EC2 Fleet and Spot Fleet are designed to be a useful way to launch a fleet of tens, hundreds, or thousands of Amazon EC2 instances in a single operation. Each instance in a fleet is either configured by a launch template or a set of launch parameters that you configure manually at launch.
AWS Nitro Enclaves
Create isolated execution environments, called enclaves, from Amazon EC2 instances.
Process highly sensitive data in an isolated compute environment (like Personally Identifiable Information (PII), healthcare, financial, …)
Fully isolated virtual machines, hardened, and highly constrained (Not a container, not persistent storage, no interactive access, no external networking)
Helps reduce the attack surface for sensitive data processing apps
Cryptographic Attestation – only authorized code can be running in your Enclave
Only Enclaves can access sensitive data (integration with KMS)
EC2 Instance Metadata (IMDS)
Info about the EC2 instance
access url is http://169.254.169.254/latest/meta-data, without using an IAM Role needed
retrieve the IAM Role name from the metadata
IMDSv2 is more secure, needs 2 steps
Get Session Token (limited validity) – using headers & PUT
Use Session Token in IMDSv2 calls – using headers
CLI for instances
The describe-instances command describes the specified instances or all instances.
[–dry-run | –no-dry-run]
[–instance-ids ]
[–filters ] : get only the details that you like from the output of your command
[–cli-input-json ]
[–starting-token ]
[–page-size ]
[–max-items ] : defines the total number of items to be returned in the command’s output
[–generate-cli-skeleton] : generate and display a parameter template that you can customize and use as input on a later command
EC2 Instance Recovery
Status Check:
Instance status = check the EC2 VM
System status = check the underlying hardware
Attached EBS status = check attached EBS volumes
Recovery: Same Private, Public, Elastic IP, metadata, placement group
EC2 Instances Migration between AZ
Cross-Account AMI Sharing
You can share an AMI with another AWS account
Sharing an AMI does not affect the ownership of the AMI
You can only share AMIs that have unencrypted volumes and volumes that are encrypted with a customer managed key
If you share an AMI with encrypted volumes, you must also share any customer managed keys used to encrypt them
Cross-Account AMI Copy
If you copy an AMI that has been shared with your account, you are the owner of the target AMI in your account
The owner of the source AMI must grant you read permissions for the storage that backs the AMI (EBS Snapshot)
If the shared AMI has encrypted snapshots, the owner must share the key or keys with you as well
Can encrypt the AMI with your own CMK while copying
Plenty Instance Types across 5 Instance Families
AWS offers over 300 EC2 instance types across 5 instance families (general purpose family, memory-optimized, storage-optimized, compute-optimized, and accelerated computing), each with varying resource and performance focuses
For example, within the compute-optimized family, you have C4 instance types (running on Haswell chips) and more recent C5 instance types (running on Skylake with Nitro system).
Instance Purchasing Options
On-Demand Instances – the default option, for short-term ad-hoc requirements where the job can’t be interrupted
On-Demand Capacity Reservations – the only way to reserve capacity for blocks of time such as 9am-5pm daily
​Spot instance – highest discount potential (50-90%) but no commitment from AWS, could be terminated with 2min notice. Could use for grid and high-performance computing.
Reserved Instances – for long-term workloads, 1 or 3 year commitment in exchange for 40-60% discount
Dedicated Instances – run on hardware dedicated to 1 customer (more $$)
Dedicated Host – fully dedicated and physically isolated server. Allows you to use your server-bound software licenses (e.g. IBM, Oracle) and addresses compliance and regulatory requirements and potentially reduce cost (note: billing is per-hour not per-instance)
Bare metal EC2 instance – for when the workload needs access to the hardware feature set (e.g. Intel hardware)
Launching Instances
Configurations / Launch Templates used to create new EC2 instances using stored parameters such as instance family, instance type, AMI, key pair and security groups. Auto-scaling groups can launch instances using config templates. You can’t edit a launch config, but you can create a new one and point to it.
User data – pass up to 16KB of user data at launch that the instance can run on startup such as config scripts
Instance metadata (e.g. instance ID, hostname, events, security groups, public keys, network interfaces,) can be accessed via a direct URI or by using the Instance Metadata Query Tool
When you launch an EC2 instance into a default VPC, it has a public and private DNS hostname and IP address. When you launch in a non-default VPC, it may not have a public hostname depending on the DNS and VPC configs.
Errors when launching include InsufficientInstanceCapacity, InstanceLimitExceeded
Instances terminate with no error if there are EBS problems (EBS volume limit, EBS snapshot is corrupt), or if the AMI you’re launching from is missing a required part
Each EC2 instance that you launch has an associated root device volume, either EBS volume or an Instance Store volume (more these under Storage section below). You can use block device mapping to specify additional EBS volumes or instance store volumes to attach to a live instance, attach additional EBS volumes to a running instance, but can’t directly add additional Instance Store volumes.
Run Command – run from the AWS Management Console, CLI or SDK, to install software, execute Powershell commands and scripts, configuring Windows settings, on live EC2 instances
Placement Groups
Cluster placement group = packs instances close together inside an AZ to achieve low latency, high throughput – use for HPC
Partition placement group = separate instances into logical partitions such that instances in one partition do not share hardware with instances in another partition. Gives you control and visibility into instance placement, but not great for performance. Used by large distributed workloads such as Hadoop.
Spread placement group = place 1 or few instances each in distinct hardware to reduce correlated failures. Not great for performance
