Forrest C. Shields II, SysOps Engineer, PGi

What is cloud computing?
http://aws.amazon.com/what-is-cloud-computing/

AWS Regions
- Virginia
- Oregon
- N. California
- Ireland
- Frankfurt
- Singapore
- Tokyo
- Sydney
- São Paulo
- Beijing
- GovCloud
http://aws.amazon.com/about-aws/global-infrastructure/

Region, Availability Zone, Data Center, Subnet
A Virtual Private Cloud (VPC) is a logical grouping of one or more subnets that may span across availability zones in the same region.

Amazon EC2
- Virtual Machines
- Machine Images
- Storage
- Storage Snapshots
- Firewall (Security Groups)
- Public IPs
- Load Balancing
- Auto Scaling
- Basic Performance Metrics
http://aws.amazon.com/ec2/

Amazon VPC
- Networks
- Subnets
- Route Tables
- DHCP
- Basic DNS
- Internet Gateways
- VPN Connections
- Network ACLs
- Enhanced Firewall (Security Groups)
http://aws.amazon.com/vpc/

Instance Families
- General Purpose: M3 – standard, T2 – burstable
- Compute Optimized: C3 – up to 32 cores
- Memory Optimized: R3 – up to 244 GB RAM
- GPU: G2 – NVIDIA GPU w/ 1,536 CUDA cores
- Storage Optimized: I2 – up to 8 local 800 GB SSD drives; HS1 – 24 local 2 TB SSD drives

Instance Sizes
- Micro, Small, Medium, Large, xLarge, 2xLarge, 4xLarge, 8xLarge
http://aws.amazon.com/ec2/instance-types/

Optional Features
- Burstable Performance (CPU credits)
- Enhanced Networking (SR-IOV)
- Graphics Processing Unit (GPU)
- Elastic Block Storage Optimized
- Cluster Networking
- Dedicated Instance
- Detailed Monitoring

Pricing
Based on:
- Instance Type
- Region
- Operating System
- Storage
- Optional Features
Pricing models:
- On-demand
- Reserved (3 types)
- Spot pricing
- Dedicated
Examples:
- t2.micro Linux instance in Virginia = $0.013 per hour
- c3.xlarge Windows instance in São Paulo = $0.210 per hour
http://aws.amazon.com/ec2/pricing/
http://calculator.s3.amazonaws.com/calc5.html

Machine Images (AMIs)
- Amazon-provided:
  - Amazon Linux
  - RHEL derived, like CentOS
  - Microsoft Windows Server 2003 R2, 2008, 2008 R2, 2012, & 2012 R2: base OS or with SQL Server (Express, Web, or Standard)
- Community AMIs
- AWS Marketplace
- My AMIs (imported or customized)
http://aws.amazon.com/amis/
http://aws.amazon.com/windows/amis/

Storage
- Instance Store (ephemeral local storage)
- Elastic Block Storage (EBS)
  - Types: Magnetic, General Purpose (SSD), Provisioned IOPS (SSD)
  - Size: 1 GB to 1 TB
  - Encryption option
  - Snapshots
http://aws.amazon.com/ebs/

Security Groups
A named set of allowed network connections for an instance. Each security group consists of a list of protocols, ports, and IP address ranges. A security group can apply to multiple instances, and multiple groups can regulate a single instance.
- Acts like a per-machine virtual firewall
- Very flexible (better than ACLs)
- Eliminates the requirement to know IP addresses
- Protocols: TCP, UDP, ICMP, Custom
- Associate with a CIDR block or with another security group
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

Elastic IP Addresses (EIP)
A fixed (static) IP address that you have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with your account, not a specific instance. They are elastic because you can easily allocate, attach, detach, and free them as your needs change. Unlike traditional static IP addresses, Elastic IP addresses allow you to mask instance or Availability Zone failures by rapidly remapping your public IP addresses to another instance.
- You “own” (rent) the public IP address
- Can be easily moved from one instance to another, or held in reserve
- Enables creation of DNS “A” records
- Can only be applied to instances in a public subnet
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

Placement Groups
A placement group is a logical grouping of instances within a single Availability Zone. Using placement groups enables applications to participate in a low-latency, 10 Gbps network. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both.
- Fastest inter-machine network available
- Some limitations:
  - All servers need to be in the same availability zone
  - Servers should all be the same instance type
  - Adding servers later can be problematic
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html

Elastic Load Balancing (ELB)
Elastic Load Balancing automatically distributes incoming application traffic across multiple instances in the cloud. It enables you to achieve greater levels of fault tolerance in your applications, seamlessly providing the amount of load balancing capacity needed to distribute application traffic.
- Increased availability (spans availability zones)
- Easy elasticity when combined with Auto Scaling
- Types: Public (Internet-facing) or Private
- Listeners: HTTP, HTTPS, TCP, SSL (Secure TCP)
- Utilizes Health Checks
- Provides SSL offloading
http://aws.amazon.com/elasticloadbalancing/

Key Pairs
A set of security credentials you use to prove your identity electronically. A key pair consists of a private key and a public key.
- Used directly by Linux instances for SSH authentication
- Used to “unlock” the auto-assigned Windows Administrator password for viewing
- Safer than username/password combinations
- Region-specific, but can be copied to other regions
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

Elastic Network Interfaces (ENI)
A network interface that can be attached to an instance. ENIs include a primary private IP address, one or more secondary private IP addresses, a MAC address, and membership in specified security groups. You can create an ENI, attach it to an instance, detach it from an instance, and attach it to another instance.
- This is how you get multiple private IPs
- Allows an instance to span subnets within the same availability zone
- You can bind multiple EIPs to ENIs with multiple private IPs
- Primary ENI created by default with 1 IP address
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

Auto Scaling
A service designed to launch or terminate instances automatically based on user-defined policies, schedules, and health checks.
- Increases availability
- Reduces costs
- Self-healing (if you have a good health check)
- Scheduled spin-up/spin-down, or based upon any load metric you desire
http://aws.amazon.com/autoscaling/

CloudWatch
- Basic metrics included at 5 minute intervals: CPU Utilization, Disk Reads/Writes, Disk Read/Write Ops, Network In/Out
- Detailed Monitoring checks the same metrics at 1 minute intervals ($)
- Keeps metrics for two weeks
- Ship your own metrics to CloudWatch ($)
http://aws.amazon.com/cloudwatch/

Amazon VPC
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.*
* Description “borrowed” from the AWS website http://aws.amazon.com/vpc/

You can easily customize the network configuration for your Amazon Virtual Private Cloud. For example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access.
You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.*
* Description “borrowed” from the AWS website http://aws.amazon.com/vpc/

Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.*
Your own private slice of the “cloud”
* Description “borrowed” from the AWS website http://aws.amazon.com/vpc/

VPC
- Name
- CIDR block
- DNS Settings
- Default Route Table
- DHCP and DNS resolution are provided
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

Subnet
- Name
- CIDR block (size /28 or larger)
- Availability Zone
- Route Table
- Network ACL
- The Route Table determines if the subnet is public or private
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

Route Tables
Route types:
- Local (within the VPC)
- Internet Gateway
- Virtual Private Gateway (for VPN)
- Instance (for NAT or software VPN)
- VPC Peering
Associated with one or more subnets
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html

Internet Gateway
- Must have one to use EIPs
- One per VPC
- Works with the Route Table
If a subnet has a route table whose default route (0.0.0.0/0) points to an Internet Gateway, then that subnet is considered “public” and you can use EIPs. However, instances in that same subnet that do not use EIPs will not be reachable from the Internet.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html

DHCP Options
Controls the DHCP options that are sent to each instance. You can set the following values:
- Domain name
- Domain name servers
- NTP servers
- NetBIOS name servers
- NetBIOS node type
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html

VPC Peering
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region.
- Works within your account or cross-account
- Limitations:
  - Cannot route through a peering connection
  - Not cross-region
  - Address space must not collide
  - Can’t reference Security Groups in the other VPC
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html

Network ACLs
A network access control list (ACL) is an optional layer of security that acts as a firewall for controlling traffic in and out of a subnet. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
- Kind of old fashioned, but sometimes necessary
- Not stateful (must open the return port as well)
- Can be confusing to combine with Security Groups
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

Security Group vs. Network ACL
| Security Group | Network ACL |
|---|---|
| Operates at the instance level (first layer of defense) | Operates at the subnet level (second layer of defense) |
| Supports allow rules only | Supports allow rules and deny rules |
| Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules |
| All rules are evaluated before deciding whether to allow traffic | Processes rules in number order when deciding whether to allow traffic |
| Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it's associated with (backup layer of defense, so you don't have to rely on someone specifying the security group) |
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html

VPN Connections
Primary use is to connect your VPC to your corporate network or datacenter.
- Only works with hardware VPN devices (sorry, no software VPN)
- IPsec-based
- Supports static or BGP routing
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

AWS Free Tier
- 750 hours of Linux t2.micro instance usage and 750 hours of Microsoft Windows Server t2.micro instance usage (1 GB of memory and 32-bit and 64-bit platform support) – enough hours to run both continuously each month
- 750 hours of an Elastic Load Balancer plus 15 GB data processing
- 30 GB of Elastic Block Storage: any combination of General Purpose (SSD) or Magnetic, and 1 GB of snapshot storage
- Much more at aws.amazon.com/free/
http://aws.amazon.com/free/
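A worked model of the inbound-traffic layers that the Internet Gateway, Security Group and Network ACL slides describe, written as an added example for this page (it is not code from the deck or from AWS). The route-table targets, CIDR ranges, rule numbers and group rules below are constructed assumptions, not real account values.

```python
# Added example (not from the deck): a model of the inbound-traffic layers the
# Internet Gateway, Security Group and Network ACL slides describe. All IDs,
# CIDRs and rule numbers below are constructed for illustration.
import ipaddress

# Constructed route tables: destination CIDR -> target ("local" = within the VPC).
PUBLIC_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-example"}
PRIVATE_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "i-nat-example"}

def is_public_subnet(route_table):
    """Public means the default route (0.0.0.0/0) points at an Internet Gateway."""
    return route_table.get("0.0.0.0/0", "").startswith("igw-")

def _matches(proto, port, ip, rule_proto, port_range, cidr):
    lo, hi = port_range
    return (rule_proto == proto and lo <= port <= hi
            and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr))

# Constructed network ACL rules: (number, protocol, (low, high) port, CIDR, action).
# Stateless; evaluated in number order; first match wins; unmatched traffic is denied.
NACL_IN = [(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
           (110, "tcp", (22, 22), "198.51.100.0/24", "deny"),
           (120, "tcp", (22, 22), "0.0.0.0/0", "allow")]
NACL_OUT = [(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]  # ephemeral replies

def nacl_allows(rules, proto, port, ip):
    for _num, rule_proto, port_range, cidr, action in sorted(rules):
        if _matches(proto, port, ip, rule_proto, port_range, cidr):
            return action == "allow"
    return False  # the implicit final "*" deny rule

# Constructed security group: allow rules only; every rule is considered.
SG = [("tcp", (443, 443), "0.0.0.0/0"), ("tcp", (22, 22), "203.0.113.0/24")]

def sg_allows(rules, proto, port, ip):
    return any(_matches(proto, port, ip, *rule) for rule in rules)

def inbound_reachable(route_table, has_eip, proto, port, src_ip):
    """Routing and EIP first, then the subnet ACL, then the instance's group."""
    if not (is_public_subnet(route_table) and has_eip):
        return False
    return (nacl_allows(NACL_IN, proto, port, src_ip)
            and sg_allows(SG, proto, port, src_ip))

def reply_allowed(proto, ephemeral_port, dst_ip):
    """The security group is stateful, so only the stateless ACL can block a reply."""
    return nacl_allows(NACL_OUT, proto, ephemeral_port, dst_ip)
```

The reply check is the slide's "must open the return port as well" point in code: the ACL needs an explicit outbound ephemeral-port rule, while the security group needs nothing for return traffic.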