EC2 Basics
Instance types -
- T2 - Burstable Performance Instances
- M3 - Nice Balance
- C4 - Compute Optimized
- R2 - Memory Optimized
- G2 - GPU Optimized
- I2 - Storage Optimized
- EBS Optimized
EC2 instance sizes also determine the network throughput limits. For example, a Micro instance cannot have the same network throughput as a Medium instance.
Instance Storages -
- Instance-store volume (ephemeral data): Data is erased if the instance is stopped, but retained if the instance is only rebooted.
- EBS-backed volumes: Network-attached storage. Remains persistent for the life of the instance. One instance can have multiple EBS volumes, but one EBS volume can be attached to only one instance.
EBS performance is measured in IOPS (input/output operations per second). One I/O operation is 256 KB or smaller, so a 512 KB operation counts as 2 IOPS.
We can provision up to 20,000 IOPS on an EBS volume.
EBS types -
- General Purpose SSD: Commonly used as the "root" volume.
  - Used on smaller instances.
  - 3 IOPS/GiB (burstable performance); credits accrue while the IOPS are not being used.
  - Volume size of 1 GiB to 16 TiB
- Provisioned IOPS: Used for mission-critical applications.
  - Large DB workloads.
  - Volume size of 4 GiB to 16 TiB
  - Can provision up to 20,000 IOPS
- Magnetic:
  - Low storage cost
  - Used in cases where performance is not important / data is infrequently accessed
  - Volume size of 1 GiB to 1024 GiB
Pre-warming of volumes - Sometimes we get volumes that were already used. AWS runs an erasing protocol when provisioning such volumes for us, which decreases the IOPS performance. In such cases we can run a command like the Linux dd utility, which touches each block on the storage and pre-warms it, thereby giving us improved performance.
EBS Snapshots - Snapshots are incremental in nature. They store only the changes since the most recent snapshot, reducing costs, and we pay only for the incremental storage. Even if the original snapshot is deleted, the newer snapshots still hold all the data.
Snapshots are stored on S3 buckets. But we cannot go and directly list them.
Snapshots taken on EBS volumes will degrade the volume's performance while the snapshot is being taken.
Remember: When an EC2 instance is stopped, we are not paying for that instance. We are paying only for storage.
EC2 bootstrapping : Writing Bash scripts which will be executed during the instance provisioning.
This script is also called "User-Data/Cloud-init" and can be accessed from within the instance at http://169.254.169.254/latest/meta-data or http://169.254.169.254/latest/user-data
EC2-Classic instances are not part of a VPC. They are assigned a public IP address and a CNAME. They also receive a private IP address but are not part of a VPC, and the private IP is lost once the EC2-Classic instance is rebooted.
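As an added example (not code from the original notes), here is a Python script that reads the user-data script through the metadata service and audits it for embedded credentials. It uses the IMDSv2 token handshake (a PUT to /latest/api/token, then GETs that carry the token in the X-aws-ec2-metadata-token header). The fake_imds stand-in, the sample user-data and the instance id are constructed so the script runs off an instance; on a real instance you would pass the default urllib.request.urlopen. The defender's point: user-data is readable by every process on the instance, so it must never carry secrets.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

IMDS = "http://169.254.169.254"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Secret-looking patterns that should never appear in a bootstrap script
# (AKIA... is the well-known prefix of AWS access key ids).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)(password|passwd|secret)\s*=\s*\S+"),
}


def imdsv2_token(http: Callable, ttl: int = 60) -> str:
    """Obtain an IMDSv2 session token with a PUT; every later GET must present it."""
    req = urllib.request.Request(f"{IMDS}/latest/api/token", method="PUT",
                                 headers={TOKEN_TTL_HEADER: str(ttl)})
    with http(req, timeout=2) as resp:
        return resp.read().decode()


def imds_get(path: str, http: Callable = urllib.request.urlopen) -> str:
    """GET /latest/<path> from the metadata service, e.g. 'user-data' or 'meta-data/instance-id'."""
    token = imdsv2_token(http)
    req = urllib.request.Request(f"{IMDS}/latest/{path}", headers={TOKEN_HEADER: token})
    with http(req, timeout=2) as resp:
        return resp.read().decode()


def audit_user_data(script: str) -> List[Tuple[int, str]]:
    """Return (line number, pattern name) for every line that looks like it carries a credential."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def fetch_and_audit(http: Callable = urllib.request.urlopen) -> List[Tuple[int, str]]:
    """Pull the instance's own user-data and audit it."""
    return audit_user_data(imds_get("user-data", http))


# ---- Constructed stand-in for the metadata service so the script runs off an instance ----
SAMPLE_USER_DATA = """#!/bin/bash
yum update -y
# bad practice: credentials baked into user-data (constructed sample; the key is the AWS docs example)
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export DB_PASSWORD='hunter2'
curl -s http://169.254.169.254/latest/meta-data/instance-id > /etc/instance-id
"""


class _FakeResponse:
    def __init__(self, body: str):
        self._body = body.encode()

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_imds(req: urllib.request.Request, timeout=None) -> _FakeResponse:
    """Mimics IMDSv2: issues a token on PUT and rejects GETs that do not present it."""
    if req.get_method() == "PUT" and req.selector == "/latest/api/token":
        return _FakeResponse("constructed-session-token")
    if req.get_header(TOKEN_HEADER) != "constructed-session-token":
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
    if req.selector == "/latest/user-data":
        return _FakeResponse(SAMPLE_USER_DATA)
    if req.selector == "/latest/meta-data/instance-id":
        return _FakeResponse("i-0123456789abcdef0")  # constructed instance id
    raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)


if __name__ == "__main__":
    print("instance-id:", imds_get("meta-data/instance-id", fake_imds))
    for lineno, what in fetch_and_audit(fake_imds):
        print(f"user-data line {lineno}: {what}")
```

Running it against the constructed user-data flags line 4 (an access key id) and line 5 (a password assignment); a clean bootstrap script yields no findings.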
Security Groups are used as firewalls for EC2 instances. An instance can belong to multiple security groups. Security Groups can reference themselves as "source" traffic in firewall rules.
Action Item - Go and read the EC2 service limits in the AWS console! It's important!
We can have 40 instances in total, of which 20 is the maximum number of running instances.
EC2-VPC Elastic IPs have a limit of 5 IPs per VPC.
Rules per VPC SG - 50
VPCs per env - 5
Security Groups per VPC - 100
The longer the term for which we purchase a reserved instance, the less we pay per hour.
While creating an EC2 instance, you can open the SSH port with an appropriate source in order to log into it :)
Note: Private IP addresses persist when EC2 instances are shut down, but public IP addresses are not persistent; they are lost once an instance is shut down.
There are two types of subnets in a VPC - Private and public.
An instance in a private or public subnet needs a public IP address and an Internet gateway attached to the subnet in order to connect to the internet.
Elastic IP addresses are always convenient because if an instance becomes unhealthy or unresponsive or needs to be removed, we can detach the Elastic IP address and attach it to any other instance. For example, you can have two NAT instances and use one Elastic IP address, which can fail over to the second NAT instance.
Security Groups
We can have up to 500 security groups per VPC. Each Security Group can have up to 50 rules.
We can assign 5 Security Groups per EC2 network interface.
An instance can belong to multiple Security Groups.
Remember, all Security Groups DENY by default; we cannot create explicit deny rules.
Remember, responses to inbound/outbound traffic are stateful, i.e. if inbound traffic on port 80 is open then the outbound response over port 80 will be allowed even if port 80 is not open for outbound.
One can change the SG (Security Group) of an instance, but this isn't possible for EC2-Classic.
The "default" SG has all ports open. Instances which are part of the default SG can communicate with each other, i.e. there is an inbound rule which allows all traffic from the "default" SG as source.
Bastion Host - A system identified as a critical strong point which can be used as a gateway to connect to other instances. One can SSH into private resources without using a VPN. A bastion host may have additional security hardening or additional software installed for further security tightening.
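The Security Group rules above (allow-only with deny by default, rules unioned across groups, stateful return traffic, a group usable as the "source" of a rule) and the bastion host pattern are easiest to see in a small model. The following Python is an added example, not AWS code or code from the original notes: group ids (sg-bastion, sg-private, sg-web), the 10.0.0.0/8 addresses and the 203.0.113.0/24 admin range are constructed, and only the behaviours stated in the notes are modelled (no NACLs, no ephemeral-port tracking).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str        # "inbound" or "outbound"
    protocol: str         # "tcp", "udp", "icmp", or "-1" for all protocols
    port: Optional[int]   # None means all ports
    source: str           # CIDR block, or another group's id to reference that group


@dataclass
class SecurityGroup:
    sg_id: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Host:
    name: str
    ip: str
    groups: List[SecurityGroup] = field(default_factory=list)
    external: bool = False   # hosts outside the VPC are not subject to security groups


def rule_matches(rule: Rule, protocol: str, port: int, peer: Host) -> bool:
    if rule.protocol != "-1" and rule.protocol != protocol:
        return False
    if rule.port is not None and rule.port != port:
        return False
    if rule.source.startswith("sg-"):
        # Group reference: matches any host that is a member of that group
        return any(g.sg_id == rule.source for g in peer.groups)
    return ip_address(peer.ip) in ip_network(rule.source)


def allowed_by_groups(host: Host, direction: str, protocol: str, port: int, peer: Host) -> bool:
    if host.external:
        return True
    # Rules of all the host's groups are unioned; there are only allow rules,
    # so anything no rule matches is denied.
    return any(rule_matches(r, protocol, port, peer)
               for g in host.groups for r in g.rules if r.direction == direction)


class Vpc:
    def __init__(self, hosts: List[Host]):
        self.hosts = {h.name: h for h in hosts}
        self.flows = set()   # connection-tracking table: (client, server, protocol, port)

    def connect(self, client: str, server: str, protocol: str, port: int) -> bool:
        """A new flow: the client's outbound rules and the server's inbound rules must both allow it."""
        src, dst = self.hosts[client], self.hosts[server]
        ok = (allowed_by_groups(src, "outbound", protocol, port, dst)
              and allowed_by_groups(dst, "inbound", protocol, port, src))
        if ok:
            self.flows.add((client, server, protocol, port))
        return ok

    def reply(self, server: str, client: str, protocol: str, port: int) -> bool:
        """Stateful behaviour: return traffic of a tracked flow is allowed without consulting rules."""
        return (client, server, protocol, port) in self.flows


def build_demo() -> Vpc:
    admin_cidr = "203.0.113.0/24"   # constructed admin network (TEST-NET-3 range)
    sg_bastion = SecurityGroup("sg-bastion", [
        Rule("inbound", "tcp", 22, admin_cidr),
        Rule("outbound", "-1", None, "0.0.0.0/0"),   # the default egress rule AWS creates
    ])
    sg_private = SecurityGroup("sg-private", [
        Rule("inbound", "tcp", 22, "sg-bastion"),     # SSH only via the bastion
        Rule("inbound", "tcp", 8080, "sg-private"),   # self-reference: members may talk to each other
        Rule("outbound", "-1", None, "0.0.0.0/0"),
    ])
    sg_web = SecurityGroup("sg-web", [
        Rule("inbound", "tcp", 80, "0.0.0.0/0"),      # deliberately no outbound rule at all
    ])
    return Vpc([
        Host("admin", "203.0.113.10", external=True),
        Host("bastion", "10.0.0.10", [sg_bastion]),
        Host("app1", "10.0.1.10", [sg_private]),
        Host("app2", "10.0.1.11", [sg_private]),
        Host("web", "10.0.2.10", [sg_web]),
    ])


if __name__ == "__main__":
    vpc = build_demo()
    print("admin -> bastion:22   ", vpc.connect("admin", "bastion", "tcp", 22))    # True
    print("admin -> app1:22      ", vpc.connect("admin", "app1", "tcp", 22))       # False
    print("bastion -> app1:22    ", vpc.connect("bastion", "app1", "tcp", 22))     # True
    print("app1 -> app2:8080     ", vpc.connect("app1", "app2", "tcp", 8080))      # True
    print("admin -> web:80       ", vpc.connect("admin", "web", "tcp", 80))        # True
    print("web reply to admin:80 ", vpc.reply("web", "admin", "tcp", 80))          # True
    print("web -> admin:443      ", vpc.connect("web", "admin", "tcp", 443))       # False
```

The web host shows the stateful point from the notes: it has no outbound rule, yet its reply to an admitted connection on port 80 is allowed, while an unsolicited outbound connection from it is denied. The private group shows both a group reference (SSH only from members of sg-bastion) and a self-reference (port 8080 only between its own members).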
Monitoring on EC2
Types of Status Checks :
- System Status Check - Loss of network connectivity, loss of system power, physical host problems. Solution: stopping and starting the instance will start it on a different physical host.
- Instance Status Checks - Corrupted file system, failed system status checks, exhausted memory. Generally a reboot or rebuilding the AMI solves the issue.
CloudWatch Alarms: By default CloudWatch automatically monitors the metrics that can be observed at the host level. If we want to look at memory utilization we have to use a Perl script provided by Amazon.
- Basic level monitoring - Data is available automatically in 5 minute periods at no charge.
- Detailed level monitoring - Data is available in 1 minute periods.
OS-level metrics that require a third-party script to be installed:
- Memory utilization, memory used, memory available.
- Disk swap utilization.
- Disk space utilization, disk space used, disk space available.
You can also monitor CPU credits for T2 micro instances, which accrue credits while the CPU is underutilized.
EC2 Placement Groups
Placement groups - A cluster of instances within the same availability zone, with a low-latency 10 Gbps connection between them. Used for instances which require extremely low latency; they are placed physically close to each other.
If an instance in a placement group is stopped, AWS will try to place it physically as close as possible to the placement group when it is started again. Sometimes instances added later will result in an insufficient capacity error, which can be resolved by stopping and starting all the instances again.
Troubleshooting - Instances not originally launched into a placement group cannot be moved into one. Placement groups cannot be merged together. Placement groups cannot span multiple AZs. Placement group names must be unique within your AWS account. Placement groups can be connected. Instances must have 10 gigabit network speeds in order to take advantage of placement groups.
Serving traffic to private web servers
An ELB should have at least 2 subnets.
Connection draining in ELB - Before an LB de-registers an unhealthy instance, it waits for a certain amount of time so that current connections can drain.