Security Groups and SSH

 Security Groups

  • Security Groups are the fundamental of network security in AWS
  • They control how traffic is allowed into or out of our EC2 Instances
  • Security groups only contain allow rules (there is no deny rule; anything not explicitly allowed is dropped)
  • Security group rules can reference either an IP range or another security group

  • Security groups act as a "firewall" on EC2 instances
  • They regulate:
    • Access to ports
    • Authorized IP ranges - IPv4 and IPv6
    • Control of inbound traffic (from others to the instance)
    • Control of outbound traffic (from the instance to others)


  • Can be attached to multiple instances
  • Locked down to a region/VPC combination
  • Lives "outside" the EC2 instance - if traffic is blocked by the security group, the EC2 instance never sees it
  • It's good to maintain one separate security group for SSH access
  • If your application is not accessible (time out), then it's a security group issue
  • If your application gives a "connection refused" error, then it's an application error or the application is not launched
  • All inbound traffic is blocked by default
  • All outbound traffic is authorized by default
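The points above are easiest to see on real rule data. The script below is an added example, not code from the original notes: it audits a constructed sample shaped like the IpPermissions section of the EC2 DescribeSecurityGroups response (the field names are the real ones; the group ids and addresses are made up), flags admin ports (22, 3389) that an allow rule opens to the whole internet, and lists rules that reference another security group instead of an IP range.

```python
"""Audit EC2 security-group rules from a defender's point of view: flag any
inbound allow rule that exposes SSH (22) or RDP (3389) to the whole internet,
and list rules that reference another security group instead of an IP range.

Added example, not code from the original notes. The input is a constructed
sample shaped like the IpPermissions section of the EC2 DescribeSecurityGroups
API response (field names are the real ones; ids and addresses are made up).
"""

# Constructed sample data: the ids, names and addresses below are invented.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaaaaaaaaaaaaaa1",
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # SSH open to the world
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0aaaaaaaaaaaaaaa2",
        "GroupName": "ssh-only",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # SSH from one office range
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaa3"}]},  # ...and from a bastion SG
            {"IpProtocol": "-1",                                         # "all traffic" rule, no ports
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
]

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_covers_port(rule, port):
    """An allow rule admits `port` if it is all-traffic (-1) or a TCP range containing it."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_sources(rule):
    """Return (cidr_list, group_id_list): a rule may reference IP ranges, other SGs, or both."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    groups = [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return cidrs, groups


def audit(groups):
    """Return a list of findings: admin ports reachable from any address on the internet."""
    findings = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            cidrs, _ = rule_sources(rule)
            for port, service in ADMIN_PORTS.items():
                if not rule_covers_port(rule, port):
                    continue
                for cidr in cidrs:
                    if cidr in ANYWHERE:
                        findings.append({"group": sg["GroupId"], "service": service,
                                         "port": port, "source": cidr})
    return findings


def group_references(groups):
    """Return {GroupId: [referenced GroupIds]} so SG-to-SG trust is visible at a glance."""
    refs = {}
    for sg in groups:
        refs.setdefault(sg["GroupId"], [])
        for rule in sg["IpPermissions"]:
            _, ref_groups = rule_sources(rule)
            refs[sg["GroupId"]].extend(ref_groups)
    return refs


if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print("%s: %s (port %d) open to %s" % (f["group"], f["service"], f["port"], f["source"]))
    print(group_references(SAMPLE_GROUPS))
```

Note that the "all traffic" rule on the second group is caught even though it names no port at all; a rule that references a bastion's security group (sg-to-sg) is not a finding, which is the pattern the notes recommend with a separate SSH security group.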

Classic Ports to know

  • 22 = SSH (Secure Shell) - log into a Linux instance
  • 21 = FTP (File Transfer Protocol) - upload files into a file share
  • 22 = SFTP (Secure File Transfer Protocol) - upload file using SSH
  • 80 = HTTP - access unsecured websites
  • 443 = HTTPS - access secured websites
  • 3389 = RDP (Remote Desktop Protocol) - log into a Windows instance

SSH Summary Table (a protocol)

  • SSH is a command line utility to connect to other servers
  • PuTTY is the equivalent command line utility for Windows
  • EC2 Instance Connect uses the browser for the connection and works for all OS
  • SSH:
    • Mac, Linux and Windows from 10 onwards
  • PuTTY:
    • Windows
  • EC2 Instance Connect:
    • For all OS

SSH into your EC2 Instance from Linux/Mac OS X:

  • SSH is one of the most important functions: it allows you to control a remote machine, all from the command line.

Commands for Linux:

ssh username@IP
ssh ec2-user@3.250.26.200

If it does not work, check that you are in the same folder where the SSH key file (the .pem file) is present, and that the file name does not contain any spaces.

ssh -i pemfilename username@IP
ssh -i ec2tutorial.pem ec2-user@3.250.26.200

If your .pem file does not have the right permissions, ssh will give an error.
Run chmod 0400 ec2tutorial.pem: you must not keep your .pem file with editable permissions, as ssh does not allow that and it is your security file.
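To see exactly what the permission complaint is about, here is an added example (not code from the original notes) that checks a key file the way ssh does before using it, applies the chmod 0400 fix, and builds the ssh command as an argument list. The file name ec2tutorial.pem and the user/host values are the ones used in the notes, reused here as assumptions.

```python
"""Check that a private key file is locked down the way ssh requires before it
will use it, and build the ssh command line. Added example, not code from the
original notes; the key file name ec2tutorial.pem and the user/host values are
the ones used in the notes, reused here as assumptions.
"""

import os
import stat
import tempfile


def key_mode_is_private(mode):
    """True when no group or other permission bits are set (0400 and 0600 both pass).
    OpenSSH refuses a key that fails this check ("UNPROTECTED PRIVATE KEY FILE")."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_key_file(path):
    """Return 'ok' or a description of what is wrong with `path`."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "not found: run ssh from the folder that holds the .pem file, or give its full path"
    mode = stat.S_IMODE(st.st_mode)
    if not key_mode_is_private(mode):
        return "too open: mode %04o lets group/others read it; run chmod 0400 on the file" % mode
    return "ok"


def lock_down_key(path):
    """Apply the permissions the notes recommend: read-only for the owner, nothing for anyone else."""
    os.chmod(path, 0o400)


def ssh_command(key_path, user, host, port=22):
    """Build the ssh argv as a list, so a space in the key file name cannot split the command."""
    return ["ssh", "-i", key_path, "-p", str(port), "%s@%s" % (user, host)]


def demo():
    """Create a throwaway key file with loose permissions, check it, fix it, check again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ec2tutorial.pem")
        with open(path, "w") as fh:
            # Constructed placeholder content, not a real key.
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n")
        os.chmod(path, 0o644)            # the state a freshly downloaded file is often in
        before = check_key_file(path)
        lock_down_key(path)
        after = check_key_file(path)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
    print(" ".join(ssh_command("ec2tutorial.pem", "ec2-user", "3.250.26.200")))
```

The check is a POSIX mode check, which is what ssh performs on Linux and macOS; the Windows build of OpenSSH looks at the file's ACL instead, which is why the Windows section of these notes points you at the file's Properties dialog rather than chmod.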

Once you are in your EC2 instance you will see the OS message, and then you can run commands from it, like:
whoami
ping google.com
and many more.
To exit from the EC2 session, type exit or press ctrl+z.

For Windows:

  • You need to configure PuTTY to do SSH on Windows.
Install PuTTY.
Use PuTTYgen to generate the PPK format: select the SSH key file which you downloaded from AWS and save it as the private key for connectivity.

It will convert the .pem file to a .ppk file.

Now open the PuTTY app and fill in the hostname and port to connect to the server.
Make the entry ec2-user@3.250.26.200 with port 22. Now select the SSH option, go to Auth, and browse to the private key you created with the PuTTYgen application.

It will authenticate directly and log you into the EC2 instance.

For Windows 10 and above:

In Windows 10 we can use PowerShell.

Change directory to the folder where the .pem file is, to allow ssh into the EC2 instance from Windows.

ssh -i ec2tutorial.pem ec2-user@3.250.26.200

If you get a permission issue, go to the file and change its permissions via Properties.

Troubleshooting steps:

  • Connection timeout - This is because of a security group issue; you need to enable SSH for all IPs by adding an inbound rule for it. If the issue still persists, check the firewall permissions on your personal system and on the corporate network side.
  • SSH does not work on Windows - Use PuTTY to connect.
  • Connection refused - It means no SSH utility is working on the EC2 side. Restart the instance.
  • Permission denied (publickey, gssapi-keyex, gssapi-with-mic) - Use the right security key and check whether the instance is running. Check that you provided the right hostname along with the username and the right IP address.
  • Nothing is working - Use EC2 Instance Connect to establish the connection.
  • Able to connect previously but not now - If you restarted the EC2 instance, its public IP address will have changed, so check it; also check your own system's IP address if you are not allowing all IPs to connect to the server.
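The first three entries above can be told apart at the TCP level before any key is involved: a dropped packet times out, while a host with nothing listening answers "connection refused". The following is an added example, not code from the original notes; it probes a port, maps the result onto the list above, and demonstrates both outcomes against a loopback listener so it runs offline.

```python
"""Tell a security-group problem apart from an sshd problem at the TCP level,
before touching keys at all: a dropped SYN times out, a host with nothing on
the port answers with a RST (connection refused). Added example, not code from
the original notes; the demo uses loopback addresses only.
"""

import errno
import socket


def probe(host, port=22, timeout=3.0):
    """TCP-connect to host:port. Return 0 on success, else the errno of the failure."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return 0
    except socket.timeout:
        return errno.ETIMEDOUT
    except OSError as e:
        return e.errno if e.errno is not None else -1
    finally:
        s.close()


def classify(code):
    """Map the probe result onto the troubleshooting list in the notes."""
    if code == 0:
        return "reachable: security group and network path are fine; a failed login from here is a key, username or host mismatch"
    if code == errno.ETIMEDOUT:
        return "timeout: packets are dropped before reaching sshd; check the inbound rule for port 22 and any firewall on your side"
    if code == errno.ECONNREFUSED:
        return "refused: the host answered but nothing listens on the port; sshd is not running or the instance is still booting"
    if code in (errno.ENETUNREACH, errno.EHOSTUNREACH):
        return "unreachable: no route to the host; check the address (a restarted instance gets a new public IP)"
    return "other: errno %d" % code


def diagnose(host, port=22, timeout=3.0):
    """One-call convenience: probe and classify."""
    return classify(probe(host, port, timeout))


def demo_local():
    """Probe a listening loopback port, then the same port after the listener is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    open_result = diagnose("127.0.0.1", port, timeout=1.0)
    listener.close()
    closed_result = diagnose("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    for r in demo_local():
        print(r)
    # Against a real instance you would call diagnose("3.250.26.200") (address from the notes).
```

Against a real instance, a "reachable" result followed by "Permission denied (publickey...)" tells you to stop editing security groups and look at the key, username and host instead.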

EC2 Instance Connect

  • Go to the EC2 instance and click on Connect to open the EC2 Instance Connect facility.
  • It has multiple options:
    • EC2 Instance Connect - Browser-based connection where you need to provide the username. It will not ask for any SSH key, as it creates a temporary SSH key for us to connect to the EC2 instance. After clicking on Connect it opens a terminal in the browser for us to perform our activities.
    • Session Manager - 
    • SSH client - 
    • EC2 Serial Console -
  • Secure usage rules:
    • Never configure the AWS CLI with your credentials on an instance, as anyone can retrieve them from your laptop or, if you are using EC2 Instance Connect, from the EC2 instance.
    • Use an IAM Role to gain access - To make this possible, create an IAM role with the desired permissions, then come back to the EC2 instance, go to the Security entry under Actions, and select the desired IAM role. This IAM role replaces the credentials part when connecting to the EC2 instance and lets it perform the desired actions and activities.
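The reason the rule above matters is that a key pasted into "aws configure" is a long-lived IAM user key (AKIA... prefix), while the credentials an instance role hands out are temporary STS keys (ASIA... prefix) that expire on their own. The script below is an added example, not code from the original notes: it scans an environment mapping and the text of a credentials file for long-lived keys; the environment and file contents are constructed samples, and the key ids in them are made up values that only follow the documented prefix and length.

```python
"""Find long-lived AWS credentials that should not be sitting on an EC2 instance
(or on a laptop that reaches one). IAM user access keys start with AKIA; the
temporary keys an instance role hands out start with ASIA and expire on their
own, which is why the notes say to attach a role instead of running
"aws configure".

Added example, not code from the original notes. The environment and the
credentials-file text below are constructed samples; the key ids are made up
and follow only the documented prefix/length shape.
"""

import re
from configparser import ConfigParser

# IAM user keys (AKIA...) and STS temporary keys (ASIA...) share the same 20-char shape.
ACCESS_KEY_RE = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")


def key_kind(access_key_id):
    """'long-lived' for IAM user keys, 'temporary' for STS/role keys, 'unknown' otherwise."""
    m = ACCESS_KEY_RE.match(access_key_id.strip())
    if not m:
        return "unknown"
    return "long-lived" if m.group(1) == "AKIA" else "temporary"


def find_static_credentials(env, credentials_text):
    """Return a finding for every place a long-lived key is configured.
    `env` is a dict like os.environ; `credentials_text` is the content of
    ~/.aws/credentials, or None if the file does not exist."""
    findings = []
    key = env.get("AWS_ACCESS_KEY_ID")
    if key and key_kind(key) == "long-lived":
        findings.append("env: AWS_ACCESS_KEY_ID holds a long-lived IAM user key")
    if credentials_text:
        cp = ConfigParser()
        cp.read_string(credentials_text)
        for profile in cp.sections():
            key = cp.get(profile, "aws_access_key_id", fallback="")
            if key_kind(key) == "long-lived":
                findings.append("~/.aws/credentials: profile [%s] holds a long-lived IAM user key" % profile)
    return findings


# Constructed samples (made-up values in the documented shape; not real keys).
SAMPLE_ENV = {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLEEXAMPLE01",
              "AWS_SECRET_ACCESS_KEY": "not-a-real-secret"}
SAMPLE_CREDENTIALS = """[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE02
aws_secret_access_key = not-a-real-secret

[role-session]
aws_access_key_id = ASIAEXAMPLEEXAMPLE03
aws_secret_access_key = not-a-real-secret
aws_session_token = not-a-real-token
"""

if __name__ == "__main__":
    for finding in find_static_credentials(SAMPLE_ENV, SAMPLE_CREDENTIALS):
        print(finding)
```

On a real host you would pass os.environ and the contents of ~/.aws/credentials instead of the samples; an instance that uses only its attached IAM role produces no findings, because the role's credentials never land in either place.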

EC2 Instances Purchasing Options

  • On-Demand Instance - short workload, predictable pricing, pay by second.
  • Reserved (1 & 3 years)
    • Reserved Instance - long workloads
    • Convertible Reserved Instances - long workloads with flexible instances
  • Savings Plans (1 & 3 years) - commitment to an amount of usage, long workload
  • Spot Instances - short workloads, cheap, can lose instance (less reliable)
  • Dedicated Hosts - book an entire physical server, control instance placement
  • Dedicated Instances - no other customers will share your hardware
  • Capacity Reservations - reserve capacity in a specific AZ for any duration

EC2 On Demand

  • Pay for what you use:
    • Linux or Windows - billing per second, after the first minute
    • All other operating systems - billing per hour
  • Has the highest cost but no upfront payment
  • No long-term commitment
  • Recommended for short-term and uninterrupted workloads, where you can't predict how the application will behave

EC2 Reserved Instances

  • Up to 72% discount compared to On-demand
  • You reserve specific instance attributes (Instance Type, Region, Tenancy, OS)
  • Reservation Period - 1 year (+discount) or 3 years (+++discount)
  • Payment Options - No Upfront(+), Partial Upfront(++), All Upfront(+++)
  • Reserved Instance's Scope - Regional or Zonal (reserve capacity in an AZ)
  • Recommended for steady-state usage applications (think database)
  • You can buy and sell in the Reserved Instance Marketplace
  • Convertible Reserved Instance
    • Can change the EC2 instance type, instance family, OS, scope and tenancy
    • Up to 66% discount

EC2 Savings Plans

  • Get a discount based on long-term usage (up to 72% - same as RIs)
  • Commit to a certain type of usage ($ 10/hour for 1 or 3 years)
  • Usage beyond EC2 Savings Plans is billed at the On-Demand price
  • Locked to a specific family & AWS region (e.g., M5 in us-east-1)
  • Flexible across:
    • Instance size (e.g., m5.large, m5.2xlarge)
    • OS (e.g., Linux, Windows)
    • Tenancy (Host, Dedicated, Default)

EC2 Spot Instance

  • Can get a discount up to 90% compared to On-demand
  • Instances that you can "lose" at any point of time if your max price is less than the current spot price
  • The MOST cost-efficient instances in AWS
  • Useful for workloads that are resilient to failure
    • Batch jobs
    • Data analysis
    • Image processing
    • Any distributed workloads
    • Workloads with a flexible start and end time
  • Not suitable for critical jobs or databases

EC2 Dedicated Hosts

  • A physical server with EC2 instance capacity fully dedicated to your use
  • Allows you to address compliance requirements and use your existing server-bound software licenses (per-socket, per-core, per-VM software licenses)
  • Purchase Options:
    • On-demand - pay per second for active Dedicated Host
    • Reserved - 1 or 3 years (No upfront, Partial upfront, All upfront)
  • The most expensive option
  • Useful for software that has a complicated licensing model (BYOL - Bring Your Own License)
  • Or for companies that have strong regulatory or compliance needs

EC2 Dedicated Instances

  • Instances run on hardware that's dedicated to you
  • May share hardware with other instances in same account
  • No control over instance placement (can move hardware after stop/start)

EC2 Capacity Reservations

  • Reserve On-Demand instance capacity in a specific AZ for any duration
  • You always have access to EC2 capacity when you need it
  • No time commitment (create/cancel anytime), no billing discounts
  • Combine with Regional Reserved Instances and Savings Plans to benefit from billing discounts
  • You're charged at On-Demand rate whether you run instances or not
  • Suitable for short-term, uninterrupted workloads that need to be in a specific AZ

EC2 Section - Summary

  • EC2 Instance: AMI (OS) + Instance Size (CPU + RAM) + Storage + security groups + EC2 User Data
  • Security Groups: Firewall attached to the EC2 instance
  • EC2 User data: Script launched at the first start of an instance
  • SSH: start a terminal into our EC2 Instance (port 22)
  • EC2 Instance Role: link to IAM roles
  • Purchasing Options: On-Demand, Spot, Reserved (Standard + Convertible), Dedicated Host, Dedicated Instance
