Amazon EC2 provides the following purchasing options for instances:
On-Demand Instances: Pay for the instances that you use by the hour, with no long-term commitments or up-front payments.
Reserved Instances: Make a low, one-time, up-front payment for an instance, reserve it for a one- or three-year term, and pay a significantly lower hourly rate for these instances.
Spot Instances: Specify the maximum hourly price that you are willing to pay to run a particular instance type. The Spot Price fluctuates based on supply and demand, but you never pay more than the maximum price you specified. If the Spot Price moves higher than your maximum price, Amazon EC2 shuts down your Spot Instances.
An Amazon Machine Image (AMI) is a template that contains a software configuration (for example, an operating system, an application server, and applications). From an AMI, you launch instances, which are copies of the AMI running as virtual servers in the cloud.
Each region contains multiple distinct locations called Availability Zones. Each Availability Zone is engineered to be isolated from failures in other Availability Zones, and to provide inexpensive, low-latency network connectivity to other zones in the same region. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location.
Amazon EBS – Elastic Block Store – provides your instances with persistent, block-level storage. Amazon EBS volumes are essentially hard disks that you can attach to a running instance. Amazon EBS is especially suited for applications that require a database, a file system, or access to raw block-level storage.
All instance types, with the exception of Micro instances, offer instance store, which provides your instances with temporary, block-level storage. This is storage that is physically attached to the host computer. The data on an instance store volume doesn’t persist when the associated instance is stopped or terminated.
Amazon S3 is storage for the Internet. It provides a simple web service interface that enables you to store and retrieve any amount of data from anywhere on the web.
Instances launched from an AMI backed by Amazon EBS use an Amazon EBS volume as the root device. The root device volume of an Amazon EBS-backed AMI is an Amazon EBS snapshot. When an instance is launched using an Amazon EBS-backed AMI, a root EBS volume is created from the EBS snapshot and attached to the instance. The root device volume is then used to boot the instance.
Instances launched from an AMI backed by instance store use an instance store volume as the root device. The image of the root device volume of an instance store-backed AMI is initially stored in Amazon S3. When an instance is launched using an instance store-backed AMI, the image of its root device is copied from Amazon S3 to the root partition of the instance. The root device volume is then used to boot the instance.
You can launch instances in one of two platforms: EC2-Classic and EC2-VPC. An instance that’s launched into EC2-Classic is assigned a public IP address. By default, an instance that’s launched into EC2-VPC is assigned a public IP address only if it’s launched into a default VPC. An instance that’s launched into a non-default VPC must be specifically assigned a public IP address at launch, or you must modify your subnet’s default public IP addressing behaviour.
Security Groups: You can use security groups to control who can access your instances. These are analogous to an inbound network firewall that enables you to specify the protocols, ports, and source IP ranges that are allowed to reach your instances. You can create multiple security groups and assign different rules to each group. You can then assign each instance to one or more security groups, and we use the rules to determine which traffic is allowed to reach the instance. You can configure a security group so that only specific IP addresses or specific security groups have access to the instance.
With Amazon CloudWatch, you can monitor various aspects of your instance and set up alarms based on criteria you choose. For example, you could configure an alarm to send you an email when an instance’s CPU exceeds 70 percent.
Amazon EC2 instance store-backed AMIs are limited to 10 GB storage for the root device, whereas Amazon EBS-backed AMIs are limited to 1 TB. All Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 AMIs are backed by an Amazon EBS volume by default because of their larger size.
You can stop an Amazon EBS-backed instance, but not an Amazon EC2 instance store-backed instance. Stopping causes the instance to stop running (its status goes from running to stopping to stopped). A stopped instance persists in Amazon EBS, which allows it to be restarted. Stopping is different from terminating; you can’t restart a terminated instance. Because Amazon EC2 instance store-backed AMIs can’t be stopped, they’re either running or terminated.
VM Import/Export is compatible with Citrix Xen, Microsoft Hyper-V, or VMware vSphere virtualization environments. If you’re using VMware vSphere, you can also use the AWS Connector for vCenter to export a VM from VMware and import it into Amazon EC2. If you use Microsoft System Center, you can also use AWS Systems Manager for Microsoft SCVMM to import Windows VMs from SCVMM to Amazon EC2.
When you stop your instance, it enters the stopping state, and then the stopped state. We don’t charge hourly usage or data transfer fees for your instance after you stop it, but we do charge for the storage for any Amazon EBS volumes. While your instance is in the stopped state, you can modify certain attributes of the instance, including the instance type.
When you start your instance, it enters the pending state, and we move the instance to a new host computer. Therefore, when you stop and start your instance, you’ll lose any data on the instance store volumes on the previous host computer.
If your instance is running in EC2-Classic, it receives a new private IP address, which means that an Elastic IP address (EIP) associated with the private IP address is no longer associated with your instance. If your instance is running in EC2-VPC, it retains its private IP address, which means that an EIP associated with the private IP address or network interface is still associated with your instance. Each time you transition an instance from stopped to running, we charge a full instance hour, even if these transitions happen multiple times within a single hour.
Rebooting an instance is equivalent to rebooting an operating system; the instance remains on the same host computer and maintains its public DNS name, private IP address, and any data on its instance store volumes. It typically takes a few minutes for the reboot to complete, but the time it takes to reboot depends on the instance configuration. Rebooting an instance doesn’t start a new instance billing hour.
The EC2Config service runs in the Local System account and performs tasks on the instance. For example, it can send Windows event logs and IIS request logs to Amazon CloudWatch Logs. The EC2Config service runs Sysprep.
Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt your login information, so it’s important that you store your private keys in a secure place.
The keys that Amazon EC2 uses are 2048-bit SSH-2 RSA keys. You can have up to five thousand key pairs per region.
A security group acts as a virtual firewall that controls the traffic for one or more instances. By default, security groups allow all outbound traffic. If there is more than one rule for a specific port, we apply the most permissive rule. Your AWS account automatically has a default security group per region for EC2-Classic. When you create a VPC, we automatically create a default security group for the VPC. If you don’t specify a different security group when you launch an instance, the instance is automatically associated with the appropriate default security group.
A default security group is named default, and it has an ID assigned by AWS. The following are the initial settings for each default security group:
- Allow inbound traffic only from other instances associated with the default security group
- Allow all outbound traffic from the instance
The default security group specifies itself as a source security group in its inbound rules. This is what allows instances associated with the default security group to communicate with other instances associated with the default security group. You can change the rules for a default security group. For example, you can add an inbound rule to allow RDP connections so that specific hosts can manage the instance. You can’t delete a default security group.
After you launch an instance in EC2-Classic, you can’t change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group. In EC2-Classic, you can associate an instance with up to 500 security groups and add up to 100 rules to a security group.
After you launch an instance in a VPC, you can change its security groups. You can also change the rules of a security group, and those changes are automatically applied to all instances that are associated with the security group. In EC2-VPC, you can associate a network interface with up to 5 security groups and add up to 50 rules to a security group. When you specify a security group for a non-default VPC in the CLI or in API actions, you must use the security group ID and not the security group name to identify the security group.
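The rule semantics described above (inbound allowed if any rule in any attached group matches, the default group referencing itself as a source, outbound allow-all by default) as a small model in Python. This is an added example, not AWS code; the group IDs, CIDRs and the audit helper for management ports are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int    # for icmp this would be type/code; not modelled here
    to_port: int
    source: str       # a CIDR ("203.0.113.0/24") or a group id ("sg-...")

@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)
    # Outbound is allow-all unless you remove that rule.
    outbound: list = field(default_factory=lambda: [Rule("-1", 0, 65535, "0.0.0.0/0")])

def default_group(group_id="sg-default"):   # hypothetical id; AWS assigns a real one
    """Initial state of a default group: inbound only from members of itself."""
    sg = SecurityGroup(group_id)
    sg.inbound.append(Rule("-1", 0, 65535, group_id))
    return sg

def rule_matches(rule, proto, port, src_ip, src_groups):
    if rule.proto != "-1":
        if rule.proto != proto or not (rule.from_port <= port <= rule.to_port):
            return False
    if rule.source.startswith("sg-"):
        # Source-group rules match on the sender's group membership, not its IP.
        return rule.source in src_groups
    return ip_address(src_ip) in ip_network(rule.source)

def inbound_allowed(groups, proto, port, src_ip, src_groups=()):
    """Union semantics: the most permissive rule across all attached groups wins."""
    return any(rule_matches(r, proto, port, src_ip, src_groups)
               for g in groups for r in g.inbound)

def world_open_ports(group, watch=(22, 3389)):
    """Audit helper: which watched ports a group opens to 0.0.0.0/0."""
    found = set()
    for r in group.inbound:
        if r.source != "0.0.0.0/0":
            continue
        for p in watch:
            if r.proto == "-1" or r.from_port <= p <= r.to_port:
                found.add(p)
    return sorted(found)
```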
IAM – AWS Identity and Access Management enables you to do the following:
- Create users and groups under your AWS account
- Assign unique security credentials to each user under your AWS account
- Control each user’s permissions to perform tasks using AWS resources
- Allow the users in another AWS account to share your AWS resources
- Create roles for your AWS account and define the users or services that can assume them
- Use existing identities for your enterprise to grant permissions to perform tasks using AWS resources
By default, IAM users don’t have permission to create or modify Amazon EC2 resources, or perform tasks using the Amazon EC2 API. (This means that they also can’t do so using the Amazon EC2 console or CLI.) To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant IAM users permission to use the specific resources and API actions they’ll need, and then attach those policies to the IAM users or groups that require those permissions.
Amazon Virtual Private Cloud (Amazon VPC) enables you to define a virtual network in your own logically isolated area within the AWS cloud, known as a virtual private cloud (VPC). You can launch your AWS resources, such as instances, into your VPC. Your VPC closely resembles a traditional network that you might operate in your own data center, with the benefits of using AWS’s scalable infrastructure. You can configure your VPC; you can select its IP address range, create subnets, and configure route tables, network gateways, and security settings. You can connect instances in your VPC to the Internet. You can connect your VPC to your own corporate data center, making the AWS cloud an extension of your data center. To protect the resources in each subnet, you can use multiple layers of security, including security groups and network access control lists.
ClassicLink allows you to link your EC2-Classic instance to a VPC in your account, within the same region. This allows you to associate the VPC security groups with the EC2-Classic instance, enabling communication between your EC2-Classic instance and instances in your VPC using private IP addresses. ClassicLink removes the need to make use of public IP addresses or Elastic IP addresses to enable communication between instances in these platforms.
A linked EC2-Classic instance can communicate with instances in a VPC, but it does not form part of the VPC. Linked EC2-Classic instances can access the following AWS services in the VPC: Amazon Redshift, Amazon ElastiCache, Elastic Load Balancing, and Amazon RDS. However, instances in the VPC cannot access the AWS services provisioned by the EC2-Classic platform using ClassicLink.
When you enable a VPC for ClassicLink, a static route is added to all of the VPC route tables with a destination of 10.0.0.0/8 and a target of local. This allows communication between instances in the VPC and any EC2-Classic instances that are then linked to the VPC. If you add a custom route table to a ClassicLink-enabled VPC, a static route is automatically added with a destination of 10.0.0.0/8 and a target of local. When you disable ClassicLink for a VPC, this route is automatically deleted in all of the VPC route tables.
An Elastic IP address is a public IP address that you can allocate to your account. You can associate it with and disassociate it from instances as you require, and it remains allocated to your account until you choose to release it.
Amazon provides a DNS server that resolves DNS hostnames to IP addresses. In EC2-Classic, the Amazon DNS server is located at 172.16.0.23. In EC2-VPC, the Amazon DNS server is located at the base of your VPC network range plus two.
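The two addressing facts above (the ClassicLink 10.0.0.0/8 local route and the VPC DNS server at base plus two) worked through with Python's ipaddress module. This is an added example, not AWS code; the VPC CIDR and the gateway target name are constructed, and the lookup models the longest-prefix match a route table performs.

```python
from ipaddress import ip_address, ip_network

def vpc_dns_server(vpc_cidr):
    """Amazon DNS in EC2-VPC sits at the VPC network base address plus two."""
    return ip_network(vpc_cidr).network_address + 2

def classiclink_routes(vpc_cidr, custom_routes=()):
    """Route table of a ClassicLink-enabled VPC: the VPC's own local route,
    the 10.0.0.0/8 -> local route that ClassicLink adds, plus custom routes."""
    table = [(ip_network(vpc_cidr), "local"),
             (ip_network("10.0.0.0/8"), "local")]
    table += [(ip_network(dst), target) for dst, target in custom_routes]
    return table

def lookup(table, destination):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ip_address(destination)
    best = None
    for net, target in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def linked_classic_traffic_is_local(vpc_cidr, classic_private_ip):
    """True when a linked EC2-Classic instance's private IP is reached via
    the local route (i.e. without a public IP or an Elastic IP)."""
    return lookup(classiclink_routes(vpc_cidr), classic_private_ip) == "local"
```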
In EC2-VPC, you can specify multiple private IP addresses for your instances. The number of network interfaces and private IP addresses that you can specify for an instance depends on the instance type.
It can be useful to assign multiple private IP addresses to an instance in your VPC to do the following:
- Host multiple websites on a single server by using multiple SSL certificates on a single server and associating each certificate with a specific IP address.
- Operate network appliances, such as firewalls or load balancers, that have multiple private IP addresses for each network interface.
- Redirect internal traffic to a standby instance in case your instance fails, by reassigning the secondary private IP address to the standby instance.
After you assign a secondary private IP address to your instance, you need to configure the operating system on your instance to recognize the secondary private IP address.
By default, AWS assigns each instance in EC2-Classic two IP addresses at launch: a private IP address and a public IP address that is mapped to the private IP address through network address translation (NAT).
The public IP address is allocated from the EC2-Classic public IP address pool, and is associated with your instance, not with your AWS account. You cannot reuse a public IP address after it’s been disassociated from your instance.
When you associate an EIP with an instance, the instance’s current public IP address is released to the EC2-Classic public IP address pool. If you disassociate an EIP from the instance, the instance is automatically assigned a new public IP address within a few minutes. In addition, stopping the instance also disassociates the EIP from it.
An elastic network interface (ENI) is a virtual network interface that you can attach to an instance in a VPC. You can create a network interface, attach it to an instance, detach it from an instance, and attach it to another instance. Each instance in a VPC has a default network interface. The default network interface has a primary private IP address in the IP address range of its VPC. You can create and attach additional network interfaces. The maximum number of network interfaces that you can use varies by instance type.
Attaching multiple network interfaces to an instance is useful when you want to:
- Create a management network.
- Use network and security appliances in your VPC.
- Create dual-homed instances with workloads/roles on distinct subnets.
- Create a low-budget, high-availability solution.
You can create EBS Magnetic volumes from 1 GB to 1 TB in size; you can create EBS General Purpose (SSD) and Provisioned IOPS (SSD) volumes up to 16 TB in size. You can mount these volumes as devices on your Amazon EC2 instances. You can mount multiple volumes on the same instance, but each volume can be attached to only one instance at a time.
With General Purpose (SSD) volumes, your volume receives a base performance of 3 IOPS/GB, with the ability to burst to 3,000 IOPS for extended periods of time. General Purpose (SSD) volumes are ideal for a broad range of use cases such as boot volumes, small and medium-sized databases, and development and test environments. General Purpose (SSD) volumes support up to 10,000 IOPS and 160 MB/s of throughput.
With Provisioned IOPS (SSD) volumes, you can provision a specific level of I/O performance. Provisioned IOPS (SSD) volumes support up to 20,000 IOPS and 320 MB/s of throughput. This allows you to predictably scale to tens of thousands of IOPS per EC2 instance.
You can create point-in-time snapshots of EBS volumes, which are persisted to Amazon S3. Snapshots protect data for long-term durability, and they can be used as the starting point for new EBS volumes. The same snapshot can be used to instantiate as many volumes as you wish. These snapshots can be copied across AWS regions.
EBS volumes are created in a specific Availability Zone, and can then be attached to any instances in that same Availability Zone. To make a volume available outside of the Availability Zone, you can create a snapshot and restore that snapshot to a new volume anywhere in that region. You can copy snapshots to other regions and then restore them to new volumes there, making it easier to leverage multiple AWS regions for geographical expansion, data center migration, and disaster recovery.
CloudWatch metrics are statistical data that you can use to view, analyze, and set alarms on the operational behaviour of your volumes.
Basic – Data is available automatically in 5-minute periods at no charge. This includes data for the root device volumes for Amazon EBS-backed instances.
Detailed – Provisioned IOPS (SSD) volumes automatically send one-minute metrics to CloudWatch.
If a volume is impaired because the volume’s data is potentially inconsistent.
IOPS are input/output operations per second. Amazon EBS counts each I/O operation that is 256 KB or smaller as one IOPS. I/O operations that are larger than 256 KB are counted in 256 KB capacity units. For example, a 1,024 KB I/O operation would count as 4 IOPS.
An instance store provides temporary block-level storage for use with an instance. The size of an instance store ranges from 900 MB to up to 48 TB, and varies by instance type and instance size. Some instance families, such as T2 and T1, do not support instance store volumes at all and they use Amazon EBS exclusively for storage.