| Volume Type | EBS Provisioned IOPS SSD (io1/io2) | EBS General Purpose SSD (gp2/gp3) | Throughput Optimized HDD (st1) | Cold HDD (sc1) |
|---|---|---|---|---|
| Short Description | Highest performance SSD volume designed for latency-sensitive transactional workloads | General Purpose SSD volume that balances price performance for a wide variety of transactional workloads | Low-cost HDD volume designed for frequently accessed, throughput intensive workloads | Lowest cost HDD volume designed for less frequently accessed workloads |
| Use Cases | I/O-intensive NoSQL and relational databases | Boot volumes, low-latency interactive apps, dev & test | Big-data, data warehouses, log processing | Colder data requiring fewer scans per day |
| Volume Size | 4 GiB - 16 TiB | 1 GiB - 16 TiB | 125 GB – 16 TiB | 125 GB – 16 TiB |
| Max IOPS / Volume | 64,000 | 16,000 | 500 | 250 |
| Max Throughput / Volume | 1,000 MiB/s | 250 MiB/s (gp2), 1000 MiB/s (gp3) | 500 MiB/s | 250 MiB/s |
| Can be boot volume? | Yes | Yes | No | No |
| EBS Multi-attach | Supported | Not Supported | Not Supported | Not Supported |

AMAZON EBS SNAPSHOTS

Snapshots capture a point-in-time state of an instance.

Cost-effective and easy backup strategy.

Share data sets with other users or accounts.

Can be used to migrate a system to a new AZ or region.

Can be used to convert an unencrypted volume to an encrypted volume.

Snapshots are stored on Amazon S3.

Does not provide granular backup (not a replacement for backup software).
If you make periodic snapshots of a volume, the snapshots are incremental, which means that only the blocks on the device that have changed after your last snapshot are saved in the new snapshot.

Even though snapshots are saved incrementally, the snapshot deletion process is designed so that you need to retain only the most recent snapshot to restore the volume.

Snapshots can only be accessed through the EC2 APIs.

EBS volumes are AZ specific, but snapshots are region specific.

Volumes can be created from EBS snapshots that are the same size or larger.

Snapshots can be taken of non-root EBS volumes while running.

To take a consistent snapshot, writes must be stopped (paused) until the snapshot is complete. If this is not possible the volume needs to be detached; or if it’s an EBS root volume the instance must be stopped.

To lower storage costs on S3 a full snapshot and subsequent incremental updates can be created.

You are charged for data traffic to S3 and storage costs on S3.

You are billed only for the changed blocks.

Deleting a snapshot removes only the data not needed by any other snapshot.

You can resize volumes through restoring snapshots with different sizes (configured when taking the snapshot).

Snapshots can be copied between regions (and be encrypted).

Images are then created from the snapshot in the other region which creates an AMI that can be used to boot an instance.

You can create volumes from snapshots and choose the availability zone within the region.

ENCRYPTION

You can encrypt both the boot and data volumes of an EC2 instance.

When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:
• Data at rest inside the volume.
• All data moving between the volume and the instance.
• All snapshots created from the volume.
• All volumes created from those snapshots.

Encryption is supported by all EBS volume types.
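The incremental-snapshot rules above (only changed blocks are saved and billed, deleting a snapshot frees only blocks no other snapshot needs, and the newest snapshot alone restores the volume) are easiest to see in a small model. This is an added illustration written for this page, not AWS code; the block-level store, snapshot IDs and sample volume are constructed.

```python
"""Model of how incremental EBS snapshots share and release blocks.

A volume is a list of fixed-size blocks; each snapshot records, for every
block position, the ID of the stored copy it uses.  Only blocks that changed
since the parent snapshot are uploaded, deleting a snapshot frees only blocks
no other snapshot still references, and the newest snapshot alone restores
the whole volume.  Constructed example, not AWS code.
"""
import hashlib
from typing import Dict, List, Optional, Tuple


def block_id(data: bytes) -> str:
    """Content hash used to identify a stored block copy."""
    return hashlib.sha256(data).hexdigest()[:12]


class SnapshotStore:
    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}          # stored block copies
        self.snapshots: Dict[str, List[str]] = {}  # snapshot -> block IDs by position
        self._counter = 0

    def create_snapshot(self, volume: List[bytes],
                        parent: Optional[str] = None) -> Tuple[str, int]:
        """Snapshot the volume; return (snapshot_id, blocks uploaded)."""
        self._counter += 1
        sid = f"snap-{self._counter:04d}"
        parent_map = self.snapshots.get(parent, [])
        uploaded, block_map = 0, []
        for pos, data in enumerate(volume):
            bid = block_id(data)
            # Upload only blocks that differ from the parent snapshot; the
            # first snapshot (no parent) uploads every block.
            if pos >= len(parent_map) or parent_map[pos] != bid:
                self.blobs.setdefault(bid, data)
                uploaded += 1
            block_map.append(bid)
        self.snapshots[sid] = block_map
        return sid, uploaded

    def delete_snapshot(self, sid: str) -> int:
        """Delete a snapshot; free blocks no remaining snapshot uses."""
        del self.snapshots[sid]
        still_used = {bid for bmap in self.snapshots.values() for bid in bmap}
        orphaned = [bid for bid in self.blobs if bid not in still_used]
        for bid in orphaned:
            del self.blobs[bid]
        return len(orphaned)

    def restore(self, sid: str) -> List[bytes]:
        """Rebuild the full volume from a single snapshot."""
        return [self.blobs[bid] for bid in self.snapshots[sid]]

    def stored_blocks(self) -> int:
        return len(self.blobs)


def demo() -> dict:
    """Three snapshots of a 4-block volume, then delete the two oldest."""
    store = SnapshotStore()
    volume = [b"boot", b"data-a", b"data-b", b"free"]
    s1, up1 = store.create_snapshot(volume)              # full: 4 blocks
    volume[1] = b"data-a2"                               # one block changes
    s2, up2 = store.create_snapshot(volume, parent=s1)   # incremental: 1 block
    volume[3] = b"data-c"
    s3, up3 = store.create_snapshot(volume, parent=s2)   # incremental: 1 block
    stored_before = store.stored_blocks()                # 6 distinct blocks
    freed = store.delete_snapshot(s1) + store.delete_snapshot(s2)
    return {"uploaded": [up1, up2, up3], "stored_before": stored_before,
            "freed": freed, "stored_after": store.stored_blocks(),
            "restored_ok": store.restore(s3) == volume}


if __name__ == "__main__":
    print(demo())
```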
Expect the same IOPS performance on encrypted volumes as on unencrypted volumes.

All instance families support encryption.

Amazon EBS encryption is available on the instance types listed below:
• General purpose: A1, M3, M4, M5, M5a, M5ad, M5d, T2, T3, and T3a.
• Compute optimized: C3, C4, C5, C5d, and C5n.
• Memory optimized: cr1.8xlarge, R3, R4, R5, R5a, R5ad, R5d, u-6tb1.metal, u-9tb1.metal, u-12tb1.metal, X1, X1e, and z1d.
• Storage optimized: D2, h1.2xlarge, h1.4xlarge, I2, and I3.
• Accelerated computing: F1, G2, G3, G4, P2, and P3.

EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm.

Your data key is stored on-disk with your encrypted data, but not before EBS encrypts it with your CMK. Your data key never appears on disk in plaintext.

The same data key is shared by snapshots of the volume and any subsequent volumes created from those snapshots.

Snapshots of encrypted volumes are encrypted automatically.

EBS volumes restored from encrypted snapshots are encrypted automatically.

EBS volumes created from encrypted snapshots are also encrypted.

You can share snapshots, but if they’re encrypted it must be with a custom CMK key.

You can check the encryption status of your EBS volumes with AWS Config.

There is no direct way to change the encryption state of a volume. Either create an encrypted volume and copy data to it or take a snapshot, encrypt it, and create a new encrypted volume from the snapshot.

To encrypt a volume or snapshot you need an encryption key; these are customer managed keys (CMK), and they are managed by the AWS Key Management Service (KMS).

A default CMK key is generated for the first encrypted volumes.

Subsequent encrypted volumes will use their own unique key (AES 256 bit).

The CMK used to encrypt a volume is used by any snapshots and volumes created from snapshots.

You cannot share encrypted volumes created using a default CMK key.
You cannot change the CMK key that is used to encrypt a volume. You must create a copy of the snapshot and change encryption keys as part of the copy. This is required to be able to share the encrypted volume.

By default only the account owner can create volumes from snapshots.

You can share unencrypted snapshots with the AWS community by making them public.

You can also share unencrypted snapshots with other AWS accounts by making them private and selecting the accounts to share them with.

You cannot make encrypted snapshots public.

You can share encrypted snapshots with other AWS accounts using a non-default CMK key and configuring cross-account permissions to give the account access to the key, mark as private and configure the account to share with.

The receiving account must copy the snapshot before they can then create volumes from the snapshot.

It is recommended that the receiving account re-encrypt the shared and encrypted snapshot using their own CMK key.

The following information applies to snapshots:
• Snapshots are created asynchronously and are incremental.
• You can copy unencrypted snapshots (optionally encrypt).
• You can copy an encrypted snapshot (optionally re-encrypt with a different key).
• Snapshot copies receive a new unique ID.
• You can copy within or between regions.
• You cannot move snapshots, only copy them.
• You cannot take a copy of a snapshot when it is in a “pending” state, it must be “complete”.
• S3 Server Side Encryption (SSE) protects data in transit while copying.
• User defined tags are not copied.
• You can have up to 5 snapshot copy requests running in a single destination per account.
• You can copy Import/Export service, AWS Marketplace, and AWS Storage Gateway snapshots.
• If you try to copy an encrypted snapshot without having access to the encryption keys it will fail silently (cross-account permissions are required).
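Because sharing a snapshot publicly or with another account is a permission change on the resource, it shows up as an EC2 API call in the CloudTrail record described in the Logging and Auditing section (who, from which IP, when). The following detection rule is an added example, not code from the training material or from AWS; the CloudTrail records, snapshot/AMI IDs, account numbers, IP addresses and the TRUSTED_ACCOUNTS allow list are constructed, and the requestParameters shapes follow what CloudTrail records for ModifySnapshotAttribute and ModifyImageAttribute.

```python
"""Detection rule over CloudTrail: EBS snapshots or AMIs made public or
shared with another account.

The records below are constructed for this example (hypothetical IDs,
account numbers and IPs) in the shape CloudTrail uses for EC2 events, so
it runs offline; run detect() over a trail's delivered records for real use.
"""
from typing import Dict, List, Optional

# Accounts we expect to share with (an assumed allow list).
TRUSTED_ACCOUNTS = {"111111111111"}

# Permission-changing EC2 events: resource ID field and permission block
# inside requestParameters.
PERMISSION_FIELDS = {
    "ModifySnapshotAttribute": ("snapshotId", "createVolumePermission"),
    "ModifyImageAttribute": ("imageId", "launchPermission"),
}

# Constructed CloudTrail records, trimmed to the fields the rule uses.
RECORDS = [
    {   # snapshot shared with the trusted partner account: informational
        "eventTime": "2023-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::999999999999:user/backup-admin"},
        "requestParameters": {"snapshotId": "snap-0a1b2c3d",
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"userId": "111111111111"}]}}},
    },
    {   # snapshot made public (group "all"): only unencrypted ones can be
        "eventTime": "2023-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::999999999999:user/dev-user"},
        "requestParameters": {"snapshotId": "snap-0deadbe3",
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"group": "all"}]}}},
    },
    {   # AMI shared with an account that is not on the allow list
        "eventTime": "2023-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyImageAttribute", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::999999999999:role/ci-builder"},
        "requestParameters": {"imageId": "ami-0f00ba75",
            "attributeType": "launchPermission",
            "launchPermission": {"add": {"items": [{"userId": "222222222222"}]}}},
    },
    {   # read-only call: ignored by the rule
        "eventTime": "2023-05-01T10:08:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeSnapshots", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::999999999999:user/backup-admin"},
        "requestParameters": {},
    },
]


def classify(record: dict) -> Optional[Dict[str, str]]:
    """Return a finding for a sharing event, or None for everything else."""
    name = record.get("eventName")
    if record.get("eventSource") != "ec2.amazonaws.com" or name not in PERMISSION_FIELDS:
        return None
    id_field, perm_field = PERMISSION_FIELDS[name]
    params = record.get("requestParameters") or {}
    added = params.get(perm_field, {}).get("add", {}).get("items", [])
    if not added:          # removing a permission is not a sharing event
        return None
    if any(item.get("group") == "all" for item in added):
        severity, detail = "HIGH", "made public"
    else:
        accounts = {item["userId"] for item in added if "userId" in item}
        severity = "MEDIUM" if accounts - TRUSTED_ACCOUNTS else "INFO"
        detail = "shared with " + ", ".join(sorted(accounts))
    return {"severity": severity, "resource": params[id_field], "detail": detail,
            "who": record["userIdentity"]["arn"], "from": record["sourceIPAddress"],
            "when": record["eventTime"]}


def detect(records: List[dict]) -> List[Dict[str, str]]:
    """Run classify() over a batch of records and keep the findings."""
    return [f for f in (classify(r) for r in records) if f]


if __name__ == "__main__":
    for f in detect(RECORDS):
        print(f"[{f['severity']}] {f['resource']} {f['detail']} by {f['who']} "
              f"from {f['from']} at {f['when']}")
```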
Copying snapshots may be required for:
• Creating services in other regions.
• DR – the ability to restore from snapshot in another region.
• Migration to another region.
• Applying encryption.
• Data retention.

To take application-consistent snapshots of RAID arrays:
• Stop the application from writing to disk.
• Flush all caches to the disk.
• Freeze the filesystem.
• Unmount the RAID array.
• Shut down the associated EC2 instance.

AMIS

An Amazon Machine Image (AMI) is a special type of virtual appliance that is used to create a virtual machine within the Amazon Elastic Compute Cloud (“EC2”).

An AMI includes the following:
• A template for the root volume for the instance (for example, an operating system, an application server, and applications).
• Launch permissions that control which AWS accounts can use the AMI to launch instances.
• A block device mapping that specifies the volumes to attach to the instance when it’s launched.

AMIs are either instance store-backed or EBS-backed.

Instance store-backed:
• Launch an EC2 instance from an AWS instance store-backed AMI.
• Update the root volume as required.
• Create the AMI which will upload to a user specified S3 bucket (user bucket).
• Register the AMI with EC2 (creates another EC2 controlled S3 image).
• To make changes update the source then deregister and reregister.
• Upon launch the image is copied to the EC2 host.
• Deregister an image when the AMI is not needed anymore (does not affect existing instances created from the AMI).
• Instance store-backed volumes can only be created at launch time.

EBS-backed:
• Must stop the instance to create a consistent image and then create the AMI.
• AWS registers the AMIs automatically.
• During creation AWS creates snapshots of all attached volumes – there is no need to specify a bucket, but you will be charged for storage on S3.
• You cannot delete the snapshot of the root volume if the AMI is registered (deregister and delete).
• You can now create AMIs with encrypted root/boot volumes as well as data volumes (can also use separate CMKs per volume).

Copying AMIs:
• You can copy an Amazon Machine Image (AMI) within or across an AWS region using the AWS Management Console, the AWS Command Line Interface or SDKs, or the Amazon EC2 API, all of which support the CopyImage action.
• You can copy both Amazon EBS-backed AMIs and instance store-backed AMIs.
• You can copy encrypted AMIs and AMIs with encrypted snapshots.

DEPLOYMENT AND PROVISIONING

Termination protection is turned off by default and must be manually enabled (keeps the volume/data when the instance is terminated).

Root EBS volumes are deleted on termination by default.

Extra non-boot volumes are not deleted on termination by default.

The behavior can be changed by altering the “DeleteOnTermination” attribute.

Volume sizes and types can be upgraded without downtime (except for magnetic standard).

Elastic Volumes allow you to increase volume size, adjust performance, or change the volume type while the volume is in use.

To migrate volumes between AZs create a snapshot then create a volume in another AZ from the snapshot (possible to change size and type).

EBS COPYING, SHARING AND ENCRYPTION METHODS

The following diagram aims to articulate the various possible options for copying EBS volumes, sharing AMIs and snapshots and applying encryption:

RAID

RAID can be used to increase IOPS.

RAID 0 = striping – data is written across multiple disks and increases performance but no redundancy.

RAID 1 = mirroring – creates 2 copies of the data but does not increase performance, only redundancy.

RAID 10 = combination of RAID 1 and 0 resulting in increased performance and redundancy (at the cost of additional disks).

You can configure multiple striped gp2 or standard volumes (typically RAID 0).

You can configure multiple striped PIOPS volumes (typically RAID 0).

RAID is configured through the guest OS.
EBS optimized EC2 instances are another way of increasing performance.

Ensure the EC2 instance can handle the bandwidth required for the increased performance.

Use EBS optimized instances or instances with a 10 Gbps network interface.

Not recommended to use RAID for root/boot volumes.

MONITORING AND REPORTING

Amazon Elastic Block Store (Amazon EBS) sends data points to CloudWatch for several metrics.

A few specific metrics to understand for the exam:
• DiskReadBytes / DiskWriteBytes:
  o Relates to Instance Store volumes NOT to EBS.
  o Included in the AWS/EC2 namespace.
• VolumeReadBytes / VolumeWriteBytes:
  o Relates to the EBS volume.
  o Included in the AWS/EBS namespace.

There are two types of Amazon CloudWatch monitoring available for Amazon EBS volumes:
• Basic – Data is available automatically in 5-minute periods at no charge. This includes data for the root device volumes for EBS-backed instances.
• Detailed – Provisioned IOPS SSD (io1) volumes automatically send one-minute metrics to CloudWatch.

Amazon EBS General Purpose SSD (gp2), Throughput Optimized HDD (st1), Cold HDD (sc1), and Magnetic (standard) volumes automatically send five-minute metrics to CloudWatch.

Provisioned IOPS SSD (io1) volumes automatically send one-minute metrics to CloudWatch.

Data is only reported to CloudWatch when the volume is attached to an instance.

Volume status checks enable you to better understand, track, and manage potential inconsistencies in the data on an Amazon EBS volume.

| Volume Status | I/O Enabled Status | I/O Performance Status (only available for Provisioned IOPS volumes) |
|---|---|---|
| ok | Enabled (I/O Enabled or I/O AutoEnabled) | Normal (Volume performance is expected) |
| warning | Enabled (I/O Enabled or I/O AutoEnabled) | Degraded (Volume performance is below expectations); Severely Degraded (Volume performance is well below expectations) |
| impaired | Enabled (I/O Enabled or I/O AutoEnabled); Disabled (Volume is offline and pending recovery, or is waiting for the user to enable I/O) | Stalled (Volume performance is severely impacted); Not Available (Unable to determine I/O performance because I/O is disabled) |
| insufficient-data | Enabled (I/O Enabled or I/O AutoEnabled); Insufficient Data | Insufficient Data |

LOGGING AND AUDITING

Amazon EC2 and Amazon EBS are integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon EC2 and Amazon EBS.

CloudTrail captures all API calls for Amazon EC2 and Amazon EBS as events, including calls from the console and from code calls to the APIs.

AMAZON DATA LIFECYCLE MANAGER (DLM)

Automates the creation, retention, and deletion of EBS snapshots and EBS-backed AMIs.
• Protect valuable data by enforcing a regular backup schedule.
• Create standardized AMIs that can be refreshed at regular intervals.
• Retain backups as required by auditors or internal compliance.
• Reduce storage costs by deleting outdated backups.
• Create disaster recovery backup policies that back up data to isolated accounts.

EBS LIMITS (PER REGION)

| Name | Default Limit |
|---|---|
| Provisioned IOPS | 300,000 |
| Provisioned IOPS (SSD) volume storage (TiB) | 300 |
| General Purpose (SSD) volume storage (TiB) | 300 |
| Magnetic volume storage (TiB) | 300 |
| Max Cold HDD (sc1) Storage (TiB) | 300 |
| Max Throughput Optimized HDD (st1) Storage (TiB) | 300 |

AWS ELB

AWS ELB FEATURES

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses.

Network traffic can be distributed across a single or multiple Availability Zones (AZs) within an AWS Region.
There are four types of Elastic Load Balancer (ELB) on AWS:
• Classic Load Balancer (CLB) – this is the oldest type and provides basic load balancing at both layer 4 and layer 7.
• Application Load Balancer (ALB) – layer 7 load balancer that routes connections based on the content of the request.
• Network Load Balancer (NLB) – layer 4 load balancer that routes connections based on IP protocol data.
• Gateway Load Balancer (GLB) – layer 3/4 load balancer used in front of virtual appliances such as firewalls and IDS/IPS systems.

Note: The CLB is not covered in detail on this page as it is an old generation load balancer and is no longer featured on most AWS exams.

The following table provides a comparison of some of the key features relevant to AWS exams:

| Feature | Application Load Balancer | Network Load Balancer | Classic Load Balancer | Gateway Load Balancer |
|---|---|---|---|---|
| OSI Layer | Layer 7 | Layer 4 | Layer 4/7 | Layer 3 Gateway + Layer 4 |
| Load Balancing Target Type | IP, Instance, Lambda | IP, Instance, ALB | N/A | IP, Instance |
| Protocols | HTTP, HTTPS | TCP | TCP, SSL, HTTP, HTTPS | IP |
| WebSockets | ✔ | ✔ | | |
| IP addresses as a target | ✔ | ✔ | | |
| HTTP header-based routing | ✔ | | | |
| HTTP/2/gRPC | ✔ | | | |
| Configurable idle connection timeout | ✔ | | | |
| Cross-zone load balancing | ✔ | ✔ | ✔ | |
| SSL Offloading | ✔ | ✔ | ✔ | |
| Server Name Indication (SNI) | ✔ | ✔ | ✔ | |
| Sticky sessions | ✔ | ✔ | ✔ | |
| Static / Elastic IP | | ✔ | | |