EC2 stands for Elastic Compute Cloud, and AWS really focuses on the elastic part. EC2 is basically a big "cloud" of CPUs and memory: you use just the amount your application needs at every moment, and if used correctly it scales elastically with your needs.
Although the premise of elasticity is awesome, we are not going to use that part yet; that will be something for another series. For now we'll keep it relatively simple and only run two "fixed" EC2 instances.
In this part we'll set up the basics for the instances and configure the Windows instance. In Part 6 – Servers in EC2 part 2 the Linux (Ubuntu) instance will be configured as well, we'll make snapshots and discuss some optional or future improvements.
Before we launch these instances, we'll first set up two security features: Security Groups and Key Pairs. You can also do this during the launch of the instance, but I found it easier to have them prepared in advance.
A security group can be seen as a virtual firewall attached to the instance's network interface. Inbound, it blocks everything except the ports and sources you explicitly allow; it is stateful, so replies to allowed traffic get through without an extra rule. We're going to set up four security groups: one for webserver access, one for the MS SQL engine, one for remote management and one for our applications.
From the main console, get to EC2 by searching for it.
Check if you're in the correct region; you can change it in the top right corner. I'm in Frankfurt.
In the EC2 dashboard go to Security Groups in the menu on the left.
Click the Create Security Group button and add the Group name and description. We only have the default VPC, so we can't change this setting.
Next we add a rule for each port we want to open. For example, when creating the Webserver group, click Add Rule and select HTTP as the type; the protocol (TCP) and port (80) are filled in automatically. As the source, choose Anywhere (0.0.0.0/0, and ::/0 for IPv6) when you want people to see your website, or My IP when only you want access. My IP fills in your current public address as a /32, so if that address changes you'll have to update the rule. Only the Webserver group should be open to Anywhere; for the MS SQL engine and Remote server management groups use My IP.
| Security group | Type | Protocol | Port Range | Source | Description |
|---|---|---|---|---|---|
Click on the Outbound tab and notice that there is a rule for All traffic to 0.0.0.0/0. This is the default: the instance may open connections to any port anywhere. We'll leave it like it is and click Create to create the security group.
We'll repeat this for every group.
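As an added example (this is not code from the post), here is the same set of groups created with the AWS Tools for PowerShell instead of the console, followed by the check I'd run afterwards: list every rule that is open to 0.0.0.0/0. It assumes AWS.Tools.EC2 is installed and a credential profile and region are already configured; the group names, the 1433/3389/22 ports and the empty applications group are my own choices, because the post doesn't list its rules. The default outbound all-traffic rule is left as it is, like in the post.

```powershell
# Added example, not from the post. Requires: Install-Module AWS.Tools.EC2,
# Set-AWSCredential / Set-DefaultAWSRegion done beforehand.
Import-Module AWS.Tools.EC2

# The post only has the default VPC; look it up instead of hard-coding it.
$vpcId = (Get-EC2Vpc -Filter @{ Name = 'is-default'; Values = 'true' }).VpcId

# "My IP" the way the console fills it in: our current public address as a /32.
$myIp = (Invoke-RestMethod -Uri 'https://checkip.amazonaws.com').Trim() + '/32'

function New-JbSecurityGroup {
    param(
        [string]$Name,
        [string]$Description,
        # one hashtable per inbound rule: @{ Port = 80; Cidr = '0.0.0.0/0'; Note = 'HTTP' }
        [hashtable[]]$Rules = @()
    )
    $sgId = New-EC2SecurityGroup -GroupName $Name -Description $Description -VpcId $vpcId
    New-EC2Tag -Resource $sgId -Tag @{ Key = 'Name'; Value = $Name }
    foreach ($r in $Rules) {
        $perm = New-Object Amazon.EC2.Model.IpPermission
        $perm.IpProtocol = 'tcp'
        $perm.FromPort   = $r.Port
        $perm.ToPort     = $r.Port
        $range = New-Object Amazon.EC2.Model.IpRange
        $range.CidrIp      = $r.Cidr
        $range.Description = $r.Note      # the Description column from the console table
        $perm.Ipv4Ranges.Add($range)
        Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission $perm
    }
    return $sgId
}

# Group names and ports below are my assumptions, not the post's.
$webSg = New-JbSecurityGroup -Name 'sg-jodibooks-webserver' -Description 'Public web access' -Rules @(
    @{ Port = 80; Cidr = '0.0.0.0/0'; Note = 'HTTP from anywhere' }
)
$sqlSg = New-JbSecurityGroup -Name 'sg-jodibooks-mssql' -Description 'MS SQL engine' -Rules @(
    @{ Port = 1433; Cidr = $myIp; Note = 'SQL Server from my IP only' }
)
$mgmtSg = New-JbSecurityGroup -Name 'sg-jodibooks-management' -Description 'Remote server management' -Rules @(
    @{ Port = 3389; Cidr = $myIp; Note = 'RDP to the Windows instance' },
    @{ Port = 22;   Cidr = $myIp; Note = 'SSH to the Linux instance' }
)
# The applications group: the post doesn't say which ports, so create it empty for now.
$appSg = New-JbSecurityGroup -Name 'sg-jodibooks-apps' -Description 'Application ports'

# Review check: which rules are reachable from the whole Internet? Only the
# web group should appear. Anything else here is a mistake worth fixing now.
function Get-JbWorldOpenRules {
    param([string[]]$GroupIds)
    foreach ($sg in Get-EC2SecurityGroup -GroupId $GroupIds) {
        foreach ($p in $sg.IpPermissions) {
            foreach ($range in $p.Ipv4Ranges) {
                if ($range.CidrIp -eq '0.0.0.0/0') {
                    [pscustomobject]@{ Group = $sg.GroupName; Protocol = $p.IpProtocol; Port = $p.FromPort }
                }
            }
        }
    }
}
Get-JbWorldOpenRules -GroupIds $webSg, $sqlSg, $mgmtSg, $appSg | Format-Table
```

If the check prints more than the single HTTP line for the web group, revoke the offending rule with Revoke-EC2SecurityGroupIngress before launching anything behind it.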
Next we need to make a key pair. We'll actually make two, one for each instance, but you can also choose to use the same one twice.
A key pair consists of a public and a matching private key. AWS keeps only the public key and places it on your instance at launch: on a Linux instance it becomes the authorized SSH key, on a Windows instance it is used to encrypt the initial Administrator password, which only the private key can decrypt. As only you have the private key, nobody else, not even AWS, can use the key pair to get into your instance. So if you lose it, it's gone and you lose access to your instances. To prevent that I've stored mine in Bitwarden.
More info on key pairs in AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
You can create a key pair yourself and import the public key, but we'll let AWS generate it for us. Go to Key Pairs in the menu on the left and click Create key pair. We'll give it a name with the prefix kp (for key pair) followed by the server/application it belongs to.
Because we want to use this key from Windows, we choose ppk as the file format. You can always convert between the file types later.
Source of .pem to .ppk instructions: https://aws.amazon.com/premiumsupport/knowledge-center/convert-pem-file-into-ppk/
The second key pair is for the Linux instance: kp-jodibooks-linux-server. Again we choose ppk as the type, because we'll use PuTTY to access it later. Store this private key somewhere safe as well.
We're ready to launch an instance. Yeah, finally!
You can start the process from the main EC2 dashboard. There is a big orange button on the dashboard that says Launch instance. Click it and choose Launch instance. Alternatively you can go to Instances through the menu on the left and click a blue Launch instance button on the top of the page.
![launch instance button](ec2-7.png "Left: the launch instance button on the EC2 dashboard. Right: the launch instance button in the Instances screen")
In step 1 we choose an AMI (Amazon Machine Image). Click AWS Marketplace on the left; the Marketplace lists images from AWS and from third-party vendors, and the one we want is maintained by AWS. Search for Windows 2019 sql express. Currently it returns 4 results, from which we select Microsoft Windows Server 2019 with SQL Server 2017 Express.
After we press the Select button we get a summary of the chosen AMI, a link to the license agreement and a list of instance types with their pricing. You don't have to choose anything yet; click Continue.
In step 2 we choose the instance type. This will be the Windows instance with MS SQL, so we need at least 2 GB of memory. To get started, a T-family (burstable) instance is best: it's the cheapest option and has sufficient computing power for web hosting. We choose the t3.small instance (more on instance selection in Appendix D).
Mind that we click Next: Configure Instance Details, not the shiny blue Review and Launch button.
Step 3 lets you configure the instance. Most of the default values are fine, but we'll change a few.
T2/T3 Unlimited: disable this option. A T-family instance earns a fixed number of CPU credits per hour and spends them while it bursts above its baseline. With Unlimited enabled the instance keeps bursting after the credits run out and every extra credit is billed; with it disabled, the instance simply throttles back to its baseline, which caps the cost.
After we press Next: Add Storage we can add EBS volumes in Step 4. These are the "virtual hard disks" for your instance. A volume exists separately from the instance, so if the instance is terminated the volume (and your data) survives, as long as Delete on Termination is unchecked for that volume.
In Step 5 we can add tags. I added 4 tags:
Step 6 is adding or configuring your security groups. As said, you can create a new group here, but we already made ours earlier, so we select the MS SQL engine and Remote server management security groups. Here you can see why it is important to add a good name and description, because sg-00fe53048d876aa05 isn't very descriptive.
Almost there, just step 7 to go. Review all the details and click Launch. You can ignore the "Your instance configuration is not eligible for the free usage tier" remark.
- AMI: Microsoft Windows Server 2019 with SQL Server 2017 Express
- Security groups: MS SQL engine, Remote server management
- T2/T3 Unlimited: Disabled
- Storage: Encrypted and Delete on Termination:
- Tags: Name, apps, databases and tools
After pressing Launch you have to select a key pair. We already made one for our Windows instance, so select that one, acknowledge that you have access to the private key and press Launch Instances.
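The seven wizard steps above, as one scripted launch. This is an added example and not the post's own code: it uses AWS.Tools.EC2 and AWS.Tools.SimpleSystemsManagement, resolves the AMI through AWS's public SSM parameter for the Windows Server 2019 + SQL 2017 Express image (my assumption that this matches the Marketplace image chosen above), and assumes the security groups and key pair exist under the names used here. The root volume size and the tag values are placeholders. One thing it adds beyond the wizard is requiring IMDSv2, which the console launch of that time didn't expose.

```powershell
# Added example, not from the post. Requires AWS.Tools.EC2 and
# AWS.Tools.SimpleSystemsManagement, credentials and region already set.
Import-Module AWS.Tools.EC2, AWS.Tools.SimpleSystemsManagement

# Step 1: resolve the AMI by name through AWS's public SSM parameter instead of
# hard-coding an ami-... ID, which changes per region and image refresh.
$amiName = 'Windows_Server-2019-English-Full-SQL_2017_Express'
$amiId   = (Get-SSMParameter -Name "/aws/service/ami-windows-latest/$amiName").Value

# Step 6: the two groups made earlier (names are my assumption).
$sgIds = (Get-EC2SecurityGroup -Filter @{ Name = 'group-name'; Values = @('sg-jodibooks-mssql', 'sg-jodibooks-management') }).GroupId

# Step 4: encrypted EBS volumes. The root disk goes with the instance; the data
# disk is kept on termination, which is what actually preserves the data.
function New-JbEbsMapping {
    param([string]$Device, [int]$SizeGb, [bool]$DeleteOnTermination)
    $ebs = New-Object Amazon.EC2.Model.EbsBlockDevice
    $ebs.VolumeSize          = $SizeGb
    $ebs.VolumeType          = 'gp3'
    $ebs.Encrypted           = $true        # account default EBS KMS key
    $ebs.DeleteOnTermination = $DeleteOnTermination
    $map = New-Object Amazon.EC2.Model.BlockDeviceMapping
    $map.DeviceName = $Device
    $map.Ebs        = $ebs
    return $map
}
$volumes = @(
    (New-JbEbsMapping -Device '/dev/sda1' -SizeGb 50 -DeleteOnTermination $true)   # OS + SQL Server (size assumed)
    (New-JbEbsMapping -Device 'xvdf'      -SizeGb 4  -DeleteOnTermination $false)  # the 4 GB data disk
)

# Step 5: the four tag keys from the post; the values are placeholders.
$tagSpec = New-Object Amazon.EC2.Model.TagSpecification
$tagSpec.ResourceType = 'instance'
foreach ($kv in @{ Name = 'jodibooks-windows-server'; apps = 'jodibooks'; databases = 'sqlexpress'; tools = 'iis' }.GetEnumerator()) {
    $tagSpec.Tags.Add((New-Object Amazon.EC2.Model.Tag -ArgumentList $kv.Key, $kv.Value))
}

# Steps 2, 3 and 7. CpuCredit 'standard' is "T2/T3 Unlimited: disabled".
# HttpToken 'required' enforces IMDSv2, which blocks the classic SSRF-to-
# instance-credentials path once an IAM role is attached later on.
$reservation = New-EC2Instance -ImageId $amiId -InstanceType 't3.small' `
    -MinCount 1 -MaxCount 1 `
    -KeyName 'kp-jodibooks-windows-server' `
    -SecurityGroupId $sgIds `
    -CreditSpecification_CpuCredit 'standard' `
    -BlockDeviceMapping $volumes `
    -TagSpecification $tagSpec `
    -MetadataOptions_HttpToken 'required'
$instanceId = $reservation.Instances[0].InstanceId

# Wait for it, then show the settings a reviewer would verify.
do {
    Start-Sleep -Seconds 10
    $inst = (Get-EC2Instance -InstanceId $instanceId).Instances[0]
} while ($inst.State.Name -ne 'running')
[pscustomobject]@{
    InstanceId = $instanceId
    CpuCredits = (Get-EC2CreditSpecification -InstanceId $instanceId).CpuCredits   # expect 'standard'
    Imds       = $inst.MetadataOptions.HttpTokens                                   # expect 'required'
    Encrypted  = (Get-EC2Volume -Filter @{ Name = 'attachment.instance-id'; Values = $instanceId }).Encrypted
}
```

The final object is the scripted equivalent of step 7's review page; if either volume reports Encrypted = False or HttpTokens is 'optional', terminate and relaunch rather than fixing it by hand.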
Go to the Elastic IP addresses screen by clicking Elastic IPs in the menu on the left, then click Allocate Elastic IP address.
There's not much to do in the next screen but click Allocate.
Now click Actions and choose Associate Elastic IP address.
Click in the Choose an instance search bar and select the Windows instance. Tick Allow this Elastic IP address to be reassociated, then click Associate.
Now that the IP address is associated with the instance, we can select it, click on the Tags tab and click Manage tags.
Add a tag with Name as key and eip-jodibooks-windows-server as value. Finish by clicking Save.
An IAM role allows the EC2 instance to call other AWS services on your behalf without storing long-lived access keys on the instance: the instance profile hands out short-lived credentials through the instance metadata service. Our Windows instance will send log data to CloudWatch, user data (PDFs) to an S3 bucket and backups of our database to another S3 bucket.
Select the Windows instance, click Actions, Instance Settings and Attach/Replace IAM Role.
Select the IAM role we made for dotnetapp and click Apply.
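Both of the last two procedures, the Elastic IP and the IAM role, scripted with AWS.Tools.EC2, plus the check that belongs with them: run on the instance itself, it shows the role's temporary credentials coming from the metadata service, which is why no access keys have to be stored on the box. This is an added example, not the post's code; the instance ID is a placeholder and I assume the instance profile carries the same name as the role, dotnetapp.

```powershell
# Added example, not from the post. Requires AWS.Tools.EC2 with credentials
# and region configured. $instanceId is a placeholder.
Import-Module AWS.Tools.EC2
$instanceId = 'i-0123456789abcdef0'

# Allocate and pin the address; -AllowReassociation is the console checkbox.
$eip = New-EC2Address -Domain vpc
Register-EC2Address -InstanceId $instanceId -AllocationId $eip.AllocationId -AllowReassociation $true
New-EC2Tag -Resource $eip.AllocationId -Tag @{ Key = 'Name'; Value = 'eip-jodibooks-windows-server' }
"Windows instance is reachable at $($eip.PublicIp)"

# Attach the instance profile (the wrapper EC2 needs around an IAM role).
# Profile name is an assumption; the post only names the role.
Register-EC2IamInstanceProfile -InstanceId $instanceId -IamInstanceProfile_Name 'dotnetapp'

# Run this part *on the Windows instance*: it proves the role is visible through
# IMDSv2 (session token first, then the request) and that the credentials the
# app will use expire on their own.
function Get-JbInstanceRole {
    $imds  = 'http://169.254.169.254/latest'
    $token = Invoke-RestMethod -Method Put -Uri "$imds/api/token" `
        -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
    $hdr   = @{ 'X-aws-ec2-metadata-token' = $token }
    $role  = Invoke-RestMethod -Uri "$imds/meta-data/iam/security-credentials/" -Headers $hdr
    $creds = Invoke-RestMethod -Uri "$imds/meta-data/iam/security-credentials/$role" -Headers $hdr
    [pscustomobject]@{ Role = $role; AccessKeyId = $creds.AccessKeyId; Expires = $creds.Expiration }
}
Get-JbInstanceRole
```

If Get-JbInstanceRole returns an Expires timestamp a few hours out, the CloudWatch agent and the S3 uploads can run with no configured credentials at all; they pick these up from the same endpoint.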
Now that we have a running Windows instance with a fixed public IP address, let's connect through RDP (Remote Desktop). You can read the full guide here:
Open the Remote Desktop Connection tool in Windows. Copy the Public DNS (or the Elastic IP) from your instance and paste it as the Computer address. Click Connect.
If you are connecting from the IP address you allowed in the Remote server management security group, you're now asked to enter your credentials. The user name is Administrator. To get the password we have to decrypt it with the private key: select the instance, click Actions and then Get Windows Password.
Now browse to your private key file or paste the key into the text area.
After clicking the Decrypt Password button you get your login password.
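The key pair section earlier and the password step just above are the two halves of one mechanism, so here is one added example (not the post's code) covering both: create the key pair with AWS.Tools.EC2, store the private half with an ACL only you can read, and later decrypt the Administrator password with it. It assumes a .pem file (the cmdlet's default; PuTTY users convert afterwards as linked above), the key pair name kp-jodibooks-windows-server, and a placeholder instance ID.

```powershell
# Added example, not from the post. Requires AWS.Tools.EC2 with credentials
# and region configured. Names and the instance ID are placeholders.
Import-Module AWS.Tools.EC2

# AWS generates the pair, keeps the public half and hands the private half back
# exactly once. Windows instances need an RSA key, because the Administrator
# password is RSA-encrypted with the public key (the default type is RSA).
function New-JbKeyPair {
    param([string]$Name, [string]$OutDir = "$env:USERPROFILE\.ssh")
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $kp   = New-EC2KeyPair -KeyName $Name
    $path = Join-Path $OutDir "$Name.pem"
    Set-Content -Path $path -Value $kp.KeyMaterial -NoNewline
    # The Windows equivalent of chmod 400: drop inherited ACEs, grant only me read.
    icacls $path /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null
    [pscustomobject]@{ Path = $path; Fingerprint = $kp.KeyFingerprint }
}

# "Get Windows Password": AWS returns the password encrypted with the public key,
# -Decrypt uses the local private key. On a fresh instance the password data
# only appears a few minutes after first boot, hence the retry loop.
function Get-JbAdminPassword {
    param([string]$InstanceId, [string]$PemPath)
    $deadline = (Get-Date).AddMinutes(10)
    do {
        $pw = Get-EC2PasswordData -InstanceId $InstanceId -PemFile $PemPath -Decrypt
        if ($pw) { return $pw }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "No password data for $InstanceId yet; is the instance still booting?"
}

$kp = New-JbKeyPair -Name 'kp-jodibooks-windows-server'
"Fingerprint $($kp.Fingerprint) must match the one shown under Key Pairs in the console"
# ... launch the instance with -KeyName 'kp-jodibooks-windows-server' ...
$instanceId = 'i-0123456789abcdef0'
$password   = Get-JbAdminPassword -InstanceId $instanceId -PemPath $kp.Path
mstsc /v:"$((Get-EC2Instance -InstanceId $instanceId).Instances[0].PublicDnsName)"
# Log in as Administrator with $password.
```

The fingerprint comparison is the cheap sanity check that the file on disk is the key AWS has, and the ACL step matters because the .pem is now the only thing standing between anyone who can read your profile directory and the Administrator password.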
The second volume we added to our instance needs to be initialized and formatted before it's usable in Windows. Start Server Manager if it hasn't started automatically (search for Server Manager in the Start menu).
Go to File and Storage Services.
Click Disks, select the disk with 4 GB unallocated space and click the To create a volume, start the New Volume Wizard link.
Before You Begin: click Next.
Server and Disk: select the server and disk and click Next.
Yes, we want the disk to be brought online and initialized as a GPT disk.
Select the full capacity (4 GB) and press Next.
Select a drive letter; I chose D. Press Next.
Set File system to NTFS, Allocation unit size to Default and Volume label to Data. Press Next again.
Verify the settings and press Create.
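The same wizard as one pipeline in the built-in Storage module, run on the instance in an elevated PowerShell. This is an added example, not the post's own steps, and it assumes the 4 GB data volume is the only uninitialized (RAW) disk; the guard at the top refuses to run otherwise, so it can't format the wrong disk.

```powershell
# Added example, not from the post. Run as Administrator on the instance.
# Assumption: exactly one RAW disk, the 4 GB EBS data volume.
$raw = @(Get-Disk | Where-Object PartitionStyle -eq 'RAW')
if ($raw.Count -ne 1) { throw "Expected one uninitialised disk, found $($raw.Count); stopping." }
$disk = $raw[0]

# New EBS volumes show up Offline and read-only; bring online, then GPT,
# one partition over the whole disk, NTFS with the default allocation unit.
$disk | Set-Disk -IsOffline $false
$disk | Set-Disk -IsReadOnly $false
$disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter D -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false

# Checks: D: exists with the expected label and size, and the disk is GPT/online.
Get-Volume -DriveLetter D |
    Select-Object DriveLetter, FileSystemLabel, FileSystem, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
Get-Disk -Number $disk.Number | Select-Object Number, PartitionStyle, OperationalStatus
```

Encryption isn't visible from inside the guest: an encrypted EBS volume is decrypted by the hypervisor before Windows sees it, so that property has to be checked on the AWS side (Get-EC2Volume, as in the launch example) rather than here.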
While connected to the instance through Remote Desktop, we can open the Windows Firewall. We are going to open the ports for a remote connection to the MS SQL database.
Click on the "Windows flag" and type firewall to search for it.
Click Advanced settings.
Click Inbound Rules on the left and then New Rule on the right. In the screen that pops up select Port as the rule type and click Next.
Select TCP and type 1433, 445 in the Specific local ports box. Port 1433 is SQL Server's default listener; 445 is SMB, which has a long history as a worm target, so only include it if you really need file sharing to this server, and never without the scope restriction below.
In the action part choose Allow the connection.
Check that every profile box (Domain, Private, Public) is checked and click Next.
Type a name like Remote MS SQL access and click Finish. A description is optional.
Now select the rule you just created and click Properties. Go to the Scope tab and, under Remote IP address, change to These IP addresses. Then click Add.
Add the public IP address of the office or your home and press OK twice. Remember that this is the second of two layers: the MS SQL engine security group has to allow the same ports from the same address, otherwise the packets never reach the Windows firewall. Now close the firewall.
Just one more thing before we move on to the Linux instance. We are going to change the computer name and workgroup.
Right click on the "Windows flag" and click System.
Now go to System info.
Click Change settings, then Change, and in the new window change your Computer name and Workgroup.
Now check for Windows updates, install them and restart Windows.
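The firewall rule, its scope restriction and the rename as commands (NetSecurity and Microsoft.PowerShell.Management modules, run elevated on the instance), with a check that the rule really is scoped to one address instead of Any. This is an added example and not the post's own steps; the office address, computer name and workgroup are placeholders, and the Windows Update lines need the PSWindowsUpdate module from the PowerShell Gallery, which is not built in.

```powershell
# Added example, not from the post. Run as Administrator on the instance.
$officeIp = '203.0.113.10'   # placeholder (TEST-NET-3); use the real office/home public IP

# The wizard's rule in one call: Port type, TCP 1433 and 445, Allow, all three
# profiles (-Profile Any), and the Scope tab applied at creation time so the
# rule never exists unscoped. If SMB isn't actually needed, drop 445 here.
New-NetFirewallRule -DisplayName 'Remote MS SQL access' -Direction Inbound -Protocol TCP `
    -LocalPort 1433, 445 -RemoteAddress "$officeIp/32" -Action Allow -Profile Any | Out-Null

# Check: enabled, the right ports, and a remote address that is not 'Any'.
function Test-JbRuleScoped {
    param([string]$DisplayName)
    $rule  = Get-NetFirewallRule -DisplayName $DisplayName
    $addr  = $rule | Get-NetFirewallAddressFilter
    $ports = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule    = $DisplayName
        Enabled = $rule.Enabled
        Ports   = @($ports.LocalPort) -join ','
        Remote  = @($addr.RemoteAddress) -join ','
        Scoped  = (@($addr.RemoteAddress) -notcontains 'Any')
    }
}
Test-JbRuleScoped -DisplayName 'Remote MS SQL access'

# Bonus check for the whole box: any enabled inbound Allow rule that is open to
# Any remote address on a listening port is worth a second look.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { (@($_ | Get-NetFirewallAddressFilter).RemoteAddress) -contains 'Any' } |
    Select-Object DisplayName, Profile

# Computer name and workgroup (placeholders), then updates and a reboot.
Add-Computer -WorkgroupName 'JODIBOOKS'
Rename-Computer -NewName 'jb-win-sql' -Force        # takes effect after the restart
# Install-Module PSWindowsUpdate -Force             # not built in; from the PowerShell Gallery
# Install-WindowsUpdate -AcceptAll -IgnoreReboot
Restart-Computer -Force
```

The remote-address scope and the security group are independent: the check above passing tells you the Windows layer is right, while the security group check from the first example covers the AWS layer. Both have to be narrow for the SQL port to be reachable only from the office.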
This part has gotten way longer than I thought, so I split it in two. The Linux instance will be configured in the next part.