Ec2
Chapter 6: Amazon EC2 - Deep Dive
Section titled “Chapter 6: Amazon EC2 - Deep Dive”Mastering Elastic Compute Cloud for Production Workloads
Section titled “Mastering Elastic Compute Cloud for Production Workloads”6.1 Overview
Section titled “6.1 Overview”Amazon EC2 (Elastic Compute Cloud) provides scalable computing capacity in the AWS cloud, enabling you to deploy virtual servers on demand.
EC2 Core Components+------------------------------------------------------------------+| || +------------------------+ || | Amazon EC2 | || +------------------------+ || | || +-----------+-----------+-----------+-----------+ || | | | | | || v v v v v || +-------+ +-------+ +-------+ +-------+ +-------+ || |Instance| | AMI | |Instance| | Storage| |Network| || | Types | | | | Profile| | | | | || +-------+ +-------+ +-------+ +-------+ +-------+ || || Instance Types: Compute optimization options || AMI: Machine images for launching instances || Instance Profile: IAM roles for instances || Storage: EBS, Instance Store || Network: Security Groups, ENIs, Placement Groups || |+------------------------------------------------------------------+6.2 EC2 Instance Types
Section titled “6.2 EC2 Instance Types”Instance Family Overview
Section titled “Instance Family Overview” EC2 Instance Families+------------------------------------------------------------------+| || Family | Code | Use Case | Example Types || --------|------|----------------------------|-----------------|| General | T3 | Burstable workloads | t3.micro || Purpose| M5 | Balanced performance | m5.xlarge || --------|------|----------------------------|-----------------|| Compute | C5 | High-performance computing | c5.2xlarge || Optimized| C6g | ARM-based compute | c6g.xlarge || --------|------|----------------------------|-----------------|| Memory | R5 | In-memory databases | r5.xlarge || Optimized| X2e | SAP HANA, large databases | x2e.xlarge || --------|------|----------------------------|-----------------|| Storage | I3 | NoSQL, data warehouses | i3.xlarge || Optimized| D3 | HDFS, distributed file | d3.xlarge || --------|------|----------------------------|-----------------|| Accelerated| P4 | ML, HPC | p4d.24xlarge || Computing| G5 | Graphics, video encoding | g5.xlarge || --------|------|----------------------------|-----------------|| Graviton | C6g | ARM-based workloads | c6g.xlarge || (ARM) | M6g | General purpose ARM | m6g.xlarge || |+------------------------------------------------------------------+Instance Type Naming Convention
Section titled “Instance Type Naming Convention” EC2 Instance Naming Convention+------------------------------------------------------------------+| || Example: m5.xlarge || || +---+---+------+ || | m | 5 |xlarge| || +---+---+------+ || | | | || | | +-- Size (resource capacity) || | | nano, micro, small, medium, large, xlarge, || | | 2xlarge, 4xlarge, 8xlarge, 9xlarge, 12xlarge || | | || | +-------- Generation (version) || | || +------------- Instance Family || m = General Purpose || c = Compute Optimized || r = Memory Optimized || i = Storage Optimized || g = GPU Instances || p = HPC/ML Instances || || Special Suffixes: || +----------------------------------------------------------+ || | a - AMD EPYC processor | || | g - Graviton (ARM) processor | || | n - Network optimized | || | d - NVMe storage | || | e - Enhanced (usually more resources) | || | z - High frequency | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Instance Size Comparison
Section titled “Instance Size Comparison” Instance Size Resource Comparison+------------------------------------------------------------------+| || Size vCPUs Memory (GiB) Network Performance || ---------- ------- ------------- ------------------- || nano 1 0.5 Very Low || micro 2 1 Low || small 1 2 Low || medium 2 4 Low to Moderate || large 2 8 Moderate || xlarge 4 16 Moderate || 2xlarge 8 32 High || 4xlarge 16 64 High || 8xlarge 32 128 10 Gigabit || 9xlarge 36 144 10 Gigabit || 12xlarge 48 192 20 Gigabit || 16xlarge 64 256 20 Gigabit || 18xlarge 72 288 25 Gigabit || 24xlarge 96 384 25 Gigabit || 32xlarge 128 512 50 Gigabit || |+------------------------------------------------------------------+6.3 Amazon Machine Images (AMI)
Section titled “6.3 Amazon Machine Images (AMI)”AMI Architecture
Section titled “AMI Architecture” AMI Components+------------------------------------------------------------------+| || +------------------------+ || | AMI | || +------------------------+ || | || +---------------------+---------------------+ || | | | || v v v || +----------+ +----------+ +----------+ || | Root | | Block | | Launch | || | Snapshot | | Device | | Permis- | || | | | Mapping | | sions | || +----------+ +----------+ +----------+ || || Root Snapshot: EBS snapshot of root volume || Block Device Mapping: Volumes attached at launch || Launch Permissions: Who can launch the AMI || |+------------------------------------------------------------------+AMI Sources
Section titled “AMI Sources” AMI Source Options+------------------------------------------------------------------+| || 1. AWS Provided AMIs || +----------------------------------------------------------+ || | - Amazon Linux 2023 | || | - Ubuntu, Debian, CentOS | || | - Windows Server | || | - Free to use, maintained by AWS | || +----------------------------------------------------------+ || || 2. AWS Marketplace AMIs || +----------------------------------------------------------+ || | - Pre-configured software | || | - Paid AMIs (hourly + software cost) | || | - Verified by AWS | || +----------------------------------------------------------+ || || 3. Custom AMIs || +----------------------------------------------------------+ || | - Created from existing instances | || | - Pre-installed software | || | - Organization-specific configurations | || +----------------------------------------------------------+ || || 4. Community AMIs || +----------------------------------------------------------+ || | - Shared by other AWS users | || | - Free to use | || | - Use at your own risk | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Creating Custom AMIs
Section titled “Creating Custom AMIs”# Create AMI from running instanceaws ec2 create-image \ --instance-id i-1234567890abcdef0 \ --name "my-custom-ami-v1" \ --description "Custom AMI with pre-installed software" \ --no-reboot
# Copy AMI to another regionaws ec2 copy-image \ --source-region us-east-1 \ --source-image-id ami-1234567890abcdef0 \ --region us-west-2 \ --name "my-custom-ami-v1-copy"
# Share AMI with another accountaws ec2 modify-image-attribute \ --image-id ami-1234567890abcdef0 \ --launch-permission "Add=[{UserId=123456789012}]"
# Make AMI publicaws ec2 modify-image-attribute \ --image-id ami-1234567890abcdef0 \ --launch-permission "Add=[{Group=all}]"
# Deregister AMIaws ec2 deregister-image --image-id ami-1234567890abcdef06.4 EC2 Instance Lifecycle
Section titled “6.4 EC2 Instance Lifecycle”Instance States
Section titled “Instance States” EC2 Instance Lifecycle+------------------------------------------------------------------+| || +------------------------+ || | Launch | || +------------------------+ || | || v || +------------------------+ || | Pending | || | (Instance booting) | || +------------------------+ || | || v || +------------------------+ || | Running |<----------+ || +------------------------+ | || / \ | || / \ | || v v | || +----------------+ +----------------+ | || | Reboot | | Stop | | || +----------------+ +----------------+ | || | | | || | v | || | +----------------+ | || | | Stopped | | || | +----------------+ | || | | | || | +----------+-----------+ || | | || +--------------------------------+ || || +------------------------+ || | Terminate | || +------------------------+ || | || v || +------------------------+ || | Terminated | || +------------------------+ || |+------------------------------------------------------------------+State Transitions and Billing
Section titled “State Transitions and Billing”| State | Description | Billed | Storage |
|---|---|---|---|
| Pending | Instance launching | No | Preserved |
| Running | Instance active | Yes | Preserved |
| Stopping | Instance stopping | No | Preserved |
| Stopped | Instance stopped | No | Billed for EBS |
| Rebooting | Instance rebooting | Yes | Preserved |
| Terminated | Instance deleted | No | Deleted (EBS optional) |
Stop vs Terminate
Section titled “Stop vs Terminate” Stop vs Terminate Comparison+------------------------------------------------------------------+| || Stop || +----------------------------------------------------------+ || | Pros: | || | - Instance preserved | || | - Can restart later | || | - No compute charges | || | - Can change instance type | || | | || | Cons: | || | - Still pay for EBS storage | || | - Public IP changes | || | - RAM contents lost | || +----------------------------------------------------------+ || || Terminate || +----------------------------------------------------------+ || | Pros: | || | - No more charges | || | - Resources released | || | | || | Cons: | || | - Cannot recover instance | || | - Data lost (unless EBS delete on termination disabled)| || | - Must recreate to use again | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+6.5 EC2 Storage Options
Section titled “6.5 EC2 Storage Options”EBS vs Instance Store
Section titled “EBS vs Instance Store” EC2 Storage Comparison+------------------------------------------------------------------+| || Elastic Block Store (EBS) || +----------------------------------------------------------+ || | | || | Instance EBS Volume | || | +--------+ +--------+ | || | | | | | | || | | |<------>| Data | | || | | | | | | || | +--------+ +--------+ | || | Network attached | || | | || | Features: | || | - Persistent storage | || | - Can detach and reattach | || | - Snapshots to S3 | || | - Encrypted at rest | || | - Can be used after instance termination | || +----------------------------------------------------------+ || || Instance Store || +----------------------------------------------------------+ || | | || | Instance | || | +---------------------------------+ | || | | | Instance Store | | | || | | | +--------+ | | | || | | | | Data | | | | || | | | +--------+ | | | || | +---------------------------------+ | || | Physically attached | || | | || | Features: | || | - Ephemeral storage | || | - Lost on stop/terminate | || | - Very high IOPS | || | - Included in instance price | || | - Cannot detach | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+EBS Volume Types
Section titled “EBS Volume Types” EBS Volume Types+------------------------------------------------------------------+| || Type | Use Case | Max IOPS | Throughput || --------------|-------------------|-------------|-------------|| gp3 | General purpose | 16,000 | 1,000 MB/s || (Default) | Boot volumes | | || --------------|-------------------|-------------|-------------|| io2 Block | Critical workloads | 256,000 | 4,000 MB/s || Express | High-performance | | || --------------|-------------------|-------------|-------------|| io2 | High IOPS | 64,000 | 1,000 MB/s || --------------|-------------------|-------------|-------------|| st1 | Throughput- | 500 per TB | 500 MB/s || (HDD) | optimized | | || --------------|-------------------|-------------|-------------|| sc1 | Cold storage | 80 per TB | 250 MB/s || (HDD) | Infrequent access | | || |+------------------------------------------------------------------+EBS Volume Configuration
Section titled “EBS Volume Configuration”# Create EBS volumeaws ec2 create-volume \ --size 100 \ --volume-type gp3 \ --availability-zone us-east-1a \ --iops 3000 \ --throughput 125
# Attach volume to instanceaws ec2 attach-volume \ --volume-id vol-1234567890abcdef0 \ --instance-id i-1234567890abcdef0 \ --device /dev/sdf
# Create snapshotaws ec2 create-snapshot \ --volume-id vol-1234567890abcdef0 \ --description "Daily backup snapshot"
# Copy snapshot to another regionaws ec2 copy-snapshot \ --source-region us-east-1 \ --source-snapshot-id snap-1234567890abcdef0 \ --region us-west-2
# Modify volume (increase size, change type)aws ec2 modify-volume \ --volume-id vol-1234567890abcdef0 \ --size 200 \ --volume-type gp3 \ --iops 50006.6 EC2 Networking
Section titled “6.6 EC2 Networking”Security Groups
Section titled “Security Groups” Security Group Architecture+------------------------------------------------------------------+| || Security Group = Virtual Firewall for EC2 Instances || || +----------------------------------------------------------+ || | Security Group | || | | || | Inbound Rules: | || | +------------------+------------------+----------------+ | || | | Type | Port | Source | | || | +------------------+------------------+----------------+ | || | | SSH | 22 | 10.0.0.0/8 | | || | | HTTP | 80 | 0.0.0.0/0 | | || | | HTTPS | 443 | 0.0.0.0/0 | | || | | Custom TCP | 8080 | sg-12345678 | | || | +------------------+------------------+----------------+ | || | | || | Outbound Rules: | || | +------------------+------------------+----------------+ | || | | Type | Port | Destination | | || | +------------------+------------------+----------------+ | || | | All Traffic | All | 0.0.0.0/0 | | || | +------------------+------------------+----------------+ | || +----------------------------------------------------------+ || || Key Characteristics: || +----------------------------------------------------------+ || | - STATEFUL: Return traffic automatically allowed | || | - Only ALLOW rules (no deny) | || | - Can reference other security groups | || | - Applied to ENIs (not instances directly) | || | - Up to 5 security groups per ENI | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Security Group vs NACL
Section titled “Security Group vs NACL” Security Group vs Network ACL+------------------------------------------------------------------+| || Security Group | Network ACL || ----------------------------|----------------------------------|| Instance level | Subnet level || Stateful | Stateless || Allow rules only | Allow and Deny rules || All rules evaluated | Rules evaluated in order || No rule number | Rule numbers (1-32766) || Default: Deny all inbound | Default: Allow all || Allow all outbound| Deny all inbound || Associated with ENI | Associated with subnet || |+------------------------------------------------------------------+Elastic Network Interfaces (ENI)
Section titled “Elastic Network Interfaces (ENI)” ENI Architecture+------------------------------------------------------------------+| || EC2 Instance || +----------------------------------------------------------+ || | | || | ENI 0 (Primary) ENI 1 (Secondary) | || | +------------------+ +------------------+ | || | | Primary IPv4: | | Secondary IPv4: | | || | | 10.0.1.10 | | 10.0.1.20 | | || | | | | | | || | | Secondary IPs: | | Secondary IPs: | | || | | 10.0.1.11 | | 10.0.1.21 | | || | | | | | | || | | Elastic IP: | | Elastic IP: | | || | | 54.0.1.100 | | 54.0.1.101 | | || | | | | | | || | | Security Groups: | | Security Groups: | | || | | sg-12345 | | sg-67890 | | || | +------------------+ +------------------+ | || | | || +----------------------------------------------------------+ || || Use Cases for Multiple ENIs: || +----------------------------------------------------------+ || | - Management network (separate from data network) | || | - Network appliances (firewalls, load balancers) | || | - Dual-homed instances | || | - High availability (ENI migration) | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+6.7 Placement Groups
Section titled “6.7 Placement Groups”Placement Group Types
Section titled “Placement Group Types” EC2 Placement Groups+------------------------------------------------------------------+| || 1. Cluster Placement Group || +----------------------------------------------------------+ || | | || | +--------+ +--------+ +--------+ +--------+ | || | |Instance| |Instance| |Instance| |Instance| | || | | 1 | | 2 | | 3 | | 4 | | || | +--------+ +--------+ +--------+ +--------+ | || | \ / \ / | || | \ / \ / | || | +-----+----------+-----+ | || | Low-latency network | || | | || | Use Cases: | || | - HPC applications | || | - Big data processing | || | - Low-latency requirements | || | | || | Benefits: | || | - Highest network throughput | || | - Lowest latency | || | - Same rack placement | || +----------------------------------------------------------+ || || 2. Spread Placement Group || +----------------------------------------------------------+ || | | || | Rack 1 Rack 2 Rack 3 | || | +--------+ +--------+ +--------+ | || | |Instance| |Instance| |Instance| | || | | 1 | | 2 | | 3 | | || | +--------+ +--------+ +--------+ | || | | || | Use Cases: | || | - Critical applications | || | - High availability | || | - Single instance applications | || | | || | Benefits: | || | - Isolated hardware failures | || | - Max 7 instances per group (per AZ) | || +----------------------------------------------------------+ || || 3. Partition Placement Group || +----------------------------------------------------------+ || | | || | Partition 1 Partition 2 Partition 3 | || | +----------+ +----------+ +----------+ | || | |Instance 1| |Instance 4| |Instance 7| | || | |Instance 2| |Instance 5| |Instance 8| | || | |Instance 3| |Instance 6| |Instance 9| | || | +----------+ +----------+ +----------+ | || | | || | Use Cases: | || | - Large distributed systems | || | - Hadoop, Cassandra, Kafka | || | | || | Benefits: | || | - Up to 7 partitions per AZ | || | - Partition-level isolation | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+6.8 EC2 Launch Templates
Section titled “6.8 EC2 Launch Templates”Launch Template Structure
Section titled “Launch Template Structure”{ "LaunchTemplateData": { "ImageId": "ami-0c55b159cbfafe1f0", "InstanceType": "t3.medium", "KeyName": "my-key-pair", "SecurityGroupIds": ["sg-12345678"], "IamInstanceProfile": { "Name": "EC2InstanceProfile" }, "UserData": "IyEvYmluL2Jhc2gKZWNobyAnSGVsbG8gV29ybGQn", "Monitoring": { "Enabled": true }, "BlockDeviceMappings": [ { "DeviceName": "/dev/xvda", "Ebs": { "VolumeSize": 20, "VolumeType": "gp3", "DeleteOnTermination": true } } ], "TagSpecifications": [ { "ResourceType": "instance", "Tags": [ {"Key": "Name", "Value": "WebServer"}, {"Key": "Environment", "Value": "Production"} ] } ], "NetworkInterfaces": [ { "DeviceIndex": 0, "AssociatePublicIpAddress": true, "Groups": ["sg-12345678"] } ] }}Launch Template vs Launch Configuration
Section titled “Launch Template vs Launch Configuration” Launch Template vs Launch Configuration+------------------------------------------------------------------+| || Feature | Launch Template | Launch Configuration || ---------------------|-----------------|----------------------|| Versioning | Yes | No || Spot Instances | Yes | Limited || Multiple Instance | Yes | No || Types | | || T2/T3 Unlimited | Yes | No || Placement Groups | Yes | Yes || Elastic GPU | Yes | No || EBS Optimized | Yes | Yes || Recommended | Yes | No (deprecated) || |+------------------------------------------------------------------+6.9 EC2 Best Practices
Section titled “6.9 EC2 Best Practices”Security Best Practices
Section titled “Security Best Practices” EC2 Security Checklist+------------------------------------------------------------------+| || 1. Access Control || +----------------------------------------------------------+ || | [ ] Use IAM roles instead of access keys | || | [ ] Implement least privilege | || | [ ] Use Systems Manager Session Manager | || | [ ] Disable password-based SSH | || +----------------------------------------------------------+ || || 2. Network Security || +----------------------------------------------------------+ || | [ ] Restrict Security Group ingress | || | [ ] Use VPC endpoints for AWS services | || | [ ] Enable VPC Flow Logs | || | [ ] Use Network ACLs for additional protection | || +----------------------------------------------------------+ || || 3. Instance Security || +----------------------------------------------------------+ || | [ ] Keep OS and packages updated | || | [ ] Use Amazon Inspector for vulnerability scanning | || | [ ] Enable enhanced monitoring | || | [ ] Use Systems Manager for patch management | || +----------------------------------------------------------+ || || 4. Data Security || +----------------------------------------------------------+ || | [ ] Enable EBS encryption | || | [ ] Use KMS for key management | || | [ ] Encrypt data at rest and in transit | || | [ ] Regular snapshots | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Performance Best Practices
Section titled “Performance Best Practices” EC2 Performance Optimization+------------------------------------------------------------------+| || 1. Right-Sizing || +----------------------------------------------------------+ || | - Use CloudWatch metrics to analyze utilization | || | - Use AWS Compute Optimizer recommendations | || | - Consider Graviton instances for cost/performance | || +----------------------------------------------------------+ || || 2. Storage Optimization || +----------------------------------------------------------+ || | - Choose appropriate EBS volume type | || | - Pre-warm volumes (for non-gp3) | || | - Use RAID for higher performance | || | - Consider Instance Store for temporary data | || +----------------------------------------------------------+ || || 3. Network Optimization || +----------------------------------------------------------+ || | - Use Enhanced Networking (ENA) | || | - Use Placement Groups for low latency | || | - Consider Elastic Fabric Adapter (EFA) for HPC | || +----------------------------------------------------------+ || || 4. Monitoring || +----------------------------------------------------------+ || | - Enable detailed monitoring | || | - Set up CloudWatch alarms | || | - Use unified CloudWatch agent | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+6.10 Practical Commands
Section titled “6.10 Practical Commands”Instance Management
Section titled “Instance Management”# Launch instanceaws ec2 run-instances \ --image-id ami-0c55b159cbfafe1f0 \ --count 1 \ --instance-type t3.micro \ --key-name my-key-pair \ --security-group-ids sg-12345678 \ --subnet-id subnet-12345678 \ --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=WebServer}]'
# Describe instancesaws ec2 describe-instances \ --filters "Name=tag:Name,Values=WebServer" \ --query 'Reservations[*].Instances[*].[InstanceId,State.Name,InstanceType]'
# Start instanceaws ec2 start-instances --instance-ids i-1234567890abcdef0
# Stop instanceaws ec2 stop-instances --instance-ids i-1234567890abcdef0
# Reboot instanceaws ec2 reboot-instances --instance-ids i-1234567890abcdef0
# Terminate instanceaws ec2 terminate-instances --instance-ids i-1234567890abcdef0
# Modify instance type (stopped instance)aws ec2 modify-instance-attribute \ --instance-id i-1234567890abcdef0 \ --instance-type '{"Value": "t3.small"}'Security Group Management
Section titled “Security Group Management”# Create security groupaws ec2 create-security-group \ --group-name my-security-group \ --description "My security group" \ --vpc-id vpc-12345678
# Add inbound ruleaws ec2 authorize-security-group-ingress \ --group-id sg-12345678 \ --protocol tcp \ --port 22 \ --cidr 10.0.0.0/8
# Add rule referencing another security groupaws ec2 authorize-security-group-ingress \ --group-id sg-12345678 \ --protocol tcp \ --port 8080 \ --source-group sg-87654321
# Remove ruleaws ec2 revoke-security-group-ingress \ --group-id sg-12345678 \ --protocol tcp \ --port 22 \ --cidr 10.0.0.0/86.11 Exam Tips
Section titled “6.11 Exam Tips”
- Instance Types: Know the families (T, M, C, R, I, G, P) and their use cases
- Storage: EBS is persistent, Instance Store is ephemeral
- Security Groups: Stateful, allow rules only, default deny inbound
- Placement Groups: Cluster (HPC), Spread (HA), Partition (distributed)
- ENI: Can attach multiple ENIs, can migrate between instances
- AMI: Can share across accounts, copy across regions
- Stop vs Terminate: Stop preserves, terminate deletes
- Launch Templates: Preferred over Launch Configurations
Next Chapter
Section titled “Next Chapter”Chapter 7: Auto Scaling & Load Balancing
Last Updated: February 2026