
Launching an EC2 Instance

This tutorial covers the process of launching an EC2 instance (VM) using the aws cli.

  • The preceding link provides details on installing the aws cli or using the preinstalled version available on the CADES SHPC condo environments.

The steps below provide examples of several aws commands for interacting with EC2 and collecting the information needed to launch instances.

AWS documentation on using the Amazon Web Console to perform these steps is available here; this guide covers the steps to do so via the command line.

Collecting Required Details

We will collect the following details, learning more about the powerful aws command line as we go.

Once you have gone through these steps once, launching any number of instances is easily achieved.

  • Amazon Machine Image (AMI) Id
    • The flavor/distro of Linux we are going to launch
  • Instance Type
    • User selectable type (virtualization method, GPU, etc.) and size (CPU, memory, etc.)
  • Create Keypair
    • .pem file for ssh access
  • VPC subnet
    • The virtual network your instances run within
  • Security Group
    • The aws firewall rules, which you control

Each step is shown below, ending with the full command to launch the instance and then connect to it.

Amazon Machine Image (AMI) Id

Command to filter Amazon-owned images by name (here Amazon Linux 2; adjust the name pattern for Ubuntu, SUSE, or Red Hat images) and return the Id of the current version:

aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn2-ami-hvm-2.0.????????-x86_64-gp2' 'Name=state,Values=available' --output json --profile cades-ops-admin | jq -r '.Images | sort_by(.CreationDate) | last(.[]).ImageId'
ami-009d6802948d06e52

To view details about the returned image (which should be the most recent):

aws ec2 describe-images --image-ids ami-009d6802948d06e52

Ref: aws docs
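The jq pipeline above picks the last image after sorting by CreationDate. The following is an added example (not part of this tutorial) that applies the same selection in Python over a constructed describe-images response, and adds a defender's check that is useful when an AMI id is reused from a saved script: confirm the id is still available and carries the Amazon owner alias before passing it to run-instances. The image ids, owner account ids and dates in the sample are made up.

```python
import json

# Constructed sample shaped like `aws ec2 describe-images --output json`; ids, owner
# accounts and dates are made up. The third image is newer but not Amazon-owned.
SAMPLE_DESCRIBE_IMAGES = json.dumps({"Images": [
    {"ImageId": "ami-00000000000000001", "Name": "amzn2-ami-hvm-2.0.20180810-x86_64-gp2",
     "CreationDate": "2018-08-11T02:30:11.000Z", "State": "available",
     "OwnerId": "123456789012", "ImageOwnerAlias": "amazon"},
    {"ImageId": "ami-00000000000000002", "Name": "amzn2-ami-hvm-2.0.20181024-x86_64-gp2",
     "CreationDate": "2018-10-24T21:06:17.000Z", "State": "available",
     "OwnerId": "123456789012", "ImageOwnerAlias": "amazon"},
    {"ImageId": "ami-00000000000000003", "Name": "amzn2-ami-hvm-2.0.20190101-x86_64-gp2",
     "CreationDate": "2019-01-01T00:00:00.000Z", "State": "available",
     "OwnerId": "210987654321"},
]})


def trusted_images(describe_images_json, name_prefix="amzn2-ami-hvm-2.0.", owner_alias="amazon"):
    """Images that are available, match the name pattern and carry the expected owner alias."""
    return [img for img in json.loads(describe_images_json)["Images"]
            if img.get("State") == "available"
            and img.get("Name", "").startswith(name_prefix)
            and img.get("ImageOwnerAlias") == owner_alias]


def newest_image_id(describe_images_json, **filters):
    """Same selection as the jq pipeline (sort by CreationDate, take the last), limited to
    trusted images. CreationDate is ISO-8601 UTC, so string order is chronological order."""
    candidates = trusted_images(describe_images_json, **filters)
    if not candidates:
        raise LookupError("no available image matched the filters")
    return max(candidates, key=lambda img: img["CreationDate"])["ImageId"]


def verify_image_id(describe_images_json, image_id, **filters):
    """Before run-instances, confirm a previously chosen AMI id is still available and trusted."""
    return any(img["ImageId"] == image_id
               for img in trusted_images(describe_images_json, **filters))
```

The newest image overall is excluded because it lacks the `amazon` owner alias, so the selection falls back to the newest Amazon-owned one.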

Instance Type

Full specs on CPU, memory, etc. for each type can be found here.

An abbreviated list of instance types can be obtained with:

aws pricing get-attribute-values --service-code AmazonEC2 --attribute-name instanceType --region us-east-1

Ref: https://github.com/aws/aws-cli/issues/1279

Create Keypair

You must have access to a keypair (.pem file) to access your instance via ssh after launching.

  • Keypairs should be safely stored; they will allow root access.
  • Only keypairs for the defined or provided --region are shown.

aws ec2 describe-key-pairs --profile default  # or specify another profile / --region
{
    "KeyPairs": []
}

You may create a new keypair with:

aws ec2 create-key-pair --key-name awstutorial --query 'KeyMaterial' --output text > ~/.ssh/awstutorial.pem
chmod 600 ~/.ssh/awstutorial.pem

(--query 'KeyMaterial' writes only the private key into the file; without it the text output also contains the fingerprint and key name, and the .pem will not load.)

Save the generated keypair in a safe location. The local $HOME/.ssh directory provides minimal protective permissions, though you may consider a mountable encrypted directory solution.

VPC Subnet

Subnets are created within each AWS region, and IPs are assigned from them.

You must choose a subnet matching the region you are launching in.

aws ec2 describe-subnets

Display a summary list of subnets for a specific --region (the SubnetId is what run-instances needs):

aws ec2 describe-subnets --region us-east-1 | jq '.Subnets[] | {SubnetId, AvailabilityZone, State, VpcId, CidrBlock}'

Security Group

Security groups are sets of firewall rules within AWS which you control.

The default security group normally has tcp/22 inbound, to allow ssh. You may modify this, or create additional groups to attach as appropriate.

Describe all defined security groups:

aws ec2 describe-security-groups

Filter on a specific group:

aws ec2 describe-security-groups --group-name default
or
aws ec2 describe-security-groups --group-ids sg-71fda600
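Because security groups are the firewall you control, it is worth checking what the group you attach actually exposes. The following is an added example (not part of this tutorial) that scans a constructed describe-security-groups response and reports every inbound rule that lets the whole internet (0.0.0.0/0 or ::/0) reach a port, tcp/22 by default; the group ids, names and CIDRs in the sample are made up.

```python
import json

WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
# Group ids and names are made up; 198.51.100.0/24 is a documentation range.
SAMPLE_DESCRIBE_SGS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-00000000000000001", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-00000000000000001"}]}]},
    {"GroupId": "sg-00000000000000002", "GroupName": "ssh-from-campus", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-00000000000000003", "GroupName": "all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
]})


def rule_covers_port(perm, port):
    """True if an IpPermissions entry applies to tcp/<port>: either an all-traffic
    rule (IpProtocol "-1", which carries no port range) or a tcp range containing it."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_ingress(describe_sgs_json, port=22):
    """Return (GroupId, GroupName, IpProtocol, cidr) for each ingress rule that exposes
    `port` to any IPv4 or IPv6 source. Rules that reference other groups are not flagged."""
    findings = []
    for sg in json.loads(describe_sgs_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD:
                    findings.append((sg["GroupId"], sg["GroupName"], perm["IpProtocol"], cidr))
    return findings
```

A group that only admits your own egress range (as `ssh-from-campus` does in the sample) is not reported; the two findings are the candidates to tighten before attaching the group at launch.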

Launch Your Instance

Now that we've chosen the Amazon Machine Image (OS), the instance type (VM size), and the security group and subnet to attach upon creation, you may launch with:

aws ec2 run-instances --image-id ami-009d6802948d06e52 --count 1 --instance-type t2.micro --key-name cades-ops --security-group-ids sg-71fda600 --subnet-id subnet-091af86d

Output will show various details of the instance, including the InstanceId.

The public IP address is not immediately displayed, as the IP is still being provisioned. After a moment, describe the instance to discover its PublicIpAddress:

aws ec2 describe-instances --instance-ids i-07d1912eb6f402d36

or

aws ec2 describe-instances --instance-ids i-07d1912eb6f402d36 | jq '.Reservations[].Instances[].PublicIpAddress, .Reservations[].Instances[].PublicDnsName, .Reservations[].Instances[].State'
"35.170.65.50"
"ec2-35-170-65-50.compute-1.amazonaws.com"
{
  "Code": 16,
  "Name": "running"
}
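Because the address only appears once provisioning finishes, a script that launches and then connects has to poll describe-instances until the state is `running` and a PublicIpAddress is present. The following is an added example (not part of this tutorial) of that wait loop, driven here by constructed responses that imitate a pending instance followed by a running one; the instance id and addresses are made up (203.0.113.0/24 is a documentation range).

```python
import json
import time


def instance_endpoint(describe_instances_json):
    """Return (PublicIpAddress, PublicDnsName, state name) for the first instance in a
    describe-instances response, or None while it is not yet running with an address."""
    reservations = json.loads(describe_instances_json)["Reservations"]
    instances = [inst for r in reservations for inst in r["Instances"]]
    if not instances:
        return None
    inst = instances[0]
    state = inst.get("State", {}).get("Name")
    ip = inst.get("PublicIpAddress")
    if state == "running" and ip:
        return ip, inst.get("PublicDnsName", ""), state
    return None


def wait_for_endpoint(fetch, attempts=10, delay=5.0):
    """Call fetch() (in practice a wrapper around `aws ec2 describe-instances`) until the
    instance is running with a public IP; return None if it is not after `attempts` tries."""
    for attempt in range(attempts):
        endpoint = instance_endpoint(fetch())
        if endpoint:
            return endpoint
        if attempt < attempts - 1:
            time.sleep(delay)
    return None


# Constructed responses: first call still pending, second call running with an address.
PENDING_RESPONSE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0000000000000000a", "State": {"Code": 0, "Name": "pending"}}]}]})
RUNNING_RESPONSE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0000000000000000a", "State": {"Code": 16, "Name": "running"},
     "PublicIpAddress": "203.0.113.10",
     "PublicDnsName": "ec2-203-0-113-10.compute-1.amazonaws.com"}]}]})


def demo_wait():
    """Drive the wait loop with the two constructed responses in order."""
    responses = iter([PENDING_RESPONSE, RUNNING_RESPONSE])
    return wait_for_endpoint(lambda: next(responses), attempts=3, delay=0)
```

Against a real account, replace the lambda with a function that runs the describe-instances command shown above and returns its JSON output.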

SSH Into Instance

Outbound SSH from ORNL to the external world is blocked; however, you can install and use corkscrew, which allows connecting through the ORNL SSH proxy.

Once corkscrew is installed, you may connect by providing the .pem file (keypair, created above) and specifying the IP address or PublicDnsName of the instance.

You may add the proxy command to ~/.ssh/config host profiles, as well as the location of your .pem file.

📝 Note: The user to connect as is determined by the AMI used to launch the instance and may be ec2-user, root, ubuntu, or something else.

ssh -o 'ProxyCommand corkscrew snowman.ornl.gov 3128 %h %p' -i ~/.ssh/awstutorial.pem ec2-user@35.170.65.50

or

ssh -o 'ProxyCommand corkscrew snowman.ornl.gov 3128 %h %p' -i ~/.ssh/awstutorial.pem ec2-user@ec2-35-170-65-50.compute-1.amazonaws.com
       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2017.03-release-notes/
22 package(s) needed for security, out of 54 available
Run "sudo yum update" to apply all updates.
Amazon Linux version 2018.03 is available.

Troubleshooting SSH Connections

  • See aws docs for additional information on connecting.
  • Verify your .pem file is not corrupt with: openssl rsa -in ~/.ssh/awstutorial.pem -check
  • View the console output of the VM with: aws ec2 get-console-output --instance-id i-025d2161c86310a67

Stopping and Terminating (Deleting) Instances

Behavior when terminating (deleting) instances is covered here.

A few important points:

  • After you terminate an instance, it remains visible in the console for a short while, and then the entry is automatically deleted. You cannot delete the terminated instance entry yourself.
  • By default, Amazon EBS root device volumes are automatically deleted when the instance terminates.
  • However, by default, any additional EBS volumes that you attach at launch, or any EBS volumes that you attach to an existing instance persist even after the instance terminates.
  • You can prevent an instance from being terminated accidentally by someone using the AWS Management Console, the CLI, and the API.

Stop an instance (it can be started again later) or terminate it (deleted; the EBS root volume is removed by default) with:

aws ec2 stop-instances --instance-ids i-07d1912eb6f402d36
aws ec2 terminate-instances --instance-ids i-07d1912eb6f402d36