Scenario
EC2 is the core service in the Compute category: an EC2 instance is a virtual server that you use much like an on-premises machine. It can host applications, databases or containers, serve files with an EFS file system mounted, or run as part of an ECS or EKS cluster.
AWS provides a range of pre-built AMIs, including Amazon Linux, macOS, Ubuntu, Windows, Red Hat, SUSE Linux and Debian, as well as third-party images.
The instance type determines the hardware of the instance: vCPUs, memory, storage and network capacity. For example, t2.micro is the type used for the Linux instance launched here. The name breaks down as follows.
t - instance family
2 - instance generation
micro - instance size
Once the instance is running, we can connect to it with an SSH client.
Examples
Let's walk through the instance launch step by step.
Click Launch instance to open the launch page. In the Name text box, enter TestPublicLinuxServer.
For AMI, choose Amazon Linux 2023 AMI (Free tier eligible).
Under Instance type, choose t2.micro (Free tier eligible).
For Key pair (login), select an existing key pair whose private key file you still have, or create a new one. Here we pick the previously created key pair, KeyToLinuxInstance. AWS stores only the public key; the private key file is downloaded once, when the key pair is created, and cannot be retrieved from AWS later.
Under Network settings, select the target VPC and subnet. In this demo, we choose a public subnet in the account's default VPC.
Then set Auto-assign public IP to Enable.
For Firewall (security groups), you can use the default VPC security group or create your own. We create a new one for this instance and add an SSH rule to its Inbound Security Group Rules. Set the rule's Source to My IP (or your office CIDR) rather than Anywhere (0.0.0.0/0): an SSH port open to the whole internet is scanned and brute-forced continuously, and the source restriction is the single cheapest control on this page.
Under Configure storage, we keep the default general purpose EBS root volume. We are now ready to launch.
Click Launch instance.
The instance is now being created; the progress bar shows how far the launch has got. A Success banner at the top of the screen means the launch request went through. Click Launch log for more detail.
Note that the instance may not be ready for use yet; it still needs some time to initialize. You can check its status on the Instances page (wait for Status checks to show 2/2 checks passed).
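The same launch as an added example using the AWS CLI from PowerShell (this is not code from the original post). It assumes AWS CLI v2 is installed and configured, that the key pair KeyToLinuxInstance already exists, and that the default VPC is used; the security group it creates admits SSH only from this workstation's current public IP, which is the Source setting recommended above.

```powershell
# Added example, not from the original post: AWS CLI equivalent of the console launch.
# Assumes AWS CLI v2, an existing key pair named KeyToLinuxInstance, and the default VPC.
$ErrorActionPreference = "Stop"

# Latest Amazon Linux 2023 x86_64 AMI id, published by AWS as a public SSM parameter
$amiId = aws ssm get-parameters --names "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64" --query "Parameters[0].Value" --output text

# Default VPC and one of its default (public) subnets. Commas must be quoted in PowerShell,
# otherwise "Name=x,Values=y" is split into two arguments before aws ever sees it.
$vpcId    = aws ec2 describe-vpcs    --filters "Name=is-default,Values=true" --query "Vpcs[0].VpcId" --output text
$subnetId = aws ec2 describe-subnets --filters "Name=vpc-id,Values=$vpcId" "Name=default-for-az,Values=true" --query "Subnets[0].SubnetId" --output text

# Security group: SSH from this workstation only (/32), nothing from 0.0.0.0/0
$myIp = (Invoke-RestMethod -Uri "https://checkip.amazonaws.com").Trim()
$sgId = aws ec2 create-security-group --group-name "TestPublicLinuxServer-sg" --description "SSH from admin workstation" --vpc-id $vpcId --query "GroupId" --output text
aws ec2 authorize-security-group-ingress --group-id $sgId --protocol tcp --port 22 --cidr "$myIp/32" | Out-Null

# Launch a t2.micro in the public subnet with a public IP, named as in the console walkthrough
$instanceId = aws ec2 run-instances --image-id $amiId --instance-type t2.micro --key-name KeyToLinuxInstance --subnet-id $subnetId --security-group-ids $sgId --associate-public-ip-address --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=TestPublicLinuxServer}]" --query "Instances[0].InstanceId" --output text

# Wait for both status checks (the console's 2/2 checks passed) before trying to connect
aws ec2 wait instance-status-ok --instance-ids $instanceId
$publicDns = aws ec2 describe-instances --instance-ids $instanceId --query "Reservations[0].Instances[0].PublicDnsName" --output text
Write-Host "ssh -i .\KeyToLinuxInstance.pem ec2-user@$publicDns"
```

The security group rule is the part that matters: because the source is your own /32, the instance is unreachable on port 22 from anywhere else even though it has a public IP. If your public IP changes, update the rule rather than widening it.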
When the instance is ready, we can connect to it. Let's try EC2 Instance Connect first. The browser-based client needs the instance to have a public IP address, and the security group must allow inbound SSH from the EC2 Instance Connect service address range for the region; a rule that admits only My IP will therefore block it.
Click Connect.
A new browser tab opens. When you see the Amazon Linux login banner with its bird logo, you are logged in to the EC2 instance.
It is more common to connect to the instance with an SSH client. Click the SSH client tab to find the procedure and the exact command for establishing an SSH connection.
In this demo we use Windows PowerShell to run the SSH client (the OpenSSH client that ships with Windows 10 and later). The private key file is in the current folder, and its access control is set up as described in the Security Setting for the Private Key File section below.
Copy and paste the connection command and press Enter. The Amazon Linux banner appears again: we are connected to the instance.
Security Setting for the Private Key File
If you are using a Windows client, the following steps restrict the key file so that only your own account can read it. The OpenSSH client checks this and refuses a private key that other users can read ("Permissions for '...' are too open").
Right click on the file
Select Properties
Click Security tab
Click Advanced
Click Disable inheritance at the bottom left, then remove the inherited permissions and grant only your own user Read access.
The access settings should then look like the screenshot below.
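The same permission change from the PowerShell prompt, as an added example that is not part of the original post. It assumes the private key file is .\KeyToLinuxInstance.pem in the current folder.

```powershell
# Added example, not from the original post: PowerShell equivalent of the
# Properties > Security > Advanced > Disable inheritance steps above.
# Assumes the private key file is .\KeyToLinuxInstance.pem in the current folder.
$key = ".\KeyToLinuxInstance.pem"

# 1. Reset the ACL to the inherited default so we start from a known state
icacls $key /reset

# 2. Grant the current user read access only (/grant:r replaces any existing explicit grant)
icacls $key /grant:r "$($env:USERNAME):(R)"

# 3. Remove inheritance: the inherited entries for Users / Authenticated Users disappear
#    and the single explicit entry from step 2 is all that remains
icacls $key /inheritance:r

# Verify: the listing should show only your own account. If any other principal is listed,
# the Windows OpenSSH client rejects the key with "Permissions for ... are too open".
icacls $key
```

The order matters: granting before removing inheritance guarantees you never end up with an empty ACL that locks you out of your own key.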
How to Connect to an Instance in a Private Subnet via SSH?
We've demonstrated how to connect to a public instance via SSH. For an instance in a private subnet, first connect to the public instance and use it as a jump host (bastion) to SSH on to the private one. The points are summarized below.
Make sure Auto-assign public IP is disabled when the private instance is created, so it never gets a public IP address.
By default, a VPC's default network ACL allows all inbound and outbound traffic, and its default security group allows all outbound traffic plus inbound traffic from any instance that uses the same security group. So if both instances use the default security group you can reach the private instance with the commands below; if the private instance has its own security group, add an inbound SSH rule with the public instance's security group as the source. The commands are run on the public instance. Pasting the private key there is the simplest approach, but it leaves a copy of the key on an internet-facing host (chmod 400 limits it to your user, not to you alone); a better option is to keep the key on your workstation and use the SSH client's ProxyJump (-J) option.
# No sudo su needed: everything below runs as ec2-user.
nano instanceprivatekey.pem   # Paste the private key and save the file.
chmod 400 instanceprivatekey.pem   # Owner read-only; ssh refuses a key readable by others.
ssh -i "instanceprivatekey.pem" ec2-user@privateinstanceip
An instance in a private subnet has no public DNS name, so we use its private IP address instead.
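The ProxyJump alternative from the Windows workstation, as an added example that is not part of the original post. It assumes the bastion's public DNS name, a private instance at 10.0.1.25, and both key files in $env:USERPROFILE\.ssh; neither key is ever copied onto the public instance.

```powershell
# Added example, not from the original post: reach the private instance through the public one
# with ssh ProxyJump. Assumed placeholders: <public-dns-of-public-instance>, 10.0.1.25 for the
# private instance, and key files in $env:USERPROFILE\.ssh.
$sshDir = Join-Path $env:USERPROFILE ".ssh"
$config = Join-Path $sshDir "config"

# Host aliases for the bastion and the private instance. ProxyJump tells ssh to reach
# private-app by first opening an SSH session to bastion and tunnelling the second one through it.
$entry = @"

Host bastion
    HostName <public-dns-of-public-instance>
    User ec2-user
    IdentityFile $sshDir\KeyToLinuxInstance.pem

Host private-app
    HostName 10.0.1.25
    User ec2-user
    IdentityFile $sshDir\instanceprivatekey.pem
    ProxyJump bastion
"@
Add-Content -Path $config -Value $entry

# One command from the workstation; both keys stay on the workstation's disk
ssh private-app

# Equivalent one-off form without the config file (-J is shorthand for ProxyJump).
# -i applies only to the final hop, so the bastion key must be loaded in ssh-agent first
# (Start-Service ssh-agent; ssh-add $sshDir\KeyToLinuxInstance.pem) for this form to work.
ssh -i "$sshDir\instanceprivatekey.pem" -J ec2-user@<public-dns-of-public-instance> ec2-user@10.0.1.25
```

The security-group requirements are the same as for the copy-the-key method: the bastion accepts SSH from your IP, and the private instance accepts SSH from the bastion's security group. The difference is that a compromise of the bastion no longer yields the private instance's key.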
A private subnet is one whose route table has no route to an internet gateway, so nothing on the internet can reach the instance directly. If you want to tighten the network ACL to allow only specific traffic, remember that the ACL is stateless: you must allow both directions of every connection explicitly, and the reply direction uses the client's ephemeral port (1024-65535), not the listening port. An inbound rule for port 22 alone is not enough; the SSH replies leaving the private instance need an outbound rule for ports 1024-65535 to the client's CIDR.
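A custom network ACL for the private subnet that admits SSH from the public subnet only, as an added example that is not part of the original post. It assumes the VPC id, the private subnet id and a public subnet CIDR of 10.0.0.0/24 as placeholders, and is run with the AWS CLI from PowerShell.

```powershell
# Added example, not from the original post: stateless network ACL for the private subnet.
# The SSH replies (destination = the client's ephemeral port) need their own outbound rule;
# without it the TCP handshake never completes. Assumed placeholders: <vpc-id>,
# <private-subnet-id>, and 10.0.0.0/24 as the public (bastion) subnet.
$ErrorActionPreference = "Stop"
$vpcId           = "<vpc-id>"
$privateSubnetId = "<private-subnet-id>"
$publicCidr      = "10.0.0.0/24"

# A new ACL starts with only the implicit deny-all rule, unlike the default ACL (allow-all)
$aclId = aws ec2 create-network-acl --vpc-id $vpcId --query "NetworkAcl.NetworkAclId" --output text

# Inbound: SSH requests from the bastion subnet, destination port 22
aws ec2 create-network-acl-entry --network-acl-id $aclId --ingress --rule-number 100 --protocol tcp --port-range "From=22,To=22" --cidr-block $publicCidr --rule-action allow

# Outbound: the replies go back to the bastion's ephemeral source port, not to port 22
aws ec2 create-network-acl-entry --network-acl-id $aclId --egress --rule-number 100 --protocol tcp --port-range "From=1024,To=65535" --cidr-block $publicCidr --rule-action allow

# Swap the private subnet's current association over to the new ACL
$assocId = aws ec2 describe-network-acls --filters "Name=association.subnet-id,Values=$privateSubnetId" --query "NetworkAcls[0].Associations[?SubnetId=='$privateSubnetId'].NetworkAclAssociationId | [0]" --output text
aws ec2 replace-network-acl-association --association-id $assocId --network-acl-id $aclId
```

If the public subnet also uses a custom ACL it needs the mirror image (outbound port 22 to the private CIDR, inbound 1024-65535 from it); the default allow-all ACL already covers that. Anything else the private instance must do, such as package updates through a NAT gateway, needs its own pair of rules for the same reason.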