AWS EC2 Dedicated Host vs Dedicated Instances

February 7, 2023 ~ jayendrapatil

EC2 Dedicated Host vs Dedicated Instances

Each instance launched into a VPC has a tenancy attribute.
- default
  - is the default option
  - instances run on shared hardware.
  - all instances launched would be shared, unless you explicitly specify a different tenancy during the instance launch.
- dedicated
  - instance runs on single-tenant hardware.
  - all instances launched would be dedicated
  - can’t be changed to default after creation
- host
  - instance runs on a Dedicated Host, which is an isolated server with configurations that you can control.
default tenancy can’t be changed to dedicatedor hostand vice versa. Changes reflect the next time when the instance starts.
dedicatedtenancy can be changed to hostand vice versa only for the stopped instance after launch.
Dedicated Hosts and Dedicated Instances can both be used to launch EC2 instances onto physical servers that are dedicated for your use.
There are no performance, security, or physical differences between Dedicated Instances and instances on Dedicated Hosts.

Dedicated Host vs Dedicated Instances

Dedicated Hosts

EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use.
provides Affinity that allows you to specify which Dedicated Host an instance will run on after it has been stopped and restarted.
Dedicated Hosts provide visibility and the option to control how you place your instances on a specific, physical server. This enables you to deploy instances using configurations that help address corporate compliance and regulatory requirements.
Dedicated Hosts allow using existing per-socket, per-core, or per-VM software licenses, including Windows Server, Microsoft SQL Server, SUSE, and Linux Enterprise Server.
Dedicated Host is also integrated with AWS License Manager, a service that helps you manage your software licenses, including Microsoft Windows Server and Microsoft SQL Server licenses.
RDS instances are not supported.
Dedicated Hosts cannot be launched in placement groups

Dedicated Instances

Dedicated Instances are EC2 instances that run in a VPC on hardware that’s dedicated to a single customer
Dedicated Instances are physically isolated at the host hardware level from the instances that aren’t Dedicated Instances and from instances that belong to other AWS accounts.
Dedicated Instances can be launched using
- Create the VPC with the instance tenancy set to dedicated, all instances launched into this VPC are Dedicated Instances even if you mark the tenancy as shared.
- Create the VPC with the instance tenancy set to default, and specify dedicated tenancy for any instances that should be Dedicated Instances when launched.

AWS Certification Exam Practice Questions

A company wants its instances to run on single-tenant hardware with dedicated hardware for compliance reasons. Which value should they have to set the instance’s tenancy attribute to?
1. Dedicated
2. Isolated
3. Default
4. Reserved
A company is performing migration from on-premises to AWS cloud. They have a compliance requirement for application hosting on physical servers to be able to use existing server-bound software licenses. Which AWS EC2 purchase type would help fulfill the requirement?
1. Spot instances
2. Reserved instances
3. On-demand instances
4. Dedicated Hosts

References

EC2_Dedicated_Hosts_vs_Dedicated_Instances

AWS EC2 Troubleshooting

February 4, 2023 ~ Last updated on : February 6, 2023 ~ jayendrapatil ~ 20 Comments

AWS EC2 Troubleshooting

An Instance Immediately Terminates

EBS volume limit was reached. Its a soft limit and can be increased by submitting a support request
EBS snapshot is corrupt.
Root EBS volume is encrypted and you do not have permission to access the KMS key for decryption.
Instance store-backed AMI used to launch the instance is missing a required part
Resolution
- Delete unused volumes
- Ensure proper permissions to access the AWS keys.

EC2 Instance Connectivity Issues

Error connecting to your instance: Connection timed out
- Route table, for the subnet, does not have a route that sends all traffic destined outside the VPC to the Internet gateway for the VPC.
- Security group does not allow inbound traffic from the public IP address on the proper port
- ACL does not allow inbound traffic from and outbound traffic to the public IP address on the proper port
- Private key used to connect does not match with key that corresponds to the key pair selected for the instance during the launch
- Appropriate user name for the AMI is not used for e.g. user name for Amazon Linux AMI is ec2-user, Ubuntu AMI is ubuntu, RHEL5 AMI & SUSE Linux can be either root or ec2-user, Fedora AMI can be fedora or ec2-user
- If connecting from a corporate network, the internal firewall does not
  allow inbound and outbound traffic on port 22 (for Linux instances) or port 3389 (for Windows instances).
- Instance does not have the same public IP address, which changes during restarts. Associate an Elastic IP address with the instance
- CPU load on the instance is high; the server may be overloaded.
User key not recognized by the server
- private key file used to connect has not been converted to the format as required by the server
Host key not found, Permission denied (publickey), or Authentication failed, permission denied
- appropriate user name for the AMI is not used for connecting
- proper private key file for the instance is not used
Unprotected Private Key File
- private key file is not protected from read and write operations from any other users.
Server refused our key or No supported authentication methods available
- appropriate user name for the AMI is not used for connecting

Failed Status Checks

System Status Check – Checks Physical Hosts
- Lost Network connectivity
- Loss of System power
- Software issues on the physical host
- Hardware issues on the physical host
- Resolution
  - Amazon EBS-backed AMI instance – stop and restart the instance
  - Instance-store backed AMI – terminate the instance and launch a replacement.
Instance Status Check – Checks Instance or VM
- Possible reasons
  - Misconfigured networking or startup configuration
  - Exhausted memory
  - Corrupted file system
  - Failed Amazon EBS volume or Physical drive
  - Incompatible kernel
- Resolution
  - Rebooting of the Instance or making modifications in your Operating system, volumes

Instance Capacity Issues

InsufficientInstanceCapacity
- AWS does not currently have enough available capacity to service the request.
- There is a limit to the number of instances of instance type that can be launched within a region.
- Issue is mainly from the AWS side and it can be resolved by
  - reducing the request for the number of instances
  - changing the instance type
  - submitting a request without specifying the Availability Zone.
InstanceLimitExceeded
- Concurrent running instance limit, default is 20, has been reached in a region.
- Request an instance limit increase on a per-region basis

AWS Certification Exam Practice Questions

A user has launched an EC2 instance. The instance got terminated as soon as it was launched. Which of the below mentioned options is not a possible reason for this?
1. The user account has reached the maximum EC2 instance limit (Refer link)
2. The snapshot is corrupt
3. The AMI is missing. It is the required part
4. The user account has reached the maximum volume limit
If you’re unable to connect via SSH to your EC2 instance, which of the following should you check and possibly correct to restore connectivity?
1. Adjust Security Group to permit egress traffic over TCP port 443 from your IP.
2. Configure the IAM role to permit changes to security group settings.
3. Modify the instance security group to allow ingress of ICMP packets from your IP.
4. Adjust the instance’s Security Group to permit ingress traffic over port 22 from your IP
5. Apply the most recently released Operating System security patches.
You try to connect via SSH to a newly created Amazon EC2 instance and get one of the following error messages: “Network error: Connection timed out” or “Error connecting to [instance], reason: -> Connection timed out: connect,” You have confirmed that the network and security group rules are configured correctly and the instance is passing status checks. What steps should you take to identify the source of the behavior? Choose 2 answers
1. Verify that the private key file corresponds to the Amazon EC2 key pair assigned at launch.
2. Verify that your IAM user policy has permission to launch Amazon EC2 instances. (there is not need for a IAM user and just need ssh keys)
3. Verify that you are connecting with the appropriate user name for your AMI. (Although it gives different error seems the only other logical choice)
4. Verify that the Amazon EC2 Instance was launched with the proper IAM role. (role assigned to EC2 is irrelevant for ssh and only controls what AWS resources EC2 can access to)
5. Verify that your federation trust to AWS has been established (federation is for authenticating the user)
A user has launched an EBS backed EC2 instance in the us-east-1a region. The user stopped the instance and started it back after 20 days. AWS throws up an ‘Insufficient Instance Capacity’ error. What can be the possible reason for this?
1. AWS does not have sufficient capacity in that availability zone
2. AWS zone mapping is changed for that user account
3. There is some issue with the host capacity on which the instance is launched
4. The user account has reached the maximum EC2 instance limit
A user is trying to connect to a running EC2 instance using SSH. However, the user gets an Unprotected Private Key File error. Which of the below mentioned options can be a possible reason for rejection?
1. The private key file has the wrong file permission
2. The ppk file used for SSH is read only
3. The public key file has the wrong permission
4. The user has provided the wrong user name for the OS login
A user has launched an EC2 instance. However, due to some reason the instance was terminated. If the user wants to find out the reason for termination, where can he find the details?
1. It is not possible to find the details after the instance is terminated
2. The user can get information from the AWS console, by checking the Instance description under the State transition reason label
3. The user can get information from the AWS console, by checking the Instance description under the Instance Status Change reason label
4. The user can get information from the AWS console, by checking the Instance description under the Instance Termination reason label
You have a Linux EC2 web server instance running inside a VPC. The instance is in a public subnet and has an EIP associated with it so you can connect to it over the Internet via HTTP or SSH. The instance was also fully accessible when you last logged in via SSH and was also serving web requests on port 80. Now you are not able to SSH into the host nor does it respond to web requests on port 80, that were working fine last time you checked. You have double-checked that all networking configuration parameters (security groups route tables, IGW, EIP. NACLs etc.) are properly configured and you haven’t made any changes to those anyway since you were last able to reach the Instance). You look at the EC2 console and notice that system status check shows “impaired.” Which should be your next step in troubleshooting and attempting to get the instance back to a healthy state so that you can log in again?
1. Stop and start the instance so that it will be able to be redeployed on a healthy host system that most likely will fix the “impaired” system status (for system status check impaired status you need Stop Start for EBS and terminate and relaunch for Instance store)
2. Reboot your instance so that the operating system will have a chance to boot in a clean healthy state that most likely will fix the ‘impaired” system status
3. Add another dynamic private IP address to me instance and try to connect via that new path, since the networking stack of the OS may be locked up causing the “impaired” system status.
4. Add another Elastic Network Interface to the instance and try to connect via that new path since the networking stack of the OS may be locked up causing the “impaired” system status
5. un-map and then re-map the EIP to the instance, since the IGW/NAT gateway may not be working properly, causing the “impaired” system status
A user is trying to connect to a running EC2 instance using SSH. However, the user gets a connection time out error. Which of the below mentioned options is not a possible reason for rejection?
1. The access key to connect to the instance is wrong (access key is different from ssh private key)
2. The security group is not configured properly
3. The private key used to launch the instance is not correct
4. The instance CPU is heavily loaded
A user is trying to connect to a running EC2 instance using SSH. However, the user gets a Host key not found error. Which of the below mentioned options is a possible reason for rejection?
1. The user has provided the wrong user name for the OS login
2. The instance CPU is heavily loaded
3. The security group is not configured properly
4. The access key to connect to the instance is wrong (access key is different from ssh private key)

AWS EC2 – Placement Groups

February 3, 2023 ~ Last updated on : February 6, 2023 ~ jayendrapatil ~ 16 Comments

EC2 Placement Groups

EC2 Placement groups determine how the instances are placed on the underlying hardware.
AWS now provides three types of placement groups
- Cluster – clusters instances into a low-latency group in a single AZ
- Partition – spreads instances across logical partitions, ensuring that instances in one partition do not share underlying hardware with instances in other partitions
- Spread – strictly places a small group of instances across distinct underlying hardware to reduce correlated failures

Cluster Placement Groups

is a logical grouping of instances within a single Availability Zone
don’t span across Availability Zones
can span peered VPCs in the same Region
impacts High Availability as susceptible to hardware failures for the application
recommended for
- applications that benefit from low network latency, high network throughput, or both.
- when the majority of the network traffic is between the instances in the group.
To provide the lowest latency, and the highest packet-per-second network performance for the placement group, choose an instance type that supports enhanced networking
recommended to launch all group instances with the same instance type at the same time to ensure enough capacity
instances can be added later, but there are chances of encountering an insufficient capacity error
for moving an instance into the placement group,
- create an AMI from the existing instance,
- and then launch a new instance from the AMI into a placement group.
an instance still runs in the same placement group if stopped and started within the placement group.
in case of a capacity error, stop and start all of the instances in the placement group, and try the launch again. Restarting the instances may migrate them to hardware that has capacity for all requested instances
is only available within a single AZ either in the same VPC or peered VPCs
is more of a hint to AWS that the instances need to be launched physically close to each together
enables applications to participate in a low-latency, 10 Gbps network.

Partition Placement Groups

is a group of instances spread across partitions i.e. group of instances spread across racks.
Partitions are logical groupings of instances, where contained instances do not share the same underlying hardware across different partitions.
EC2 divides each group into logical segments called partitions.
EC2 ensures that each partition within a placement group has its own set of racks. Each rack has its own network and power source.
No two partitions within a placement group share the same racks, allowing isolating the impact of a hardware failure within the application.
reduces the likelihood of correlated hardware failures for the application.
can have partitions in multiple Availability Zones in the same region
can have a maximum of seven partitions per Availability Zone
number of instances that can be launched into a partition placement group is limited only by the limits of the account.
can be used to spread deployment of large distributed and replicated workloads, such as HDFS, HBase, and Cassandra, across distinct hardware.
offer visibility into the partitions and the instances to partitions mapping can be seen. This information can be shared with topology-aware applications, such as HDFS, HBase, and Cassandra. These applications use this information to make intelligent data replication decisions for increasing data availability and durability.

Spread Placement Groups

is a group of instances that are each placed on distinct underlying hardware i.e. each instance on a distinct rack with each rack having its own network and power source.
recommended for applications that have a small number of critical instances that should be kept separate from each other.
reduces the risk of simultaneous failures that might occur when instances share the same underlying hardware.
provide access to distinct hardware, and are therefore suitable for mixing instance types or launching instances over time.
can span multiple Availability Zones in the same region.
can have a maximum of seven running instances per AZ per group
maximum number of instances = 1 instance per rack * 7 racks * No. of AZs for e.g. in a Region with three AZs, a total of 21 instances in the group (seven per zone) can be launched
If the start or launch of an instance in a spread placement group fails cause of insufficient unique hardware to fulfil the request, the request can be tried later as EC2 makes more distinct hardware available over time

Placement Group Rules and Limitations

Ensure unique Placement group name within AWS account for the region.
Placement groups cannot be merged.
Instances cannot span multiple placement groups.
Instances with Dedicated Hosts cannot be launched in placement groups.
Instances with a tenancy of host cannot be launched in placement groups.
Cluster Placement groups
- can’t span multiple Availability Zones.
- supported by specific instance types which support 10 Gigabyte network
- maximum network throughput speed of traffic between two instances in a cluster placement group is limited by the slower of the two instances, so choose the instance type properly.
- can use up to 10 Gbps for single-flow traffic.
- Traffic to and from S3 buckets within the same region over the public IP address space or through a VPC endpoint can use all available instance aggregate bandwidth.
- recommended using the same instance type i.e. homogenous instance types. Although multiple instance types can be launched into a cluster placement group. However, this reduces the likelihood that the required capacity will be available for your launch to succeed.
- Network traffic to the internet and over an AWS Direct Connect connection to on-premises resources is limited to 5 Gbps.
Partition placement groups
- supports a maximum of seven partitions per Availability Zone
- Dedicated Instances can have a maximum of two partitions
- are not supported for Dedicated Hosts
- ~~are currently only available through the API or AWS CLI.~~
Spread placement groups
- supports a maximum of seven running instances per Availability Zone for e.g., in a region that has three AZs, then a total of 21 running instances in the group (seven per zone).
- are not supported for Dedicated Instances or Dedicated Hosts.

AWS Certification Exam Practice Questions

What is a cluster placement group?
- A collection of Auto Scaling groups in the same Region
- Feature that enables EC2 instances to interact with each other via high bandwidth, low latency connections
- A collection of Elastic Load Balancers in the same Region or Availability Zone
- A collection of authorized Cloud Front edge locations for a distribution
In order to optimize performance for a compute cluster that requires low inter-node latency, which feature in the following list should you use?
- AWS Direct Connect
- Cluster Placement Groups
- VPC private subnets
- EC2 Dedicated Instances
- Multiple Availability Zones
What is required to achieve gigabit network throughput on EC2? You already selected cluster-compute, 10GB instances with enhanced networking, and your workload is already network-bound, but you are not seeing 10 gigabit speeds.
1. Enable biplex networking on your servers, so packets are non-blocking in both directions and there’s no switching overhead.
2. Ensure the instances are in different VPCs so you don’t saturate the Internet Gateway on any one VPC.
3. Select PIOPS for your drives and mount several, so you can provision sufficient disk throughput
4. Use a Cluster placement group for your instances so the instances are physically near each other in the same Availability Zone. (You are not guaranteed 10 gigabit performance, except within a placement group. Using placement groups enables applications to participate in a low-latency, 10 Gbps network)
You need the absolute highest possible network performance for a cluster computing application. You already selected homogeneous instance types supporting 10 gigabit enhanced networking, made sure that your workload was network bound, and put the instances in a placement group. What is the last optimization you can make?
1. Use 9001 MTU instead of 1500 for Jumbo Frames, to raise packet body to packet overhead ratios. (For instances that are collocated inside a placement group, jumbo frames help to achieve the maximum network throughput possible, and they are recommended in this case)
2. Segregate the instances into different peered VPCs while keeping them all in a placement group, so each one has its own Internet Gateway.
3. Bake an AMI for the instances and relaunch, so the instances are fresh in the placement group and do not have noisy neighbors
4. Turn off SYN/ACK on your TCP stack or begin using UDP for higher throughput.

References

EC2_User_Guide – Placement_Groups

AWS EC2 Storage

January 31, 2023 ~ Last updated on : February 7, 2023 ~ jayendrapatil ~ 6 Comments

EC2 Storage Overview

EC2 storage provides flexible, cost-effective, and easy-to-use storage options with a unique combination of performance and durability
While EBS and Instance store are Block level, Amazon S3 is an Object level storage

EC2 Storage Options - EBS, S3 & Instance Store

Storage Types

Elastic Block Store – EBS

Elastic Block Store – EBS provides highly available, reliable, durable, block-level storage volumes that can be attached to an EC2 instance.
persists independently from the running life of an instance.
behaves like a raw, unformatted, external block device that can be attached to a single EC2 instance at a time.
is recommended for data that requires frequent and granular updates e.g. running a database or filesystem.
is Zonal and can be attached to any instance within the same Availability Zone and can be used like any other physical hard drive.
is particularly well-suited for use as the primary storage for file systems, databases, or any applications that require fine granular updates and access to raw, unformatted, block-level storage.

Instance Store Storage

Instance store provides temporary or Ephemeral block-level storage
is located on the disks that are physically attached to the host computer.
consists of one or more instance store volumes exposed as block devices.
The size of an instance store varies by instance type.
Virtual devices for instance store volumes that are ephemeral[0-23], starting the first one as ephemeral0 and so on.
While an instance store is dedicated to a particular instance, the disk subsystem is shared among instances on a host computer.
is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers.
delivers very high random I/O performance and is a good option for storage with very low latency requirements, but you don’t need the data to persist when the instance terminates or you can take advantage of fault-tolerant architectures.

Amazon EBS vs Instance Store

More detailed @ Comparison of EBS vs Instance Store

Simple Storage Service – S3

More details @ AWS S3

Elastic File Store – EFS

Elastic File Store – EFS provides a simple, fully managed, easy-to-set-up, scalable, serverless, and cost-optimized file storage
can automatically scale from gigabytes to petabytes of data without needing to provision storage.
provides managed NFS (network file system) that can be mounted on and accessed by multiple EC2 in multiple AZs simultaneously.
offers highly durable, highly scalable, and highly available.
- stores data redundantly across multiple AZs in the same region
- grows and shrinks automatically as files are added and removed, so there is no need to manage storage procurement or provisioning.
supports the Network File System version 4 (NFSv4.1 and NFSv4.0) protocol.
provides file system access semantics, such as strong data consistency and file locking.
is compatible with all Linux-based AMIs for EC2, POSIX file system (~Linux) that has a standard file API.
is a shared POSIX system for Linux systems and does not work for Windows.
offers the ability to encrypt data at rest using KMS and in transit.
can be accessed from on-premises using an AWS Direct Connect or AWS VPN connection between the on-premises datacenter and VPC.
can be accessed concurrently from servers in the on-premises data center as well as EC2 instances in the VPC.

Block Device Mapping

A block device is a storage device that moves data in sequences of bytes or bits (blocks) and supports random access and generally use buffered I/O for e.g. hard disks, CD-ROM etc
Block devices can be physically attached to a computer (like an instance store volume) or can be accessed remotely as if it was attached (like an EBS volume)
Block device mapping defines the block devices to be attached to an instance, which can either be done while creation of an AMI or when an instance is launched
Block device must be mounted on the instance, after being attached to the instance, to be able to be accessed
When a block device is detached from an instance, it is unmounted by the operating system and you can no longer access the storage device.
Additional Instance store volumes can be attached only when the instance is launched while EBS volumes can be attached to a running instance.
Viewing the block device mapping for an instance only shows the EBS volumes and not the instance store volumes. Instance metadata can be used to query the complete block device mapping.

Public Data Sets

Amazon Web Services provides a repository of public data sets that can be seamlessly integrated into AWS cloud-based applications.
Amazon stores the data sets at no charge to the community and, as with all AWS services, you pay only for the compute and storage you use for your own applications.

AWS Certification Exam Practice Questions

When you view the block device mapping for your instance, you can see only the EBS volumes, not the instance store volumes.
1. Depends on the instance type
2. FALSE
3. Depends on whether you use API call
4. TRUE

Amazon EC2 provides a repository of public data sets that can be seamlessly integrated into AWS cloud-based applications. What is the monthly charge for using the public data sets?
1. A 1 time charge of 10$ for all the datasets.
2. 1$ per dataset per month
3. 10$ per month for all the datasets
4. There is no charge for using the public data sets

How many types of block devices does Amazon EC2 support?
1. 2
2. 4
3. 3
4. 1

References

Amazon EC2 User Guide – Storage

AWS EC2 EBS Monitoring

January 31, 2023 ~ Last updated on : February 6, 2023 ~ jayendrapatil ~ 2 Comments

EBS Monitoring

AWS support EBS monitoring by automatically providing data, such as CloudWatch metrics and volume status checks to help monitor EBS volumes

CloudWatch Monitoring

CloudWatch metrics are statistical data that you can use to view, analyze, and set alarms on the operational behaviour of the EBS volumes
CloudWatch provides the below by default
- Basic – Data, in 5-minute periods at no charge, which includes data from the root devices volumes for EBS backed instances
- Detailed – Provisioned IOPS (SSD) volumes send one-minute metrics
EBS Metrics
- VolumeReadBytes & VolumeWriteBytes
  - Provides information on the I/O operations in a specified period of time, in bytes
- VolumeReadOps & VolumeWriteOps
  - Total number (count) of I/O operations in a specified period of time
- VolumeTotalReadTime & VolumeTotalWriteTime
  - Total number of seconds spent by all operations that were completed in a specified period of time
- VolumeIdleTime
  - Total number of seconds, in a specific period, when the volume was idle (no read and write operations)
- VolumeQueueLength
  - Number of read and write operations, in a specific period, waiting to be completed
- VolumeThroughputPercentage (Provisioned IOPS (SSD) volumes only)
  - Percentage of I/O operations per second (IOPS) delivered of the total IOPS provisioned
- VolumeConsumedReadWriteOps (Provisioned IOPS (SSD) volumes only)
  - Total amount of read and write operations (normalized to 256K capacity units) consumed in a specified period of time

Volume Status Checks Monitoring

EC2 EBS Volume Status Check Monitoring

Volume status checks are automated tests that run every 5 minutes and return a pass or fail status.
Volume check status
- Ok – all the status checks passed
- Impaired – if the status checks failed
- Insufficient-Data – checks are still in progress
- Warning – the I/O performance of the volume is below expectations
When EBS determines the volume’s data is potentially inconsistent, it disables the I/O to the EBS volume from the attached EC2 instance to prevent any data corruption. This leads to the status check to fail and the volume status being impaired. Amazon waits for the I/O to be enabled, giving you an opportunity to perform consistency checks.
If the auto disabling of I/O is not needed, it can be overridden by enabling the Auto-Enabled IO flag, which would make the EBS volume auto-available immediately after the impaired status.
Events would be fired for notification whenever the I/O for an EBS volume is disabled
I/O performance status checks, applicable only for PIOPS (SSD) volumes, compare actual volume performance with the expected volume performance and alert if performing below expectations. Status check is performed every 1 min, however, is collected by CloudWatch every 5 mins.
While initializing Provisioned IOPS (SSD) volumes that were restored from snapshots, the performance of the volume may drop below 50 percent of its expected level, which causes the volume to display a warning state in the I/O Performance status check. This is expected and can be ignored.

EC2 EBS Volume Status

Volume Events Monitoring

EBS generates events for volume status checks
Each event includes a start time that indicates the time at which the event occurred and a duration that indicates how long I/O for the volume was disabled
Events description can be Awaiting Action (to enable I/O), IO enabled, IO Auto-Enabled, or whether the status check resulted in Normal, Degraded, Severely Degraded, or stalled status

AWS Certification Exam Practice Questions

A user has configured CloudWatch monitoring on an EBS backed EC2 instance. If the user has not attached any additional device, which of the below mentioned metrics will always show a 0 value?
1. DiskReadBytes
2. NetworkIn
3. NetworkOut
4. CPUUtilization
What does it mean if you have zero IOPS and a non-empty I/O queue for all EBS volumes attached to a running EC2 instance?
1. The I/O queue is buffer flushing.
2. Your EBS disk head(s) is/are seeking magnetic stripes.
3. The EBS volume is unavailable. (EBS volumes are unavailable when all of the attached volumes perform zero read write IO, with pending IO in the queue Refer link)
4. You need to re-mount the EBS volume in the OS.
While performing the volume status checks, if the status is insufficient-data, what does it mean?
1. checks may still be in progress on the volume
2. check has passed
3. check has failed

References

EC2 User Guide – Monitoring Volume Status

AWS EC2 Instance Metadata & Userdata

January 31, 2023 ~ Last updated on : February 6, 2023 ~ jayendrapatil ~ 4 Comments

EC2 Instance Metadata & Userdata

Instance metadata and user data can be used for Self Configuration allowing EC2 instances answer the question Who am I? What should I do?
Instance metadata and user data can be accessed from within the instance itself
Data is not protected by authentication or cryptographic methods. Anyone who can access the instance can view its metadata and should not be used to any store sensitive data, such as passwords, as user data.
Both the metadata and user data are available from the IP address 169.254.169.254 and have the latest as well as previous versions available
Metadata and User data can be retrieved using simple curl or GET command and these requests are not billed

Instance Metadata

Instance metadata is data about the instance and allows you to get answers to the Who am I?
is divided into two categories
- Instance metadata
  - includes metadata about the instance such as instance id, AMI id, hostname, IP address, role, etc
  - Can be accessed from http://169.254.169.254/latest/meta-data/
- Dynamic data
  - is generated when the instances are launched such as instance identity documents, instance monitoring, etc
  - Can be accessed from http://169.254.169.254/latest/dynamic/
can be used for managing and configuring running instances
allows access to user data that specified when launching the instance

Instance Metadata Access Methods

Instance metadata can be accessed from a running instance using one of the following methods:
- Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method
- Instance Metadata Service Version 1 (IMDSv1) – a request/response method
By default, either IMDSv1 or IMDSv2, or both can be used.
Instance metadata service distinguishes between IMDSv1 and IMDSv2 requests based on whether, for any given request, either the PUT or GET headers, which are unique to IMDSv2, are present in that request.
Instance metadata service can be configured on each instance so that local code or users must use IMDSv2. When IMDSv2 is enforced, IMDSv1 no longer works.

IMDSv2

IMDSv2 uses session-oriented requests.
With session-oriented requests, a session token that defines the session duration is created, which can be a minimum of one second and a maximum of six hours.
During the specified duration, the same session token can be used for subsequent requests.
After the specified duration expires, a new session token to use for future requests must be created.

User Data

User data can be used for bootstrapping (launching commands when the machine starts) EC2 instance and helps answer the What should I do?
is supplied when launching a EC2 instance and executed at boot time
can be in the form of parameters or user defined script executed when the instance is launched for e.g. perform software patch updates, load and update the application from an S3 bucket etc
can be used to build more generic AMIs, which can then be configured at launch time dynamically
can be retrieved from http://169.254.169.254/latest/user-data
By default, user data scripts and cloud-init directives run only during the first boot cycle when an EC2 instance is launched.
If you stop an instance, modify the user data, and start the instance, the new user data is not executed automatically.
However, user data script and cloud-init directives can be configured with a mime multi-part file. A mime multi-part file allows the script to override how frequently user data is executed in the cloud-init package.
is treated as opaque data and returned as is.
is limited to 16 KB. This limit applies to the data in raw form, not base64-encoded form.
must be base64-encoded before being submitted to the API. EC2 command line tools perform the base64 encoding. The data is decoded before being presented to the instance.

Cloud-Init & EC2Config

Cloud-Init and EC2Config provides the ability to parse the user-data script on the instance and run the instructions
Cloud-Init
- Amazon Linux AMI supports Cloud-Init, which is an open source application built by Canonical.
- is installed on Amazon Linux, Ubuntu and RHEL AMIs
- enables using the EC2 UserData parameter to specify actions to run on the instance at boot time
- User data is executed on first boot using Cloud-Init, if the user data begins with #!
EC2Config
- EC2Config is installed on Windows Server AMIs
- User data is executed on first boot using Cloud-Init (technically EC2Config parses the instructions) if the user data begins with <script> or <powershell>
- EC2Config service is started when the instance is booted. It performs tasks during initial instance startup (once) and each time you stop and start the instance.
- It can also perform tasks on demand. Some of these tasks are enabled automatically, while others must be enabled manually.
- uses settings files to control its operation
- service runs Sysprep, a Microsoft tool that enables creation of customized Windows AMI that can be reused.
- When EC2Config calls Sysprep, it uses the settings files in EC2ConfigService\Settings to determine which operations to perform.

AWS Certification Exam Practice Questions

How can software determine the public and private IP addresses of the Amazon EC2 instance that it is running on?
1. Query the local instance metadata
2. Query the appropriate Amazon CloudWatch metric.
3. Query the local instance userdata.
4. Use ipconfig or ifconfig command.
The base URI for all requests for instance metadata is ___________
1. http://254.169.169.254/latest/
2. http://169.169.254.254/latest/
3. http://127.0.0.1/latest/
4. http://169.254.169.254/latest/
Which Amazon Elastic Compute Cloud feature can you query from within the instance to access instance properties?
1. Instance user data
2. Resource tags
3. Instance metadata
4. Amazon Machine Image
You need to pass a custom script to new Amazon Linux instances created in your Auto Scaling group. Which feature allows you to accomplish this?
1. User data
2. EC2Config service
3. IAM roles
4. AWS Config
By default, when an EBS volume is attached to a Windows instance, it may show up as any drive letter on the instance. You can change the settings of the _____ Service to set the drive letters of the EBS volumes per your specifications.
1. EBSConfig Service
2. AMIConfig Service
3. EC2Config Service
4. Ec2-AMIConfig Service
How can software determine the public and private IP addresses of the Amazon EC2 instance that it is running on?
1. Query the appropriate Amazon CloudWatch metric.
2. Use ipconfig or ifconfig command.
3. Query the local instance userdata.
4. Query the local instance metadata.

References

AWS Documentation – EC2_Instance_Metadata_Userdata

AWS EC2 Network Features

January 30, 2023 ~ Last updated on : February 6, 2023 ~ jayendrapatil ~ 24 Comments

EC2 Network Features

EC2 Network covers a lot of features for low latency access, High Performance Computing, Enhanced Networking, etc.

EC2 and VPC

All the EC2 instance types can be launched in a VPC
Instance types C4, M4 & T2 are available in VPC only and cannot be launched in EC2-Classic
Launching an EC2 instance within a VPC provides the following benefits
- Assign static private IP addresses to instances that persist across starts and stops
- Assign multiple IP addresses to the instances
- Define network interfaces, and attach one or more network interfaces to the instances
- Change security group membership for the instances while they’re running
- Control the outbound traffic from the instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering)
- Add an additional layer of access control to the instances in the form of network access control lists (ACL)
- Run the instances on single-tenant dedicated hardware

EC2 Instance IP Addressing

Private IP address & Internal DNS Hostnames
- Private IP address is the IP address that’s not reachable over the internet and can be resolved only within the network
- When an instance is launched, the default network interface eth0 is assigned a private IP address and an internal DNS hostname, which resolves to the private IP address and can be used for communication between the instances in the same network only
- Private IP address and DNS hostname cannot be resolved outside the network that the instance is in.
- Private IP address behaviour
  - remains associated with the instance when it is stopped or rebooted
  - is disassociated only when the instance is terminated
- An instance when launched can be assigned a private IP address or EC2 will automatically assign an IP address to the instance within the address range of the subnet
- Additional private IP addresses, known as secondary private IP addresses can also be assigned. Unlike primary private IP addresses, secondary private IP addresses can be reassigned from one instance to another.
Public IP address and External DNS hostnames
- A public IP address is reachable from the Internet
- Each instance assigned a public IP address is also given an External DNS hostname.
- External DNS hostname resolves to the public IP address outside the network and to the private IP address within the network.
- Public IP address is associated with the primary Private IP address through NAT
- Within a VPC, an instance may or may not be assigned a public IP address depending upon the subnet Assign Public IP attribute
- Public IP address assigned to the pool is from the public IP address pool and is assigned to the instance, and not to the AWS account. It cannot be reused once disassociated and is released back to the pool
- Public IP address behaviour
  - cannot be manually associated or disassociated with an instance
  - is released when an instance is stopped or terminated.
  - a new public IP address is assigned when a stopped instance is started
  - is released when an instance is assigned an Elastic IP address
  - is not assigned if there is more than one network interface attached to the instance
Multiple Private IP addresses
- In EC2-VPC, multiple private IP addresses can be specified to the instances.
- This can be useful in the following cases
  - Host multiple websites on a single server by using multiple SSL certificates on a single server and associating each certificate with a specific IP address.
  - Operate network appliances, such as firewalls or load balancers, that have multiple private IP addresses for each network interface.
  - Redirect internal traffic to a standby instance in case the instance fails, by reassigning the secondary private IP address to the standby instance.
- Multiple IP addresses work with Network Interfaces
  - Secondary IP address can be assigned to any network interface, which can be attached or detached from an instance
  - Secondary IP address must be assigned from the CIDR block range of the subnet for the network interface
  - Security groups apply to network interfaces and not to IP addresses
  - Secondary private IP addresses can be assigned and unassigned to ENIs attached to running or stopped instances.
  - Secondary private IP addresses that are assigned to a network interface can be reassigned to another one if you explicitly allow it.
  - Primary private IP addresses, secondary private IP addresses, and any associated Elastic IP addresses remain with the network interface when it is detached from an instance or attached to another instance.
  - Although the primary network interface cannot be moved from an instance, the secondary private IP address of the primary network interface can be reassigned to another network interface.

Elastic IP Addresses

An Elastic IP address is a static IP address designed for dynamic cloud computing.
An elastic IP address can help mask the failure of an instance or software by rapidly remapping the address to another instance in the account.
The elastic IP address is associated with the AWS account and it remains associated with the account until released explicitly
An elastic IP address is NOT associated with a particular instance
When an instance is launched in the default VPC, it is assigned 2 IP addresses, a private and a public IP address, which are mapped to the private IP address through NAT
An instance launched in a non-default VPC is assigned only a private IP address unless a public address is specifically requested or the subnet public IP attribute is enabled
When an Elastic IP address is assigned to an instance, the public IP address is disassociated with the instance
For an instance, without a public IP address, to communicate to the internet it must be assigned an Elastic IP address
When the Elastic IP address is dissociated the public IP address is assigned back to the instance. However, if a secondary network interface is attached to the instance, the public IP address is not automatically assigned
Elastic IP addresses are not charged when associated with a running instance
Amazon imposes a small hourly fee for an unused Elastic IP address to ensure efficient use of Elastic IP addresses. So charges would be applied, if it is not associated or associated with an instance in a stopped state or associated with an unattached network interface.
All AWS accounts are limited to 5 EIPs (soft limit) because public (IPv4) Internet addresses are a scarce public resource

Elastic Network Interfaces (ENI)

Elastic Network Interfaces (ENIs) are virtual network interfaces that can be attached to the instances running in a VPC only
ENI consists of the following
- A primary private IP address.
- One or more secondary private IP addresses
- One Elastic IP address per private IP address.
- One public IP address, which can be auto-assigned to the elastic network interface for eth0 when an instance is launched, but only when an elastic network interface for eth0 is created instead of using an existing network interface
- One or more security groups
- A MAC address
- A source/destination check flag
- A description
ENI can be created without being attached to an instance
ENI can be attached to an instance, detached from that instance and attached to another instance. Attributes of an ENI like elastic IP address, private IP address follow the ENI and when moved from one instance to another instance & all traffic to the ENI will be routed to the new instance.
An instance in VPC always has a default primary ENI attached (eth0) with a private IP address assigned from the VPC range and cannot be detached
Additional ENI (eth1-ethn) can be attached to the instance and the number varies depending upon the instance type
Most important difference between eth0 and eth1 is that eth0 cannot be dynamically attached or detached from a running instance.
Primary ENIs (eth0) is created automatically when an EC2 instance is launched and are also deleted automatically when the instance is terminated unless the administrator has changed a property of the ENI to keep it alive afterwards.
Multiple elastic network interfaces are useful for use cases:
- Create a management network
  - Primary ENI eth0 handles backend with more restrictive control
  - Secondary ENI eth1 handles the public facing traffic
- Licensing authentication
  - Fixed MAC address associated with a license authentication
- Use network and security appliances in your VPC
  - configure a third-party network and security appliances (load balancers, NAT, proxy) with the secondary ENI
- Create dual-homed instances with workloads/roles on distinct subnets.
- Create a low-budget, high-availability solution
  - If one of the instances serving a particular function fails, its elastic network interface can be attached to a replacement or hot standby instance pre-configured for the same role in order to rapidly recover the service
  - As the interface maintains its private IP, EIP, and MAC address, network traffic will begin flowing to the standby instance as soon as it is attached to the replacement instance
ENI Best Practices
- ENI can be attached to an instance when it’s running (hot attach), when it’s stopped (warm attach), or when the instance is being launched (cold attach).
- Primary (eth0) interface can’t be detached
- Secondary (ethN) ENI can be detached when the instance is running or stopped.
- ENI in one subnet can be attached to an instance in another subnet, but the same AZ and same VPC
When launching an instance from the CLI or API, both the primary (eth0) and additional elastic network interfaces can be specified
Launching an Amazon Linux or Microsoft Windows Server instance with multiple network interfaces automatically configures interfaces, private IP addresses, and route tables on the operating system of the instance.
A warm or hot attach of an additional ENI may require bringing up the second interface manually, configure the private IP address, and modify the route table accordingly.
Instances running Amazon Linux or Microsoft Windows Server automatically recognize the warm or hot attach and configure themselves.
Attaching another ENI to an instance is not a method to increase or double the network bandwidth to or from the dual-homed instance.

Placement Groups

EC2 Placement groups determine how the instances are placed on the underlying hardware.
AWS now provides three types of placement groups
- Cluster – clusters instances into a low-latency group in a single AZ
- Partition – spreads instances across logical partitions, ensuring that instances in one partition do not share underlying hardware with instances in other partitions
- Spread – strictly places a small group of instances across distinct underlying hardware to reduce correlated failures

Network Maximum Transmission Unit – MTU

MTU of a network connection is the size, in bytes, of the largest permissible packet that can be transferred over the connection.
The larger the MTU of the connection the more the data can be transferred in a single packet
Largest ethernet packet size supported over most of the internet is 1500 MTU
Jumbo Frames
- Jumbo frames are Ethernet frames that allow more than 1500 bytes of data by increasing the payload size per packet and thus increasing the percentage of the packet that is not packet overhead.
- Fewer packets are needed to send the same amount of usable data
- Jumbo frames should be used with caution for Internet-bound traffic or any traffic that leaves a VPC.
- Packets are fragmented by intermediate systems, which slows down this traffic.
Maximum supported MTU for an instance depends on its instance type
All EC2 instance types support 1500 MTU, and many current instance sizes support 9001 MTU or Jumbo frames
Traffic is limited to a maximum MTU of 1500 in the following cases:
- Traffic outside of a given AWS Region for EC2-Classic
- Traffic outside of a single VPC
- Traffic over an inter-region VPC peering connection
- Traffic over VPN connections
- Traffic over an internet gateway
For instances that are collocated inside a placement group, jumbo frames help to achieve the maximum network throughput possible, and they are recommended in this case.

Enhanced Networking

Enhanced networking results in higher bandwidth, higher packet per second (PPS) performance, lower latency, consistency, scalability, and lower jitter.
EC2 provides enhanced networking capabilities using single root I/O virtualization (SR-IOV) only on supported instance types
- SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization
It can be enabled for other OS distributions by installing the module with the correct attributes configured

Elastic Fabric Adapter – EFA

An Elastic Fabric Adapter (EFA) is a network device that can be attached to the EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications.
EFA helps achieve the application performance of an on-premises HPC cluster, with the scalability, flexibility, and elasticity provided by AWS.
EFA provides lower and more consistent latency and higher throughput than the TCP transport traditionally used in cloud-based HPC systems.
EFA enhances the performance of inter-instance communication which is critical for scaling HPC and machine learning applications.
EFA is optimized to work on the existing AWS network infrastructure and it can scale depending on application requirements.
EFAs provide all of the same traditional IP networking features as ENAs, and they also support OS-bypass capabilities. OS-bypass enables HPC and machine learning applications to bypass the operating system kernel and to communicate directly with the EFA device.

AWS Certification Exam Practice Questions

A user is launching an EC2 instance in the US East region. Which of the below mentioned options is recommended by AWS with respect to the selection of the availability zone?
1. Always select the US-East-1-a zone for HA
2. Do not select the AZ; instead let AWS select the AZ
3. The user can never select the availability zone while launching an instance
4. Always select the AZ while launching an instance
You have multiple Amazon EC2 instances running in a cluster across multiple Availability Zones within the same region. What combination of the following should be used to ensure the highest network performance (packets per second), lowest latency, and lowest jitter? Choose 3 answers
1. Amazon EC2 placement groups (would not work for multiple AZs. Defaults to Cluster)
2. Enhanced networking (provides network performance, lowest latency)
3. Amazon PV AMI (Needs HVM)
4. Amazon HVM AMI
5. Amazon Linux (Can work on other flavors of Unix as well)
6. Amazon VPC (Enhanced networking works only in VPC)
Regarding the attaching of ENI to an instance, what does ‘warm attach’ refer to?
1. Attaching an ENI to an instance when it is stopped
2. Attaching an ENI to an instance when it is running
3. Attaching an ENI to an instance during the launch process
Can I detach the primary (eth0) network interface when the instance is running or stopped?
1. Yes, You can.
2. You cannot
3. Depends on the state of the interface at the time
By default what are ENIs that are automatically created and attached to instances using the EC2 console set to do when the attached instance terminates?
1. Remain as is
2. Terminate
3. Hibernate
4. Pause
Select the incorrect statement
1. In Amazon EC2, the private IP addresses only returned to Amazon EC2 when the instance is stopped or terminated
2. In Amazon VPC, an instance retains its private IP addresses when the instance is stopped.
3. In Amazon VPC, an instance does NOT retain its private IP addresses when the instance is stopped
4. In Amazon EC2, the private IP address is associated exclusively with the instance for its lifetime
To ensure failover capabilities, consider using a _____ for incoming traffic on a network interface”.
1. primary public IP
2. secondary private IP
3. secondary public IP
4. add on secondary IP
Which statements are true about Elastic Network Interface (ENI)? (Choose 2 answers)
1. You can attach an ENI in one AZ to an instance in another AZ
2. You can change the security group membership of an ENI
3. You can attach an instance to tow different subnets within a VPC by using two ENIs
4. You can attach an ENI in one VPC to an instance in another VPC
A user is planning to host a web server as well as an app server on a single EC2 instance, which is a part of the public subnet of a VPC. How can the user setup to have two separate public IPs and separate security groups for both the application as well as the web server?
1. Launch a VPC instance with two network interfaces. Assign a separate security group to each and AWS will assign a separate public IP to them. (AWS cannot assign public IPs for instance with multiple ENIs)
2. Launch VPC with two separate subnets and make the instance a part of both the subnets.
3. Launch a VPC instance with two network interfaces. Assign a separate security group and elastic IP to them.
4. Launch a VPC with ELB such that it redirects requests to separate VPC instances of the public subnet.
An organization has created multiple components of a single application for compartmentalization. Currently all the components are hosted on a single EC2 instance. Due to security reasons the organization wants to implement two separate SSLs for the separate modules although it is already using VPC. How can the organization achieve this with a single instance?
1. Create a VPC instance, which will have both the ACL and the security group attached to it and have separate rules for each IP address.
2. Create a VPC instance, which will have multiple network interfaces with multiple elastic IP addresses.
3. You have to launch two instances each in a separate subnet and allow VPC peering for a single IP.
4. Create a VPC instance, which will have multiple subnets attached to it and each will have a separate IP address.
Your system automatically provisions EIPs to EC2 instances in a VPC on boot. The system provisions the whole VPC and stack at once. You have two of them per VPC. On your new AWS account, your attempt to create a Development environment failed, after successfully creating Staging and Production environments in the same region. What happened?
1. You didn’t choose the Development version of the AMI you are using.
2. You didn’t set the Development flag to true when deploying EC2 instances.
3. You hit the soft limit of 5 EIPs per region and requested a 6th. (There is a soft limit of 5 EIPs per Region for VPC on new accounts. The third environment could not allocate the 6th EIP)
4. You hit the soft limit of 2 VPCs per region and requested a 3rd.
A user has created a VPC with a public subnet. The user has terminated all the instances, which are part of the subnet. Which of the below mentioned statements is true with respect to this scenario?
1. The user cannot delete the VPC since the subnet is not deleted
2. All network interface attached with the instances will be deleted
3. When the user launches a new instance it cannot use the same subnet
4. The subnet to which the instances were launched with will be deleted

References

Amazon EC2 User Guide – Security & Network

AWS EC2 Amazon Machine Image – AMI

January 25, 2023 ~ Last updated on : February 6, 2023 ~ jayendrapatil ~ 6 Comments

Amazon Machine Image – AMI

An Amazon Machine Image – AMI provides the information required to launch an instance, which is a virtual server in the cloud.
An AMI is basically a template and can be used to launch as many instances as needed
Within a VPC, instances can be launched from as many different AMIs
An AMI includes the following:
- One or more EBS snapshots, or, for instance-store-backed AMIs, a template for the root volume of the instance for e.g, an operating system, an application server, and applications
- Launch permissions that control which AWS accounts can use the AMI to launch instances for e.g. AWS account ids whom the AMI is shared
- A block device mapping that specifies the volumes to attach to the instance when it’s launched
Amazon Machine Images can be either
- AWS managed, provided, and published AMIs
- Third-party or Community provided public custom AMIs
- Private AMIs created by other AWS accounts and shared with you
- Private and Custom AMIs created by you

AMI Types

Region & Availability Zone
- are regional but can be copied over to other regions
Operating system
- are available in a variety of OS flavors for e.g. Linux, windows, etc.
Architecture (32-bit or 64-bit)
Launch Permissions
- Launch permissions define who has access to the AMI
  - Public – Accessible to all AWS accounts
  - Explicit – Shared with specific AWS accounts
  - Private/Implicit – Owned and available for AMI creator account only
Root device storage
- can have EBS or Instance store as the root device storage
- EBS backed
  - EBS volumes are independent of the EC2 instance lifecycle and can persist independently
  - EBS backed instances can be stopped without losing the volumes
  - EBS instance can also be persisted without losing the volumes on instance termination if the Delete On Termination flag is disabled
  - EBS backed instances boot up much faster than the Instance store backed instances as only the parts required to boot the instance needs to be retrieved from the snapshot before the instance is made available
  - AMI creation is much easier for AMIs backed by EBS. The CreateImage API action creates the EBS-backed AMI and registers it
- Instance Store backed
  - Instance store is ephemeral storage and is dependent on the lifecycle of the Instance
  - Instance store is deleted if the instance is terminated or if the EBS backed instance, with attached instance store volumes, is stopped
  - Instance store volumes cannot be stopped
  - Instance store volumes have their AMI in S3 and have higher boot times compared to EBS backed instances, as all the parts have to be retrieved from S3 before the instance is made available
  - To create Linux AMIs backed by the instance store, you must create an AMI from your instance on the instance itself using the Amazon EC2 AMI tools.

More detailed @ EBS vs Instance Store

Linux Virtualization Types

Linux Amazon Machine Images use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM).
Main difference between PV and HVM AMIs is the way in which they boot and whether they can take advantage of special hardware extensions (CPU, network, and storage) for better performance.
For the best performance, AWS recommends the use of current generation instance types and HVM AMIs when launching instances.
HVM AMIs
- HVM AMIs are presented with a fully virtualized set of hardware and boot by executing the master boot record of the root block device of the image.
- HVM virtualization type provides the ability to run an operating system directly on top of a virtual machine without any modification as if it were run on bare-metal hardware.
- EC2 host system emulates some or all of the underlying hardware that is presented to the guest.
- HVM guests, unlike PV guests, can take advantage of hardware extensions that provide fast access to the underlying hardware on the host system.
- HVM AMIs are required to take advantage of enhanced networking and GPU processing. In order to pass through instructions to specialized network and GPU devices, the OS needs to be able to have access to the native hardware platform; HVM virtualization provides this access.
- All current generation instance types support HVM AMIs.The CC2, CR1, HI1, and HS1 previous generation instance types support HVM AMIs.
PV AMIs
- PV AMIs boot with a special boot loader called PV-GRUB, which starts the boot cycle and then chain loads the kernel specified in the menu.lst file on your image.
- Paravirtual guests can run on host hardware that does not have explicit support for virtualization, but they cannot take advantage of special hardware extensions such as enhanced networking or GPU processing
- C3 and M3 current generation instance types support PV AMIs. The C1, HI1, HS1, M1, M2, and T1 previous generation instance types support PV AMIs.

Shared AMIs

Shared AMI is an AMI that can be created and shared with others for use
A Shared AMI with all the components needed can be used to get started and then add custom components as and when needed
Shared AMI can be risky as Amazon does not perform detailed checks and vouch for the integrity and security of these AMIs
Before using a Shared AMI, check for any pre-installed credentials that would allow unwanted access to the instance by a third party and no pre-configured remote logging that could transmit sensitive data to a third party
Amazon allows you to share an image, by defining launch permissions, to all (making it public) or only to specific AWS accounts
Launch permissions work at the AWS account level only, and can’t be used to restrict specific users within an AWS account.
Sharing an image does not affect the ownership of the AMI
Only AMIs with unencrypted volumes or encrypted with a customer-managed key can be shared.
AMIs are a regional resource. Therefore, sharing an image makes it available in that Region. To make an image available in a different Region, copy the AMI to the Region and then share it.
Make AMI Public
- AMIs with encrypted volumes cannot be made public.
- AMI with product codes or snapshots of an encrypted volume can’t be made public; they can be shared only with specific AWS accounts.
Guidelines for Shared Linux AMIs
- Update the AMI Tools at Boot-Time
  - Update the AMI tools or any software during startup.
  - Take into account the software updates do not break any software and consider the WAN traffic as the downloads will be charged to the AMI user
- Disable Password-Based Remote Logins for Root
  - Fixed root passwords can be a security risk and need to be disabled
- Disable Local Root Access
  - disable direct root logins
- Remove SSH Host Key Pairs
  - Remove the existing SSH host key pairs located in /etc/ssh, which forces SSH to generate new unique SSH key pairs when someone launches an instance using your AMI, improving security and reducing the likelihood of “man-in-the-middle” attacks
- Install Public Key Credentials
  - EC2 allows users to specify a public-private key pair name when launching an instance.
  - A valid key pair name needs to be provided when launching an instance, the public key, the portion of the key pair that EC2 maintains on the server, is made available to the instance through an HTTP query against the instance metadata and appended to the authorized keys
  - Users can launch instances of the AMI with a key pair and log in without requiring a root password
- Disabling sshd DNS Checks (Optional)
  - Disabling sshd DNS checks slightly weaken the sshd security. However, if DNS resolution fails, SSH logins still work. If you do not disable sshd checks, DNS resolution failures prevent all logins.
- Identify Yourself
  - AMI is only represented by an account ID without any further information, so it is better to provide more information to help describe the AMI
- Protect Yourself
  - Don’t store any sensitive data or software on the AMI
  - Exclude & Skip any directories holding sensitive data or secret information and delete the shell history before creating an AMI

AMI lifecycle

- Create and register an AMI
- launch new instances. (You can also launch instances from an AMI if the AMI owner grants you launch permissions)
- Copy an AMI to the same region or to different regions.
- Deregister the AMI, when finished launching an instance from an AMI

AMI Creation

EBS-Backed Linux AMI

Screen Shot 2016-04-12 at 7.39.18 AM.png

EBS-Backed Linux AMI can be created from the instance directly or from the EBS snapshot
EBS-backed Linux AMI creation process:-
1. Select an AMI #1 similar to what you want to have your new AMI #2
2. Launch an Instance from AMI #1 and configure it accordingly
3. Stop the instance to ensure data integrity
4. Create AMI #2 OR create an EBS snapshot and then create an AMI #2 from the snapshot
5. Amazon automatically register the EBS-backed AMI
6. AMI #2 can be now used to launch new instances
By default, EC2 shuts down the instance, takes snapshots of any attached volumes, creates and registers the AMI, and then reboots the instance.
No Reboot option
- No Reboot option prevents the instance from shut down & reboot
- AMI will be crash consistent as all the volumes are snapshotted at the same time
- However, AMI is not application consistent as all the operating system buffers are not flushed to disk before the snapshots are created and file system integrity can’t be guaranteed
EC2 creates snapshots of the instance’s root volume and any other EBS volumes attached to the instance. If any volumes attached to the instance are encrypted, the new AMI only launches successfully on instances that support Amazon EBS encryption
For any additional instance-store volumes or EBS volumes, the block device mapping for the new AMI contains information for these volumes and the block device mappings for instances that you launch from the new AMI automatically contain information for these volumes.
While data on EBS volumes persist, the Instance-store volumes specified in the block device mapping for the new instance are new and don’t contain any data from the instance store volumes of the instance you used to create the AMI.
It’s more efficient to create an EBS-backed AMI with EBS snapshots already taken as the snapshot created during AMI creation is just an incremental one
You are charged for the storage of both the image and the snapshots

Instance Store-Backed Linux AMI

Screen Shot 2016-04-12 at 7.39.28 AM.png

Instance Store-Backed Linux AMI creation process
1. Select an AMI #1 similar to what you want to have your new AMI #2
2. Launch an Instance from AMI #1 and configure the instance accordingly
3. Bundle the Instance. It takes several minutes for the bundling process to complete.
4. After the process completes, you have a bundle, which consists of an image manifest (image.manifest.xml) and files (image.part.xx) that contain a template for the root volume.
5. Upload the bundle to the S3 bucket
6. Register the Instance Store-backed AMI.
7. Launching an instance using the new AMI #2, the root volume for the instance is created using the bundle that you uploaded to S3.
Charges are incurred for the storage space used by the bundle in S3 until deleted
For additional instance store volumes, not root volumes, the block device mapping for the new AMI contains information for these volumes and the block device mappings for instances that you launch from the new AMI automatically contain information for these volumes.

Deregistering AMI

Charges are incurred on the AMI created and they can be deregistered, if not needed.
Deregistering an AMI does not delete the EBS snapshots or the bundles in the S3 buckets and have to be removed separately
Once deregistered, new instances cannot be launched from the AMI. However, it does not impact already created instances from the AMI
Clean up EBS-Backed AMI

Screen Shot 2016-04-12 at 8.11.28 AM.png

- Deregister the EBS-Backed AMI
- Delete the EBS Snapshot, as deregistering the AMI doesn’t impact the snapshot
Clean up Instance Store-backed AMI

Screen Shot 2016-04-12 at 8.11.21 AM.png

- Deregister the EBS-Backed AMI
- Delete the bundle from the S3 bucket, as deregistering the AMI doesn’t affect the bundles stored in the S3 bucket

AMIs with Encrypted Snapshots

AMIs, with EBS backed snapshots, can be attached with both an encrypted root and data volume
AMIs copy image can be used to create AMIs with encrypted snapshots from AMIs with unencrypted snapshots. By default, copy image preserves the encryption status of the snapshots
Snapshots can be encrypted with either default AWS Key Management Service customer master key (CMK), or with a custom key that you specify

AMI Copying

EBS-backed AMIs and instance store-backed AMIs can be copied.
Copying an AMI
- An identical target AMI is created, but with its own unique identifier
- For EBS backed AMI, identical but distinct root and data snapshots are created
- Encryption status of the snapshots are preserved
- However, Launch permissions, user-defined tags, or S3 bucket permissions are not copied from the source AMI to the new AMI. After the copy operation is complete, different launch permissions, user-defined tags, and S3 bucket permissions to the new AMI
Source AMI can be deregistered without any impact to the Target AMI
AMIs owned or shared with proper permissions can be copied
AMIs are created specific to a region and can be copied within or across regions which can help to aid in the consistent global deployment and build highly scalable and available applications
AMI copy image can be used to encrypt an AMI from an unencrypted AMI
AMIs with encrypted snapshots can be copied and also encryption status changed during the copy process.
AWS Marketplace AMI cannot be copied, regardless of whether obtained directly or shared. Instead, launch an EC2 instance using the AWS Marketplace AMI and then create an AMI from the instance.

Amazon Linux 2 and Amazon Linux AMI

Amazon Linux 2 and Linux AMI is a supported and maintained Linux image provided by AWS with the following features

A stable, secure, and high-performance execution environment for applications running on EC2.
- does not allow remote root SSH by default.
- Password authentication is disabled to prevent brute-force password attacks.
- Instances launched using Amazon Linux AMI must be provided with a key pair at launch to enable SSH logins
- Inbound security group must allow SSH access
- By default, the only account that can log in remotely using SSH is ec2-user ; this account also has sudo privileges.
- are configured to download and install security updates at launch time.
Provided at no additional charge to Amazon EC2 users.
Repository access to multiple versions of MySQL, PostgreSQL, Python, Ruby, Tomcat, and many more common packages.
Updated on a regular basis to include the latest components, and these updates are also made available in the yum repositories for installation on running instances.
Includes pre-installed packages to enable easy integration with AWS services, such as the AWS CLI, Amazon EC2 API, and AMI tools, the Boto library for Python, and the Elastic Load Balancing tools.

EC2 Image Builder

EC2 Image Builder is a fully managed AWS service that makes it easier to automate the creation, management, and deployment of customized, secure, and up-to-date server images that are pre-installed and pre-configured with software and settings to meet specific IT standards
EC2 Image Builder simplifies the building, testing, and deployment of Virtual Machine and container images for use on AWS or on-premises.
Image Builder significantly reduces the effort of keeping images up-to-date and secure by providing a simple graphical interface, built-in automation, and AWS-provided security settings.
Image Builder removes any manual steps for updating an image and you do not have to build your own automation pipeline.
Image Builder provides a one-stop-shop to build, secure, and test up-to-date Virtual Machine and container images using common workflows.
Image Builder allows image validation for functionality, compatibility, and security compliance with AWS-provided tests and your own tests before using them in production.
Image Builder is offered at no cost, other than the cost of the underlying AWS resources used to create, store, and share the images.

AWS Certification Exam Practice Questions

A user has launched an EC2 instance from an instance store backed AMI. The infrastructure team wants to create an AMI from the running instance. Which of the below mentioned credentials is not required while creating the AMI?
1. AWS account ID
2. 509 certificate and private key
3. AWS login ID to login to the console
4. Access key and secret access key
A user has launched an EC2 Windows instance from an instance store backed AMI. The user wants to convert the AMI to an EBS backed AMI. How can the user convert it?
1. Attach an EBS volume to the instance and unbundle all the AMI bundled data inside the EBS
2. A Windows based instance store backed AMI cannot be converted to an EBS backed AMI
3. It is not possible to convert an instance store backed AMI to an EBS backed AMI
4. Attach an EBS volume and use the copy command to copy all the ephemeral content to the EBS Volume
A user has launched two EBS backed EC2 instances in the US-East-1a region. The user wants to change the zone of one of the instances. How can the user change it?
1. Stop one of the instances and change the availability zone
2. The zone can only be modified using the AWS CLI
3. From the AWS EC2 console, select the Actions – > Change zones and specify new zone
4. Create an AMI of the running instance and launch the instance in a separate AZ
A user has launched a large EBS backed EC2 instance in the US-East-1a region. The user wants to achieve Disaster Recovery (DR) for that instance by creating another small instance in Europe. How can the user achieve DR?
1. Copy the running instance using the “Instance Copy” command to the EU region
2. Create an AMI of the instance and copy the AMI to the EU region. Then launch the instance from the EU AMI
3. Copy the instance from the US East region to the EU region
4. Use the “Launch more like this” option to copy the instance from one region to another
A user has launched an EC2 instance store backed instance in the US-East-1a zone. The user created AMI #1 and copied it to the Europe region. After that, the user made a few updates to the application running in the US-East-1a zone. The user makes an AMI#2 after the changes. If the user launches a new instance in Europe from the AMI #1 copy, which of the below mentioned statements is true?
1. The new instance will have the changes made after the AMI copy as AWS just copies the reference of the original AMI during the copying. Thus, the copied AMI will have all the updated data
2. The new instance will have the changes made after the AMI copy since AWS keeps updating the AMI
3. It is not possible to copy the instance store backed AMI from one region to another
4. The new instance in the EU region will not have the changes made after the AMI copy
George has shared an EC2 AMI created in the US East region from his AWS account with Stefano. George copies the same AMI to the US West region. Can Stefano access the copied AMI of George’s account from the US West region?
1. No, copy AMI does not copy the permission
2. It is not possible to share the AMI with a specific account
3. Yes, since copy AMI copies all private account sharing permissions
4. Yes, since copy AMI copies all the permissions attached with the AMI
EC2 instances are launched from Amazon Machine images (AMIS). A given public AMI can:
1. be used to launch EC2 Instances in any AWS region.
2. only be used to launch EC2 instances in the same country as the AMI is stored.
3. only be used to launch EC2 instances in the same AWS region as the AMI is stored. (An AMI is tied to the region where its files are located within Amazon S3)
4. only be used to launch EC2 instances in the same AWS availability zone as the AMI is stored.

References

Amazon EC2 User Guide – AMIs

AWS EC2 Instance Store Storage

November 21, 2022 ~ Last updated on : February 6, 2023 ~ jayendrapatil ~ 19 Comments

EC2 Instance Store

An instance store provides temporary or Ephemeral block-level storage for an Elastic Cloud Compute – EC2 instance.
is located on the disks that are physically attached to the host computer.
consists of one or more instance store volumes exposed as block devices.
The size of an instance store varies by instance type.
Virtual devices for instance store volumes that are ephemeral[0-23], starting the first one as ephemeral0 and so on.
While an instance store is dedicated to a particular instance, the disk subsystem is shared among instances on a host computer.
is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers.
delivers very high random I/O performance and is a good option for storage with very low latency requirements, but you don’t need the data to persist when the instance terminates or you can take advantage of fault-tolerant architectures.

Instance Store Lifecycle

Instance store data lifetime is dependent on the lifecycle of the Instance to which it is attached.
Data on the Instance store persists when an instance is rebooted.
However, the data on the instance store does not persist if the
- underlying disk drive fails
- instance terminates
- instance hibernates
- instance stops i.e. if the EBS-backed instance with instance store volumes attached is stopped
Stopping, hibernating, or terminating an instance would cause every block of storage in the instance store to be reseted.
If an AMI is created from an Instance with an Instance store volume, the data on its instance store volume isn’t preserved.

Instance Store Volumes

Instance type of an instance determines the size of the instance store available for the instance and the type of hardware used for the instance store volumes.
Instance store volumes are included as part of the instance’s hourly cost.
Some instance types use solid-state drives (SSD) to deliver very high random I/O performance, which is a good option when storage with very low latency is needed, but the data does not need to be persisted when the instance terminates or architecture is fault tolerant.

Instance Store Volumes with EC2 instances

EBS volumes and instance store volumes for an instance are specified using a block device mapping.
Instance store volume
- can only be attached to an EC2 instance only when an instance is launched.
- cannot be detached and reattached to a different instance.
After an instance is launched, the instance store volumes for the instance should be formatted and mounted before it can be used.
Root volume of an instance store-backed instance is mounted automatically

Instance Store Optimizing Writes

Because of the way that EC2 virtualizes disks, the first write to any location on an instance store volume performs more slowly than subsequent writes.
Amortizing (gradually writing off) this cost over the lifetime of the instance might be acceptable.
However, if high disk performance is required, AWS recommends initializing the drives by writing once to every drive location before production use

EBS vs Instance Store

Refer blog post @ EBS vs Instance Store

AWS Certification Exam Practice Questions

Please select the most correct answer regarding the persistence of the Amazon Instance Store
1. The data on an instance store volume persists only during the life of the associated Amazon EC2 instance
2. The data on an instance store volume is lost when the security group rule of the associated instance is changed.
3. The data on an instance store volume persists even after associated Amazon EC2 instance is deleted
A user has launched an EC2 instance from an instance store backed AMI. The user has attached an additional instance store volume to the instance. The user wants to create an AMI from the running instance. Will the AMI have the additional instance store volume data?
1. Yes, the block device mapping will have information about the additional instance store volume
2. No, since the instance store backed AMI can have only the root volume bundled
3. It is not possible to attach an additional instance store volume to the existing instance store backed AMI instance
4. No, since this is ephemeral storage it will not be a part of the AMI
When an EC2 instance that is backed by an S3-based AMI Is terminated, what happens to the data on the root volume?
1. Data is automatically saved as an EBS volume.
2. Data is automatically saved as an EBS snapshot.
3. Data is automatically deleted
4. Data is unavailable until the instance is restarted.
A user has launched an EC2 instance from an instance store backed AMI. If the user restarts the instance, what will happen to the ephemeral storage data?
1. All the data will be erased but the ephemeral storage will stay connected
2. All data will be erased and the ephemeral storage is released
3. It is not possible to restart an instance launched from an instance store backed AMI
4. The data is preserved
When an EC2 EBS-backed instance is stopped, what happens to the data on any ephemeral store volumes?
1. Data will be deleted and will no longer be accessible
2. Data is automatically saved in an EBS volume.
3. Data is automatically saved as an EBS snapshot
4. Data is unavailable until the instance is restarted
A user has launched an EC2 Windows instance from an instance store backed AMI. The user has also set the Instance initiated shutdown behavior to stop. What will happen when the user shuts down the OS?
1. It will not allow the user to shutdown the OS when the shutdown behavior is set to Stop
2. It is not possible to set the termination behavior to Stop for an Instance store backed AMI instance
3. The instance will stay running but the OS will be shutdown
4. The instance will be terminated
Which of the following will occur when an EC2 instance in a VPC (Virtual Private Cloud) with an associated Elastic IP is stopped and started? (Choose 2 answers)
1. The Elastic IP will be dissociated from the instance
2. All data on instance-store devices will be lost
3. All data on EBS (Elastic Block Store) devices will be lost
4. The ENI (Elastic Network Interface) is detached
5. The underlying host for the instance is changed

References

Amazon EC2 User Guide Instance Store

AWS EC2 Network – Enhanced Networking

November 10, 2022 ~ Last updated on : February 6, 2023 ~ jayendrapatil ~ 9 Comments

EC2 Enhanced Networking

Enhanced networking results in higher bandwidth, higher packet per second (PPS) performance, lower latency, consistency, scalability and lower jitter
EC2 provides enhanced networking capabilities using single root I/O virtualization (SR-IOV) only on supported instance types
- SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization
Amazon Linux AMIs and Windows Server 2012 R2 AMI already have the module installed with the attributes set and do not require any additional configurations.
It can be enabled for other OS distributions by installing the module with the correct attributes configured
Enhanced Networking is supported using
- Elastic Network Adapter (ENA)
  - The Elastic Network Adapter (ENA) supports network speeds of up to 100 Gbps for supported instance types.
  - The current generation instances use ENA for enhanced networking, except for C4, D2, and M4 instances smaller than m4.16xlarge.
- Intel 82599 Virtual Function (VF) interface
  - The Intel 82599 Virtual Function interface supports network speeds of up to 10 Gbps for supported instance types.
  - supported instance types: C3, C4, D2, I2, M4 (excl. m4.16xlarge), and R3.

VF Enhanced Networking Key Requirements

VPC, as enhanced networking can’t be enabled for instance in EC2-Classic
an HVM virtualization type AMI
Instance kernel version
- Linux kernel version of 2.6.32+
- Windows: Server 2008 R2+
Appropriate Virtual Function (VF) driver
- Linux – should have the ixgbevf module installed and that sriovNetSupport attribute set for the instance
- Windows- Intel 82599 Virtual Function driver
supported instance types: C3, C4, D2, I2, M4 (excl. m4.16xlarge), and R3.

AWS Certification Exam Practice Questions

You have multiple Amazon EC2 instances running in a cluster across multiple Availability Zones within the same region. What combination of the following should be used to ensure the highest network performance (packets per second), lowest latency, and lowest jitter? Choose 3 answers
1. Amazon EC2 placement groups (would not work for multiple AZs)
2. Enhanced networking (provides network performance, lowest latency)
3. Amazon PV AMI (Requires HVM)
4. Amazon HVM AMI (Requires HVM)
5. Amazon Linux (Can be on others as well)
6. Amazon VPC (works only in VPC, can’t enable enhanced networking if the instance is in EC2-Classic)
A group of researchers is studying the migration pattern of a beetle that eats and destroys gram. The researchers must process massive amounts of data and run statistics. Which one of the following options provides the high performance computing for this purpose.
1. Configure an Autoscaling Scaling group to launch dozens of spot instances to run the statistical analysis simultaneously
2. Launch AMI instances that support SR-IOV in a single Availability Zone
3. Launch compute optimized (C4) instances in at least two Availability Zones
4. Launch enhanced network type instances in a placement group

References

Enhanced_Networking_on_Linux