AWS EC2 — Elastic Compute Cloud Fundamentals

Beginner · Topic · 40 min · 6 min read · 10 Jan 2025 · AWS

Launch, configure, and connect to AWS EC2 instances. Understand instance types, AMIs, Security Groups, and key pairs.

What you'll learn

  • Understand what EC2 is and how it fits in the AWS compute family
  • Differentiate EC2 instance types and families
  • Launch an EC2 instance and connect via SSH
  • Configure Security Groups as virtual firewalls
  • Understand AMIs, EBS volumes, and instance lifecycle

Prerequisites

Relevant for certifications

SAA-C03, CLF-C02

What is Amazon EC2?

Elastic Compute Cloud (EC2) is AWS's virtual machine service. It lets you rent virtual servers in the cloud, choosing the OS, CPU, RAM, storage, and network configuration you need.

EC2 is the backbone of the AWS compute layer and is central to the SAA-C03 exam.

EC2 core idea

An EC2 instance is a virtual machine running on AWS hardware. You pay by the second (or hour) for as long as the instance runs.

EC2 Instance Types

Instance types define the hardware characteristics of your VM. They follow a naming pattern:

m5.xlarge
│  │ └── Size: nano / micro / small / medium / large / xlarge / 2xlarge…
│  └──── Generation: 5 (higher = newer)
└─────── Family: m (general purpose)

Instance Families

| Family | Use case            | Examples                |
|--------|---------------------|-------------------------|
| t      | Burstable, low-cost | t3.micro, t4g.small     |
| m      | General purpose     | m6i.large, m5.xlarge    |
| c      | Compute optimised   | c6i.large, c5.2xlarge   |
| r      | Memory optimised    | r6i.xlarge, r5.4xlarge  |
| i      | Storage optimised   | i3.large, i4i.xlarge    |
| p / g  | GPU / ML workloads  | p3.2xlarge, g4dn.xlarge |
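The naming pattern and the family table above are easy to get wrong by eye (is g4dn a GPU family or a Graviton type?). The following parser is an added example, not code from the article: it splits a type name into family, generation, attribute letters and size, maps the family back to the article's use-case table, and flags the two choices the article calls out (free-tier eligibility and burstable instances in production). The attribute-letter meanings are a small assumed subset of the ones AWS uses.

```python
import re
from dataclasses import dataclass
from typing import List

# Family -> use case, taken from the article's "Instance Families" table.
FAMILY_USE_CASE = {
    "t": "Burstable, low-cost",
    "m": "General purpose",
    "c": "Compute optimised",
    "r": "Memory optimised",
    "i": "Storage optimised",
    "p": "GPU / ML workloads",
    "g": "GPU / ML workloads",
}

# Letters that may follow the generation digit. Assumed subset only;
# AWS uses more attribute letters than listed here.
ATTRIBUTE_MEANING = {
    "g": "AWS Graviton (ARM) processor",
    "i": "Intel processor",
    "a": "AMD processor",
    "d": "local NVMe instance storage",
    "n": "higher network bandwidth",
}

FREE_TIER_TYPES = {"t2.micro", "t3.micro"}  # per the article's Free Tier note

# family = leading letters (non-greedy, so "m6i" -> family "m", attrs "i"),
# generation = digits, attrs = trailing letters, size = after the dot.
_TYPE_RE = re.compile(
    r"^(?P<family>[a-z]+?)(?P<generation>\d+)(?P<attrs>[a-z]*)\.(?P<size>[a-z0-9-]+)$"
)


@dataclass(frozen=True)
class InstanceType:
    family: str
    generation: int
    attributes: str
    size: str

    @property
    def use_case(self) -> str:
        return FAMILY_USE_CASE.get(self.family, "unknown family")

    @property
    def attribute_notes(self) -> List[str]:
        return [ATTRIBUTE_MEANING.get(c, f"unknown attribute '{c}'") for c in self.attributes]

    @property
    def is_burstable(self) -> bool:
        return self.family == "t"


def parse_instance_type(name: str) -> InstanceType:
    """Parse e.g. 'g4dn.xlarge' into its components; raise on malformed names."""
    m = _TYPE_RE.match(name.strip().lower())
    if not m:
        raise ValueError(f"not a valid EC2 instance type name: {name!r}")
    return InstanceType(m["family"], int(m["generation"]), m["attrs"], m["size"])


def is_free_tier_eligible(name: str) -> bool:
    return name.strip().lower() in FREE_TIER_TYPES


def production_warnings(name: str) -> List[str]:
    """Warnings a reviewer would raise for a type proposed for production."""
    t = parse_instance_type(name)
    warnings = []
    if t.is_burstable:
        warnings.append("burstable family: CPU is throttled once credits are exhausted")
    if t.generation < 5:
        warnings.append("older generation: a newer generation is usually cheaper per unit of work")
    return warnings


if __name__ == "__main__":
    for n in ["m5.xlarge", "t4g.small", "g4dn.xlarge", "t2.micro"]:
        t = parse_instance_type(n)
        print(n, t, t.use_case, t.attribute_notes, production_warnings(n))
```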

Free Tier

t2.micro or t3.micro is included in the AWS Free Tier (750 hours/month for 12 months).

Amazon Machine Images (AMIs)

An AMI is a template that contains:

  • The operating system (e.g., Amazon Linux, Ubuntu, Windows Server)
  • Pre-installed software and configuration
  • EBS snapshot(s) for the root volume

Sources of AMIs:

  1. AWS provided — Amazon Linux 2023, Ubuntu, Windows
  2. AWS Marketplace — vendor-provided (e.g., Palo Alto firewall, NGINX Plus)
  3. Community AMIs — shared by other users (use with caution)
  4. Custom AMIs — AMIs you create from existing instances

Security Groups

A Security Group is a virtual firewall that controls inbound and outbound traffic to your EC2 instance.

Key rules:

  • Security groups are stateful — if you allow inbound, the response is automatically allowed outbound
  • Default: all inbound traffic blocked, all outbound traffic allowed
  • You can attach multiple security groups to one instance
  • Rules allow traffic only — you cannot create deny rules (use NACLs for that)

# Example: allow SSH from a specific IP
Inbound rule:
  Type: SSH
  Protocol: TCP
  Port: 22
  Source: 203.0.113.0/32   # Your IP only

Warning

Never set SSH source to 0.0.0.0/0 (anywhere) in production. Restrict SSH access to your IP or use AWS Systems Manager Session Manager instead.
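A practitioner usually wants to check existing groups for the mistakes described above rather than trust that the console was filled in correctly. The script below is an added example, not code from the article: it walks output in the shape returned by `aws ec2 describe-security-groups` (the `SecurityGroups` / `IpPermissions` / `IpRanges` structure) and reports SSH or all-traffic rules whose source is the whole internet, plus the self-referencing all-traffic rule that the default group carries. The group IDs and rules in the sample are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

SSH_PORT = 22

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE_OUTPUT: Dict = {
    "SecurityGroups": [
        {"GroupId": "sg-0example1", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ]},
        {"GroupId": "sg-0example2", "GroupName": "admin-ssh", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ]},
        {"GroupId": "sg-0example3", "GroupName": "default", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0example3"}]},
        ]},
    ]
}


@dataclass(frozen=True)
class Finding:
    group_id: str
    group_name: str
    check: str
    detail: str


def _is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (a prefix length of zero matches every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _covers_port(rule: Dict, port: int) -> bool:
    if rule.get("IpProtocol") == "-1":          # "-1" means all protocols and all ports
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_security_groups(describe_output: Dict) -> List[Finding]:
    findings: List[Finding] = []
    for sg in describe_output.get("SecurityGroups", []):
        gid, gname = sg["GroupId"], sg.get("GroupName", "")
        for rule in sg.get("IpPermissions", []):          # inbound rules only
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = [c for c in sources if _is_world(c)]
            if world and rule.get("IpProtocol") == "-1":
                findings.append(Finding(gid, gname, "all-traffic-open-to-world",
                                        f"all protocols/ports from {', '.join(world)}"))
            elif world and _covers_port(rule, SSH_PORT):
                findings.append(Finding(gid, gname, "ssh-open-to-world",
                                        f"port {SSH_PORT} reachable from {', '.join(world)}"))
            # The default group ships with this rule: all traffic from members of itself.
            if rule.get("IpProtocol") == "-1" and any(
                    p.get("GroupId") == gid for p in rule.get("UserIdGroupPairs", [])):
                findings.append(Finding(gid, gname, "self-referencing-all-traffic",
                                        "all traffic allowed between instances in this group"))
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f.group_id} ({f.group_name}): {f.check}: {f.detail}")
```

To run it against a real account, replace `SAMPLE_DESCRIBE_OUTPUT` with `json.load()` of the CLI's JSON output; HTTPS open to the world on the `web` group is deliberately not reported, since the article's concern is administrative access, not public web ports.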

Key Pairs

A key pair provides SSH access to Linux instances:

  1. AWS stores the public key on the instance
  2. You download and store the private key (.pem file)
  3. You use the private key to authenticate SSH connections

# Connect to an EC2 instance
chmod 400 my-key.pem
ssh -i my-key.pem ec2-user@<public-ip>

# For Ubuntu AMIs, the default user is 'ubuntu'
ssh -i my-key.pem ubuntu@<public-ip>

Warning

If you lose your private key, you cannot SSH into the instance. There is no recovery — you must use EC2 Instance Connect or a different method.

EBS Volumes

Elastic Block Store (EBS) provides persistent block storage for EC2 instances. Think of it as the hard drive attached to your VM.

| Volume type | Use case                                  | IOPS               |
|-------------|-------------------------------------------|--------------------|
| gp3         | General purpose SSD (recommended default) | Up to 16,000       |
| io2         | High-performance, latency-sensitive       | Up to 64,000       |
| st1         | Throughput-optimised HDD                  | N/A (MB/s based)   |
| sc1         | Cold HDD (cheap, infrequent access)       | N/A                |

EBS volumes persist independently of the instance. By default, the root volume is deleted on termination — you can change this.

Instance Lifecycle

Pending → Running → Stopping → Stopped → Terminated
                 ↘ Rebooting ↗
| State      | Billing                                    |
|------------|--------------------------------------------|
| Running    | Billed per second                          |
| Stopped    | Not billed for compute (EBS still charged) |
| Terminated | No billing                                 |

User Data

User Data is a script that runs once when an instance first launches (before it becomes available). Used for bootstrapping:

#!/bin/bash
yum update -y
yum install -y nginx
systemctl start nginx
systemctl enable nginx

Paste this into the "User data" field when launching an instance. It runs as root.
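Because user data runs as root and is readable afterwards by any process on the instance through the instance metadata service, it is worth validating before launch. The following is an added example, not code from the article: it checks a candidate script against the 16 KB raw-size limit AWS enforces on user data, requires a shebang or `#cloud-config` first line, scans for embedded credentials, and produces the base64 form the API expects. The nginx script is the article's own; the second sample is constructed and uses the access key ID from AWS's documentation examples.

```python
import base64
import re
from typing import List

MAX_USER_DATA_BYTES = 16 * 1024  # AWS limit on raw user data, before base64 encoding

# AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Shell-style secret assignments such as DB_PASSWORD=hunter2 or token="..."
SECRET_ASSIGN_RE = re.compile(r"(?i)\b\w*(password|passwd|secret|token)\w*\s*=\s*\S+")

# The article's bootstrap script.
NGINX_USER_DATA = """#!/bin/bash
yum update -y
yum install -y nginx
systemctl start nginx
systemctl enable nginx
"""

# Constructed bad example: credentials baked into user data. The key ID is the
# one AWS uses in its own documentation, not a real credential.
LEAKY_USER_DATA = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export DB_PASSWORD=hunter2
aws s3 sync s3://example-bucket /var/www
"""


def validate_user_data(script: str) -> List[str]:
    """Return a list of problems; an empty list means the script passed."""
    problems: List[str] = []
    lines = script.splitlines()
    first = lines[0].strip() if lines else ""
    if not (first.startswith("#!") or first == "#cloud-config"):
        problems.append("first line must be a shebang (e.g. #!/bin/bash) or #cloud-config")
    size = len(script.encode("utf-8"))
    if size > MAX_USER_DATA_BYTES:
        problems.append(f"script is {size} bytes; limit is {MAX_USER_DATA_BYTES} bytes raw")
    if AWS_ACCESS_KEY_RE.search(script):
        problems.append("embedded AWS access key ID; use an IAM instance role instead")
    if SECRET_ASSIGN_RE.search(script):
        problems.append("secret assigned in plain text; user data is readable from the instance")
    return problems


def encode_user_data(script: str) -> str:
    """Base64-encode validated user data as the RunInstances API expects it."""
    problems = validate_user_data(script)
    if problems:
        raise ValueError("; ".join(problems))
    return base64.b64encode(script.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print("nginx script:", validate_user_data(NGINX_USER_DATA) or "ok")
    print("leaky script:", validate_user_data(LEAKY_USER_DATA))
    print(encode_user_data(NGINX_USER_DATA)[:40], "...")
```

The credential check is deliberately conservative (it matches on names, not on entropy); the point is that anything a bootstrap script needs should come from an IAM role attached to the instance rather than from the script text.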

Elastic IP Addresses

By default, an EC2 instance is assigned a new public IPv4 address each time it is stopped and started again. An Elastic IP (EIP) is a static public IP you own and can reassign between instances.

  • EIPs are free while attached to a running instance
  • You're charged if an EIP is allocated but NOT attached

Launching Your First Instance (Quick Steps)

1. Go to EC2 Console → Launch Instance
2. Choose an AMI (Amazon Linux 2023 for labs)
3. Choose instance type (t3.micro for free tier)
4. Create or select a key pair
5. Configure security group: allow SSH (port 22) from your IP
6. Launch

Common Interview Questions

Q: What is the difference between stopping and terminating an EC2 instance? Stopping an instance shuts it down but preserves the EBS root volume and associated resources (EIP, ENI). You can restart it. Terminating permanently deletes the instance and (by default) the root EBS volume.

Q: What is an AMI and why would you create a custom one? An AMI is a template containing OS, software, and configuration. You'd create a custom AMI from a configured instance to replicate that exact environment across multiple instances — useful for Auto Scaling groups or blue-green deployments.

Q: What is the difference between a Security Group and a NACL? Security Groups are stateful, instance-level firewalls that only allow rules. NACLs are stateless, subnet-level firewalls that support both allow and deny rules. Because they're stateless, you must explicitly allow both inbound and outbound traffic for each connection.

Common Mistakes

  • Using t2.micro in production — burstable instances throttle CPU after credits are exhausted
  • Opening port 22 to 0.0.0.0/0 — immediately targeted by bots; restrict to your IP
  • Forgetting EBS costs for stopped instances — stopped instances still incur EBS storage charges
  • Using the default security group — it allows all traffic from instances in the same group

What to Learn Next

  1. AWS EC2 Auto Scaling — scale capacity automatically
  2. AWS Networking — VPC Fundamentals — how networking works in AWS
  3. AWS IAM Roles for EC2 — securely grant permissions to instances