Before you start!
Go to "Launch Instance." From here, we're going to select the Amazon Linux 2 AMI, and we're going to leave T2.micro, the default, set and go ahead and click "Next" to configure instance details. Now we're going to deploy one instance. The next option is purchasing options. So if you remember, we talked about the three different types of purchasing options; do you remember what they were? Reserved, spot, and on-demand. So we're going to deploy an on-demand instance; we're not going to do a spot-based instance. So we'll come down here to VPC, and we have our default VPC set up, and then for subnet we're going to go ahead and pick the us-east-1a subnet and auto-assign a public IP address. We're going to leave that set to enabled. This is important because we need a public IP address in order for us to connect to that instance from outside of the VPC. Placement groups we're not going to do anything with, because that's a more advanced topic. Capacity reservation, again, is an advanced topic; we're not going to do anything with it. Roles: if you remember, we talked about IAM roles. Here is where you could assign an IAM role that you've created. And then there's what should happen when shutdown is selected on an instance, and then here is your termination protection. So this prevents someone from accidentally terminating your instance. You can also enable monitoring for CloudWatch on this instance. We haven't talked about CloudWatch yet, but we will be talking about that a little bit later on, and then tenancy is run on shared hardware.
Always remember the EC2
So if you remember, we mentioned that there's underlying hardware that supports all of the virtual servers, or the instances. This is where you select whether it should share hardware with other instances, or notice that you can actually select dedicated. Elastic interface is also something that's a more advanced topic, and T3/T2 unlimited is a more advanced topic as well. And if we scroll down, I mentioned that the instance gets an interface, a network interface or adapter, assigned to it. Here you can see the ID of the adapter, and you can see the interface. We're creating a new one; the subnet that that interface is going to belong to is based off of the subnet up here, and then the IP address here is going to be auto-assigned. Now, you could also have it assign additional IP addresses as well. Again, that's all something that's more advanced, but I'm pointing it out so that you see it. You see that the interface is attached to the instance and that you can add additional IP addresses. Now, we're not going to go under advanced details. We're going to go ahead and click "Next" to add storage. Here we can set the EBS storage; this instance has an eight gig root volume. We're going to leave that as is; we don't need any additional storage, so we're going to go ahead and click "Next" to add tags. For tags, we're going to go ahead and give it a tag with a key of Name and a value of SSH test, and then I'm going to click "Next" to configure the security group. So if you remember, we talked about security groups in the previous lesson, and we talked about how you assign permissions for that security group. So we're going to go ahead and select an existing security group, and the default security group is the one we're going to select. So if you look at this, this security group says all traffic from this security group, and then HTTP traffic is also allowed.
That doesn't quite do what we want, so we're going to go ahead and click "Create a new security group." We're going to call this SSH test for both the name and the description, and we want SSH allowed. So we're going to leave this open, so that SSH access to this instance can happen from anywhere in the world. Now, typically, you would not want to do that, right? So from a security perspective, you would want to make sure that that was locked down to either a specific subnet or an individual host, depending upon how your admins actually access the instance. So we want to allow SSH traffic inbound, and then we're going to go ahead and click "Review and Launch." This just confirms all of the details. So we're going to leave everything as is and click "Launch," and here's where we get access to the key pair.
Create key pairs for AWS instances
So we're going to go ahead and create a new key pair, and this key pair is going to be called SSH test key pair. I'm going to download that key pair, and you can see that it downloads with a .pem extension. I'm going to go ahead and hit "Launch Instances," and this instance is in the process of being launched. I'm going to click "View Instances," and you can see the existing instance that's already running. And then here is our instance with the SSH test tag that we gave to it; it's in the pending state, so it's being set up. Once this is complete, we will be able to connect to it using SSH from either our Windows or non-Windows computers. So I'm going to click the instance to select it. And if you come down here, there's a few things that you can see. One is the public DNS name. So if we wanted to try to connect to it by name, this is the DNS name that we would use. That name is publicly available over the internet, at least while this instance is up and running. Then we have the IPv4 address; this is the IP address that we could use to connect. So there are a couple of different ways that we can actually connect. Now, other information you can see here: the ID of the instance, the state of the instance, which is actually up and running now, the instance type, the availability zone where it was deployed. Then the private IP address: later you're actually going to work in a lab exercise where you can see the difference in connecting to a public versus a private subnet to access an instance. So you can see here that we have a private IP address, which means that this IP address doesn't work over the internet. It will only work locally within the network. The public IP address is what makes that instance accessible over the internet. And then we have our security group rules. And then there are some other details here as well: the AMI ID, what VPC it's in, the subnet that it belongs to, the key pair that's used to access it, when it was launched.
See, there's a lot of additional information down here. All right, so let's go ahead and go over here to our security groups. So we talked about security groups previously, and we looked at the inbound rules and we allowed SSH inbound, and for outbound, again, the default is that it's going to allow all traffic outbound. So when we SSH into the instance, the inbound traffic is going to be on port 22. But remember, I mentioned before that you could use SSH, or you could use port 80 for web traffic. The return traffic is not necessarily going to be on the same port. It depends on what port is used for that inbound traffic. So for SSH here we have port 22, for HTTP we have port 80, for HTTPS it's 443. Now the return traffic is going to be based off of a different port. How's that port selected? It's based on the computer that initially sends the request; that request is sent out of a specific port that's within a range that we call the ephemeral port range. That could be anything between 1024 and 65535. That computer, or your computer, then uses port 22 as the destination into the EC2 instance, so inbound, that's why we allow port 22. But when the traffic leaves to go back to where it came from, it has to go back to that same ephemeral port. So we have to allow a range of ports, called ephemeral ports, outbound. Now, for a security group, this is not as much of a big deal, because once the traffic comes in, it's automatically allowed to go back out, because security groups are stateful. But if it is a NACL, we would actually have to create an outbound rule as well to allow that ephemeral port range. So I just wanted to run through that again, because security groups and NACLs can sometimes be a confusing topic for some folks. So we can actually go to VPCs really quickly and take a look at our network access control list for our default VPC. We're going to go with this one, it's the default, and notice that the inbound rules right now allow all inbound, and the outbound rules allow all outbound.
So if we wanted to remove this allow all outbound, then we could edit these rules. And we could actually change this from all traffic to a custom rule, and then we could say 1024 through 65535, and this says allow that traffic out of the NACL so that return traffic could then get back. Now, the rule that says allow all allows everything, so we wouldn't have to do this; again, I'm pointing it out because we aren't currently customizing or creating that customized rule right now. I just wanted to point it out so you're aware that sometimes that is required to allow that port range, and those are called ephemeral ports (some people pronounce it differently). Alright, so I'm going to hit "Cancel," close this VPC tab, minimize that, and go back up to instances.
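To make the stateful versus stateless distinction concrete, here is an added Python model (not code from the lesson or from AWS) of how a security group and a NACL treat the SSH request on port 22 and its reply on an ephemeral port. The matching is simplified (no protocol field, rule order stands in for NACL rule numbers), and the client, instance and admin-subnet addresses used with it are constructed examples.

```python
import ipaddress
from collections import namedtuple

# cidr is the source CIDR for an inbound rule and the destination CIDR for an outbound one;
# action is always "allow" for security groups, "allow" or "deny" for NACL rules
Rule = namedtuple("Rule", "direction port_from port_to cidr action", defaults=("allow",))
Packet = namedtuple("Packet", "direction src_ip src_port dst_ip dst_port")
EPHEMERAL = (1024, 65535)  # client-side source port range described in the lesson

def rule_matches(rule, pkt):
    """A rule matches on direction, the peer address and the packet's destination port."""
    if rule.direction != pkt.direction:
        return False
    peer = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    in_cidr = ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr)
    return in_cidr and rule.port_from <= pkt.dst_port <= rule.port_to

class SecurityGroup:
    """Stateful: once a flow is admitted, its reply passes without any outbound rule."""
    def __init__(self, rules):
        self.rules, self.flows = list(rules), set()

    def allows(self, pkt):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return True  # reply to a tracked connection
        if any(rule_matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False

class NetworkACL:
    """Stateless: every packet, replies included, must match a rule on its own."""
    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, pkt):
        for r in self.rules:  # first match wins, like numbered NACL rules
            if rule_matches(r, pkt):
                return r.action == "allow"
        return False  # the trailing '*' rule: implicit deny

def ssh_session(filt, client_ip, client_port, instance_ip):
    """Return (request_allowed, reply_allowed) for one SSH attempt from an ephemeral port."""
    req = Packet("inbound", client_ip, client_port, instance_ip, 22)
    rep = Packet("outbound", instance_ip, 22, client_ip, client_port)
    ok = filt.allows(req)
    return ok, ok and filt.allows(rep)
```

With only an inbound port 22 rule, the security group still passes the reply, while the NACL drops it until an outbound 1024-65535 rule is added; restricting the inbound rule's CIDR to an admin subnet is the lock-down the lesson recommends.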
Final steps in the AWS EC2
I'm going to go back over here to instances, and here are the instances that we have running, the one called SSH test. So I'm going to click that one, and then notice that if we click the "Connect" button, it shows us how to connect. So we need to use an SSH client. Now this is where the difference comes in if you're connecting using a Windows computer versus using terminal on a Linux or a Mac computer: the difference is that on Windows you have to download and use an application like PuTTY in order to connect to that instance, and the instructions for doing so are going to be a little bit different. If you're not using PuTTY because you're on a Linux or a Mac based computer, then these are the instructions that need to be followed. So we're going to stop this lesson right here, and in the next lesson we're going to actually do that connection from a Windows computer. And then you also have the option of skipping that lesson and completing the lesson on how to connect using a Mac/Linux computer, basically a non-Windows computer using terminal, in the following lesson. Again, you're welcome to skip the lesson that doesn't apply to your computer. If you have Linux, skip the Windows lesson. If you have Windows, skip the Terminal lesson; just go ahead and hit the button to mark it complete so that you get full credit for completing the entire course. So that's going to do it. Thanks for watching. I'll see you in the next lesson.