AWS Solution Architect Associate SAA-C02: Part 6 - EC2.
Paul Reynolds
YDC help ambitious companies do business securely with technical leadership, GRC, testing, and cyber security advice | CISSP | CITP FBCS | MSc | CSTM | BCS & IASME Assessor
Everything we learned to pass the Amazon Web Services (AWS) Solutions Architect Associate exam (SAA-C02). Study guide, as well as a downloadable PDF, at https://www.blackchili.co.uk/training/aws-solution-architect-associate/. Probably about an hour to read, and making your own notes is recommended. An MP3 of each chapter, as well as of the full course, is also available!
EC2 — Elastic Compute (Virtual Machines)
EC2 — Elastic Compute Cloud. Allows server infrastructure to be scaled up or down in minutes, reducing lead times and Capex. EC2 instances run on either the Xen hypervisor (older instance generations) or the Nitro system (current generations).
Pricing models. On demand: priced by the hour or second, with no up-front payment and no commitment. Good for short-term, spiky or unpredictable workloads that cannot be interrupted, and for initial application testing on AWS.
Reserved instances: a 1 year or 3 year commitment; the more you pay up front, the more you save. Good for steady-state or predictable usage, applications that need reserved capacity, and customers able to make up-front payments to reduce overall cost. Three types: standard reserved instances (up to 75% off on demand, depending on how much is paid up front); convertible reserved instances, which allow the instance type to be changed; and scheduled reserved instances, which reserve capacity for a recurring time window (for example a nightly batch job).
Spot instances use AWS spare capacity, priced at a discount to encourage use. Instances are interrupted (with a two minute warning) when the Spot price rises above your maximum price. Good for applications with flexible start and end times, applications that need very low cost, and users with an urgent need for large amounts of compute capacity. If the instance is interrupted by AWS you are not charged for the partial hour of usage; if you terminate it yourself you are charged for the whole hour in which it ran.
Dedicated hosts are physical EC2 servers dedicated to your use. Useful where regulation does not permit multi-tenant virtualisation, or where server-bound licensing (per socket or per core) does not permit cloud deployment. Can be purchased on demand or reserved.
Instance types. F — FPGA, I — IOPS, G — Graphics, H — High disk throughput, T — Cheap and General purpose, D — Density, R — RAM, M — main choice for general purpose apps, C — Compute, P — Graphics (Pics), X — Extreme Memory, Z — Extreme CPU and memory, A — ARM, U — Bare metal FIGHTDRMCPXZAU. The numbers are the generation, and not important for the exam.
When provisioning an EC2 instance, the availability zone names are mapped randomly per AWS account: ‘1a’ in one account may be a different physical zone from ‘1a’ in another account, so never assume the names line up across accounts. Within one account the mapping is stable; use the AZ ID (for example use1-az1) when you need to identify the physical zone.
Monitoring is every 5 minutes by default; 1 minute intervals require detailed monitoring to be enabled (at extra cost).
Configure security group: attaches a virtual firewall to the instance's network interface.
Root storage volumes can now be encrypted at launch.
Delete on termination is not selected by default on additional storage volumes. Root volumes are deleted on termination by default.
Termination protection is turned off by default, must be manually selected.
Security groups: any change to a security group takes effect immediately. The rules are stateful: if a request is allowed in, its response is allowed out regardless of the outbound rules (and vice versa). All outbound traffic is allowed by default.
Security groups cannot block specific ports or source addresses, and cannot contain deny rules; to deny traffic you have to use NACLs, which are stateless and evaluate numbered rules in order. All inbound traffic is blocked by default, and security group rules are used to allow specific services either from anywhere or from specified addresses.
An EC2 instance can belong to more than one security group, and any number of instances can be members of a security group.
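The stateful-versus-stateless distinction above is the one people get wrong in practice, so here is an added example (not from the course or from AWS; a small simulator written for these notes) that models the evaluation rules: a security group with allow-only rules, an implicit inbound deny, and connection tracking so replies pass without an outbound rule; and a NACL with numbered rules, first match wins, explicit deny, and no tracking, so replies on ephemeral ports need their own rule. Flows are simplified to (protocol, service port, peer address) rather than a full 5-tuple, and the addresses and rule sets are constructed for the scenario.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    proto: str             # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACL rules may be "deny"; security groups are allow-only
    number: int = 0        # NACL rule number (lowest wins); ignored for security groups

    def matches(self, proto: str, port: int, addr: str) -> bool:
        return ((self.proto == "-1" or self.proto == proto)
                and self.port_from <= port <= self.port_to
                and ip_address(addr) in ip_network(self.cidr))


class SecurityGroup:
    """Stateful and allow-only. Flows are keyed (proto, service port, peer); once one
    direction of a flow is allowed, the other direction passes automatically."""

    def __init__(self, inbound=(), outbound=None):
        # AWS default: no inbound rules (deny all in), one rule allowing everything out.
        self.inbound = list(inbound)
        self.outbound = list(outbound) if outbound is not None else [Rule("-1", 0, 65535, "0.0.0.0/0")]
        for r in self.inbound + self.outbound:
            if r.action != "allow":
                raise ValueError("security groups cannot contain deny rules")
        self._established = set()  # connection tracking table

    def evaluate(self, direction: str, proto: str, port: int, peer: str) -> bool:
        flow = (proto, port, peer)
        if flow in self._established:
            return True                      # return traffic of an already-allowed flow
        rules = self.inbound if direction == "in" else self.outbound
        if any(r.matches(proto, port, peer) for r in rules):
            self._established.add(flow)
            return True
        return False                         # implicit deny


class NetworkAcl:
    """Stateless: every packet is judged on its own, the lowest-numbered matching rule
    wins, and the implicit final rule denies. Reply traffic needs an explicit rule."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, direction: str, proto: str, port: int, peer: str) -> bool:
        for r in (self.inbound if direction == "in" else self.outbound):
            if r.matches(proto, port, peer):
                return r.action == "allow"
        return False


def demo() -> dict:
    """Constructed scenario: a web server that must accept HTTPS from anywhere except
    one abusive address, 198.51.100.7 (documentation range, made up for the example)."""
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
    nacl = NetworkAcl(
        inbound=[Rule("tcp", 443, 443, "198.51.100.7/32", "deny", 100),
                 Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 110)],
        outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)],  # ephemeral ports for replies
    )
    nacl_without_ephemeral_rule = NetworkAcl(inbound=nacl.inbound, outbound=[])
    results = {
        "sg_client_in": sg.evaluate("in", "tcp", 443, "203.0.113.5"),
        "sg_reply_out": sg.evaluate("out", "tcp", 443, "203.0.113.5"),   # no outbound rules, still allowed
        "sg_abuser_in": sg.evaluate("in", "tcp", 443, "198.51.100.7"),   # a security group cannot block it
        "nacl_abuser_in": nacl.evaluate("in", "tcp", 443, "198.51.100.7"),
        "nacl_client_in": nacl.evaluate("in", "tcp", 443, "203.0.113.5"),
        "nacl_reply_out": nacl.evaluate("out", "tcp", 51234, "203.0.113.5"),
        "nacl_reply_without_ephemeral_rule": nacl_without_ephemeral_rule.evaluate("out", "tcp", 51234, "203.0.113.5"),
    }
    try:
        SecurityGroup(inbound=[Rule("tcp", 443, 443, "198.51.100.7/32", "deny")])
        results["sg_deny_rule_accepted"] = True
    except ValueError:
        results["sg_deny_rule_accepted"] = False
    return results
```

The point to take away: the security group lets the abuser in no matter what you add to it, and the NACL blocks the abuser but silently drops the server's replies the moment you forget the outbound ephemeral-port rule.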
EBS — elastic block store. A virtual block storage volume in the cloud. Each volume is automatically replicated within its availability zone to protect against component failure. 5 types — General purpose, provisioned IOPS, Throughput optimised HDD, Cold HDD, EBS Magnetic.
General Purpose (gp2) SSD is designed to balance price and performance: up to 16,000 IOPS per volume.
Provisioned IOPS (io1) SSD is for when the IOPS requirement exceeds what gp2 can deliver: up to 64,000 IOPS per volume.
Throughput optimised HDD (st1) is for big data and data warehousing: frequently accessed, throughput-intensive workloads; up to 500 IOPS per volume.
Cold HDD (sc1) is for file servers and other less frequently accessed data; the lowest cost HDD option, up to 250 IOPS per volume.
EBS Magnetic (standard) is a previous generation offering, still available for use cases where data is infrequently accessed: 40 to 200 IOPS.
EBS volumes are always in the same availability zone as the EC2 instance they are attached to; a volume cannot be attached to an instance in another AZ.
EBS volumes can be made larger on the fly, although the change can take time to complete. OS changes are then required: the partition and file system must be extended before the new space is usable.
The root volume's type can be changed (for example from general purpose to provisioned IOPS) and its size can be increased, but not decreased, all on the fly.
To move an EC2 instance or EBS volume to a different availability zone, take a snapshot, create an AMI (Amazon Machine Image) from the snapshot using hardware assisted virtualisation, then launch the AMI into a subnet in the target availability zone. The AMI can also be copied to a different region and used to launch instances there.
When an AMI is copied, the new image does not inherit the launch permissions, tags or S3 bucket permissions of the source; they must be applied manually.
Snapshots are point in time copies of volumes, stored in S3 (though not visible in your buckets). When taking a snapshot of an EBS root volume it is best practice to stop the instance first so the snapshot is consistent, but you can take the snapshot whilst it is running.
Volumes must be detached before they can be deleted
By default, when an EC2 instance is terminated the root volume will be deleted but additional volumes will not.
EBS vs Instance Store. AMIs can be selected by region, OS, architecture (64-bit or 32-bit), launch permissions, and the storage of the root device: instance store (ephemeral storage) or EBS backed. For an EBS backed AMI the root device is an EBS volume created from an EBS snapshot. For an instance store AMI the root device is an instance store volume created from a template stored in S3.
If you build an EC2 instance from an instance store AMI and want additional instance store volumes, they can only be added at launch. Once the instance is created, only EBS volumes can be added.
Instance store backed instances can only be rebooted or terminated; they cannot be stopped. This also means you cannot stop and start the instance to move it to a different host in the event of problems. A host failure means the loss of the instance and all data on it.
ENI vs ENA vs EFA. ENI is an elastic network interface, a virtual NIC. EN is enhanced networking, which uses single root I/O virtualisation (SR-IOV) to provide high performance networking; ENA (Elastic Network Adapter) is one implementation of it. EFA is the Elastic Fabric Adapter, a network device you can attach to an EC2 instance to accelerate high performance computing (HPC) and machine learning applications.
Use an additional ENI to create a separate management network, to use network and security appliances in your VPC, to create dual-homed instances, or to create a low budget high availability solution (by moving the ENI to a standby instance).
Enhanced networking is a method of device virtualisation for higher I/O performance and lower CPU compared to traditional network interfaces. Provides higher bandwidth and lower latency. No additional charge, though EC2 instance does have to support it.
ENA supports network speeds of up to 100 Gbps; older instance types may use the Intel 82599 Virtual Function (VF) interface, which is limited to 10 Gbps. Choose ENA over VF.
For HPC and machine learning applications, always choose the Elastic Fabric Adapter. It can bypass the OS kernel (Linux only) for lower latency and improved performance.
Encrypted Root Device Volumes & Snapshots. Root volumes can now be encrypted on creation. To encrypt an existing unencrypted root volume: take a snapshot, copy the snapshot and choose to encrypt the copy, create an image from the encrypted snapshot, then use that image to launch a new EC2 instance. You cannot launch an encrypted image onto an unencrypted root volume.
Volumes restored from encrypted snapshots are encrypted automatically, as are snapshots of encrypted volumes. Unencrypted snapshots can be shared with other AWS accounts or made public. Encrypted snapshots can never be made public; they can be shared with specific accounts only when they are encrypted with a customer managed KMS key (not the AWS managed default key), and that key must be shared with the other account as well.
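The snapshot, copy, register, launch sequence above (and the same pipeline used to move an instance to another availability zone) is shown below as an added example, written for these notes rather than taken from AWS or the course. The procedure uses the boto3 EC2 client method names and keyword arguments (create_snapshot, copy_snapshot, register_image, run_instances), so it can be pointed at a real `boto3.client("ec2")`; here it runs against a constructed in-memory stand-in that encodes the rules in the text (a snapshot inherits its volume's encryption, a copy with Encrypted=True is encrypted, a volume built from an encrypted snapshot is encrypted, and an encrypted snapshot cannot be made public). The volume, subnet and KMS key identifiers are made up.

```python
import itertools


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client, for offline demonstration only.
    It implements just the calls used below with boto3's argument names and response
    shapes, and models the EBS encryption rules described in the text."""

    def __init__(self):
        self._seq = itertools.count(1)
        self.volumes = {"vol-root0": {"Encrypted": False, "AvailabilityZone": "eu-west-2a"}}
        self.snapshots, self.images, self.instances = {}, {}, {}
        self.subnets = {"subnet-a": "eu-west-2a", "subnet-b": "eu-west-2b"}  # made-up subnets

    def _id(self, prefix):
        return f"{prefix}-{next(self._seq):08x}"

    def create_snapshot(self, VolumeId, Description=""):
        sid = self._id("snap")
        self.snapshots[sid] = {"Encrypted": self.volumes[VolumeId]["Encrypted"]}  # inherits volume state
        return {"SnapshotId": sid, "Encrypted": self.snapshots[sid]["Encrypted"]}

    def copy_snapshot(self, SourceSnapshotId, SourceRegion, Encrypted=False, KmsKeyId=None, **_):
        sid = self._id("snap")
        # An encrypted source stays encrypted; Encrypted=True encrypts an unencrypted source.
        self.snapshots[sid] = {"Encrypted": Encrypted or self.snapshots[SourceSnapshotId]["Encrypted"]}
        return {"SnapshotId": sid}

    def register_image(self, Name, RootDeviceName, BlockDeviceMappings, **_):
        iid = self._id("ami")
        root = next(m for m in BlockDeviceMappings if m["DeviceName"] == RootDeviceName)
        self.images[iid] = {"RootSnapshotId": root["Ebs"]["SnapshotId"]}
        return {"ImageId": iid}

    def run_instances(self, ImageId, SubnetId, MinCount=1, MaxCount=1, **_):
        snap = self.snapshots[self.images[ImageId]["RootSnapshotId"]]
        vid, inst, az = self._id("vol"), self._id("i"), self.subnets[SubnetId]
        self.volumes[vid] = {"Encrypted": snap["Encrypted"], "AvailabilityZone": az}  # restored volume
        self.instances[inst] = {"RootVolumeId": vid, "AvailabilityZone": az}
        return {"Instances": [{"InstanceId": inst, "Placement": {"AvailabilityZone": az}}]}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, GroupNames=(), **_):
        if "all" in GroupNames and self.snapshots[SnapshotId]["Encrypted"]:
            raise PermissionError("encrypted snapshots cannot be made public")
        return {}


def encrypt_root_and_relaunch(ec2, volume_id, kms_key_id, region, target_subnet_id):
    """The call sequence from the text, as you would issue it to boto3.client('ec2'):
    snapshot the unencrypted root volume, copy the snapshot with encryption, register
    an AMI from the encrypted copy, and launch it into the target subnet (any AZ)."""
    snap = ec2.create_snapshot(VolumeId=volume_id, Description="pre-encryption")["SnapshotId"]
    enc = ec2.copy_snapshot(SourceSnapshotId=snap, SourceRegion=region,
                            Encrypted=True, KmsKeyId=kms_key_id)["SnapshotId"]
    ami = ec2.register_image(
        Name=f"encrypted-{volume_id}", Architecture="x86_64", VirtualizationType="hvm",
        RootDeviceName="/dev/xvda",
        BlockDeviceMappings=[{"DeviceName": "/dev/xvda",
                              "Ebs": {"SnapshotId": enc, "DeleteOnTermination": True}}],
    )["ImageId"]
    launched = ec2.run_instances(ImageId=ami, SubnetId=target_subnet_id, MinCount=1, MaxCount=1)
    return {"snapshot": snap, "encrypted_snapshot": enc, "image": ami,
            "instance": launched["Instances"][0]["InstanceId"]}


def demo():
    ec2 = FakeEc2()
    ids = encrypt_root_and_relaunch(ec2, "vol-root0", "alias/ebs-demo", "eu-west-2", "subnet-b")
    new_root = ec2.instances[ids["instance"]]["RootVolumeId"]
    try:
        ec2.modify_snapshot_attribute(SnapshotId=ids["encrypted_snapshot"], Attribute="createVolumePermission",
                                      OperationType="add", GroupNames=["all"])
        public_ok = True
    except PermissionError:
        public_ok = False
    return {
        "original_snapshot_encrypted": ec2.snapshots[ids["snapshot"]]["Encrypted"],
        "copied_snapshot_encrypted": ec2.snapshots[ids["encrypted_snapshot"]]["Encrypted"],
        "new_root_volume_encrypted": ec2.volumes[new_root]["Encrypted"],
        "new_instance_az": ec2.instances[ids["instance"]]["AvailabilityZone"],
        "encrypted_snapshot_made_public": public_ok,
    }
```

Against a real account you would replace `FakeEc2()` with `boto3.client("ec2", region_name="eu-west-2")`, pick a subnet in the AZ you want, and remember that the original instance and its unencrypted snapshot still exist afterwards and need cleaning up.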
CloudWatch is a monitoring service for AWS resources and for applications running on AWS. It can monitor compute (EC2, autoscaling groups, elastic load balancers, Route53 health checks) and storage and content delivery (EBS volumes, storage gateways and CloudFront).
CloudWatch and EC2: host level metrics such as CPU, network, disk and status checks can be monitored. CloudWatch monitors EC2 every 5 minutes by default; detailed monitoring brings this down to 1 minute.
CloudWatch can use alarms to trigger notifications.
CloudTrail increases visibility of user and resource activity by recording AWS Management Console actions and API calls. Use CloudTrail to identify which users and accounts called AWS, the source IP addresses and the time and date.
CloudWatch is all about performance, CloudTrail is all about auditing.
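To make the auditing point concrete, here is an added example (not from the course) of the triage you would run over CloudTrail records: who made the call, from where, and whether it deserves a look. The records are constructed for the example, using the CloudTrail record field names (eventTime, eventName, sourceIPAddress, userIdentity, errorCode), and the trusted address range and account number are made up. It flags root account usage, calls from outside the trusted range, and AccessDenied errors, and leaves calls made by AWS services on your behalf alone.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed CloudTrail records (not real log data); fields follow the CloudTrail record format.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2021-03-02T09:14:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "eu-west-2", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"}},
    {"eventTime": "2021-03-02T09:20:11Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventTime": "2021-03-02T09:21:40Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventTime": "2021-03-02T10:02:33Z", "eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
     "awsRegion": "eu-west-2", "sourceIPAddress": "10.20.31.9", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebServerRole/i-0abc123"}},
    {"eventTime": "2021-03-02T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-2", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}},
]})


def principal(identity: dict) -> str:
    """Reduce the userIdentity block to a short, comparable name."""
    kind = identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return f"user/{identity.get('userName')}"
    if kind == "AssumedRole":
        return identity.get("arn", "assumed-role/?").split(":")[-1]   # assumed-role/<role>/<session>
    return identity.get("invokedBy") or kind or "unknown"


def from_trusted(source: str, trusted) -> bool:
    """sourceIPAddress is a DNS name (e.g. ec2.amazonaws.com) when an AWS service
    made the call on your behalf; those are not client addresses and are not flagged."""
    try:
        addr = ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in trusted)


def triage(trail_json: str, trusted_cidrs) -> list:
    """Return one finding per record that deserves a look, in log order."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        who, src = principal(rec["userIdentity"]), rec.get("sourceIPAddress", "")
        reasons = []
        if who == "root":
            reasons.append("root account used")
        if not from_trusted(src, trusted):
            reasons.append("call from outside trusted range")
        if rec.get("errorCode") == "AccessDenied":
            reasons.append("access denied")
        if reasons:
            findings.append({"time": rec["eventTime"], "who": who, "event": rec["eventName"],
                             "ip": src, "reasons": reasons})
    return findings
```

Run it over `triage(SAMPLE_TRAIL, ["10.20.0.0/16"])` and the two root actions from the untrusted address surface first (a console login followed by an access key being created is exactly the sequence you want to see quickly), with the denied S3 call from the web server's role third.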
Detailed monitoring can be enabled during instance creation, or afterwards via the Actions menu. Standard metrics are CPU, disk and network. Anything beyond the standard metrics (memory, for example) requires a custom metric published from the instance.
Notification alarms can be set on specific metrics, for example CPU utilisation (or RAM, via a custom metric): emails are sent when a threshold is breached for a defined period.
Dashboards can be created for monitoring metrics, either regionally or globally.
Logs can be sent to, aggregated in and stored in CloudWatch. Events can be set up to give near real-time views of state changes.
The AWS Command Line Interface (CLI) is global; a user account needs programmatic access (an access key ID and secret access key) to execute commands from the command line.
Command line commands are not in the exam, but basic commands are useful, so a review is recommended.
IAM Roles. Create a role with the necessary permissions and assign it from the EC2 Actions menu; the instance can then use the CLI and SDKs without any credentials being stored in the user's home directory under .aws.
Roles are easier to manage than access keys on multiple systems, and more secure: the credentials are temporary and rotated automatically. They can be assigned to an EC2 instance after creation, and they are global, so they can be used in any region.
Bootstrap scripts can be used to pipe in command line bash scripts during start-up. Can be very powerful.
EC2 Instance Metadata is used to get information about an instance from inside it: curl http://169.254.169.254/latest/meta-data/ (plain HTTP on a link-local address). Bootstrap data is available from /latest/user-data. Note that the instance role's temporary credentials are served from the same place (/latest/meta-data/iam/security-credentials/), so an SSRF flaw in an application on the instance can leak them; requiring IMDSv2 (session tokens) on the instance mitigates this.
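The following is an added example for these notes (not course or AWS code) of reading metadata, the role credentials and the user-data script the IMDSv2 way: a PUT to /latest/api/token to get a session token, then that token on every GET. The transport is pluggable so it runs here against a constructed stand-in for the metadata service configured with tokens required; on a real instance the same functions work with the default urllib transport. The instance ID, role name, key ID and user-data content are made up.

```python
import json
import urllib.request

IMDS = "http://169.254.169.254"   # link-local metadata endpoint; plain HTTP


def http(method: str, url: str, headers: dict) -> str:
    """Real transport. Only reachable from inside an EC2 instance."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imds_get(path: str, transport=http, ttl_seconds: int = 300) -> str:
    """IMDSv2: obtain a short-lived session token with a PUT, then present it on the GET.
    With HttpTokens=required on the instance a plain GET (IMDSv1) is refused, which is what
    stops a typical SSRF from reading /latest/meta-data/iam/security-credentials/."""
    token = transport("PUT", f"{IMDS}/latest/api/token",
                      {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    return transport("GET", f"{IMDS}{path}", {"X-aws-ec2-metadata-token": token})


def role_credentials(transport=http) -> dict:
    """The instance role name, then its temporary credentials (what the CLI and SDKs do)."""
    role = imds_get("/latest/meta-data/iam/security-credentials/", transport).strip()
    return json.loads(imds_get(f"/latest/meta-data/iam/security-credentials/{role}", transport))


class FakeImds:
    """Constructed stand-in for the metadata service with HttpTokens=required (v2 only).
    Values are made up for the example."""

    def __init__(self):
        self.tokens = set()
        self.data = {
            "/latest/meta-data/instance-id": "i-0123456789abcdef0",
            "/latest/meta-data/iam/security-credentials/": "WebServerRole",
            "/latest/meta-data/iam/security-credentials/WebServerRole": json.dumps(
                {"Code": "Success", "AccessKeyId": "ASIAEXAMPLE",
                 "SecretAccessKey": "made-up", "Token": "made-up"}),
            "/latest/user-data": "#!/bin/bash\necho bootstrap",
        }

    def __call__(self, method: str, url: str, headers: dict) -> str:
        path = url[len(IMDS):]
        if method == "PUT" and path == "/latest/api/token":
            if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
                raise PermissionError("400: token request without TTL header")
            token = f"tok-{len(self.tokens) + 1}"
            self.tokens.add(token)
            return token
        if headers.get("X-aws-ec2-metadata-token") not in self.tokens:
            raise PermissionError("401: IMDSv1 request refused (HttpTokens=required)")
        return self.data[path]


def demo() -> dict:
    fake = FakeImds()
    out = {
        "instance_id": imds_get("/latest/meta-data/instance-id", fake),
        "role_key_id": role_credentials(fake)["AccessKeyId"],
        "user_data_first_line": imds_get("/latest/user-data", fake).splitlines()[0],
    }
    try:   # what an SSRF against a v1-only-aware target does: a bare GET with no token
        fake("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/", {})
        out["v1_read_allowed"] = True
    except PermissionError:
        out["v1_read_allowed"] = False
    return out
```

To put an existing instance into the tokens-required state: `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled`. Applications that still call the metadata service without a token will break, which is the point; fix them first.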
EFS — Elastic File System. A service for EC2 that creates a shared file system which grows and shrinks automatically as data is added and removed; you only pay for the storage you use. EFS can be mounted by many EC2 instances at once.
On creation, an EFS volume is added to the default security group and default VPC. Stored across multiple availability zones within a region with read after write consistency.
EFS supports the NFS version 4 protocol, and can support thousands of concurrent NFS connections.
FSx for Windows provides a fully managed native Microsoft Windows file system, to enable Windows based applications to be moved to AWS. It is built on Windows Server, so it is essentially a managed Windows file server: SMB based, and supporting Active Directory users, ACLs, groups and security policies, as well as DFS namespaces and replication. Choose FSx for Windows file shares and SMB.
EFS is a managed NAS file system for EC2 based on NFS, one of the first network file sharing protocols native to Unix and Linux. Choose EFS for Linux shared storage.
Amazon FSx for Lustre is FSx optimised for compute intensive workloads: high performance computing, machine learning, media processing and electronic design automation. It can process massive datasets with hundreds of GB/s of throughput, millions of IOPS and sub-millisecond latency. FSx for Lustre can be linked to an S3 bucket, reading data from and writing results back to S3.
EC2 placement groups. Three types — clustered placement groups, spread placement groups and partitioned placement groups
Clustered placement groups are groups of instances within a single availability zone, ideal for apps that need low latency, high throughput, or both by keeping instances close together. Only certain instances can be launched into clustered placement groups.
Spread placement groups are groups of instances all placed on distinct hardware with separate networking and power in separate racks. Better for resilience. Can also be across multiple availability zones within a region. Use for individual critical EC2 instances. Has a limitation of a maximum of 7 instances per availability zone.
Partition placement groups are similar to the above, but you can have multiple EC2 instances in each partition within a placement group. Each partition is a separate rack with its own power and networking, so any hardware failure impact is limited to a partition. Good for multiple instances in each location — HDFS, HBase and Cassandra. Can also be across multiple availability zones within a region.
Names for placement groups must be unique within your AWS account.
Only compute optimised, GPU, memory optimised and storage optimised instances can be put in placement groups. AWS recommends using the same instance type for all instances in a clustered placement group.
Placement groups cannot be merged.
An existing EC2 instance can be moved to a placement group provided it is in a stopped state. This can be done from the CLI or SDK, but not from the console currently.
Read the rest of the Series at Black Chili -https://www.blackchili.co.uk/training/aws-solution-architect-associate/.