After first weeks with AWS you’re starting to understand what is the main Amazon service. And, of course, it’s Elastic Compute Cloud (shortly EC2). EC2 instances – virtual machines running on demand. It’s necessary to know how services connect to instances and interact with each other.
For this issue I’ve drawn scheme. It has to explain what are the main products working with EC2 and how they’re working.
So, let’s start to describe what is the each component and how does it work with EC2.
AMI (Amazon Machine Image)
AMI is a virtual machine snapshot. It’s used as a filesystem template from which new EC2 instance is going to be deployed. Every Amazon Image has its own EBS snapshot where all data stored. In my opinion, AMI deployment is such comfortable. You can easily run few more instances like one for scaling reasons.
To start from scratch there is already baked images from Amazon marketplace. There you can find Amazon OS, Ubuntu, SUSE, RHEL and Windows Server images.
Also autoscaling groups with launch configurations takes responsibility to run new instances. They’re using AMI image too. But in my scheme I just wish to describe a simple EC2 launch, not scaling process.
EBS (Elastic Book Store)
EBS is a SSD-type storage usually with low capacity. EBS volume stores EC2 filesystem and receives all data going to machine. You can also mount S3 low-cost bucket to your EC2 instance to keep big data like media content. But that’s the different question for special purposes.
From subnet as a part of VPC network EC2 instance takes private IP address. With this IP address machine can interact with other instances and special AWS resources.
There could be RDS database accessible only from EC2 subnet. Could be Elastic Load Balancer (ELB) for incoming traffic redirections to EC2. Could be Route53 DNS server which resolves EC2 public IP address with special hostname.
SSH security key
SSH pem key used for access control to EC2 instances. You can surely add more SSH keys for different users access to EC2, but AWS key is the main one.
SSH key can be taken only once after initialization. Losing this key means losing console access to EC2. And there is no way to recover that except creating new similar instance.
Security policy is a simple firewall accepting inbound and outbound connections by TCP/UDP ports. You can set policy rules for your instance to restrict SSH access or simply open 80 port for web-access.
IAM role assigned to EC2 instances to permit some operations with AWS services.
In described scheme I put CodeDeploy as an example. For access to EC2 there is a special role assigned to deployment group. But also EC2 itself needs to look at S3 bucket where project revisions is stored. Without permissions to list and get bucket objects, EC2 engine won’t be able to fetch the code. So deployment won’t be succeeded. For this issue IAM role helps to clarify what EC2 instance can do and where.
Keep in mind: you can’t switch IAM role for launched EC2 instance. Change the roles policy – sure, but it’s impossible to move EC2 to different IAM role. Losing your role, you losing all granted permissions lost role included. To fix this, you have to recreate your EC2 instance as for SSH key problem. This way has been set by Amazon deliberately, probably for security reasons. Of course, it has some benefits and lacks.
I probably missed more interesting Amazon resources could be connected to EC2 instance directly. But AWS opportunities toolkit is so huge. It’s definitely easy to confuse and skip the basics of EC2 circulation. So, I just described there the most famous resources. Hope that’s the main Elastic ecosystem every Amazon novice should know.