The Elastic Compute Cloud (EC2)
Consider the meaning of elastic in many of the AWS (Amazon Web Services) service names. When you see the word elastic, you should think of the ability to stretch and contract. All the AWS documentation alludes to this fact, but it often makes the whole process sound quite complicated when it really isn’t. Just think about a computer that can stretch when you need more resources and contract when you don’t.
With AWS, you pay only for the services you actually use, so this capability to stretch and contract is important because it means that your organization can spend less money and still end up with just the right amount of services needed.
Even though some members of your organization might fixate on the issue of money, the real value behind the term elastic is time. Keeping your own equipment right-sized is time consuming, especially when you need to downsize. Using EC2 means that you can add or remove computing capacity in just a few minutes, rather than weeks or months. Because requirements tend to change quickly today, the capability to right-size your capacity in minutes is crucial, especially if you really do want that pay raise.
As important as being agile and keeping costs low are to an administrator, another issue is even more important: being able to make the changes without jumping through all sorts of hoops. EC2 provides two common methods for making configuration changes:
- Manually using the AWS Console
- Automatically using the AWS Application Programming Interface (API)
Just as you do with your local server, you have choices to make when building an EC2 instance (a single session used to perform one or more related tasks). The instance can rely on a specific operating system, such as Linux or Windows. You can also size the instance to provide a small number of services or to act as a cluster of computers for huge computing tasks (and everything in between). AWS bases the instance size on the CPU type and the amount of memory and storage required to perform the tasks you assign to the instance. In fact, you can create optimized instances for tasks that require more resources in the following areas:
As the tasks that you assign to an instance change, so can the instance configuration. You can adjust just the memory allocation for an instance or provide more storage when needed. You can also choose a pricing model that makes sense for the kind of instances you create:
- On Demand: You pay for what you use.
- Reserved Instance: Provides a significantly reduced price in return for a one-time payment based on what you think you might need in the way of service.
- Spot Instance: Lets you name the price you want to pay, with the price affecting the level of service you receive.
Autoscaling is an EC2 feature that you use to ensure that your instance automatically changes configuration as the load on it changes. Rather than require someone to manage EC2 constantly, you can allow the instance to make some changes as needed based on the requirements you specify. The metrics you define determine the number and type of instances that EC2 runs. The metrics include standard ones, such as CPU utilization level, but you can also define custom metrics as needed. A potential problem with autoscaling is that you're also charged for every instance it starts, which can mean an unexpectedly large bill. Every EC2 feature comes with pros and cons that you must balance when deciding how to configure your setup.
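To make the cost caveat concrete, here is an added example (not code from the book, and not the AWS scaling algorithm itself) that models target-tracking autoscaling in Python: each hour the group scales its capacity in proportion to the observed CPU utilization relative to a target, then clamps the result to the group's minimum and maximum size. The CPU samples, hourly rate and budget are constructed values. Running the same load trace with two different maximum sizes shows that the maximum size is what actually bounds the bill.

```python
"""Simplified model of target-tracking autoscaling (added example).

Assumption: capacity scales proportionally to avg_cpu / target_cpu and is
then clamped to [min_size, max_size]. AWS's real controller also applies
cooldowns, warm-up and instance-level rounding rules that are omitted here.
"""
import math

# Constructed hourly samples of average fleet CPU utilization (percent).
CPU_SAMPLES = [30, 60, 95, 99, 99, 40, 20]


def desired_capacity(current, avg_cpu, target_cpu, min_size, max_size):
    """Return the next capacity for one scaling decision."""
    if avg_cpu <= 0:
        wanted = min_size
    else:
        # Proportional target tracking: scale by how far CPU is from target.
        wanted = math.ceil(current * avg_cpu / target_cpu)
    # The group's bounds are the hard limits; max_size is the cost cap.
    return max(min_size, min(max_size, wanted))


def simulate(cpu_samples, target_cpu, min_size, max_size, hourly_rate, budget):
    """Walk the samples hour by hour and tally instance-hours and cost."""
    capacity = min_size
    history = []
    for cpu in cpu_samples:
        capacity = desired_capacity(capacity, cpu, target_cpu, min_size, max_size)
        history.append(capacity)
    instance_hours = sum(history)
    cost = instance_hours * hourly_rate
    return {
        "history": history,
        "instance_hours": instance_hours,
        "cost": round(cost, 2),
        "over_budget": cost > budget,
    }


if __name__ == "__main__":
    # Hypothetical rate of $0.10 per instance-hour and a $3.00 budget.
    for max_size in (8, 4):
        result = simulate(CPU_SAMPLES, target_cpu=50, min_size=2,
                          max_size=max_size, hourly_rate=0.10, budget=3.00)
        print(f"max_size={max_size}: capacity per hour {result['history']}, "
              f"cost ${result['cost']:.2f}, over budget: {result['over_budget']}")
```

The uncapped group (maximum 8) follows the load spike up to 8 instances and overshoots the budget; the same trace with a maximum of 4 stays within it, at the price of running hotter during the spike. That trade-off is exactly the one the paragraph describes, and the maximum size is the setting to review when a bill surprises you.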
AWS also provides distinct security features. The use of these security features will become more detailed as the book progresses. However, here is a summary of the security features used with EC2:
- Virtual Private Cloud (VPC): Separates every instance running on the physical server from every other instance. Theoretically, no one can access someone else’s instance (even though it can happen in the real world).
- Network Access Control Lists (ACLs) (Optional): Act as a firewall to control both incoming and outgoing requests at the subnet level.
- Identity and Access Management (IAM) Users and Permissions: Controls the level of access granted to individual users and user groups. You can both allow and deny access to specific resources managed by EC2.
- Security Groups: Act as a firewall to control both incoming and outgoing requests at the instance level. Each instance can have up to five security groups, each of which can have different permissions. This security feature provides finer-grained control over access than Network ACLs, but you must also maintain it for each instance, rather than for the virtual machine as a whole.
- Hardware Security Device: Relies on a hardware-based security device that you install to control security between your on-premises network and the AWS cloud.
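Because security groups are maintained per instance, a practical defender's check is to audit their rules for ingress open to the whole Internet. The following is an added example (not code from the book or from AWS): a small Python audit that reads rules in the same shape as the IpPermissions list that boto3's describe_security_groups returns, flags world-open ranges on administrative ports or on all ports, and is run against a constructed weak group and a constructed hardened group. The group names, the 203.0.113.0/24 bastion range and the list of administrative ports are assumptions for the example.

```python
"""Audit EC2 security-group ingress rules for world-open access (added example).

The rule dictionaries mirror the IpPermissions structure returned by
boto3's describe_security_groups, but all data here is constructed.
"""
import ipaddress

# Assumed list of ports that should never be reachable from 0.0.0.0/0 or ::/0.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed weak group: SSH from anywhere, plus all IPv6 traffic from anywhere.
WEAK_SG = {
    "GroupName": "web-weak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

# Constructed hardened group: SSH only from an assumed bastion range, HTTPS public.
HARDENED_SG = {
    "GroupName": "web-hardened",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def _port_range(rule):
    """Return (low, high) for a rule; protocol "-1" means all ports."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _is_world_open(cidr):
    """A /0 prefix (0.0.0.0/0 or ::/0) matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(ip_permissions):
    """Return a list of human-readable findings for world-open ingress."""
    findings = []
    for rule in ip_permissions:
        low, high = _port_range(rule)
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if not _is_world_open(cidr):
                continue
            if low == 0 and high == 65535:
                findings.append(f"{cidr}: all ports open to the world")
                continue
            for port, name in ADMIN_PORTS.items():
                if low <= port <= high:
                    findings.append(f"{cidr}: {name} ({port}) open to the world")
    return findings


def audit_group(security_group):
    """Audit one security group dictionary and report by group name."""
    return security_group["GroupName"], audit_ingress(security_group["IpPermissions"])


if __name__ == "__main__":
    for sg in (WEAK_SG, HARDENED_SG):
        name, findings = audit_group(sg)
        print(name, "->", findings or "no world-open ingress")
```

The hardened group still exposes HTTPS to everyone, which is what a public web server needs; the audit only reports ranges that match every address on ports that should be reachable from a trusted network alone. Against a live account you would feed it the IpPermissions of each group returned by describe_security_groups and review any group that produces findings.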
No amount of security will thwart a determined intruder. Anyone who wants to gain access to your server will find a way to do it no matter how high you build the walls. In addition to great security, you must monitor the system and, by assuming that someone will break in, deal with the intruder as quickly as possible. Providing security keeps the less skilled intruder at bay as well as helps keep essentially honest people honest, but skilled intruders will always find a way in. The severity of these breaches varies, but it can actually cause businesses to fail, as in the case of Code Spaces. A number of security researchers warn that AWS is prone to security lapses. However, don’t assume that other cloud services provide better security. Any time you use external services, you take significant risks as well.
A final consideration is the use of storage. Each instance comes with a specific amount of storage based on the kind of instance you create. If the instance storage doesn’t provide the functionality or capacity you need, you can also add Elastic Block Store (EBS) support. The main advantage of using EBS, besides capacity and flexibility, is the capability to define a specific level of storage performance to ensure that your application runs as expected.