# AWS Certified Solutions Architect - Associate(EC2)
###### tags: `AWS`
## EC2
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizable compute capacity in the cloud (a VM in the cloud).
#### Pricing Models
- **On Demand**
Allows you to pay a fixed rate by the hour with no commitment.
- **Reserved**
Provides you with a capacity reservation and offers a significant discount on the hourly charge for an instance. Contract terms are 1 year or 3 years.
- **Spot**
Enables you to bid whatever price you want for instance capacity, providing even greater savings if your applications have flexible start and end times.
- **Dedicated Hosts**
A physical EC2 server dedicated for your use. Dedicated Hosts can help you reduce costs by allowing you to use your existing server-bound software licenses.
#### Mnemonic
- F - FPGA
- I - IOPS (Input/Output Operations Per Second)
- G - Graphics
- H - High Disk Throughput
- T - Cheap general purpose (think T2 Micro)
- D - Density (Storage)
- R - RAM
- M - Main choice for general purpose apps
- C - Compute
- P - Graphics(think Pics)
- X - Extreme Memory
- Z - Extreme Memory & CPU
- A - Arm-based workloads
- U - Bare Metal
Dr.Mac pixie
> Notes: If the spot instance is terminated by Amazon EC2, you will not be charged for a partial hour of usage. However, if you terminate the instance yourself, you will be charged for any hour in which the instance ran.
Tips:
- Termination Protection is **turned off** by default; you must turn it on.
- On an EBS-backed instance, the **default action is for the root EBS volume to be deleted** when the instance is terminated.
- EBS root volumes of your DEFAULT AMIs **CAN** be encrypted. You can also use a third-party tool (such as BitLocker) to encrypt the root volume, or this can be done when creating AMIs in the AWS console or using the API.
- Additional volumes can be encrypted.
#### Security groups
- All inbound traffic is blocked by default.
- All outbound traffic is allowed.
- Changes to Security Groups take effect immediately.
- You can have any number of EC2 instances within a security group.
- You can have multiple security groups attached to EC2 Instances.
- Security Groups are **STATEFUL**.
- If you create an inbound rule allowing traffic in, that traffic is automatically allowed back out again.
- You cannot block a specific IP address using Security Groups; use Network Access Control Lists instead.
- You can specify allow rules, but not deny rules.
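As an added example (not part of the original note), the following Python models the security group rules listed above so the allow-only and stateful behaviour can be checked offline. The addresses, ports and rules are constructed, and connection tracking is simplified to a set of accepted inbound flows.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp" or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules

    def matches(self, proto, port, ip):
        return (self.proto in ("-1", proto)
                and self.from_port <= port <= self.to_port
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)  # empty list: everything inbound is denied
    # AWS creates one outbound rule allowing all traffic; deleting it leaves outbound empty.
    outbound: list = field(default_factory=lambda: [Rule("-1", 0, 65535, "0.0.0.0/0")])
    tracked: set = field(default_factory=set)    # accepted inbound flows (simplified state)

    def inbound_allowed(self, proto, dst_port, src_ip, src_port):
        # There are only allow rules: no match means implicit deny, never an explicit deny.
        if any(r.matches(proto, dst_port, src_ip) for r in self.inbound):
            self.tracked.add((proto, dst_port, src_ip, src_port))
            return True
        return False

    def outbound_allowed(self, proto, dst_ip, dst_port, src_port):
        # Stateful: the reply to an accepted inbound flow is allowed with no outbound rule.
        if (proto, src_port, dst_ip, dst_port) in self.tracked:
            return True
        return any(r.matches(proto, dst_port, dst_ip) for r in self.outbound)


def demo():
    """HTTPS from one constructed /24 only, with the default outbound rule removed."""
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, "203.0.113.0/24")], outbound=[])
    client = "203.0.113.7"
    return {
        "https_from_allowed_cidr": sg.inbound_allowed("tcp", 443, client, 51000),
        "reply_without_outbound_rule": sg.outbound_allowed("tcp", client, 51000, 443),
        "ssh_without_rule": sg.inbound_allowed("tcp", 22, client, 51001),
        "new_outbound_flow": sg.outbound_allowed("tcp", "198.51.100.9", 80, 40000),
        "https_from_other_ip": sg.inbound_allowed("tcp", 443, "198.51.100.9", 51002),
    }
```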
### EBS
Amazon Elastic Block Store provides persistent block storage volumes for use with Amazon EC2 instances in the AWS cloud.
#### 5 Different Types
- General Purpose(SSD)
- Provisioned IOPS(SSD)
- Throughput Optimised Hard Disk Drive
- Cold Hard Disk Drive
- Magnetic

### EBS Volumes & Snapshots
Tips:
- Volumes exist on EBS. Think of EBS as a virtual hard disk.
- Snapshots exist on S3. Think of snapshots as a photograph of the disk.
- Snapshots are incremental: only the blocks that have changed since your last snapshot are moved to S3.
- If this is your first snapshot, it may take some time to create.
- To create a snapshot of an Amazon EBS volume that serves as a root device, you should stop the instance before taking the snapshot.
- However, you can take a snapshot while the instance is running.
- You can create AMIs from snapshots.
- You can change EBS volumes on the fly, including the size and storage type.
- Volumes will ALWAYS be in the same Availability Zone as the EC2 instance.
- To move an EC2 instance from one AZ to another, take a snapshot of it, create an AMI from the snapshot, and then use the AMI to launch the EC2 instance in the new AZ.
- To move an EC2 volume from one region to another, take a snapshot of it, create an AMI from the snapshot, and then copy the AMI from one region to the other. Then use the copied AMI to launch the new EC2 instance in the new region.
#### EBS vs Instance store
**AMIs** can be selected by:
- Region
- OS
- Architecture
- Launch Permissions
- Storage for the Root Device
    - Instance Store (EPHEMERAL STORAGE)
    - EBS Backed Volumes
#### Storage for the Root Device
- **For EBS volumes**: The root device for an instance launched from the AMI is an Amazon EBS volume created from an Amazon EBS snapshot.
- **For Instance Store Volumes**: The root device for an instance launched from the AMI is an instance store volume created from a template stored in Amazon S3.
Tips:
- Instance Store Volumes are sometimes called Ephemeral Storage.
- Instances backed by instance store volumes cannot be stopped. If the underlying host fails, you will lose your data.
- EBS backed instances can be stopped. You will not lose the data on this instance if it is stopped.
- You can reboot both, you will not lose your data.
- By default, both ROOT volumes will be deleted on termination. However, with EBS volumes, you can tell AWS to keep the root device volume.
#### ENI vs ENA vs EFA
- **ENI**: Elastic Network Interface - essentially a virtual network card.
- **EN**: Enhanced Networking. Uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types.
    - **Elastic Network Adapter (ENA)**: supports network speeds of up to 100 Gbps for supported instance types.
    - **Virtual Function (VF)**: supports network speeds of up to 10 Gbps, typically used on older instances.
- **Elastic Fabric Adapter (EFA)**: A network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (**HPC**) and **machine learning** applications. It can use OS-bypass.
#### Encrypted Root Device
- Snapshots of encrypted volumes are encrypted automatically.
- Volumes restored from encrypted snapshots are encrypted automatically.
- You can share snapshots, but only if they are unencrypted.
- These snapshots can be shared with other AWS accounts or made public.
- You can now encrypt root device volumes upon creation of the EC2 instance.
**Procedure**
- Create a Snapshot of the unencrypted root device volume
- Create a copy of the Snapshot and select the encrypt option
- Create an AMI from the encrypted Snapshot
- Use that AMI to launch new encrypted instances
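The four steps above written against the boto3 EC2 client method names (`create_snapshot`, `copy_snapshot`, `register_image`, `run_instances`), as an added example that is not the note author's code. The client is passed in, so the function runs here against the small in-memory `FakeEc2` below; with boto3 installed, `boto3.client("ec2", region_name=region)` can be passed instead. The volume ID, region, device name and returned IDs are constructed.

```python
from types import SimpleNamespace


def encrypt_root_and_relaunch(ec2, volume_id, region, kms_key_id=None, instance_type="t3.micro"):
    # 1. Snapshot the unencrypted root volume and wait until it is complete.
    src = ec2.create_snapshot(VolumeId=volume_id)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[src])
    # 2. Copy it with Encrypted=True (AWS-managed aws/ebs key unless a KMS key is given).
    args = dict(SourceSnapshotId=src, SourceRegion=region, Encrypted=True)
    if kms_key_id:
        args["KmsKeyId"] = kms_key_id
    enc = ec2.copy_snapshot(**args)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc])
    # Check before building on it: the copy must actually report Encrypted.
    if not ec2.describe_snapshots(SnapshotIds=[enc])["Snapshots"][0]["Encrypted"]:
        raise RuntimeError(f"snapshot {enc} is not encrypted")
    # 3. Register an AMI whose root device is the encrypted snapshot.
    ami = ec2.register_image(
        Name="encrypted-root", Architecture="x86_64", VirtualizationType="hvm",
        RootDeviceName="/dev/xvda",
        BlockDeviceMappings=[{"DeviceName": "/dev/xvda",
                              "Ebs": {"SnapshotId": enc, "DeleteOnTermination": True}}],
    )["ImageId"]
    # 4. Launch from that AMI; the new instance's root volume is encrypted.
    run = ec2.run_instances(ImageId=ami, InstanceType=instance_type, MinCount=1, MaxCount=1)
    return {"source": src, "encrypted": enc, "ami": ami, "instance": run["Instances"][0]["InstanceId"]}


class FakeEc2:
    """Stand-in for boto3.client("ec2"): records call order, returns constructed IDs."""
    def __init__(self):
        self.calls, self.encrypted = [], {}
    def get_waiter(self, name):
        return SimpleNamespace(wait=lambda **kw: None)  # nothing to wait for offline
    def create_snapshot(self, **kw):
        self.calls.append("create_snapshot")
        self.encrypted["snap-src"] = False
        return {"SnapshotId": "snap-src"}
    def copy_snapshot(self, **kw):
        self.calls.append("copy_snapshot")
        self.encrypted["snap-enc"] = kw.get("Encrypted", False)
        return {"SnapshotId": "snap-enc"}
    def describe_snapshots(self, SnapshotIds):
        return {"Snapshots": [{"Encrypted": self.encrypted[s]} for s in SnapshotIds]}
    def register_image(self, **kw):
        self.calls.append("register_image")
        return {"ImageId": "ami-enc"}
    def run_instances(self, **kw):
        self.calls.append("run_instances")
        return {"Instances": [{"InstanceId": "i-new"}]}
```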
#### Spot instances
Spot instances are not good for:
- [x] Persistent workloads
- [x] Critical jobs
- [x] Databases
**Spot Fleets**
1. Set up different launch pools. Define things like EC2 instance type, operating system, and AZ.
2. You can have multiple pools, and the fleet will choose the best way to implement depending on the strategy you define.
3. Spot Fleets will stop launching instances once you reach your price threshold or desired capacity.
**Strategies**
- [x] capacityOptimized
- [x] lowestPrice
- [x] diversified
- [x] InstancePoolsToUseCount
Tips:
- Spot Instances save up to 90%.
- Useful for any type of computing where you don't need persistent storage.
- You can block Spot Instances from terminating by using **Spot Block**.
- A Spot Fleet is a collection of Spot Instances and, optionally, On-Demand Instances.
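The four allocation strategies listed above, simulated over constructed launch pools as an added example (not from the original note). A pool is an instance type in an AZ with a made-up spot price and free capacity; `allocate` returns the launch plan and any shortfall against the target, which is how a fleet that hits its capacity or price limit shows up. The `capacityOptimized` rule is simplified to "deepest pool first".

```python
from dataclasses import dataclass


@dataclass
class Pool:
    instance_type: str
    az: str
    price: float    # spot price per instance-hour (constructed)
    capacity: int   # instances this pool can still supply (constructed)


def allocate(pools, target, strategy, pools_to_use=2):
    """Return (plan, shortfall): plan maps (instance_type, az) -> instances to launch."""
    if strategy == "lowestPrice":
        order, spread = sorted(pools, key=lambda p: p.price), False      # fill cheapest pool first
    elif strategy == "capacityOptimized":
        order, spread = sorted(pools, key=lambda p: -p.capacity), False  # deepest pool first
    elif strategy == "diversified":
        order, spread = list(pools), True                                # one per pool per round
    elif strategy == "InstancePoolsToUseCount":
        # lowestPrice variant: spread evenly over the N cheapest pools
        order, spread = sorted(pools, key=lambda p: p.price)[:pools_to_use], True
    else:
        raise ValueError(f"unknown strategy {strategy}")

    plan, remaining = {}, target
    if spread:
        progressed = True
        while remaining and progressed:   # round-robin until target met or pools exhausted
            progressed = False
            for p in order:
                key = (p.instance_type, p.az)
                if remaining and plan.get(key, 0) < p.capacity:
                    plan[key] = plan.get(key, 0) + 1
                    remaining -= 1
                    progressed = True
    else:
        for p in order:
            take = min(remaining, p.capacity)
            if take:
                plan[(p.instance_type, p.az)] = take
                remaining -= take
    return plan, remaining   # remaining > 0: the fleet could not reach its target capacity


# Constructed pools: a cheap shallow pool, a pricier deep pool, and a mid-priced pool.
DEMO_POOLS = [Pool("c5.large", "us-east-1a", 0.03, 5),
              Pool("c5.large", "us-east-1b", 0.05, 20),
              Pool("m5.large", "us-east-1a", 0.04, 8)]
```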
#### EC2 Hibernate
When you hibernate an EC2 instance, the OS is told to perform hibernation (suspend-to-disk). Hibernation saves the contents of RAM to your Amazon EBS root volume.
**When we start an EC2 instance normally, the following happens:**
- [x] OS boots up
- [x] User data script is run (bootstrap scripts)
- [x] Applications start (can take some time)
**When you start your instance out of hibernation:**
- The **Amazon EBS** root volume is restored to its previous state
- The **RAM** contents are reloaded
- The processes that were previously running on the instance are resumed
- Previously attached data volumes are **reattached and the instance retains its instance ID**

**With EC2 Hibernate, the instance boots much faster; the OS does not need to reboot because RAM is preserved.**
Useful for:
1. Long-running processes
2. Services that take time to initialize
Tips:
- **EC2 Hibernate** preserves the in-memory RAM on persistent storage (EBS)
- Much faster to boot up
- Instance RAM must be less than **150 GB**
- Available for Windows, Amazon Linux 2 AMI, Ubuntu
- Instances can't be hibernated for more than **60 days**
- Available for **On-Demand Instances** and **Reserved Instances**
## CloudWatch
CloudWatch can monitor things like:
- Compute
    - EC2 Instances
    - Auto Scaling Groups
    - Elastic Load Balancers
    - Route 53 Health Checks
- Storage & Content Delivery
    - EBS Volumes
    - Storage Gateways
    - CloudFront
Host-level metrics consist of:
- CPU
- Network
- Disk
- Status Check
**Compared to AWS CloudTrail**
AWS CloudTrail increases visibility into your user and resource activity by recording AWS Management Console **actions** and **API calls**.
**Summary**
- CloudWatch
    - monitors performance
    - can monitor most AWS applications
    - EC2 events are monitored every 5 minutes by default (can be reduced to 1 minute)
    - can trigger notifications
- CloudTrail (CCTV)
    - monitors API calls in the AWS platform (auditing)
What can I do with CloudWatch?
- Dashboards - create awesome dashboards to see what is happening in your AWS environment.
- Alarms - allow you to set alarms that notify you when particular thresholds are hit.
- Events - CloudWatch Events helps you to respond to state changes in your AWS resources.
- Logs - CloudWatch logs helps you to aggregate, monitor, and store logs.
#### AWS CLI
```shell=
aws s3 ls                     # fails until credentials are configured
aws configure                 # prompts for access key, secret key, region and output format
aws s3 mb s3://{bucket_name}  # create a bucket once credentials are in place
```
Tips:
- You can interact with AWS from anywhere in the world just by using the CLI.
- You will need to set up access in IAM.
Tips:
- Roles are more secure than storing your access key and secret access key on individual EC2 instances.
- Roles are easier to manage.
- Roles can be assigned to an EC2 instance after it is created using both the console & command line.
- Roles are universal - can be used in any region.
Tips:
- Instance metadata is used to get info about an instance from inside that instance.
```shell=
curl http://169.254.169.254/latest/user-data   # the bootstrap (user data) script
curl http://169.254.169.254/latest/meta-data   # lists the available metadata categories
```
#### EFS
Amazon Elastic File System is a file storage service for Amazon Elastic Compute Cloud instances.
- Easy to use to share between two instances.
- Provides a simple interface that allows you to create and configure file systems.
- Storage capacity is elastic.
```shell=
# Mount through the EFS mount helper with TLS; {fs-name} is the placeholder for the file system ID.
sudo mount -t efs -o tls {fs-name}:/ /var/www/html
```
Tips:
- Supports the Network File System version 4 (NFSv4) protocol
- You only pay for the storage you use (no pre-provisioning required)
- Can scale up to petabytes
- Can support thousands of concurrent NFS connections
- Data is stored across multiple AZs within a region
- Read After Write Consistency
#### Amazon FSx
Amazon FSx for Windows File Server provides a fully managed native Microsoft Windows file system. It is built on Windows Server.
- EFS
    - Distributed, highly resilient storage for Linux and Linux-based applications.
    - A managed NAS filer for EC2 instances based on Network File System (NFS) version 4.
    - One of the first network file sharing protocols native to Unix and Linux.
- Windows FSx
    - Centralized storage for Windows-based applications.
    - A managed Windows Server that runs Windows Server Message Block (SMB)-based file services.
    - Designed for Windows and Windows applications.
    - Supports AD users, access control lists, groups and security policies, along with Distributed File System (DFS) namespaces and replication.
- Amazon FSx for Lustre
    - High-speed, high-capacity distributed storage: HPC, financial modelling, low latencies, high IOPS, high throughput.
    - Fully managed file system that is optimized for compute-intensive workloads, such as HPC, ML, media data processing workflows, EDA.
    - It can process massive data sets.
    - Remember that FSx for Lustre can store data directly on S3.
#### EC2 Placement Groups
- Clustered Placement Group
    - A cluster placement group is a grouping of instances within a single AZ.
    - Recommended for applications that need **low network latency**, **high network throughput**, or both.
    - Only certain instances can be launched into a Clustered Placement Group.
- Spread Placement Group
    - **Individual critical EC2 instances**
    - A spread placement group is a group of instances that are each placed on distinct underlying hardware.
    - Recommended for applications that have a small number of critical instances that should be kept separate from each other (INDIVIDUAL).
- Partitioned Placement Group
    - **Multiple EC2 instances: HDFS, HBase, and Cassandra**.
    - EC2 divides each group into logical segments called partitions.
    - EC2 ensures that each partition within a placement group has its own set of racks (each rack has its own network and power source).

Tips:
- A clustered placement group can't span multiple Availability Zones, but spread and partitioned placement groups can.
- The name you specify for a placement group must be unique within your AWS account.
- Only certain types of instances can be launched in a placement group (Compute Optimized, Memory Optimized, Storage Optimized).
- AWS recommends homogeneous instances within clustered placement groups.
- You can't merge placement groups.
- You can move an existing instance into a placement group. Before you move the instance, it must be in the stopped state. You can move or remove an instance using the AWS CLI or SDK.
#### HPC
AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.

**What are some ways we can get your data into AWS?**
- Snowball
- AWS DataSync
- Direct Connect
**Reduces network costs, increases bandwidth throughput, and provides a more consistent network experience than internet-based connections**
- EC2 instances that are GPU or CPU optimized.
- Enhanced networking
- EC2 fleets
- Elastic Network Adapters
- Placement groups
- Elastic Fabric Adapters
ENA supports network speeds up to 100 Gbps.
VF interface supports network speeds up to 10 Gbps (legacy).
Note: In any scenario question, **choose ENA over VF**.
### EFA
- An Elastic Fabric Adapter (EFA) is a network device you can attach to your Amazon EC2 instance to accelerate HPC and ML applications.
- Lower, more consistent latency and higher throughput than traditional TCP transport.
- EFA can use **OS-bypass**, Linux only.
**Instance-attached storage:**
- **EBS:** Scale up to 64,000 IOPS with Provisioned IOPS(PIOPS)
- **Instance Store:** Scale to millions of IOPS; low latency
**Network storage:**
- **Amazon S3:** Distributed object-based storage; not a file system
- **Amazon EFS:** Scale IOPS based on total size, or use Provisioned IOPS
- **Amazon FSx for Lustre:** HPC-optimized distributed file system; millions of IOPS, which is also backed by S3
#### How to achieve HPC on AWS?
- AWS Batch
    - Batch computing jobs
    - Multi-node parallel jobs (a single job spans multiple EC2 instances)
    - Schedule jobs
- AWS ParallelCluster
    - Open-source
    - Simple text file to model and provision all the resources needed
    - Automates creation of VPC, subnet, cluster type, and instance types

HPC on AWS is achieved through:
- Data transfer
    - Snowball
    - AWS DataSync
    - Direct Connect
- Compute and networking
    - EC2 instances that are GPU or CPU optimized
    - EC2 fleets
    - Placement groups
    - Enhanced networking: single root I/O virtualization (SR-IOV)
        - ENA or VF interface
    - Elastic Fabric Adapters
- Storage
    - **Instance-attached storage:**
        - **EBS:** Scale up to 64,000 IOPS with Provisioned IOPS (PIOPS)
        - **Instance Store:** Scale to millions of IOPS; low latency
    - **Network storage:**
        - **Amazon S3:** Distributed object-based storage; not a file system
        - **Amazon EFS:** Scale IOPS based on total size, or use Provisioned IOPS
        - **Amazon FSx for Lustre:** HPC-optimized distributed file system; millions of IOPS, which is also backed by S3
- Orchestration and automation
    - AWS Batch
    - AWS ParallelCluster
### AWS WAF
AWS WAF is a **web application firewall** (OSI layer 7) that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront, an Application Load Balancer or API Gateway.
It ALSO lets you control access to your content.
#### Behaviors
1. Allow all requests except the ones you specify
2. Block all requests except the ones you specify
3. Count the requests that match the properties you specify
#### Conditions
- IP address
- Country
- Headers
- Strings in requests
- Length of requests
- SQL injection
- CSRF
#### How to block malicious IP addresses
- AWS WAF
- Network ACLs
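The three behaviours and some of the conditions above, modelled as an added example that is not part of the original note: a web ACL has a default action (behaviours 1 and 2), and priority-ordered rules whose action is ALLOW, BLOCK or COUNT. ALLOW and BLOCK terminate on the first match; COUNT (behaviour 3) only records the match and evaluation continues, which is how a new rule (such as the IP block list from the last section) can be measured before it is enforced. The rule names, CIDR, country code "XX" and the SQL-injection signature are constructed for the demo.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    src_ip: str
    country: str   # two-letter code; "XX" below is a constructed placeholder
    uri: str
    body: str


# Toy SQL-injection signature for the example only, not a production rule set.
SQLI = re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\b)")


def ip_match(cidrs):            # IP address condition
    return lambda r: any(ipaddress.ip_address(r.src_ip) in ipaddress.ip_network(c) for c in cidrs)

def country_match(codes):       # country (geo) condition
    return lambda r: r.country in codes

def size_constraint(max_body):  # length-of-request condition
    return lambda r: len(r.body) > max_body

def sqli_match():               # SQL injection condition over URI and body
    return lambda r: bool(SQLI.search(r.uri) or SQLI.search(r.body))


def evaluate(web_acl, request):
    """Return (final action, names of rules that matched in COUNT mode)."""
    counted = []
    for name, condition, action in web_acl["rules"]:   # rules in priority order
        if condition(request):
            if action == "COUNT":          # behaviour 3: record the match, keep evaluating
                counted.append(name)
                continue
            return action, counted         # ALLOW / BLOCK terminate on the first match
    return web_acl["default_action"], counted   # behaviours 1 and 2 set the default


DEMO_ACL = {
    "default_action": "ALLOW",   # behaviour 1: allow everything except what rules block
    "rules": [
        ("block-bad-ips", ip_match(["203.0.113.0/24"]), "BLOCK"),   # constructed CIDR
        ("trial-geo-block", country_match({"XX"}), "COUNT"),       # measure before enforcing
        ("block-sqli", sqli_match(), "BLOCK"),
        ("block-large-body", size_constraint(8192), "BLOCK"),
    ],
}
```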