These are my notes on EC2 and VPC for the AWS Certified Associate Level exams. I attempted the AWS Certified Solutions Architect - Associate and AWS Certified Developer - Associate and scored 78% and 90% respectively.

It took me about a week (3-4 hours a day) to prepare for both, after having worked professionally with AWS for over 3 years.

EC2

  • Can start an AMI to create any number of on-demand instances by using the RunInstances call. Default max is 20 per account.
  • If the request is good, the RunInstances call returns success with a list of DNS names, and instances begin to launch within 10 minutes.
  • The launch request is associated with a reservation ID. One reservation ID can map to multiple instances which are all a part of one launch request.
  • The status can be checked via DescribeInstances call
  • Can be terminated using TerminateInstances call
  • If a running instance uses an EBS-backed root volume (boot partition), it can be stopped by the StopInstances call. This preserves the data.
  • The same can be done via CLI or the Console instead of REST APIs
  • An EBS-backed root device preserves data, so it is not tied to the life of the instance. Instance store persistence is tied to the life of the instance, and there is no “stop” option for instance store-backed instances.
  • Local instance store is inexpensive
  • An AMI (Amazon Machine Image) is a package with base operating system, and optional set of applications to boot an instance.
  • You can create a custom AMI, but have to bundle it with either EBS backed store or Instance backed store.
  • For instances backed with local instance store, the instances use S3
  • Reserved limit is 20 for all instance types
  • On demand limit varies, and is 20 for all T2, M1, M3 type instances. I plan to roll the dice on these questions, so won’t bother remembering them.
  • Some instance types are not available in all regions.
  • The instances can send emails, but there is a fixed limit, which must be requested to be increased if needed.
  • Currently supported operating systems are RHEL, CentOS, Ubuntu, Oracle Linux, Amazon Linux, Gentoo, SUSE, Fedora, Debian and Windows
  • All the underlying hardware in EC2 uses ECC memory (Error Correcting Code memory)
  • All instances are billed in hourly usage units. Even if the instance is up for a minute, you get billed for a full hour.
  • Data transferred between AWS services in different regions is charged on both ends.
  • Billing starts when the boot sequence of the instance is initiated.
  • Billing ends when the instance terminates or stops. If it is shut down, the instance hours aren’t billed but you pay for the EBS storage that has the root device data on it.
  • Data transfer rates apply between instances on both ends regardless of AZ (Regional Data Transfer) or region (Internet Data Transfer). The sender gets billed for outbound, the receiver gets billed for inbound data.
  • Tax is extra, it is not included in the pricing
  • There are 5 families of instances
    1. General Purpose - M3 and M4 with fixed performance, and T2 for burstable.
    2. Compute Optimized - C3 and C4
    3. Memory Optimized - R3
    4. GPU Optimized - P2 are Nvidia Tesla parallel processing GPU Compute, and G2 provide high performance 3D graphics (GPU Graphics)
    5. Storage Optimized - I2 are SSD based for high IO, D2 are dense (also SSD based) for data intensive operations with sequential IO
  • M3 is more consistent and cheaper than M1 and also supports SSD-based instance storage. But if you need a larger disk, use M1.
  • The amount of CPU allocated to an instance is measured in EC2 Compute Units. It provides the relative measure of integer processing power of an instance.
  • To get a history of all EC2 API calls including VPC and EBS, use CloudTrail
  • There are 5 Elastic IPs per region in any account by default, because IPv4 addresses are a scarce resource
  • If the EIP isn’t associated with any running instance, you get charged an hourly penalty for hogging a scarce resource
  • By default, every instance comes with a Public IP and a Private IP.
  • When the instance stops or terminates, the private IP is released. So you may see a different private IP when you boot it back up. The public IP behaves the same way, but it can also be replaced with an EIP.
  • EIP remapping can take several minutes.
  • You can configure the reverse DNS record for the EIP by filling in a form. But a forward DNS record (record -> EIP) must exist.
  • Each AZ is physically distinct and independent.
  • The same AZ name can mean a different physical location for a different account. My us-east-1a could be in New York while your us-east-1a could be in Richmond, VA.
  • Enhanced networking is supported via single root I/O virtualization (SR-IOV). It allows for a high packets per second (PPS) rate on the network
  • This is achieved via the Elastic Network Adapter (ENA), available in X1 and M4.16xlarge. Others use the Intel Virtual Function interface. The Amazon Linux AMI supports both drivers.
  • There is no additional fee for enhanced networking, but it is not available in EC2-Classic, only in EC2-VPC.
  • If using instance store backed instance, for durable data, use S3. Use EBS backed if you need the data to be independent of the instance’s life.
  • 3 Types of EBS volumes - General Purpose SSD, PIOPS SSD, Magnetic.
  • GP SSD EBS volumes provide ratio of 3 IOPS per GB, and can burst up to 3000 IOPS.
  • IOPS is measured as 256kBps for SSD, 1024kBps for Magnetic.
  • PIOPS EBS is good for large NoSQL and RDS databases
  • HDD or Magnetic is cheapest and fit for infrequently accessed data.
  • One instance can have many volumes, but one volume can only be attached to one instance.
  • EBS snapshots are only accessible via EC2 APIs even though they’re stored on S3

Soft/Hard Limits on stuff

  • 5 VPCs per region
  • 50 peering connections per VPC
  • Gateway Cached Volumes 32TB
  • Gateway Store Volumes 16TB
  • Gateway Cached Volumes Cache Size 16TB
  • 5 EIPs per region
  • 500 security groups per instance
  • 200 subnets per VPC
  • 5 internet gateways per region
  • 50 customer gateways per region
  • 5 Virtual Private Gateways per region
  • 50 VPN connections per region
  • 50 VPN peering connections per VPC
  • 200 Route Tables per VPC
  • 500 security groups per VPC
  • 5 security groups per network interface
  • 200 NACLs per VPC (same as subnets)
  • 500 Hosted Zones in Route 53
  • 50 Domains in Route 53
  • 100 TB Total RDS storage
  • 5000 IAM users per account
  • 250 IAM Roles
  • 100 IAM Groups
  • 100 Instance Profiles
  • 20 Load Balancers per region
  • 10 listeners per load balancer
  • 5 security groups per load balancer
  • 1 route table per subnet
  • Multiple subnets per route table
  • 1 subnet per AZ
  • Max VPC size is /16
  • Min VPC size is /28
  • 5 IP addresses are always reserved in any subnet (251 for /24, 4091 for /20..)
  • 6 replicas for AuroraDB in 3 AZs
  • 100 S3 buckets per account (not region!)
  • 5 TB max object size
  • 5 GB max upload size per PUT operation
  • 100 launch configurations
  • 20 Auto Scaling Groups
  • 200 Cloud Formation Stacks
  • 200 Cloudfront Web distributions
  • 100 Cloudfront RTMP distributions
  • 25 origins per distribution
  • 20 on-demand instances per region
  • 5000 EBS volumes
  • 10000 EBS Snapshots

Creating a custom VPC

  • Use 10.0.0.0/16 CIDR, most commonly used
  • This creates a default route table allowing all traffic within this VPC to flow through (Destination 10.0.0.0/16 -> local)
  • This creates a default NACL which allows all inbound and outbound traffic
  • If you create a new NACL, it is set to deny all inbound and outbound traffic
  • Create an IGW if you are going to build a public subnet.
  • Attach to your custom VPC
  • DO NOT Add a route in the VPC’s route table to direct internet bound traffic to this IGW (0.0.0.0/0 -> IGW)
  • Create a new route table, call it public route. It will allow all traffic within the VPC.
  • Add a route in this route table (0.0.0.0/0 -> IGW)
  • Next, we add 2 subnets, 1 public 1 private
  • Pick /24 CIDR block allowing for 251 IPs each
  • Public is 10.0.1.0/24 named as 10.0.1.0-public-us-east-1a
  • Private is 10.0.2.0/24 named as 10.0.2.0-private-us-east-1a
  • Note that both these subnets are associated with the default VPC NACL
  • Note that both these subnets are associated with the default route table
  • Now we change the route table of our public subnet to use the public route table
  • Go to route tables, pick the public route, look for subnet associations. Click edit and attach our public subnet to this route table
  • Next, we launch an instance in the public subnet, and make sure we can connect to it
  • While launching it, create a new security group called MyWebSG, allow 80 and 22 from 0.0.0.0/0 for now
  • Note the public IP and use it to ssh into this instance
  • Run yum update and you’ll see it goes through (outbound internet connectivity works)
  • Launch an instance in the private subnet this time. This subnet is associated with a route table that has no route to the internet.
  • While doing this, create a new security group, call it MyBackendSG allowing 8080 from MyWebSG
  • While still in the public instance, install apache and run it. Curl localhost to make sure it works, use the IP in the browser to verify also.
  • Notice that your private instance has no internet connectivity, and you cannot ssh into it directly.
  • We need a bastion host to do so; we create it in the public subnet. Its security group will need to allow 22 from the internet. Call it bastionSG
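The same custom VPC build as an AWS CLI shell script, added here as an example (it is not part of the original notes). It assumes AWS CLI v2 with credentials and a region configured; the names MyWebSG, MyBackendSG, bastionSG and the CIDRs follow the steps above, while the helper names q and build_custom_vpc are this example's own.

```shell
#!/bin/sh
# Added example, not from the notes: builds the custom VPC above with the AWS CLI.
# Assumes AWS CLI v2, configured credentials/region; q and build_custom_vpc are
# this example's own helper names.
set -eu

REGION=${AWS_DEFAULT_REGION:-us-east-1}
AZ=${VPC_AZ:-${REGION}a}

# Run one ec2 API call and return the --query field as plain text.
q() { aws ec2 "$@" --output text; }

build_custom_vpc() {
  # VPC 10.0.0.0/16: AWS creates the main route table (10.0.0.0/16 -> local) and
  # a default NACL that allows everything. The main route table is left alone.
  VPC=$(q create-vpc --cidr-block 10.0.0.0/16 --query Vpc.VpcId)
  IGW=$(q create-internet-gateway --query InternetGateway.InternetGatewayId)
  q attach-internet-gateway --vpc-id "$VPC" --internet-gateway-id "$IGW"
  # Separate public route table: the local route is implicit; only this table
  # gets 0.0.0.0/0 -> IGW, so the private subnet never sees that route.
  PUBRT=$(q create-route-table --vpc-id "$VPC" --query RouteTable.RouteTableId)
  q create-route --route-table-id "$PUBRT" --destination-cidr-block 0.0.0.0/0 \
    --gateway-id "$IGW" >/dev/null
  PUB=$(q create-subnet --vpc-id "$VPC" --cidr-block 10.0.1.0/24 \
    --availability-zone "$AZ" --query Subnet.SubnetId)
  PRIV=$(q create-subnet --vpc-id "$VPC" --cidr-block 10.0.2.0/24 \
    --availability-zone "$AZ" --query Subnet.SubnetId)
  # Only the public subnet is moved off the main route table.
  q associate-route-table --route-table-id "$PUBRT" --subnet-id "$PUB" >/dev/null
  # MyWebSG: 22 and 80 from anywhere, as in the notes (tighten 22 later).
  WEBSG=$(q create-security-group --vpc-id "$VPC" --group-name MyWebSG \
    --description "web tier" --query GroupId)
  for p in 22 80; do
    q authorize-security-group-ingress --group-id "$WEBSG" --protocol tcp \
      --port "$p" --cidr 0.0.0.0/0 >/dev/null
  done
  # MyBackendSG: 8080 only from members of MyWebSG. A group reference rather
  # than a CIDR, so the backend port is unreachable from anywhere else.
  BACKSG=$(q create-security-group --vpc-id "$VPC" --group-name MyBackendSG \
    --description "backend tier" --query GroupId)
  q authorize-security-group-ingress --group-id "$BACKSG" --protocol tcp \
    --port 8080 --source-group "$WEBSG" >/dev/null
  # bastionSG: 22 from the internet; the private instance is reached through it.
  BASTSG=$(q create-security-group --vpc-id "$VPC" --group-name bastionSG \
    --description "bastion" --query GroupId)
  q authorize-security-group-ingress --group-id "$BASTSG" --protocol tcp \
    --port 22 --cidr 0.0.0.0/0 >/dev/null
  echo "vpc=$VPC public=$PUB private=$PRIV web=$WEBSG backend=$BACKSG bastion=$BASTSG"
}
```

Source the file and call build_custom_vpc; the web, backend and bastion instances are then launched separately with run-instances into the subnet and security group the script prints.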