Amazon EC2 Concepts: Difference between revisions

From NovaOrdis Knowledge Base
Line 55: Line 55:
==<span id='Instance_Metadata'></span>Instance Metadata and User Data==
==<span id='Instance_Metadata'></span>Instance Metadata and User Data==
{{External|[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html Instance Metadata and User Data]}}
{{External|[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html Instance Metadata and User Data]}}
===Instance Metadata Operations===
* [[Amazon_EC2_Operations#Use_Temporary_Credentials_Made_Available_via_Instance_Metadata|Use Temporary Credentials Made Available via Instance Metadata]]


==Temporary Security Credentials for EC2 Instances==
==Temporary Security Credentials for EC2 Instances==
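Review bot: the new ===Instance Metadata Operations=== subsection is a single link with no introductory sentence, so a reader landing on the ==Instance Metadata and User Data== section sees only the {{External}} template and one bullet; a one-line statement that the iam/security-credentials/<role-name> metadata path is where the role's temporary credentials are served would make the operations link self-explanatory. The <span id='Instance_Metadata'> anchor is kept on the heading, so existing links to #Instance_Metadata still resolve.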

Revision as of 03:44, 22 November 2019

Internal

Overview

There are two Amazon Elastic Compute Cloud (EC2) platforms: EC2-VPC and EC2-Classic. EC2-VPC is aimed at launching AWS resources into a virtual private cloud (VPC). Also see Determining Whether You Are Using the EC2-VPC or EC2-Classic Platform.

Security Concepts

AMI (Amazon Machine Image)

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html

An Amazon machine image is a template that contains a software configuration (operating system, application server, application).

To browse through available AMIs go to the EC2 console -> Left Navigation Pane -> AMIs.

AMIs can be chosen based on region, operating system, architecture (32-bit or 64-bit), launch permissions and storage for root device.

AMI ID

AMI Name

Must be unique within account and region.

AMI Storage for Root Device

An AMI can be either backed by Amazon EBS or backed by instance store. Backed by Amazon EBS means that the root device for the instance launched from the AMI is an Amazon EBS volume, created from an Amazon EBS snapshot. Backed by instance store means that the root device is an instance store volume created from a template stored in Amazon S3. For more details: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html#storage-for-the-root-device

AMI Operations

Instance

From an AMI, you can launch an instance, which is a copy of the AMI running as a virtual server on a host computer in Amazon's data center. You can launch multiple instances from an AMI. An instance can be accessed using its public DNS name or public IP address. The DNS name follows the pattern ec2-<public_ip>.<region_code>.compute.amazonaws.com. An instance keeps running until it is explicitly stopped or until it fails. You can start from an existing AMI, log onto the instance, customize it with additional settings and software, and then save this customized image as a new AMI.

Instance Type

Each instance type offers different compute, memory, and storage capabilities, and instance types are grouped into instance families based on these capabilities. An example of an instance type is t2.micro.

External Documentation:

EC2 Service IAM Role

AWS Service Role for an EC2 Instance

Instance Profile


Instance Metadata and User Data


Instance Metadata Operations

Temporary Security Credentials for EC2 Instances

Retrieving Security Credentials from Instance Metadata

EC2 instance applications using an instance profile retrieve their temporary security credentials from the instance metadata.

Credentials and related values are available from the iam/security-credentials/<role-name> category. The temporary security credentials that are available on the instance are automatically rotated before they expire, so that a valid set is always available. The application just needs to make sure that it gets a new set of credentials from the instance metadata before the current ones expire.
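As an added example (not code from the original page), a small Python client for the retrieval and refresh logic just described: it reads the role name under the iam/security-credentials/ category, parses the credential document, and decides when to re-read it before expiry. It assumes the instance metadata service at 169.254.169.254 and uses the IMDSv2 session-token header, which limits credential theft through SSRF-style proxies; the sample document is constructed and contains no real credentials.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254/latest"
# The category named in the text; the role name is appended to it.
CRED_PATH = "/meta-data/iam/security-credentials/"

def imds_token(ttl_seconds=21600):
    """Get an IMDSv2 session token (PUT with a TTL header); also works where IMDSv1 is disabled."""
    req = urllib.request.Request(IMDS + "/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def imds_get(path, token):
    """GET a metadata path, presenting the IMDSv2 token."""
    req = urllib.request.Request(IMDS + path, headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def fetch_role_credentials():
    """Read the role name listed under the category, then its credential document (only works on EC2)."""
    token = imds_token()
    role = imds_get(CRED_PATH, token).splitlines()[0]
    return parse_credentials(imds_get(CRED_PATH + role, token))

def parse_credentials(doc):
    """Parse the JSON served under iam/security-credentials/<role-name> into a credential set."""
    d = json.loads(doc)
    if d.get("Code") != "Success":
        raise RuntimeError("credential document not ready: %s" % d.get("Code"))
    exp = datetime.strptime(d["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"access_key": d["AccessKeyId"], "secret_key": d["SecretAccessKey"],
            "session_token": d["Token"], "expiration": exp}

def needs_refresh(creds, now, margin=timedelta(minutes=15)):
    """True when the set expires within `margin`: re-read IMDS before, not after, expiry."""
    return now + margin >= creds["expiration"]

# Constructed sample document shaped like the IMDS response; the values are not real credentials.
SAMPLE_DOC = json.dumps({
    "Code": "Success", "LastUpdated": "2019-11-22T03:00:00Z", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEYID0000", "SecretAccessKey": "EXAMPLESECRETKEYNOTREAL",
    "Token": "EXAMPLESESSIONTOKEN", "Expiration": "2019-11-22T09:00:00Z",
})
```

Because the document is readable by any process on the instance, treat the role's permissions as granted to everything running there, and keep the refresh margin comfortably inside the rotation window.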

Networking

EC2 NetworkInterface

An instance specifies its networking by declaring a list of network interfaces. An example of how to specify networking as a CloudFormation resource is available here:

Creating an EC2 Instance with CloudFormation

Subnet

AWS VPC Concepts - Subnet

Elastic IP and EC2 Instances

  • An EC2 instance cannot be reached over ssh, even if it has an Elastic IP (public) address configured on it, if the subnet has no internet gateway associated with it (no 0.0.0.0/0 route to an internet gateway)

Security Groups

It seems that a security group must be associated with the instance, even if it allows 0.0.0.0/0. In the case where no security group was deployed, the instance could not be accessed. It may have been a different kind of transient failure, but it seems a good idea to stand up a security group anyway.

Auto-Scaling

Auto-Scaling Concepts

Load Balancing

Load Balancing Concepts

Key Pair

Amazon EC2 Key Pairs

An EC2 instance needs the name of a pre-existing key pair to secure ssh access to itself. A key pair is region-based.

Key Pair Operations

There does not seem to be a way to create key pairs with CloudFormation.