10 Things I Wish I Knew About EC2 Before Starting

Prashant Lakhera
6 min readJun 3, 2024

--

Today, I want to share some of the features of EC2 I have learned over using AWS for years. While many of you might already be familiar with these features, I hope you discover at least one new thing from this blog. If you do, I’ll consider it a success. Additionally, please share your experiences and any features you love that should be added to this list.
I will share the advantages of each feature and some pitfalls or considerations you need to be aware of while using them.

1️⃣ Get system logs

✅ System logs help diagnose kernel problems, service configuration, or any issue that becomes your instance unreachable.

❌ It’s not real-time; only the most recent 64KB of posted output is stored.

💡You can also access the serial console, but the instance type must be Nitro based.

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-console.html

aws ec2 get-console-output --instance-id <instance id>

2️⃣ Replace root volumes

✅ This is a life savior for me and helpful in cases where your system is not reachable after the Kernel upgrade. If you took a snapshot of the same volume, you could replace it with just one click. You can restore the instance’s root volume to its initial launch state from a specific snapshot or an AMI.
❌ Remember snapshot is from the same volume, and during the restore process, the RAM content is erased during the reboot.

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/replace-root.html

3️⃣ Connect to EC2 instance if you lost SSH Keypair

✅ Amazon has well-documented steps for connecting to an EC2 instance if you lose the SSH key pair. The easiest one is to copy the below script under user data https://aws.amazon.com/premiumsupport/knowledge-center/user-data-replace-key-pair-ec2/

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
- name: username <-- Don't forget to replace your username(centos, ec2-user)
ssh-authorized-keys:
- PublicKeypair <-- Copy the entire public key starting with ssh-rsa
  • Use the below command to get the public part of the key from the private key pair.
ssh-keygen -y -f <private key pair>

❌ Require a stop and start of the instance. If you are using public IP, that IP will be lost(the best practice is to use the Elastic IP)

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/describe-keys.html

🎥 https://www.youtube.com/watch?v=5V2hKFj9_SI

4️⃣ EC2 Instance connect

✅ Simple and secure way to connect to an EC2 instance without sharing and managing SSH keys. The way it works is when you connect to an instance using EC2 instance connect, the API pushes a one-time-use SSH public key to the instance metadata where it remains for 60 seconds. An IAM policy attached to your IAM user authorizes your IAM user to push the public key to the instance metadata. The SSH daemon uses AuthorizedKeysCommand and AuthorizedKeysCommandUser, configured when Instance Connect is installed, to look up the public key from the instance metadata for authentication and connect you to the instance.

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html

5️⃣ Change the EC2 instance type

✅AWS provides a way to resize/change the instance type of an existing instance. E.g. you choose the instance type which is too small or under utilized.
❌ In case your instance is part of the auto-scaling group, auto-scaling will mark that instance unhealthy and try to replace it with a healthy instance. So before performing the instance type change, always suspend the scaling process

https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-suspend-resume-processes.html

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html

6️⃣ Attaching multiple ENI to the instance

Depending upon the type of instance, we can attach multiple ENI to the instance https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI

✅ Use case EKS, which uses these secondary IP addresses by assigning an IP address to your pod, and these pods will act as first class citizens of your VPC.

ENI is an availability zone scoped. When you create an ENI, you are creating it into a specific availability zone within your VPC, you can’t move that ENI to another availability zone.

Default ENI created during the instance creation can’t be detached or deleted and lives for the lifecycle of the instance it was created with.

7️⃣ Attach multiple Security Group(SG)

✅ Security Groups are attached to Elastic Network Interfaces (ENIs). I think we use this in loose terms where we mentioned SG is attached to an instance, whereas in reality, it’s attached to an Elastic Network Interfaces (ENIs).
✅ As mentioned in #6, an instance can have multiple ENI(depending upon the instance type), meaning it can have multiple security groups attached.
✅ Use case, one ENI could be used for external traffic, and a different ENI could be used for internal traffic.

8️⃣ Instance Termination Protection

✅ I found this feature handy to prevent the instance from being deleted accidentally.

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html

9️⃣ Attach or Replace an IAM role to an existing instance

✅ Anyone using AWS for sometime(~5 year) knows this feature’s importance. Earlier, if we needed to modify the existing IAM role attached to an instance, we needed to rebuild the instance from the snapshot.

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

🔟 Launch more like this

✅ This, for me, is a kind of hidden feature. We generally use the Infrastructure as Code(IaC) tool to ensure the new instance we launch have the same configuration. This feature enables you to use a current instance as a base for launching other instances. This option automatically populates the Amazon EC2 launch instance wizard with specific configuration details from the selected instance.
❌ These were not copied number of ENI(only the default one copied) and storage(only default storage)

--

--

Prashant Lakhera

AWS Community Builder, Ex-Redhat, Author, Blogger, YouTuber, RHCA, RHCDS, RHCE, Docker Certified,4XAWS, CCNA, MCP, Certified Jenkins, Terraform Certified, 1XGCP