AWS EC2 — Elastic Compute Cloud Fundamentals
Launch, configure, and connect to AWS EC2 instances. Understand instance types, AMIs, Security Groups, and key pairs.
What you'll learn
- Understand what EC2 is and how it fits in the AWS compute family
- Differentiate EC2 instance types and families
- Launch an EC2 instance and connect via SSH
- Configure Security Groups as virtual firewalls
- Understand AMIs, EBS volumes, and instance lifecycle
What is Amazon EC2?
Elastic Compute Cloud (EC2) is AWS's virtual machine service. It lets you rent virtual servers in the cloud, choosing the OS, CPU, RAM, storage, and network configuration you need.
EC2 is the backbone of the AWS compute layer and is central to the SAA-C03 exam.
EC2 core idea
An EC2 instance is a virtual machine running on AWS hardware. You pay by the second (or hour) for as long as the instance runs.
EC2 Instance Types
Instance types define the hardware characteristics of your VM. They follow a naming pattern:
m5.xlarge
││ └── Size: nano / micro / small / medium / large / xlarge / 2xlarge…
│└──── Generation: 5 (higher = newer)
└───── Family: m (general purpose)
Instance Families
| Family | Use case | Examples |
|---|---|---|
| t | Burstable, low-cost | t3.micro, t4g.small |
| m | General purpose | m6i.large, m5.xlarge |
| c | Compute optimised | c6i.large, c5.2xlarge |
| r | Memory optimised | r6i.xlarge, r5.4xlarge |
| i | Storage optimised | i3.large, i4i.xlarge |
| p / g | GPU / ML workloads | p3.2xlarge, g4dn.xlarge |
Free Tier
t2.micro or t3.micro is included in the AWS Free Tier (750 hours/month for 12 months).
Amazon Machine Images (AMIs)
An AMI is a template that contains:
- The operating system (e.g., Amazon Linux, Ubuntu, Windows Server)
- Pre-installed software and configuration
- EBS snapshot(s) for the root volume
Sources of AMIs:
- AWS provided — Amazon Linux 2023, Ubuntu, Windows
- AWS Marketplace — vendor-provided (e.g., Palo Alto firewall, NGINX Plus)
- Community AMIs — shared by other users (use with caution)
- Custom AMIs — AMIs you create from existing instances
Security Groups
A Security Group is a virtual firewall that controls inbound and outbound traffic to your EC2 instance.
Key rules:
- Security groups are stateful — if you allow inbound, the response is automatically allowed outbound
- Default: all inbound traffic blocked, all outbound traffic allowed
- You can attach multiple security groups to one instance
- Rules allow traffic only — you cannot create deny rules (use NACLs for that)
# Example: allow SSH from a specific IP
Inbound rule:
Type: SSH
Protocol: TCP
Port: 22
Source: 203.0.113.0/32 # Your IP only
Warning
Never set SSH source to 0.0.0.0/0 (anywhere) in production. Restrict SSH access to your IP or use AWS Systems Manager Session Manager instead.
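As an added example (not part of the original course), the check below scans security group definitions in the shape returned by `aws ec2 describe-security-groups` and flags any rule that exposes port 22 to 0.0.0.0/0 or ::/0, the mistake the warning above and the Common Mistakes list both call out. The group ids and CIDRs are constructed sample data.

```python
from ipaddress import ip_network

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output (SecurityGroups[].IpPermissions); ids and addresses are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "cloudops-web-sg",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "bad-ssh-sg",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         # "-1" = all protocols and ports; internal source, so not a finding
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
          "Ipv6Ranges": []}]},
]

def rule_covers_port(perm, port):
    """True if an IpPermission entry includes TCP `port` ('-1' = everything)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def rule_sources(perm):
    """Yield every IPv4/IPv6 CIDR the entry accepts traffic from."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]

def find_world_open(groups, port=22):
    """Return (GroupId, GroupName, cidr) for rules exposing `port` to any address."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            for cidr in rule_sources(perm):
                if ip_network(cidr).prefixlen == 0:   # 0.0.0.0/0 or ::/0
                    findings.append((g["GroupId"], g["GroupName"], cidr))
    return findings

if __name__ == "__main__":
    for gid, name, cidr in find_world_open(SAMPLE_GROUPS):
        print(f"{gid} ({name}): port 22 reachable from {cidr}")
```

Feed it the `SecurityGroups` list from the real CLI output to audit an account; port 80 open to the world on the web group is expected and is not reported unless you ask for that port.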
Key Pairs
A key pair provides SSH access to Linux instances:
- AWS stores the public key on the instance
- You download and store the private key (.pem file)
- You use the private key to authenticate SSH connections
# Connect to an EC2 instance
chmod 400 my-key.pem
ssh -i my-key.pem ec2-user@<public-ip>
# For Ubuntu AMIs, the default user is 'ubuntu'
ssh -i my-key.pem ubuntu@<public-ip>
Warning
If you lose your private key, you cannot SSH into the instance. There is no recovery — you must use EC2 Instance Connect or a different method.
EBS Volumes
Elastic Block Store (EBS) provides persistent block storage for EC2 instances. Think of it as the hard drive attached to your VM.
| Volume Type | Use case | IOPS |
|---|---|---|
| gp3 | General purpose SSD (recommended default) | Up to 16,000 |
| io2 | High-performance, latency-sensitive | Up to 64,000 |
| st1 | Throughput-optimised HDD | N/A (MB/s based) |
| sc1 | Cold HDD (cheap, infrequent access) | N/A |
EBS volumes persist independently of the instance. By default, the root volume is deleted on termination — you can change this.
Instance Lifecycle
Pending → Running → Stopping → Stopped → Terminated
↘ Rebooting ↗
| State | Billing |
|---|---|
| Running | Billed per second |
| Stopped | Not billed for compute (EBS still charged) |
| Terminated | No billing |
User Data
User Data is a script that runs once when an instance first launches (before it becomes available). Used for bootstrapping:
#!/bin/bash
yum update -y
yum install -y nginx
systemctl start nginx
systemctl enable nginx
Paste this into the "User data" field when launching an instance. It runs as root.
Elastic IP Addresses
By default, an EC2 instance gets a new public IP each time it starts. An Elastic IP (EIP) is a static public IP you own and can reassign between instances.
# EIPs are free while attached to a running instance
# You're charged if an EIP is allocated but NOT attached
Launching Your First Instance (Quick Steps)
1. Go to EC2 Console → Launch Instance
2. Choose an AMI (Amazon Linux 2023 for labs)
3. Choose instance type (t3.micro for free tier)
4. Create or select a key pair
5. Configure security group: allow SSH (port 22) from your IP
6. Launch
Hands-on: Launch an EC2 Web Server
Goal: Create an Amazon Linux instance, bootstrap a web server, connect to it, and verify the app from a browser.
- Open the EC2 console and choose Launch instance.
- Name the instance cloudops-web-01.
- Choose Amazon Linux 2023 AMI.
- Choose t3.micro or the free-tier eligible option available in your Region.
- Create a new key pair named cloudops-lab-key, or choose Proceed without a key pair if you will use EC2 Instance Connect or SSM later.
- Create a security group with SSH TCP 22 from My IP only and HTTP TCP 80 from 0.0.0.0/0.
- Expand Advanced details and paste this user data:
#!/bin/bash
dnf update -y
dnf install -y nginx
systemctl enable nginx
systemctl start nginx
echo "hello from $(hostname -f)" > /usr/share/nginx/html/index.html
- Launch the instance and wait for both status checks to pass.
- Copy the public IPv4 address and open http://<public-ip> in a browser.
- Connect using EC2 Instance Connect from the console, then run:
systemctl status nginx
curl -s http://localhost
- Stop the instance when done, or terminate it if you no longer need the lab.
Warning
If the browser cannot reach the instance, check the security group first, then confirm the subnet has a route to an Internet Gateway and the instance has a public IPv4 address.
Hands-on: Create and Use a Custom AMI
Goal: Capture a configured instance as an AMI and launch a second instance from that image.
- Use the web server instance from the previous lab.
- In EC2 > Instances, select the instance.
- Choose Actions > Image and templates > Create image.
- Set image name to cloudops-nginx-ami.
- Keep No reboot unchecked for a cleaner filesystem snapshot.
- Choose Create image.
- Go to AMIs and wait until the AMI state is Available.
- Select the AMI and choose Launch instance from AMI.
- Launch a new instance with a different name, such as cloudops-web-02.
- Open the new instance's public IP and confirm nginx is already installed and serving the same content.
- Clean up by deregistering the AMI and deleting the associated snapshot after the lab.
Hands-on: Change EC2 Instance Type
Goal: Safely resize an instance when CPU or memory needs change.
- Select a non-production test instance.
- Choose Instance state > Stop instance and wait for Stopped.
- Choose Actions > Instance settings > Change instance type.
- Change from t3.micro to t3.small or another compatible type.
- Start the instance.
- Verify the application and instance status checks.
- If the instance fails to start, review whether the AMI, virtualization type, architecture, EBS optimization, and ENA support match the target family.
Common Interview Questions
Q: What is the difference between stopping and terminating an EC2 instance? Stopping an instance shuts it down but preserves the EBS root volume and associated resources (EIP, ENI). You can restart it. Terminating permanently deletes the instance and (by default) the root EBS volume.
Q: What is an AMI and why would you create a custom one? An AMI is a template containing OS, software, and configuration. You'd create a custom AMI from a configured instance to replicate that exact environment across multiple instances — useful for Auto Scaling groups or blue-green deployments.
Q: What is the difference between a Security Group and a NACL? Security Groups are stateful, instance-level firewalls that only allow rules. NACLs are stateless, subnet-level firewalls that support both allow and deny rules. Because they're stateless, you must explicitly allow both inbound and outbound traffic for each connection.
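As an added example, not from the course page, the small model below shows the statefulness difference from the answer above: with only an inbound HTTP allow rule, a stateful security group lets the server's reply out because it remembers the connection, while a stateless NACL drops the reply until an explicit outbound rule for the client's ephemeral port range is added. The client port, the simplified rule format and the omission of NACL rule numbers and deny rules are assumptions of the model.

```python
# Rules are (direction, (low_port, high_port)) allow entries, evaluated for
# TCP only. Scenario: a client (constructed address 203.0.113.7) connects
# to the instance's HTTP port 80 from ephemeral port 51234; the server replies.
EPHEMERAL = (1024, 65535)   # typical client source-port range

def _match(rules, direction, port):
    """True if some allow rule for `direction` covers `port`."""
    return any(d == direction and lo <= port <= hi for d, (lo, hi) in rules)

class SecurityGroup:
    """Stateful: return traffic for an admitted flow is allowed automatically."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()          # (client_port, server_port) admitted inbound
    def inbound(self, client_port, server_port):
        ok = _match(self.rules, "in", server_port)
        if ok:
            self.flows.add((client_port, server_port))
        return ok
    def outbound(self, server_port, client_port):
        if (client_port, server_port) in self.flows:
            return True             # reply to a tracked connection
        return _match(self.rules, "out", client_port)

class NetworkAcl:
    """Stateless: every packet is judged by the rules alone, no flow memory."""
    def __init__(self, rules):
        self.rules = rules
    def inbound(self, client_port, server_port):
        return _match(self.rules, "in", server_port)
    def outbound(self, server_port, client_port):
        return _match(self.rules, "out", client_port)

def http_roundtrip(fw, client_port=51234):
    """Return (request_allowed, reply_allowed) for one HTTP exchange."""
    req = fw.inbound(client_port, 80)
    rep = fw.outbound(80, client_port) if req else False
    return req, rep

# The same single allow rule on both: inbound HTTP, nothing outbound.
# (A real default security group also allows all outbound; the point here
# is that the reply passes even without such a rule.)
http_only = [("in", (80, 80))]
sg_result = http_roundtrip(SecurityGroup(http_only))      # (True, True)
nacl_result = http_roundtrip(NetworkAcl(http_only))       # (True, False)
# The NACL needs an explicit outbound rule for the ephemeral port range.
nacl_fixed = http_roundtrip(NetworkAcl(http_only + [("out", EPHEMERAL)]))  # (True, True)
```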
Common Mistakes
- Using t2.micro in production — burstable instances throttle CPU after credits are exhausted
- Opening port 22 to 0.0.0.0/0 — immediately targeted by bots; restrict to your IP
- Forgetting EBS costs for stopped instances — stopped instances still incur EBS storage charges
- Using the default security group — it allows all traffic from instances in the same group
What to Learn Next
- AWS EC2 Auto Scaling — scale capacity automatically
- AWS Networking — VPC Fundamentals — how networking works in AWS
- AWS IAM Roles for EC2 — securely grant permissions to instances
