EC2
Elastic Cloud Compute
File system
There are 3 types of file systems that can be used with EC2:
Instance Store: Physically connected to the EC2 instance. They can't be re-used for other EC2 instances and if an EC2 instance is deleted the data on these is deleted as well.
Elastic Block Storage (EBS): Independent networked volumes. They can be re-used across EC2 instances. They live on even if the EC2 instance is terminated
Elastic File System (EFS): Scaleable, independent networked volumes. Compared to EBS these can be accessed by multiple EC2 instances at the same time (1-1000) from multiple AZs. They're similar to a network drive.
Launching AMIs
When launching an AMI you need to decide between instance volume backed AMIs and EBS backed AMIs. Instance backed AMIs cannot be stopped, only terminated or restarted. Whereas EBS backed AMIs can be stopped and the data is persisted on the EBS volume.
A stopped EC2 instance does not cost money, so by using EBS you can essentially free up the EC2 resources while keeping your data. Instance backed EC2 instances can only be freed up by terminating them, and you're losing the data on the instance volume in this case.
Instance volume backed | EBS volume backed |
---|---|
restart, terminate | restart, stop, terminate |
slower boot, data needs to be transferred from S3 | faster boot time, data is already on EBS |
Creating an EC2 instance
Switch to EC2 service
Launch instance
Choose image, e.g. Amazon Linux 2
Choose instance type
Select network
Select subnet
Next
Select EBS type (default 8GB SSD)
Add a tag to better recognise the instance
Create new security group
set name and description
for production we would want to restrict ssh access
Add rule to open port where application will be running on (e.g. 8080, 3000 etc.)
Custom TCP
Set desired port range
Source: anywhere
Launch
Create a new keypair to ssh into the instance.
Set name & download keyfile
Elastic IP
A public IP address that is independent of an EC2 instance. It can be assigned, unassigned and destroyed.
Assign an elastic IP
EC2 service dashboard -> Elastic IPs
Allocate Elastic IP address
Add tag
Allocate
Actions -> Associate Elastic IP Address
Instance: ec2 instance name
Private ip: select IP of instance
Associate
SSH into EC2 instance and install nodeJS
Prepare PEM file:
chmod 400 <path-to-pem-file>
SSH command:
ssh -i <pem-file> ec2-user@<public-ip>
Update packages:
sudo yum update
Install node
curl -sL https://rpm.nodesource.com/setup_16.x | sudo bash -
sudo yum install -y nodejs
Copy files to EC2 via SCP
scp -r -i <pem-file> <folder-to-copy> ec2-user@<public-ip>:/home/ec2-user
Scaling EC2 Infrastructure
There are two types of scaling
Vertical Scaling: The instance is "scaled up", e.g. more RAM, CPU or in the context of AWS simply a larger instance type.
Horizontal Scaling: You "scale out", this means adding additional instances to handle the workload.
Auto Scaling Group (ASG)
A launch template defines the instance configuration for the auto scaling group. E.g. what OS, instance type etc.
You also define the min, max and desired number of instances in the group.
The Auto Scaling Group performs health check on each instance by visiting an URL.
An auto scaling group exists in 1 or more availability zone of a single region.
ASGs work with on-demand and spot instances.
An ASG on its own is useless, it needs a Load Balancer to balance the incoming traffic between instances. The ASG communicates with the application load balancer to route traffic. E.g. in case a instance becomes unhealthy the ASG lets the load balancer know.
AWS Secrets Manager
The secrets manager in respect to auto scaling is needed so tokens, credentials etc. can be securely accessed by a freshly started instance. Secrets Manager can automatically rotate credentials.
Securing access to EC2 instances
Security Groups
SGs serve as a firewall for EC2 instances. They control inbound and outbound traffic at the instance level. EC2 instances can belong to multiple security groups.
VPCs have a default security group, but other than that you always have to explicitly associate an EC2 instance with a security group.
By default on a security group all outbound traffic is allowed.
Network ACLs
Network ACLs work at the subnet level within a VPC. A network ACL enables you to allow and deny traffic. Each VPC comes with a default ACL that allows all inbound and outbound traffic.
New custom ACL's deny all traffic until rules are added.
AWS VPN
With AWS VPN you can create an encrypted tunnel into you VPC. This can be used to connect a data center or individual client machines to the VPC.
There are two versions of AWS VPN:
Site-to-site VPN
A fixed VPN connection between a data center and the VPC. Differs from Direct Connect because this traffic goes over the internet (encrypted) whereas Direct Connect traffic goes over the AWS global infrastructure and not the public internet.
Client VPN
Connecting with a client computer to the VPC.
Protecting the infrastructure from attacks
AWS Shield
Shield is a managed DDoS protection service for apps on AWS. It enables on-going threat detection and mitigation.
It has 2 service levels (standard and advanced).
AWS Macie
Utilises machine learning to analyse the data in S3. It can detect personal information and intellectual property data stored in S3.
It continually watches and categorises data. And provides dashboards that show how the data is being stored and accessed.
It can also provide alerts if the detects anything unusual about data access.
Amazon Inspector
Inspector enables scanning of EC2 instances for security vulnerabilities.
Inspector charges per instance, per assessment run.
There are 2 types of rules packages:
Network reachability assessment
What is available to the internet from our servers
Host assessment
Checks servers for critical vulnerabilities to make sure everything has been patched.
Last updated