Basic configuration for general purpose Amazon EC2 instances

By Philip Knerr

Introduction

Are you interested in configuring a general purpose Elastic Compute Cloud (EC2) instance at Amazon Web Services (AWS)? Here’s how!

This configuration is designed to keep all data files on a separate volume. This facilitates moving the data volume to a separate instance if necessary.

The context and caveats in the Foreword apply to this article.

This information is current as of July 4, 2017.

Creating an Amazon EC2 instance

First, you’ll need to access the Amazon Web Services website at: https://aws.amazon.com/

If you don’t already have an AWS account, it’s easy to create one. Just click the “Create an AWS Account” button in the upper-right hand corner of the page. But note that the clock starts ticking on the 12 months of the Free Tier when you create an AWS account, not when you spin up your first EC2 instance. So you’ll want to wait until you’re ready to start configuring your EC2 instance before creating your AWS account.

If you already have an account, you can just go to the “My Account” drop-down menu in the header. From that menu, select “AWS Management Console”. You may be prompted to sign in if you have not already done so.

Once signed in to the AWS Management Console, make sure the best region for you is selected. AWS hardware is housed at several places throughout the world so as to be closer to the people it serves. Each of these places is known as a region. In the upper-right corner of the page, there should be a drop-down menu titled “N. Virginia”, or possibly the name of another place. From this menu, select the region closest to you or, more importantly, your users.

Then, go to the EC2 Dashboard. To do so, click the “EC2” link on the main page of the AWS Management Console. This link can be found by opening the “All Services” drop-down menu and looking under the “Compute” section.

From that page, create an Amazon Elastic Compute Cloud (EC2) instance by clicking the “Launch Instance” button. An EC2 instance is a virtual server. It appears to the outside world to be a distinct computing system. However, it is actually hosted by a physical server which may also host other virtual servers. Fortunately, even in that case, the virtual servers are strictly isolated from each other.

Then, configure your new EC2 instance as follows:

Step 1: Choose an Amazon Machine Image (AMI)

Unless you have a specific reason not to, select the most recent version of the Amazon Linux AMI. As of this writing, this is “Amazon Linux AMI 2017.03.1 (HVM), SSD Volume Type”, with a unique ID of “ami-a4c7edb2”. An AMI includes an operating system and other applications and configuration settings needed for you to get started.

As soon as you click the “Select” button next to the AMI, you’ll proceed to the next step.

Step 2: Choose an Instance Type

If in doubt, choose “t2.micro”. If you qualify for the Free Tier, you can spin up one t2.micro EC2 instance at no charge. This type is also adequate for many applications. If you don’t qualify for the Free Tier, the “t2.nano” instance type is somewhat cheaper and still suitable for some applications.

The Instance Type needed is highly dependent on exactly what you want to do with your EC2 instance. Generally, more intensive applications require more powerful EC2 instances. But you don’t want to overprovision, because more powerful EC2 instances cost more money. The specific computing resources your applications require are also relevant. For more intensive applications, EC2 instances optimized for computing power, memory, or storage are offered.

Then, click the “Next: Configure Instance Details” button to proceed to the next step.

Step 3: Configure Instance Details

In the “Subnet” drop-down menu, the default setting of “No Preference” is usually acceptable. One exception is that if you would like to attach an existing volume to your new EC2 instance, you should instead select, from this drop-down menu, the Availability Zone for the subnet in which the volume exists.

In the “Auto-assign Public IP” drop-down menu, select “Disable”. This is because Public IP addresses are linked to a specific EC2 instance. Therefore, they are not suitable for DNS usage. (You will manually add an Elastic IP address later as described below.)

Check the “Enable termination protection” checkbox. This prevents you from accidentally destroying your EC2 instance.

In most cases, the default settings for other options in this step do not need to be changed.

Then, click the “Next: Add Storage” button to proceed to the next step.

Step 4: Add Storage

For the Root volume, uncheck the “Delete on termination” checkbox. This preserves the data on the root volume even if your EC2 instance is terminated. In most cases, the default settings for other options for this volume do not need to be changed.

Click the “Add New Volume” button to add a data volume. It is a good practice to keep data separated from core system files. One benefit is that you can later detach your data volume from this EC2 instance and reattach it to a different EC2 instance if needed. For the new volume, select the following options:

  • Volume Type: The default of “EBS” is fine in most cases.
  • Device: The default is fine in most cases. Remember this value, as it will be needed below.
  • Snapshot: Leave this field blank.
  • Size (GiB): If in doubt, enter 4. If you have a general idea of how much storage your applications will require, enter that amount here. It is wise to include a margin of safety. However, if you underestimated or your storage needs grow in the future, additional volumes can be added later.
  • Volume Type: The default of “General Purpose SSD (GP2)” is fine in most cases.
  • Delete on Termination: Make sure this checkbox is unchecked, for the reasons noted above.
  • Encrypted: You may check this checkbox if desired.

N.B. Storage can be added later under the “Volumes” page of the “Elastic Block Store” section of the EC2 Dashboard.

Then, click the “Next: Add Tags” button to proceed to the next step.

Step 5: Add Tags

You may tag your new EC2 instance with one or more key-value pairs. This step is completely optional.

Then, click the “Next: Configure Security Group” button to proceed to the next step.

Step 6: Configure Security Group

First, name the security group so it can be reused for other EC2 instances by selecting the following options:

  • Security group name: web-server
  • Description: Rules for EC2 instances which serve websites and web applications.

If you have already created this security group, you can skip this step. To do so, select the “Select an existing security group” radio button, then select this security group.

By default, the security group allows Secure Shell (SSH) traffic from 0.0.0.0/0. This rule allows anyone on the Internet to attempt to connect to your instance via SSH. This includes the ability to connect using protocols based on SSH, such as the Secure File Transfer Protocol (SFTP) and some configurations of the Git version control system. Of course, the correct key file or password is still needed to obtain access. If in doubt, leave this rule alone. However, you can improve security by editing this rule to accept SSH traffic only from specific, predefined IP addresses. This is feasible if:

  1. It is known in advance that the server will only need to be administered from specific local systems with known IP addresses.
  2. You are willing to connect to the EC2 Dashboard and adjust this rule every time you would like to connect from a new IP address.

N.B. SSH traffic should be accepted from any host which may need to use protocols enabled thereby, such as SFTP and Git.

Allow HTTP traffic from anywhere on the Internet. To do so, click the “Add Rule” button. Then, select a Type of “HTTP” in the new row. The other columns in the row should update to the correct defaults. In particular, the source should be 0.0.0.0/0, ::/0.

Allow Secure HTTP (HTTPS) traffic from anywhere on the Internet. To do so, click the “Add Rule” button again. Then, select a Type of “HTTPS” in the new row. The other columns in the row should update to the correct defaults. Again, the source should be 0.0.0.0/0, ::/0.

Other ports should continue to be disallowed. It is a good practice to enable only the specific ports which need to be accessed from outside the EC2 instance. Even then, the ports should only be accessible to the whole world if they potentially need to be accessed by anyone from anywhere.

N.B. Security groups can be edited later under the “Security Groups” page of the “Network & Security” section of the EC2 Management Console.
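The policy described in this step (HTTP and HTTPS open to everyone, SSH limited to known addresses, everything else closed) can be checked automatically. The following is an added example, not code from the original article or from AWS: it audits a security group in the shape returned by `aws ec2 describe-security-groups` and shows the corrected form of the SSH rule. The sample group and the admin address 203.0.113.10/32 are constructed for illustration.

```python
"""Audit an EC2 security group's inbound rules against the web-server policy:
HTTP/HTTPS may be open to the world, SSH should be limited to known
addresses, and nothing else should be reachable from 0.0.0.0/0 or ::/0."""
import copy

# Constructed sample in the shape of describe-security-groups output
# (SecurityGroups[0]); not taken from a real account. It has the default
# world-open SSH rule plus an accidental world-open MySQL rule.
SAMPLE_GROUP = {
    "GroupName": "web-server",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {80, 443}   # the only ports the article deliberately opens to everyone


def _span(lo: int, hi: int) -> str:
    return str(lo) if lo == hi else f"{lo}-{hi}"


def audit(group: dict) -> list:
    """Return findings as plain strings; an empty list means the group matches the policy."""
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        sources |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if not sources & WORLD:
            continue  # limited to specific addresses: what the article recommends
        if perm["IpProtocol"] == "-1":
            findings.append("all protocols and ports are open to the world")
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        if perm["IpProtocol"] == "tcp" and lo <= 22 <= hi:
            findings.append("SSH (22) is open to the world; restrict it to known addresses")
        if any(p not in PUBLIC_OK and p != 22 for p in range(lo, hi + 1)):
            findings.append(f"{perm['IpProtocol']} {_span(lo, hi)} is open to the world but is not HTTP/HTTPS")
    return findings


def restrict_ssh(group: dict, admin_cidr: str) -> dict:
    """Copy of the group with every SSH rule limited to admin_cidr (IPv4 only)."""
    out = copy.deepcopy(group)
    for perm in out["IpPermissions"]:
        if perm["IpProtocol"] == "tcp" and perm["FromPort"] <= 22 <= perm["ToPort"]:
            perm["IpRanges"] = [{"CidrIp": admin_cidr}]
            perm["Ipv6Ranges"] = []
    return out
```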

Then, click the “Review and Launch” button to proceed to the next step.

Step 7: Review Instance Launch

Double-check your selections here. It is easier to make changes now than it will be after your EC2 instance is launched.

When you are satisfied with your selections, click the “Launch” button.

Creating a new key pair

A modal pop-over will open, prompting you to create or select a key pair. A key pair allows you to connect to your EC2 instance with greater security. The key pair includes a private key and a public key. You need to install the private key on any local system from which you will access your EC2 instance via the command line. The public key is installed on your EC2 instance.

If you already have a key pair which you would like to reuse, select “Choose an existing key pair” from the first drop-down menu. Then, in the “Select a key pair” drop-down menu, choose the desired key pair.

Otherwise, select “Create a new key pair” from the first drop-down menu. In the “Key pair name” text field, enter a name for the key pair. The name can be whatever you like. Then, click “Download Key Pair”. Your web browser should prompt you to save the file containing your private key to your local system. This file should have an extension of .pem. Save the file locally. Be sure not to lose this file or forget where it was saved, as it can only be downloaded once for security reasons.

Then, change the file permissions of the private key file to a mode of 400. This mode ensures that other users of your local system cannot read the private key file or use it to access your instance. It also prevents you from accidentally overwriting the private key file. The following command may be used, where <fullPathToPrivateKeyFile> is the full path at which you stored your private key file on your local system:

chmod 400 <fullPathToPrivateKeyFile>

Then, click “Launch Instances”.

A page should be displayed to advise you that your EC2 instance is launching. It should advise you of the unique ID of your EC2 instance. This will be “i-”, followed by 17 hexadecimal digits. For example, it could look like “i-069e56789e2636e8c”. This page will correctly point out that it may take a few minutes for your EC2 instance to launch.

You may click the “View Instances” button to view your new EC2 instance. When the Instance State of your new EC2 instance is listed as “running”, it is ready to be configured. At this time, you may complete the configuration as follows:

Allocating an Elastic IP address

Elastic IPs persist as long as they are needed. They can even be reassigned between servers. This property makes Elastic IPs suitable for web servers, other Internet servers, and DNS usage. Therefore, assign one to your new EC2 instance as follows:

Go to the “Elastic IPs” page of the “Network & Security” section of the EC2 Dashboard.

Click the “Allocate new address” button. A new page will load with the message, “Allocate a new Elastic IP address by selecting the scope in which it will be used”. Confusingly, there is no option to select a scope, nor is it actually required to do so. All that is needed to confirm creating the IP address is to click the “Allocate” button. This will assign a new Elastic IP. Its IP address will be displayed in the following page. From here, you can just click “Close” to go back to the “Elastic IPs” page.

Select the new Elastic IP, if it is not already selected. Then, under the “Actions” drop-down menu, select “Associate address”. A new page will be displayed with a form. In this form, click the “Instance” field. A drop-down menu will be displayed with a list of the unique IDs of your EC2 instances. Select the resource identifier for the new EC2 instance. Then, click the “Associate” button. A confirmation message will be displayed in the following page. From here, you can just click “Close” to go back to the “Elastic IPs” page.

Configuring command-line aliases to connect to your EC2 instance

The commands to connect to your new EC2 instance are long. Fortunately, you can define command-line aliases which are easier to type and remember. This is technically optional, but it will make your life easier.

This section assumes you’re using bash, which is often the default shell in Linux distributions. The concepts should be similar if you’re using another shell.

On your local system, add the following lines to the .bash_aliases file in your home directory:

alias <sshAliasName>='ssh -i <fullPathToKeyFile> ec2-user@<elasticIP>'
alias <sftpAliasName>='sftp -i <fullPathToKeyFile> ec2-user@<elasticIP>'

In these aliases:

  • <sshAliasName> is the command you want to type to open a command line on your instance.
  • <sftpAliasName> is the command you want to type to transfer files to and from your instance.
  • <fullPathToKeyFile> is the full path to where you stored your key file on your local system.
  • <elasticIP> is the Elastic IP address for your instance. (The Public DNS will also work, as will another hostname which routes to this IP address. However, using the actual IP address works even in the unlikely event of a DNS failure. The Public DNS is based on the actual IP address, so it will change if the IP address does.)

For example:

alias ssh-mybox='ssh -i /home/me/AWS/KeyPair1.pem ec2-user@34.1.2.3'
alias sftp-mybox='sftp -i /home/me/AWS/KeyPair1.pem ec2-user@34.1.2.3'

Then, open a new shell instance. On Macintosh computers and many Linux distributions, this is done by opening a Terminal window. (This is necessary because the aliases only work in shells started after the aliases were defined.)

Now, you should be able to type either alias to connect to your AWS instance.

N.B. If you create a different account on the server for yourself, ec2-user in the commands above will need to be replaced by the username of your account.

Configuring your EC2 instance

Connecting to your EC2 instance

First, connect to your EC2 instance via SSH. This may be done by typing, on the command line of your local system, the name of the alias created above for this purpose.

The first time you connect, you should see a question similar to the following:

The authenticity of host '34.228.34.124 (34.228.34.124)' can't be established.
ECDSA key fingerprint is 8d:ef:30:a6:75:d0:6d:36:6a:3c:c3:cb:11:7f:b4:6d.
Are you sure you want to continue connecting (yes/no)?

This is normal, so type yes. Then, the system should display text similar to the following:

Warning: Permanently added '34.228.34.124' (ECDSA) to the list of known hosts.

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2017.03-release-notes/

Note that commands listed below should be executed on the instance, not on your local system.

You may or may not see a message similar to the following:

No packages needed for security; 3 packages available
Run "sudo yum update" to apply all updates.

This is fine. You’ll install any pending updates next.

Updating pre-installed packages

Update all packages which are currently installed. This is necessary because the packages included in the AMI are not always the latest versions. The AMI is a snapshot at a specific point in time, and packages are constantly being updated. Execute the following command:

sudo yum update -y

Initializing the data volume

Important: Omit the following step if you are reinstalling a data volume which already has data on it. The following step will destroy any data on the volume, so it should only be used on brand new volumes.

If the data volume is completely new and contains no data, initialize it with the ext4 file system. This is the newest version of the most common file system for Linux servers. Execute the following command:

sudo mkfs -t ext4 /dev/xvd<deviceLetter>

In this and subsequent commands, <deviceLetter> is the last letter of the Device selected when creating the data volume. For example, if the Device was /dev/sdb, <deviceLetter> would be b. In this case, you would type:

sudo mkfs -t ext4 /dev/xvdb

This command should respond with output similar to the following:

mke2fs 1.42.12 (29-Aug-2014)
Creating filesystem with 1048576 4k blocks and 262144 inodes
Filesystem UUID: 7e229227-a866-4c26-9d23-56def761900c
Superblock backups stored on blocks: 
    32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done 

Mounting the data volume

Note: Continue with the following step if you are reinstalling a data volume which already has data on it.

Create a directory in which to mount the data volume by executing the following command:

sudo mkdir /mnt/data1

You may choose a name for the directory other than data1 (but subsequent commands would need to be updated accordingly). While placing this directory in the /mnt/ directory is not required, doing so is a convention understood by other Linux DevOps professionals.

Then, edit the /etc/fstab file as the superuser. For example, to do so using the nano text editor, execute this command:

sudo nano /etc/fstab

Add the following line to the bottom of the file. The columns should ideally be lined up with the other columns.

/dev/xvd<deviceLetter>   /mnt/data1  ext4    defaults        1   1

Adding the data volume to this file should cause it to be automatically mounted if the EC2 instance is restarted in the future. Unfortunately, this is not retroactive. So for now, mount the data volume manually by executing the following command:

sudo mount /dev/xvd<deviceLetter>
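The data-volume steps above (device naming, mkfs, the /etc/fstab entry, mount) lend themselves to a small helper when the procedure is repeated for several instances. The following is an added example, not code from the original article: it maps the console’s Device name to the name Amazon Linux exposes, extracts the UUID from the mkfs output, and adds an fstab entry only once. It goes beyond the article’s entry in two ways: it identifies the volume by UUID rather than device name, and it adds the `nofail` option so that the instance still boots if the data volume has been detached and moved elsewhere, as the article anticipates. The sample fstab content is constructed.

```python
"""Helpers for the data-volume steps: console device name -> kernel device name,
UUID from mkfs output, and an idempotent /etc/fstab entry using UUID= and nofail."""
import re

# Constructed excerpt in the shape of the mkfs output shown above
SAMPLE_MKFS_OUTPUT = """mke2fs 1.42.12 (29-Aug-2014)
Creating filesystem with 1048576 4k blocks and 262144 inodes
Filesystem UUID: 7e229227-a866-4c26-9d23-56def761900c
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736
"""

# Constructed sample /etc/fstab with only the root volume present
SAMPLE_FSTAB = """#
LABEL=/     /           ext4    defaults,noatime  1   1
tmpfs       /dev/shm    tmpfs   defaults        0   0
"""


def console_to_kernel_device(device: str) -> str:
    """The console's /dev/sdX appears as /dev/xvdX on Amazon Linux; /dev/xvdX is kept."""
    m = re.fullmatch(r"/dev/(?:sd|xvd)([a-z])", device)
    if not m:
        raise ValueError(f"unexpected device name: {device}")
    return f"/dev/xvd{m.group(1)}"


def filesystem_uuid(mkfs_output: str) -> str:
    """Pull the 'Filesystem UUID:' line out of mkfs output (also printed by blkid)."""
    m = re.search(r"^Filesystem UUID:\s*([0-9a-f-]{36})\s*$", mkfs_output, re.M)
    if not m:
        raise ValueError("no Filesystem UUID found in mkfs output")
    return m.group(1)


def fstab_entry(uuid: str, mountpoint: str, fstype: str = "ext4") -> str:
    """UUID= survives device renames; nofail keeps boot going if the volume is absent;
    dump 0 (unused) and fsck pass 2 (root is pass 1)."""
    return f"UUID={uuid}  {mountpoint}  {fstype}  defaults,nofail  0  2"


def ensure_fstab_entry(fstab_text: str, entry: str) -> str:
    """Append entry unless the mount point is already configured (second column)."""
    mountpoint = entry.split()[1]
    for line in fstab_text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and len(fields) > 1 and fields[1] == mountpoint:
            return fstab_text  # already present: leave the file unchanged
    if fstab_text and not fstab_text.endswith("\n"):
        fstab_text += "\n"
    return fstab_text + entry + "\n"
```

After writing the returned text to /etc/fstab, `sudo mount /mnt/data1` mounts the volume by its fstab entry.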

Conclusion

You now have a functioning Amazon EC2 instance. However, it now needs to be configured to serve its specific purpose. Fortunately, AWS offers a great deal of flexibility in doing so.

–Phil Knerr