Amazon Web Services (AWS) comprise a public cloud, a collection of computing services that allows one to build and run software services in Amazon's data centers. Fedora publishes system images for AWS's virtual machine platform, Amazon Elastic Compute Cloud (EC2), which allows one to create virtual machines in the cloud with very little effort. The objective of this primer is to familiarize the reader with EC2's terminology and functionality. For more detailed documentation, see the AWS website.
What follows are some short explanations of EC2 terminology. For more detailed information, see the EC2 documentation.
Images and Instances
A machine image is a snapshot of a system (specifically its
/ filesystem) that provides the basis for a virtual machine in EC2. When running a new virtual machine in EC2 you choose a machine image to use as a template. The new virtual machine is then an instance of that machine image that contains its own copy of everything in the image. The instance keeps running until you stop or terminate it, or until it fails. If an instance fails, you can launch a new one from the same image. You can create multiple instances of a single machine image. Each instance will be independent of the others.
You can use a single image or multiple images, depending on your needs. From a single image, you can launch different types of instances. An instance type defines what hardware the instance has, including the amount of memory, disk space, and CPU power.
Amazon, Fedora, other groups, and individuals publish images for public use. You might only need to use images that reputable sources provide, and you can simply customize the resulting instances to suit your needs as you launch them. You can also create your own machine images, but that is beyond the scope of this document.
Machine images in EC2 are sometimes referred to as AMIs.
Machine images have identifiers that begin with
ami, such as
ami-6ebe4507. Instances have identifiers that begin with the letter
i, such as
Regions and Availability Zones
Amazon hosts datacenters many parts of the world. Those from a particular part of the world make up a region. Regions' names are based on their locations, such as in
Regions are broken up into availability zones, which are designed to isolate failures from one another but still provide faster communication than communication between regions. Distributing a web application amongst several availability zones can help improve its reliability if an availability zone encounters problems. Availability zones' names are based on the regions in which they reside, such as
EC2 instances use one or more of three types of storage provided by AWS:
Amazon Simple Storage Service (S3) is a web service-based storage system that is accessible inside EC2 and elsewhere on the Internet. As this primer will not focus on S3, see the Amazon S3 documentation for more details.
Elastic Block Store (EBS)
Amazon Elastic Block Store (EBS) provides instances with persistent, disk-like storage that you can attach to and detach from instances, similar to portable disk drives. By creating EBS volumes and attaching them to instances you can store data that you wish to be portable to more than one instance in the event an instance fails or is replaced. Since instances' root filesystem tend to have limited space, volumes also provide a simple way of adding additional disk capacity to instances.
Volumes have identifiers that begin with
vol, such as
You can create a backup snapshot of a volume. From the snapshot you can then create a new volume and attach it to another instance.
Snapshots have identifiers that begin with
snap, such as
Some instance types have instance storage, scratch space that persists only as long as an instance runs. Instance storage is destroyed when an instance stops, terminates, or fails. For this reason, it is also referred to as ephemeral storage.
When EC2 was first introduced, all machine images were backed by instance storage, meaning that their instances' root filesystems were stored in instance storage. Machine images can now also be backed by EBS, meaning that their instances' root filesystem instead reside on EBS volumes.
A security group defines firewall rules for your instances. These rules specify which incoming network traffic should be delivered to an instance (e.g., accept web traffic on port 80 or SSH traffic on port 22). All other traffic is ignored. You can modify the rules for a group at any time.
Every instance runs inside of a security group. You can create your own security groups, or you can use the
default security group that EC2 provides for you. When you run a new instance it will run in the
default security group unless you choose a different one.
Getting Started with Fedora on EC2
Getting account details
To use AWS you need to create an online account. You can do this by going to the AWS web site, clicking on Create an AWS Account, and following the instructions.
One can interact with EC2 through either a web-based management console or via euca2ools, a suite of command line tools designed for services like EC2. This tutorial will focus on using EC2 with euca2ools at the command line.
To using the command line tools you first need to obtain access keys for your account. You can find them by going to the AWS management console on the web, clicking your name on the top, followed by
Security Credentials, and scrolling down to the section titled Access Credentials. Make note of the Access Key ID and the Secret Access Key that appears beside it. Both of them should be long sets of alphanumeric characters. Create a file called
.iamrc in your home directory that contains those keys in this format:
Since euca2ools is designed to work with all AWS-compatible clouds, not just AWS itself, it needs to know which cloud to contact. Create a file called
.eucarc in your home directory with the following content to point it toward AWS:
export AWS_CREDENTIAL_FILE=~/.iamrc export EC2_URL=https://ec2.amazonaws.com/ export S3_URL=https://s3.amazonaws.com/ export EUARE_URL=https://iam.amazonaws.com/ source "$AWS_CREDENTIAL_FILE" export EC2_ACCESS_KEY=$AWSAccessKeyId export EC2_SECRET_KEY=$AWSSecretKey export AWS_ACCESS_KEY=$AWSAccessKeyId export AWS_SECRET_ACCESS_KEY=$AWSSecretKeyFinally, add these settings to your shell's environment by running:
Install the Command Line ToolsInstall the euca2ools package. To do so with yum, run:
yum install euca2ools
Choose a Region
Choose an EC2 region to use. Things to consider when choosing a region include how geographically close it is to you, the pricing for instances in that region, and whether the image you wish to use is available in that region. You can get a list of regions by running
euca-describe-regions, which results in a list such as this:
REGION eu-west-1 ec2.eu-west-1.amazonaws.com REGION us-east-1 ec2.us-east-1.amazonaws.com REGION ap-northeast-1 ec2.ap-northeast-1.amazonaws.com REGION us-west-1 ec2.us-west-1.amazonaws.com REGION ap-southeast-1 ec2.ap-southeast-1.amazonaws.comWhen you choose an EC2 region you can make euca2ools start using it by editing the line that contains
export EC2_URL=https://ec2.us-east-1.amazonaws.com/...and then re-set the settings in your shell's environment:
Create a Key Pair
The primary way of logging into Fedora instances is via SSH. Since Fedora instances have no passwords, you need a SSH key pair to log in to them. The private half of this key pair is stored on your computer, while the public half is stored in EC2 so instances can download them as they start. This allows you to securely log into your instances without a password.
You can have multiple key pairs. Each key pair has its own name. Key pairs are specific to each EC2 region.Choose a name for a new key pair and then use the
euca-add-keypaircommand to create it and write the private key to a file. Be sure to choose a name that is easy to remember.
euca-add-keypair mykey > mykey.pem
You can use
euca-describe-keypairs to display a list of your keypairs.
$ euca-describe-keypairs KEYPAIR mykey1 7b:9b:33:cf:bf:12:4d:62:b6:7c:fa:02:f2:f7:bc:59:e3:7e:40:fb KEYPAIR mykey2 f9:93:1e:73:4b:2e:c1:0d:7f:79:e1:bc:c0:d0:7c:95:32:55:b7:ddYou can use
euca-delete-keypairsto delete a keypair. Deleting a keypair does not remove it from instances that are already running; it merely prevents new instances from using it.
Set up a Security Group
Each security group has its own set of firewall rules. While this tutorial uses the
default security group that EC2 provides for you, you can also create your own security groups.
euca-authorizecommand lets you tell EC2 to allow traffic from ranges of IP addresses and ports into a security group. To allow access to SSH (TCP port 22) running on instances in the
defaultsecurity group, run the following command:
euca-authorize default -p 22 -s your_system's_ip_address/32If you do not specify a range of IP addresses then the port(s) you choose will be open to the entire Internet. For example, the following command allows SSH access from any machine Internet, not just your computer:
euca-authorize default -p 22To allow pings and other ICMP traffic you can run:
euca-authorize default -P icmp
The opposite of
euca-revoke. You can use
euca-describe-groups to obtain a list of security groups and the firewall permissions you have applied to them.