10 things I wish I knew about EC2

Today I am sharing some EC2 features that I learned while using AWS over many years. Most of you will already be aware of them, but if you learn at least one new thing from this post, I will believe I have done a good job 🕺. And please share your experience if there is a feature you love that should be added to this list 🙏.

To read the complete blog post: https://www.101daysofdevops.com/courses/100-days-of-aws/lessons/day-54/

✅ Console output (the system log) helps diagnose kernel problems, service misconfiguration, or any other issue that makes your instance unreachable, because it is captured outside the instance and needs no SSH access.

❌ It is not real-time: the output is buffered and posted after instance state transitions (boot, stop, reboot, terminate), so it can lag by several minutes, and only the most recent 64 KB of output is kept.

💡 For an interactive console you can use the EC2 serial console, but the instance type must be Nitro-based, serial console access must be enabled at the account level (aws ec2 enable-serial-console-access), and an OS user needs a password set to log in at the prompt. Because it is a login prompt gated only by IAM, grant ec2-instance-connect:SendSerialConsoleSSHPublicKey sparingly.

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-console.html

aws ec2 get-console-output --instance-id <instance id> --latest --output text --query Output

(--latest returns the most recent output instead of the output from the last boot; --output text --query Output prints the decoded log with real newlines instead of a JSON string.)
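As an added example (my own script, not from the original post or from AWS), the following shell wrapper pulls the latest console output and scans a saved copy for the boot failure signatures that most often explain an unreachable instance. The signature list, the sample log and the instance id format are assumptions; set INSTANCE_ID to run it against a real instance.

```sh
#!/bin/sh
# Added example (not from the original post): fetch an instance's console
# output and scan it for the boot-time failure signatures that usually explain
# an unreachable instance. The signature list below is my own, not AWS's.

# Print the latest 64 KB of console output as plain text.
# Usage: fetch_console_output i-0123456789abcdef0 [region]
fetch_console_output() {
    instance_id=$1
    region=${2:-${AWS_DEFAULT_REGION:-us-east-1}}
    aws ec2 get-console-output \
        --instance-id "$instance_id" \
        --region "$region" \
        --latest \
        --output text \
        --query Output
}

# Scan a saved console log (file path in $1). Prints one HIT line per matching
# signature; exit status 1 when anything matched, 0 when the log looks clean.
scan_console_output() {
    logfile=$1
    found=0
    while IFS='|' read -r pattern meaning; do
        if grep -Eiq -- "$pattern" "$logfile"; then
            printf 'HIT %-24s %s\n' "$pattern" "$meaning"
            found=1
        fi
    done <<'EOF'
Kernel panic|kernel did not boot: roll back the kernel or replace the root volume
Out of memory|OOM killer ran: a process (possibly sshd) may have been killed
fsck failed|root filesystem check failed: repair it from a rescue instance
Failed to start OpenSSH|sshd did not start: check sshd_config from a rescue instance
No space left on device|root filesystem is full: cloud-init and sshd may not start
EOF
    return $found
}

# Constructed sample of a broken boot (not a real capture) for trying the scanner offline.
write_sample_console_log() {
    cat > "$1" <<'EOF'
[    0.000000] Linux version 5.10.184-175.749.amzn2.x86_64 (mockbuild@ip-10-0-1-2)
[    1.204518] EXT4-fs (nvme0n1p1): mounted filesystem with ordered data mode.
[    2.311002] systemd[1]: Starting OpenSSH server daemon...
[    2.498731] Out of memory: Killed process 1234 (sshd) total-vm:12345kB
[    2.512908] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
EOF
}

# Scan a live instance only when an id is supplied, e.g.
#   INSTANCE_ID=i-0123456789abcdef0 sh console-scan.sh
if [ -n "${INSTANCE_ID:-}" ]; then
    log=$(mktemp)
    fetch_console_output "$INSTANCE_ID" > "$log"
    scan_console_output "$log"
fi
```

If the kernel lines look healthy but sshd never logs anything, the serial console mentioned above is the next step, since it gives you a prompt without a working network stack.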

✅ Replace root volume: this is a lifesaver for me and helpful when your system is unreachable after a kernel upgrade. If you took a snapshot of the root volume beforehand, you can swap it back in with one click. You can restore the instance's root volume to its initial launch state, to a specific snapshot, or to an AMI.
❌ The snapshot must be of the instance's current root volume, the instance is rebooted as part of the task so everything in memory is lost, and the old root volume is left detached in your account (you pay for it until you delete it, or keep it for forensics).

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/replace-root.html
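The two halves of that workflow, as an added example (my own shell, not the post's or AWS's): snapshot the root volume before the kernel upgrade, and if the instance does not come back, run a replace-root-volume task after checking that the snapshot really is of the instance's current root volume. Instance, snapshot and AMI ids are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): snapshot the root volume before a
# risky change, and roll back with a replace-root-volume task if the instance
# does not come back. All ids in comments are placeholders.

# EBS volume id behind the instance's root device.
root_volume_id() {
    root_dev=$(aws ec2 describe-instances --instance-ids "$1" \
        --query 'Reservations[0].Instances[0].RootDeviceName' --output text)
    aws ec2 describe-instances --instance-ids "$1" \
        --query "Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName=='$root_dev'].Ebs.VolumeId" \
        --output text
}

# Step 1, before the kernel upgrade: snapshot the root volume, print the snapshot id.
snapshot_root() {
    vol=$(root_volume_id "$1")
    aws ec2 create-snapshot --volume-id "$vol" \
        --description "pre-upgrade root of $1" \
        --tag-specifications "ResourceType=snapshot,Tags=[{Key=Name,Value=pre-upgrade-$1}]" \
        --query SnapshotId --output text
}

# Volume a snapshot was taken from (a replace task only accepts snapshots of
# the instance's current root volume).
snapshot_volume_id() {
    aws ec2 describe-snapshots --snapshot-ids "$1" \
        --query 'Snapshots[0].VolumeId' --output text
}

# Step 2, if the instance is unreachable: restore_root INSTANCE [snap-xxx|ami-xxx|launch]
# "launch" (the default) restores the root volume to its initial launch state.
restore_root() {
    inst=$1
    src=${2:-launch}
    case $src in
        snap-*)
            if [ "$(snapshot_volume_id "$src")" != "$(root_volume_id "$inst")" ]; then
                echo "$src is not a snapshot of the current root volume of $inst" >&2
                return 1
            fi
            extra="--snapshot-id $src" ;;
        ami-*)  extra="--image-id $src" ;;
        launch) extra="" ;;
        *)      echo "unknown restore source: $src" >&2; return 2 ;;
    esac
    # The task reboots the instance. The old root volume is kept (detached)
    # unless you pass --delete-replaced-root-volume, so it stays available for analysis.
    task=$(aws ec2 create-replace-root-volume-task --instance-id "$inst" $extra \
        --query 'ReplaceRootVolumeTask.ReplaceRootVolumeTaskId' --output text)
    while :; do
        state=$(aws ec2 describe-replace-root-volume-tasks --replace-root-volume-task-ids "$task" \
            --query 'ReplaceRootVolumeTasks[0].TaskState' --output text)
        case $state in
            succeeded) echo "$task: $state"; return 0 ;;
            failed*)   echo "$task: $state" >&2; return 1 ;;
        esac
        sleep 10
    done
}
```

Tag the pre-upgrade snapshot with the instance id as shown, so that weeks later you can still tell which snapshot is a valid restore point for which instance; the volume check in restore_root is what the API enforces, but failing early with a clear message beats a failed task.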

✅ Lost SSH key pair: AWS has well-documented steps for connecting to an EC2 instance when you lose the key pair. The easiest is to put the script below into the instance's user data (https://aws.amazon.com/premiumsupport/knowledge-center/user-data-replace-key-pair-ec2/): on the next boot, cloud-init re-runs the users-groups module and adds the new public key for the named user.

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
  - name: username
    ssh-authorized-keys:
    - PublicKeypair

Replace username with the OS user for your AMI (ec2-user, centos, ubuntu, ...) and PublicKeypair with the entire public key line (starting with ssh-rsa or ssh-ed25519), keeping the YAML indentation as shown. To get the public part from the private key pair:

ssh-keygen -y -f <private key pair>

❌ Requires a stop and start of the instance. If the instance uses an auto-assigned public IP, that address is released and a new one assigned on start (best practice is to use an Elastic IP), and any data on instance store volumes is lost.

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/describe-keys.html

🎥 https://www.youtube.com/watch?v=5V2hKFj9_SI
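An added example (mine, not from the post or the AWS article) that generates this user data from a username and a public key line, refuses anything that is not a single public key, and then runs the stop, modify-user-data, start sequence. The base64 step follows the EC2 user guide's procedure for modifying instance user data; file names, the OS user and the instance id are placeholders, and the public key used in the self-check is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): build the cloud-init user data
# that re-adds an SSH public key for an OS user, verify it, then apply it to the
# stopped instance. File names and ids are placeholders.

# Public half of a private key, which is all cloud-init needs.
public_key_of() {
    ssh-keygen -y -f "$1"
}

# Accept only a single OpenSSH public-key line. Pasting a private key here would
# store it in user data, which anyone with DescribeInstanceAttribute on the
# instance, or any process on it (via the metadata service), can read.
valid_public_key() {
    nl='
'
    case $1 in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp"*|"sk-ssh-ed25519"*) ;;
        *) return 1 ;;
    esac
    case $1 in *"$nl"*) return 1 ;; esac
    return 0
}

# write_recovery_userdata OS_USER "PUBLIC_KEY_LINE" OUTPUT_FILE
# The "once" frequency makes cloud-init run users-groups again on the next
# boot even though that module already ran at first launch.
write_recovery_userdata() {
    user=$1
    pubkey=$2
    out=$3
    valid_public_key "$pubkey" || { echo "not a single OpenSSH public key line" >&2; return 1; }
    cat > "$out" <<EOF
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
  - name: $user
    ssh-authorized-keys:
    - $pubkey
EOF
}

# Apply it: stop, set user data, start. The public IPv4 changes unless the
# instance has an Elastic IP, and instance store volumes are wiped.
recover_instance_access() {
    inst=$1
    userdata=$2
    aws ec2 stop-instances --instance-ids "$inst" >/dev/null
    aws ec2 wait instance-stopped --instance-ids "$inst"
    base64 "$userdata" > "$userdata.b64"
    aws ec2 modify-instance-attribute --instance-id "$inst" \
        --attribute userData --value "file://$userdata.b64"
    aws ec2 start-instances --instance-ids "$inst" >/dev/null
    aws ec2 wait instance-running --instance-ids "$inst"
}

# Example run (only when the variables are set):
#   OS_USER=ec2-user PRIVATE_KEY=~/.ssh/new-key.pem INSTANCE_ID=i-0123456789abcdef0 sh recover.sh
if [ -n "${INSTANCE_ID:-}" ] && [ -n "${PRIVATE_KEY:-}" ]; then
    write_recovery_userdata "${OS_USER:-ec2-user}" "$(public_key_of "$PRIVATE_KEY")" recovery-userdata.txt
    recover_instance_access "$INSTANCE_ID" recovery-userdata.txt
fi
```

Once you are back in, replace the user data with whatever the instance normally carries: it is only a public key, but user data is readable by every process on the instance through the metadata service and records which user and key were granted access.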

✅ EC2 Instance Connect is a simple and secure way to connect to an EC2 instance without sharing or managing long-lived SSH keys. When you connect with Instance Connect, the API pushes a one-time-use SSH public key to the instance metadata, where it stays for 60 seconds. An IAM policy on your user or role authorizes the push (ec2-instance-connect:SendSSHPublicKey, which you can scope to specific instances and OS users with the ec2:osuser condition key). The SSH daemon uses the AuthorizedKeysCommand and AuthorizedKeysCommandUser settings, configured when the ec2-instance-connect package is installed, to look the public key up in the instance metadata, authenticate you, and connect you to the instance. The instance's security group still has to allow inbound SSH from where you connect: your own IP for the CLI, or the published Instance Connect address range for your region when connecting from the console.

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html
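The flow above from the CLI, as an added example (my own, not from the post or AWS): a scoped IAM policy for SendSSHPublicKey, and a connect function that generates a throw-away key, pushes it, and opens SSH inside the 60-second window. Account id, region, instance id and OS user are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): connect with EC2 Instance Connect
# from the CLI using a throw-away key, plus the IAM policy that limits who may
# push keys to which instance as which OS user. Account, region and ids are placeholders.

# Least-privilege policy: one instance, one OS user. ec2:osuser is the condition
# key the service checks on SendSSHPublicKey; DescribeInstances is what the CLI
# below (and the console) needs to find the instance.
instance_connect_policy() {
    account=$1
    region=$2
    instance=$3
    osuser=$4
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:$region:$account:instance/$instance",
      "Condition": { "StringEquals": { "ec2:osuser": "$osuser" } }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
EOF
}

# connect INSTANCE_ID [OS_USER]: the key pair lives for one session only.
connect() {
    instance=$1
    osuser=${2:-ec2-user}
    keydir=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -f "$keydir/eic"
    read -r host az <<EOF
$(aws ec2 describe-instances --instance-ids "$instance" \
    --query 'Reservations[0].Instances[0].[PublicIpAddress,Placement.AvailabilityZone]' \
    --output text)
EOF
    # From here the key is valid in the instance metadata for 60 seconds.
    aws ec2-instance-connect send-ssh-public-key \
        --instance-id "$instance" \
        --instance-os-user "$osuser" \
        --availability-zone "$az" \
        --ssh-public-key "file://$keydir/eic.pub" >/dev/null
    # IdentitiesOnly keeps ssh from offering every agent key first, which can use
    # up the server's authentication attempts (and the 60-second window) before this one.
    ssh -o IdentitiesOnly=yes -i "$keydir/eic" "$osuser@$host"
    rm -rf "$keydir"
}

# Usage (not run during tests):
#   instance_connect_policy 123456789012 us-east-1 i-0123456789abcdef0 ec2-user > eic-policy.json
#   connect i-0123456789abcdef0 ec2-user
```

Recent AWS CLI v2 releases also provide aws ec2-instance-connect ssh --instance-id ..., which does the same key push and ssh in one step; the policy is the part worth keeping either way, because without the ec2:osuser condition a user who may push keys can log in as any OS account, root included.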

✅ Resize: AWS lets you change the instance type of an existing instance, e.g. when the type you chose is too small or is underutilized. The instance must be EBS-backed, it goes through a stop and start (so an auto-assigned public IP changes and instance store data is lost), and the new type must support the AMI's architecture (x86_64 vs arm64).
❌ If the instance is part of an Auto Scaling group, the group will mark the stopped instance unhealthy and replace it with a new one. Before changing the instance type, suspend the HealthCheck and ReplaceUnhealthy scaling processes (or put the instance into Standby), and resume them afterwards:

📖 https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-suspend-resume-processes.html

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html
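An added example (mine, not the post's) of the resize procedure with the Auto Scaling caveat handled: it checks that the target type supports the instance's architecture, suspends HealthCheck and ReplaceUnhealthy if the instance is in a group, does the stop/modify/start, and resumes the processes. Instance id, group name and instance types are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): change the instance type of an
# EBS-backed instance that belongs to an Auto Scaling group without the group
# replacing it. Ids and names are placeholders.

# Name of the Auto Scaling group the instance belongs to ("None" if standalone).
asg_of() {
    aws autoscaling describe-auto-scaling-instances --instance-ids "$1" \
        --query 'AutoScalingInstances[0].AutoScalingGroupName' --output text
}

# arch_compatible ARCH "SUPPORTED ARCHS", e.g. arch_compatible x86_64 "x86_64 i386".
# An x86_64 instance cannot start on an arm64 (Graviton) type, or the reverse,
# so check before stopping anything.
arch_compatible() {
    for a in $2; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# resize_instance INSTANCE_ID NEW_TYPE
resize_instance() {
    inst=$1
    newtype=$2
    arch=$(aws ec2 describe-instances --instance-ids "$inst" \
        --query 'Reservations[0].Instances[0].Architecture' --output text)
    supported=$(aws ec2 describe-instance-types --instance-types "$newtype" \
        --query 'InstanceTypes[0].ProcessorInfo.SupportedArchitectures' --output text)
    if ! arch_compatible "$arch" "$supported"; then
        echo "$newtype supports [$supported], but the instance is $arch" >&2
        return 1
    fi
    asg=$(asg_of "$inst")
    if [ "$asg" = None ]; then asg=""; fi
    if [ -n "$asg" ]; then
        # Otherwise the group sees the stopped instance as unhealthy and replaces it.
        aws autoscaling suspend-processes --auto-scaling-group-name "$asg" \
            --scaling-processes HealthCheck ReplaceUnhealthy
    fi
    aws ec2 stop-instances --instance-ids "$inst" >/dev/null
    aws ec2 wait instance-stopped --instance-ids "$inst"
    aws ec2 modify-instance-attribute --instance-id "$inst" --instance-type "Value=$newtype"
    aws ec2 start-instances --instance-ids "$inst" >/dev/null
    aws ec2 wait instance-running --instance-ids "$inst"
    if [ -n "$asg" ]; then
        aws autoscaling resume-processes --auto-scaling-group-name "$asg" \
            --scaling-processes HealthCheck ReplaceUnhealthy
    fi
    echo "$inst is now $newtype"
}

# Usage (not run during tests):
#   resize_instance i-0123456789abcdef0 t3.large
```

If you would rather keep the group at full capacity while you work, the alternative is aws autoscaling enter-standby for the instance (without decrementing desired capacity the group launches a temporary replacement), resize, then exit-standby.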

✅ Multiple ENIs: depending on the instance type, you can attach several elastic network interfaces to an instance, each with multiple private IP addresses: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI

✅ Use case: Amazon EKS (through the VPC CNI plugin) assigns these secondary IP addresses to pods, so pods are first-class citizens of your VPC with routable VPC addresses.

❌ An ENI is availability-zone scoped. It is created in a specific subnet, and therefore a specific availability zone, and it cannot be moved to another zone or attached to an instance in a different zone.

❌ The primary ENI (eth0, device index 0) created with the instance cannot be detached or deleted and lives for the lifetime of that instance.

✅ Security groups are attached to Elastic Network Interfaces (ENIs). We loosely say a security group is attached to an instance, whereas in reality it is attached to an ENI.
✅ As mentioned in the ENI point above, an instance can have multiple ENIs (depending on the instance type), so different interfaces of the same instance can carry different sets of security groups.
✅ Use case: one ENI with a tight security group for external traffic and a different ENI with its own security group for internal traffic.
❌ With more than one ENI the OS needs policy-based routing, otherwise replies to traffic that arrived on the secondary interface can leave through the primary one with the wrong source address and be dropped by the source/destination check.
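The internal/external split above, as an added example (my own, not from the post): attach a second ENI with its own security group, after checking that the subnet is in the instance's availability zone and picking the next free device index, then list the groups per ENI to see where they are really attached. All ids are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): give an instance a second ENI for
# internal traffic with its own security group, then list the security groups
# each ENI actually carries. Ids are placeholders.

# next_device_index "USED INDEXES": lowest device index not already attached,
# e.g. next_device_index "0 1 3" -> 2 (the instance type caps how many you get).
next_device_index() {
    i=0
    while :; do
        used=0
        for d in $1; do
            [ "$d" -eq "$i" ] && used=1
        done
        if [ "$used" -eq 0 ]; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
}

instance_az() {
    aws ec2 describe-instances --instance-ids "$1" \
        --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text
}

subnet_az() {
    aws ec2 describe-subnets --subnet-ids "$1" \
        --query 'Subnets[0].AvailabilityZone' --output text
}

# attach_internal_eni INSTANCE_ID SUBNET_ID SECURITY_GROUP_ID: prints the attachment id.
attach_internal_eni() {
    inst=$1
    subnet=$2
    sg=$3
    # An ENI lives in one subnet, hence one AZ; attaching across AZs is impossible.
    if [ "$(instance_az "$inst")" != "$(subnet_az "$subnet")" ]; then
        echo "subnet $subnet is not in the availability zone of $inst" >&2
        return 1
    fi
    used=$(aws ec2 describe-instances --instance-ids "$inst" \
        --query 'Reservations[0].Instances[0].NetworkInterfaces[].Attachment.DeviceIndex' --output text)
    idx=$(next_device_index "$used")
    eni=$(aws ec2 create-network-interface --subnet-id "$subnet" --groups "$sg" \
        --description "internal traffic for $inst" \
        --query 'NetworkInterface.NetworkInterfaceId' --output text)
    aws ec2 attach-network-interface --network-interface-id "$eni" \
        --instance-id "$inst" --device-index "$idx" \
        --query AttachmentId --output text
}

# One line per ENI: interface id, device index, and its security groups. This is
# where a group is really attached, whatever the console's instance view suggests.
list_eni_security_groups() {
    aws ec2 describe-network-interfaces \
        --filters "Name=attachment.instance-id,Values=$1" \
        --query "NetworkInterfaces[].[NetworkInterfaceId,Attachment.DeviceIndex,join(',',Groups[].GroupId)]" \
        --output text
}

# Usage (not run during tests):
#   attach_internal_eni i-0123456789abcdef0 subnet-0internal sg-0internal
#   list_eni_security_groups i-0123456789abcdef0
```

After attaching, configure the second interface in the OS with its own routing table and a policy rule for its address; a second interface that "works" for inbound but whose replies silently vanish is almost always the asymmetric-routing problem noted above.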

✅ Termination protection (the disableApiTermination attribute): I found this feature handy for preventing an instance from being terminated accidentally.
❌ It only blocks termination requests made through the API or console. It does not stop an Auto Scaling group from terminating the instance, a Spot interruption, or an OS-initiated shutdown when the instance's shutdown behavior is set to terminate. Accidental stops are covered by the separate stop protection attribute (disableApiStop).

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html

✅ Attach or replace an IAM role on a running instance: anyone using AWS for some time (~5 years) knows the importance of this feature. Earlier, if we needed to modify the IAM role attached to an instance, we had to rebuild the instance from a snapshot; now the role can be attached, replaced, or detached in place.

📖 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
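Replacing the role in place from the CLI, as an added example (mine, not from the post): find the current association id (the step most people miss), replace or associate accordingly, and verify from inside the instance which role the metadata service now serves. Instance id and profile name are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): replace the IAM role on a running
# instance in place, then verify from the instance. Names and ids are placeholders.

# Association id of the instance profile currently attached, or "None".
current_profile_association() {
    aws ec2 describe-iam-instance-profile-associations \
        --filters "Name=instance-id,Values=$1" "Name=state,Values=associated" \
        --query 'IamInstanceProfileAssociations[0].AssociationId' --output text
}

# set_instance_profile INSTANCE_ID PROFILE_NAME: attach if none, replace otherwise.
# No stop/start is needed; the instance keeps running throughout.
set_instance_profile() {
    inst=$1
    profile=$2
    assoc=$(current_profile_association "$inst")
    if [ -z "$assoc" ] || [ "$assoc" = None ]; then
        aws ec2 associate-iam-instance-profile --instance-id "$inst" \
            --iam-instance-profile "Name=$profile" \
            --query 'IamInstanceProfileAssociation.State' --output text
    else
        aws ec2 replace-iam-instance-profile-association --association-id "$assoc" \
            --iam-instance-profile "Name=$profile" \
            --query 'IamInstanceProfileAssociation.State' --output text
    fi
}

# Run on the instance itself: the role name the metadata service now hands out,
# fetched with an IMDSv2 session token rather than a bare GET.
imds_current_role() {
    token=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    curl -s -H "X-aws-ec2-metadata-token: $token" \
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}

# Usage (not run during tests):
#   set_instance_profile i-0123456789abcdef0 app-role-profile   # from your workstation
#   imds_current_role                                          # from the instance
```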

✅ Launch more like this: for me this is a kind of hidden feature. We generally use an Infrastructure as Code (IaC) tool to ensure each new instance we launch has the same configuration. This feature lets you use a current instance as the base for launching others: it automatically populates the EC2 launch instance wizard with configuration details from the selected instance.
❌ Not everything is copied: only the primary ENI (additional network interfaces are not) and only the default storage (additional volumes are not), so re-check the network and storage sections of the wizard before launching.

📖 To view the complete course: https://lnkd.in/gjeGAPd2

➡️ You can contact me via https://lnkd.in/dePjvNDw

Prashant Lakhera

AWS Community Builder, Ex-Redhat, Author, Blogger, YouTuber, RHCA, RHCDS, RHCE, Docker Certified,4XAWS, CCNA, MCP, Certified Jenkins, Terraform Certified, 1XGCP