Placement Groups

EC2 Placement Groups allow to influence the physical placement of EC2 instances within the AWS infrastructure. There are 3 types of placement groups: Cluster,Partition, and Spread.

1. Cluster:
   1. All instances in a single rack within one Availability Zone (AZ).
   2. Best for: Applications requiring high network throughput and low latency (e.g., HPC, ML).
   3. Risk: A rack failure affects all instances in the group.
2. Partition:
   1. Instances are divided into partitions, with each partition placed on separate racks.
   2. Can span multiple AZs.
   3. Limits: Up to 7 partitions per AZ; many instances per partition.
   4. Best for: Distributed and replicated workloads (e.g., Cassandra, HDFS).
3. Spread:
   1. Each instance is placed on a separate racks.
   2. Can span multiple AZs.
   3. Limits: Up to 7 running instances per AZ.
   4. Best for: Small, critical workloads requiring maximum isolation and high availability (e.g., DNS servers, control plane nodes).

Storage Options

1. Object Storage >> Amazon S3
   • Not EC2-attached directly; used for storing unstructured data like backups, logs, images, etc.
   • Highly durable (99.999999999%), scalable, and supports lifecycle management.
2. File storage >> EFS (Linux instances only), FSx
   1. Amazon EFS:
      • Scalable, fully managed file system for Linux-based EC2 instances.
      • Can be mounted on multiple instances simultaneously across AZs.
   2. Amazon FSx:
      • Fully managed file systems for Windows (FSx for Windows File Server) or Lustre (FSx for Lustre).
      • Supports Windows and Linux depending on the option.
3. File caching >> Amazon File Cache
   • Delivers temporary, high-speed cache for file-based workloads accessing data from S3, NFS, etc.
   • Used for low-latency access to remote datasets.
4. Block Storage >> Instance Store and EBS
   1. Instance Store Volumes:
      • Temporary (ephemeral) storage physically attached to the host.
      • Data is lost on stop, hibernate, or terminate.
      • High-performance, low-latency, and suitable for caches, buffers, and replicated data.
      • Cannot use Multi-Attach
      • Not all EC2 instance types support instance store.
   2. EBS(Elastic Block Store) Volumes:
      • Durable and persistent storage, survives instance stop/terminate.
      • Can take snapshots and restore data.
      • Multi-Attach is supported only for io1/io2 volumes, and only with certain instance types, within the same AZ.
      • Provisioned IOPS (io1/io2) offers high performance and low latency, but at higher cost.

Types of EBS Volumes

Amazon EBS provides persistent block storage volumes that can be attached to EC2 instances. Below are the EBS Volumes:

1. I → io1/io2 (Provisioned IOPS SSD):
   1. High-performance SSD for workloads that require high IOPS (up to 64,000 IOPS).
   2. Best for databases, big data analytics, and low-latency applications.
2. S → gp2/gp3 (General Purpose SSD):
   1. Balanced performance SSD suitable for balanced performance..
   2. Provides burstable performance with automatic scaling up to 3,000 IOPS.
3. S → st1 (Throughput Optimized HDD)(Previous-generation):
   1. HDD designed for throughput-intensive workloads like data warehousing.
   2. High sequential read/write performance at lower cost.
   3. AWS recommends avoiding using it for new workloads.
4. S → sc1 (Cold HDD):
   1. Low-cost HDD suitable for infrequent access data like backup and archival.
   2. High durability, but low IOPS and latency.
5. S → standard (Magnetic HDD)(Depreciated):
   1. Older magnetic HDD used for non-performance-critical workloads.
   2. Suitable for cost-effective, warm data storage.

Trick to memorize the types of EBS volumes: "I Got Some Smart Storage".

EC2 Instance Billing and Purchasing Options

1. On-Demand Instances: Pay per second (Linux) or per hour (Windows) with no long-term commitment. Best for short-term, unpredictable workloads.
2. Savings Plans: Save costs by committing to consistent usage (USD/hour) for 1 or 3 years. Offers flexibility across instance types, regions, and even Lambda & Fargate (Compute Savings Plan).
3. Reserved Instances (RIs): Save costs by committing to specific instance configurations for 1 or 3 years.
   • Standard RIs: Highest discount, but instance type cannot be changed.
   • Convertible RIs: Slightly lower discount but allows instance type, OS, and tenancy changes.
4. Scheduled Instances (Deprecated): Previously allowed reserving instances for recurring schedules, but removed in July 2023. Use On-Demand + automation instead.
5. Spot Instances: Use spare EC2 capacity at up to 90% lower cost, but instances can be interrupted anytime. Best for batch processing, fault-tolerant, and containerized workloads.
6. Dedicated Hosts: Rent a physical server for exclusive use, ideal for bringing existing software licenses (e.g., Windows Server, SQL Server). Provides host-level visibility.
7. Dedicated Instances: Pay hourly for instances running on single-tenant hardware, but without host-level visibility.
8. Capacity Reservations: Reserve EC2 capacity in a specific Availability Zone for any duration. Can be combined with RIs or Savings Plans for discounts.

AMI in Amazon EC2

An AMI is like a full backup of your entire computer, including the operating system, installed programs, and settings. It allows you to create new computers (EC2 instances) that are exact copies of the one you backed up.

AMI Specifies

1. Region: AWS Region where they are created. You can copy AMIs to other Regions if needed.
2. Operating System: Defines the OS (e.g., Amazon Linux, Ubuntu, Windows Server)
3. Processor Architecture: Specifies the CPU architecture (e.g., x86-64 or ARM64 ).
4. Virtualization Type: Defines the virtualization mode: HVM (Hardware Virtual Machine) or, PV (Paravirtual)
5. Launch Permissions: Controls who can use the AMI to launch instances
6. Root Device Type: Determines where the root file system is stored: EBS-backed or, Instance store-backed
7. Storage Details:
   1. Includes snapshots of volumes (e.g., root and additional volumes).
   2. Specifies block device mappings for storage configuration.
8. Other Metadata:
   1. AMI ID (unique identifier in the Region).
   2. Name and description.

AMI vs SNAPSHOT

1. Snapshot: Saves a point-in-time copy of the data on a specific volume(like your photos or documents). It only includes the data on the disk, not the operating system or configurations.
2. AMI: Saves a complete copy of the entire system setup, including:
   1. Operating System (OS)
   2. Software installed
   3. Data on the root volume
   4. Additional attached volumes (if specified)

Example - When a new AMI is copied from Region A into Region B. It automatically creates -

1. a snapshot in Region B because AMIs are based on the underlying snapshots.
2. an instance is created from this AMI in Region B. Hence, we have 1 Amazon EC2 instance, 1 AMI and 1 snapshot in Region B.

Instance Metadata Service(IMDS)

Instance Metadata Service (IMDS) provided by AWS EC2 allows an instance to retrieve dynamic data about itself and its environment.This information is typically accessed via a specific URL within the instance. ip is always fixed - 169.254.169.254

http://169.254.169.254/latest/meta-data/

Question: A company needs to look up configuration details about how a Linux-based Amazon EC2 instance was launched. Which command should a solutions architect run on the EC2 instance to gather the system metadata?

Answer: The only way to retrieve instance metadata is to use link with ip 169.254.169.254

When EC2 instance terminates immediately after launch

Possible Reasons for EC2 instance terminating immediately after launch are -

1. Maximum volume limit reached: If reached the maximum volume limit, the instance may fail to allocate the required storage and terminate.
2. Missing AMI: An EC2 instance cannot launch without a valid AMI, as it is required to create the root volume.
3. Corrupt snapshot: If a snapshot used to create the instance is corrupt, the instance will fail to initialize and may terminate.
4. Maximum EC2 instance limit reached: If the limit is reached, the instance launch will fail altogether, but it will not result in the instance being terminated—it simply will not be created.

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

In AWS, IDS/IPS implementation is achieved using native services or third-party tools:

1. Native AWS Services:
   1. AWS Network Firewall: Traffic inspection and rule-based filtering.
   2. Amazon GuardDuty: Threat detection and anomaly monitoring.
   3. AWS WAF: Protects against web application attacks like SQL injection and XSS.
2. Third-Party Tools (deployable on EC2 instances):
   1. Suricata: Traffic inspection and network security monitoring.
   2. Snort: Real-time traffic analysis and rule-based detection.

Popular AMI Types

1. Golden AMI: A Golden AMI is a pre-configured, custom AMI that has a stable OS, the latest security patches, and commonly used software packages installed. It serves as a reference or "base" to create other AMIs. Pre-install the static components of your application, drastically reducing the installation time during instance creation.
   1. Use Cases:
      1. Ensures consistency across instances (e.g., in multiple environments like development, staging, and production).
      2. Speeds up deployment by providing a ready-made configuration that can be used repeatedly.
      3. Helps in maintaining a secure, up-to-date environment across your instances.
   2. If your organization always uses a specific version of Ubuntu, with a custom configuration, a Golden AMI can be created and used to launch instances consistently across various teams or applications.
2. Base AMI: A minimal AMI containing only the operating system, without any additional configurations or software, used as a clean starting point.
3. Master AMI: Another name for a Golden AMI, typically used as a reference image to launch multiple instances with consistent settings.
4. Database AMI: A purpose-built AMI optimized for running database workloads, pre-configured with necessary database software and settings.
5. Standard AMI: An AWS-provided, default AMI with minimal configuration, often used for basic deployments without custom software.
6. Custom AMI: An AMI created by users to include specific configurations, applications, or settings tailored to their needs.
7. Public AMI: An AMI that is publicly shared by AWS or other AWS users, available to anyone in the AWS ecosystem. It is commonly used to distribute commonly used software and tools (e.g., official Ubuntu or Amazon Linux images).
8. Private AMI: An AMI that is privately shared within your AWS account or with specific AWS accounts. It is not publicly accessible and is used for custom, private environments.

Amazon EC2 user data

EC2 user data allows you to provide configuration or initialization scripts when launching an EC2 instance. These scripts run automatically when the instance is first booted, enabling you to customize and configure your instances on startup.

Use Cases:

1. Automated Configuration: Automate the installation of software packages, updates, or security patches when the instance is launched.
2. Application Deployment: Deploy custom applications by downloading code or running deployment scripts.
3. System Configuration: Configure system settings like network configurations, storage, or environment variables on instance boot.

#!/bin/bash
yum update -y
yum install httpd -y
service httpd start

Security Group

Security groups are designed to control network traffic to and from resources within a VPC. They act as virtual firewalls that manage inbound and outbound traffic for EC2 instances, RDS instances, Elastic Load Balancers, Lambda functions, Redshift clusters, ElastiCache, and more.

However, services like S3, DynamoDB, Route 53, and CloudFront do not directly use security groups. Access control for these services is managed through IAM policies, bucket policies, or VPC endpoint policies.

Key Features of Security Groups

1. During instance launch, one or more security groups can be specified. If not specified, the default security group is used.
2. Rules within a security group allow or deny traffic to/from associated instances. Rules can be modified at any time.
3. New rules are automatically applied to all instances associated with the security group.
4. When deciding to allow traffic to an instance, all rules from all security groups associated with the instance are evaluated.
5. By default, security groups allow all outbound traffic.
6. Security group rules are always permissive; you cannot create rules that deny access.
7. Security groups are stateful, meaning return traffic is automatically allowed based on existing connections.

Think of

1. Security Groups(Layer 3/4) as the gatekeepers to your building, letting in only people who knock on the right door and speak the right language (IP, port, protocol).
2. AWS WAF(Layer 7) as the security scanner at the front desk, checking for dangerous items or suspicious behavior after someone is allowed inside.

based on the OSI model and AWS architecture - Security Group checks happen first, and then AWS WAF checks occur

Auto Scaling groups

Auto Scaling group helps ensure high availability by automatically managing and scaling instances to handle changes in demand or failure. Here's how it functions:

1. Health Monitoring: Continuously monitors the health of instances using Amazon EC2 health checks.
2. Instance Replacement: Automatically terminates the faulty instance and launches a new one to replace it.
3. Size Configuration: Auto Scaling groups allow you to define minimum, maximum, and desired capacity settings, which determine the limits and target size for the scaling actions.
4. Maintaining Desired Capacity: Configured with a desired capacity — the number of instances the group should maintain at any given time.
5. Scaling Policies: Automatically increase or decrease the number of instances based on specific metrics like CPU usage, network traffic, etc.
6. Multi-AZ Support: Auto Scaling supports deploying instances across multiple Availability Zones (AZs) within a single AWS region, ensuring high availability and fault tolerance.
7. Region Isolation: ASG cannot span multiple AWS regions. They are confined to a single region to ensure resources and scaling activities remain within that region.

Elastic IPs (EIP)

1. Static, public IPv4 address you allocate to your AWS account.
2. Remains yours until you release it.
3. Free only when associated with a running instance (charges if unused or associated with stopped instance).
4. Use for consistent IP across instance restarts.

ENI vs ENA vs EFA

1. ENI (Elastic Network Interface) – Virtual network card, can attach/detach from instances, primary & secondary IPs.
2. ENA (Elastic Network Adapter) – High-performance networking up to 100 Gbps (Nitro instances).
3. EFA (Elastic Fabric Adapter) – HPC & ML workloads; supports MPI for low-latency inter-node comms.

EC2 Instance Lifecycle

1. Pending → Running → Stopping/Stopped → Terminated
2. Pending = booting; Stopped = billed for storage only; Terminated = gone forever (root volume deleted if default).
3. Hibernate pauses RAM to disk, skip boot.

Spot Instance Interruptions

1. AWS can reclaim with 2-minute warning.
2. Interruption options: Stop, Hibernate, or Terminate (choose at request).
3. Best for fault-tolerant, flexible workloads.

Launch Templates vs Launch Configurations

1. Launch Template – Newer, supports versioning, mixed purchase options, tagging, T2/T3 Unlimited, etc.
2. Launch Configuration – Legacy, no versioning, must recreate to change settings.
3. Auto Scaling Groups now recommend Launch Templates.

EC2 Hibernate

1. Saves RAM contents to EBS root volume when stopping.
2. On start, reloads state instantly (faster than boot).
3. Requires encrypted EBS root, supported instance families only.
4. Useful for long-running processes needing quick resume.

Nitro System

1. Modern AWS virtualization stack using dedicated hardware.
2. Benefits: better performance, higher networking/storage speeds, better security isolation.
3. Required for ENA/EFA, NVMe EBS.

Elastic Load Balancing with EC2

1. ELB distributes traffic across EC2s in multiple AZs.
2. Types:
3. ALB – Layer 7 (HTTP/HTTPS, path/host-based routing).
4. NLB – Layer 4 (TCP/UDP, ultra-low latency, static IP).
5. GLB – Gateway Load Balancer (for appliance routing).
6. Health checks ensure traffic goes only to healthy instances.