## 11. AWS Part I

### What is Cloud Computing?

Cloud Computing consists of accessing virtualised resources over the network (e.g. a website online). 

AWS, Azure, Google Cloud are some of the big names in the Public Cloud Computing environment.

**Cloud Computing for AWS**:

"Cloud Computing is the on-demand delivery of IT resources over the internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers, you can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider like Amazon Web Services (AWS)"

*Benefits:*

* Agility: You can deploy technology services in a matter of minutes, and get from idea to implementation several orders of magnitude faster than before.

* Elasticity: You provision the amount of resources that you actually need. You can scale these resources up or down to instantly grow and shrink capacity as your business needs change.

* Cost savings: The cloud allows you to trade capital expenses (such as data centers and physical servers) for variable expenses, and only pay for IT as you consume it.

* Deploy globally in minutes: You can deploy your application in multiple physical locations with just a few clicks. 

*Types of cloud computing:*

* **Infrastructure as a Service (IaaS)**: Provides access to networking features, computers (virtual or on dedicated hardware), and data storage space. Similar to existing IT services. EC2 services of AWS are an example of IaaS.

* **Platform as a Service (PaaS)**: Removes the need for managing underlying infrastructure (usually hardware and operating systems), and allows to focus on the deployment and management of applications. AWS RDS services for Oracle Data Bases, for example.

* **Software as a Service (SaaS)**: Provides a complete product that is run and managed by the service provider. You don't have to think about maintaining the service or the underlying infrastructure but about how to use that particular service.

### AWS Free Tier

**AWS Regions and Zones:**

AWS has presence in so many regions, within which there are multiple zones:

* Region -> Country

* Zone -> Multiple (clustered) Data Centers

"The AWS Cloud spans 102 Availability Zones within 32 geographic regions around the world, with announced plans for 12 more Availability Zones and 4 more AWS Regions in Canada, Malaysia, New Zealand, and Thailand." October, 2023

-> https://aws.amazon.com/about-aws/global-infrastructure/

**AWS Global Infrastructure:**

* High availability through multiple Availability Zones

* Improving continuity with replication between Regions

* Meeting compliance and data residency requirements

* Geographic expansion 

**Availability Zones:**

![](https://docs.aws.amazon.com/images/whitepapers/latest/get-started-documentdb/images/regions-and-zones.png)

* When you launch a VM (instance), you can select an Availability Zone or let AWS choose for you.

* When designing your apps, you can distribute your instances across multiple Availability Zones, so in case one instance fails, an instance in another Availability Zone handles requests.

### Using AWS Platform

Connect to the AWS platform using your root account and check the available services. 

AWS has so many services, but we will focus on **sysops and devops** services and some **developer** services:

**Compute**:

* *EC2*: Virtual Servers in the cloud

* *Elastic Beanstalk*: Run and manage Web Apps

**Storage**:

* *S3*: Scalable Storage in the cloud

* *EFS*: Managed File Storage for EC2

* *S3 Glacier*: Archive Storage in the cloud

**Database**:

* *RDS*: Managed Relational Database Service

* *ElastiCache*: In-memory cache

**Networking & Content Delivery**:

* *VPC*: Isolated Cloud Resources

* *CloudFront*: Global Content Delivery Network

* *Route 53*: Scalable DNS and Domain Name Registration

**Developer Tools**:

* *CodeCommit*: Store code in private Gir repositories

* *CodeArtifact*: Secure, scalable and cost-effective artifact management for software development

* *CodeBuild*: Build and test code

* *CodeDeploy*: Automate code deployments

* *CodePipeline*: Release software using Continuous Delivery

**Management & Governance**:

* *CloudWatch*: Monitor resources and applications


### EC2 Services

**Features**:

* EC2 provides web services API for provisioning, managing and deprovisioning virtual servers inside Amazon cloud.

* Ease in scaling up/down: e.g., scale RAM from 8Gb to 16Gb or viceversa

* Pay only for what you use

* Can be integrated into several other services, e.g. S3

**Pricing**:

1. On Demand: Pay per hour or seconds

2. Reserved: Reserve capacity (for 1 or 3 years) for discounts

3. Spot: Bid your price for unused EC2 capacity; but if someone outbids you, your EC2 instance will be gone.

4. Dedicated Hosts: Dedicate a complete physical server for you (very expensive)

**Components**:

To launch an EC2 instance, you need:

* Amazon Machine Image (AMI): provides the information required to launch an instance, which is a virtual server in the cloud (similar to Vagrant boxes)

* Instance type: when you launch an instance, the instance type that you specify determines the hardware of the host computer used for your instance: size of the instance, computing resources: CPU, RAM, network, etc.

* Amazon Elastic Block Store (EBS): provides a flexible, cost effective and easy-to-use data storage options for your instances (virtual hard disks on which you can store your OS)

* Tags: simple label consisting of a customer-defined key and an optional value that can make it easier to manage, search for and filter resources

* Security Group: a security group acts as a virtual firewall that controls the traffic for one or more instances

* Key-pairs: EC2 uses public-key cryptography to encrypt and decrypt login information.

#### Steps to create an EC2 instance

1. Login to your AWS Console

2. Select the region: usually North Virginia (us-east1) since it is less costly

3. Search for the EC2 service

4. Click on Instances (in the left part) and the Launch Instances button

5. Give name and tags and select the Amazon Machine Image (AMI): browse for the OS you prefer, be careful with free-tier alternatives as they may charge you after some time.

6. Check the instance type: select t2.micro since it is included in the free tier version. Some documentation on the instance types: https://aws.amazon.com/ec2/instance-types/

7. Set a key pair login using "Create new key pair", give a name and keep in RSA and .pem formats

8. In Network settings, create a new security group by editing the current settings: change the name of the security group and the description. Also, in security group rule 1, change Source type for "My IP". Additional, in advanced settings, go to "User data" and add the provisioning for the instance:

```
#!/bin/bash

sudo yum install httpd -y
sudo systemctl start httpd
sudo systemctl enable httpd
mkdir /tmp/test1
```

9. Click on Launch Instance

10. Check the status of the instance (Instance state and Status check). If you select the instance, you can check its public and private IP addresses. Also, you can connect to it by clicking on Connect.

11. In the Connect to instance page, select the "SSH client" tab and follow the steps. Use the key (.pem file) downloaded when setting the key pair login (`web-dev-key.pem`), the user (`ec2-user`) and the public DNS name (`ec2-50-17-123-122.compute-1.amazonaws.com`):

`ssh -i "web-dev-key.pem" ec2-user@ec2-50-17-123-122.compute-1.amazonaws.com`

12. Open Git Bash and go to the directory where the .pem file is dowloaded or stored. Then, copy and paste the complete command as shown in step 11. You should be able to connect to the instance.

#### Accessing the `httpd` service

* Provisioning was included in the creation of the instance, so the `httpd` service should be running. Check it by running the command `systemctl status httpd`

* Check connection through port 80 is related to httpd: `ss -tunlp | grep 80`

* You can try and connect through the public IP address to see if the connection is given. The problem is that the initial security rule for the instance only allowed connections through port 20.

* Go to the security tab in your instance and click the security group. Go to Inbound Rules and modify them by clicking on Edit Inbound Rules.

* Add a new rule to allow connections through port 80:

    Type: Custom TCP; Port range: 80; Source: My IP/Anywhere IPv4/Anywhere IPv6

* Save changes and try to connect again.

#### Terminate an instance

In the section "Instances", select the instance and click on Instance state button. Select "Terminate instance".

### Best Practices of EC2 Instance Creation

1. Gather the computing requirements:

    - OS to choose: CentOS, Ubuntu? -> AIM to go with

    - Size: RAM, CPU, Network -> Instance type

    - Storage: for OS and applications 

    - Project information -> Tagging

    - Services/Apps running: SSH, HTTPD, MySQL, etc.

    - Environment: Development, QA, Staging, preproduction, production, etc.

    - Login User/Owner -> Tagging and tracking

2. Create the key pairs

3. Create the security group (firewall)

4. Start launching the instance: select your security group, key-pair and make all the decisions based on your requirements

**IMPORTANT INFO ON SECURITY GROUPS**:

A security group acts as a virtual firewall that controls the traffic for one or more instances.

* Firewall is a network security system that monitors and controls incoming and outgoing network traffic. Think of it as the gatekeeper who has a register of who's allowed to come in and also who is allowed to go out.

You can *add rules* to each security group that **allow traffic to or from its associated instances**

Security groups are "stateful" -> Outbound rules are updated when inbound rules are added/modified.

Two types of rules:

* Inbound rules: Traffic coming from outside on the Instance

* Outbound rules: Traffic going from Instance to outside

Allowing every IP address to access every port of an Instance IS NOT A GOOD PRACTICE.

### Setting up a Website in EC2

First, enter the EC2 service:

1. Check the webpage you want to set up on Tooplate: https://www.tooplate.com/view/2128-tween-agency. So project name will be **Tween Website**

2. Create a key pair: Go to the menu on the left and search for Key Pairs in the *Network & Security* section. Create a key pair for development environment in North Virginia zone:

    - Name: tween-dev-nvir (very helpful to have proper naming convention)

    - Type: RSA (Rivest-Shamir-Adleman): 
    
        Assymetric encryption algorithm: Given a key pair, data that is encrypted with one key can only be decrypted by the other.

    - File format: .pem (container format for the key)

    It will download the **private key** and the **public key** will be "injected" in the instance (saved in the key-pairs menu). DO NOT SAVE THE PRIVATE KEY IN GITHUB OR A PUBLIC SPACE!

3. Create security group (firewall): Go to the menu on the left and search for Security Group again in the *Network & Security* section. Create a new security group:

    - Name: tween-web-dev-sg

    - Description: tween-web-dev-sg

    - Inbound rules: Add rules:

        * A rule to access SSH from My Corporate/Home IP only: 

            - Type: SSH, Source: My IP

        * We will come back later to add rules to allow the access to the webpage.

    - Outbound rules: DO NOT MODIFY!

4. Go to the *Instances* section on the left and, in Instances, click on Launch Instances:

    - In Name and Tags, click on Additional Values and add:

        - Key: Name, Value: web01, Resource types: Instances, Volumes (virtual hard disk) & Network Interface

    - Add additional tags:

        * Key: Project, Value: tween

        * Key: Environment, Value: prod

        * Key: Owner, Value: lead-devops

    - Select AMI: Ubuntu 22.04 (free tier eligible)

    - Select Instance type: t2.micro (free tier eligible)

    - Select Key pair: the one we created in step 2: tween-dev-nvir (creating it beforehand and selecting it here is a good practice!) 

        * **Important!**: One key can be used for all the instances or each and every instance can have their own keys

        * The best way is to divide your key **based on the ENVIRONMENT!** e.g., one key for development, another one for QA, another key for production, ...

    - Edit Network settings:

        * Firewall: Click on select existing security group and select the one created in step 3.

    - Go to advanced settings:

        * User data: Add provisioning if required

    - Go to Summary and Select the number of instances you want to create and click on Launch Instance.

5. Go and select the Instance: Click on connect and copy the command to access it:

    `ssh -i "tween-dev-nvir.pem" ubuntu@ec2-3-94-87-13.compute-1.amazonaws.com`

6. Go to the directory where the `.pem` file with the private key is located using Git Bash. Paste the command to access the Instance and run it. 

7. Once inside the instance, you need to run the following commands to set up the website:

    ```
        sudo apt update
        sudo apt install apache2 wget unzip -y
        wget https://www.tooplate.com/zip-templates/2128_tween_agency.zip
        unzip 2128_tween_agency.zip
        cp -r 2128_tween_agency/* /var/www/html/
        systemctl restart apache2
    ```

8. We need to access the website using port 80, so we need to add a new rule in the security group:

    - Go to the Instance, select the Security tab and click on Security Groups link.

    - Edit Inbound rules and add new rule:

        * Type: Custom TCP, Port: 80, Source: My IP

    - Save rules

9. Go to the Instance page and copy the public IP address. Go to a browser and go the IP address: http://3.94.87.13 and you will find the webpage.

### Getting a Static Public IP address

* Start the instance by clicking on the dropdown button Instance state and then Start instance

* Go to Network & Security in the side bar and search for **Elastic IPs** (5 for free, then you can purchase more)

* Click on Allocate Elastic IP address, keep the region and click on Allocate.

* Then, go to the dropdown button Actions and click on Associate Elastic IP address.

* Tick the Instance option and select the instance in the search box. Finally, click on Associate.

* Confirm the association by clicking on the instance.

## AWS Command Line Interface (CLI)

You have to install `awscli` using **chocolatey**: `choco install awscli -y`. The documentation is available here: https://docs.aws.amazon.com/cli/

Then, go to **Git Bash** and check the version of AWS CLI you've got installed:

`aws --version`

To use the AWS CLI, you need to create a new user:

* Go to **IAM services** > Users

* Click on *Create user*: add a name and don't tick the box to provide access to the AWS Management Console. Click on Next.

* In Permissions options, select *Attach policies directly*. We want to use this user for our entire AWS account, so we give (tick the following boxes):

    - AdministratorAccess

    - (For another user): Give access only to specific servers (S3 for example)

* Click on Next and Create user

* Click on the user name and go to *Security credentials*

* We need to create Access keys to use it for CLI: Go to Access keys section and click on *Create access key*

    - Select *Command Line Interface (CLI)*

    - Tick the confirmation box and click Next, and then Create access key

    - Download the .csv file with the Access keys

    - DO NOT REVEAL THIS ACCESS KEY AND THE SECRET ACCESS KEY TO ANYBODY ELSE! especially when the user has administrator access

* Go to Git Bash, execute `aws configure` and copy and paste the Access key and the Secret access key

* Enter the Default region name: `us-east-q` and Default output format: `json`. Click Enter.

* You can check this information running the command: `ls ~/.aws/`. You can check the `config` (`cat ~/.aws/config`) and `credentials` (`cat ~/.aws/credentials`) files.

**Important**: All commands to create and launch a new instance are given in the **Command Reference** menu in the CLI documentation: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/index.html

## Elastic Block Storage (EBS)

EBS provides two things:

* EBS volume (virtual hard disk)

* Snapshot (backup of the EBS volume)

EBS are:

* Block-based storage (like hard disks)

* Used to run EC2 OS, store data from database, file data, etc.

* Placed in specific Availability Zone. Automatically replicated within the same availability zone of the instance to protect from failures.

* Snapchot is used for backup of the entire volume


### EBS Types

* **General purpose (SSD)**: Used in most work loads (best combination of right price and speed)

* **Provisioned IOPS**: Used to run large databases (higher input-output per seconds)

* **Throughput Optimised HD**: Used for big data and data warehouses

* **Cold HDD**: Use for file servers (very low-cost)

* **Magnetic**: Recommended for backups and archives (the slowest!)

Some more information about EBS types in: https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html

### Configuring EBS

You can select the prefered storage configuration:

* When launching an instance: 

    - Go to the section Configuration Storage
    
    - Select the type of storage in the dropdown list: default is `gp2 (general purpose)`

* After launching an instance:

    - Select the instance and go to the Storage tab

    - In *Root device details* > *Block devices*, you find your current Volume ID and the size in GiB

    - Click on the Volume ID and edit its name, according to the instance-hierarchy: e.g., web01-ROOT-volume.

    **Important**: Always give proper names to your volumes for easy identification

    - Both instance and volume need to be in the same availability zone so they can connect!

    - To **add more storage**: Go to Elastic Block Store on the left menu > Volumes > Create Volume:

        * Select volume type: `gp2`

        * Size (GiB): `5`

            Volumes over 30GiBs are more than the Free Tier allowance: Over 30GiB, you would need to pay!

        * Availability zone: **Same as the instance you want to connect with!**

        * Encryption: Tick, in case you want it encrypted

        * Add Tag: 

            - Key: Name, Value: gymso-web01-Images (We want to create this storage for our website Image)

        * Finally, click on Create Volume

    - When it is created, select the volume you want to attach to an instance and click on Actions > Attach volume:

        * Select the instance you want to attach the volume in the zame Availability Zone

        * Click on Attach

* Connect to the instance:

    - `ssh -i {PATH_TO_KEY.pem} ec2-user@CURRENT.IP.0.0`

    - Switch to root user: `sudo -i`

    - Go to `cd /var/www/html` and find the `images` directory.

* We need to partition and mount this image in our recently attached storage:

    - List all the disks in the Linux instance: `fdisk -l`

        * Identify the name of the partition you want to use for mounting the webpage image.

        * Run `df -h`: It will show the name of the root disk with `/` in the column Mounted on.

        * Once identified (`/dev/xvdf`), create a partition for the attached disk:

            Run: `fdisk /dev/xvdf`

            Run `m` for help

            You will find that the command to add a new partition is `n`

            Run command `n` > type: `p` (primary or just enter) > number: (enter) > first sector: (enter) > +size: `+3G`
            (or just enter to create a partition of the entire disk)

            Run `p`to print the partition table.

            Run `w` to write and confirm!

        * Check the partition in `fdisk -l`

        * Format the disk using `mkfs`. 
        
            - First, check the available formats by running `mkfs` and two times the tab key.

            - Use the `.ext4` format: Run `mkfs.ext4 /dev/xvdf1`

    - Mount the webpage image: 

        - Go to `cd /var/www/html` and find the `images` directory.

        - Create a directory: `mkdir /tmp/img-backups`

        - Move from `images` to `img-backups`: Run `mv images/* /tmp/img-backups/`

        - Do a temporary mount: `mount /dev/xvdf1 /var/www/html/images/` (`images/` should be empty)

        - Run `df -h` to check where the partition was Mounted on.

        - To unmount, run: `umount /var/www/html/images`

        - Do a permanent mount: Opem file `vi /etc/fstab`:

            In the last line, add:

            ```
                /dev/xvdf1      /var/www/html/images        ext4    defaults    0   0
            ```

        - Run `mount -a` to mount all the entries from the `fstab` file.

        - Check by running `df -h`

        - Move data from the temp directory: `mv /tmp/img-backups/* /var/www/html/images/`

* Once finished, restart the `httpd` service: `systemctl restart httpd` and check status: `systemctl status httpd`

* See using the browser. If there's a problem with the webpage images, modify the file `vi /etc/selinux/config`:

    - Modify the line to: `SELINUX=disabled`

* Reboot the machine: `reboot`

### EBS Snapshots

Provides a backup mechanism for the EBS volumes: e.g., for databases.

Snapshot is mostly used to take backups and restore in the event of failures. When restoring a snapshot, you should:

* Unmount the partition (to prevent data from being overwritten)

* Detach the volume from your instance

* Create a new volume from snapshot

* Attach the newly created volume

* Mount it back (replace it!)

### Creating a Snapshot

In the Volumes section:

* Select the volume you want to create a backup

* Go to Actions > Create Snapshot

* Give a description and a tag: Key: Name, Value: db01-volume-db-SNAP

* Click on Create Snapshot

* Go to Snapshots section to see the snapshot

Inside the instance:

* Stop the service you want to recover/replace: e.g., `systemctl stop mariadb`

* Unmount the volume partition: `umount /var/lib/mysql/`

* Check using `df -h`

* To detach the volume partition, go to Volumes section in AWS, select the volume and click on Actions > Detach Volume

* Go to Snapshot section, select the snapshot you want to recover and click on Actions > Create Volume

* Apply the preferred settings: Volume Type, Size, Availability Zone, Tags, etc.

* Create volume, attach volume to the instance and mount it using `mount -a`

## Elastic Load Balancer (ELB)

When building a cluster of services (multiple servers), you need a single endpoint to access them and that's mostly provided through a **Load Balancer**.

AWS provides with a Load Balancer for these situations:

**Ports**:

* **Frontend Port**: Listens from the User Requests on this port aka "Listeners" (generally on port $443$ for https)

* **Backend Ports**: Services running on OS listening on this port. E.g., a Tomcat server which is running on port 8080

ELB distributes incoming application or network traffic accross multiple targets, such as Amazon EC2 instances, containers, and IP addresses, in multiple availability zones.

ELB supports three types of load balancers:

1. Application Load Balancer: Popular for web traffic (websites, apps, http & https). It routes traffic based on advanced application level information that includes the content of the request. (Level 7)

2. Network Load Balancer: Functions at the 4th layer of the Open Systems Interconnection (OSI) model. It can handle millions of requests per second. It gets a static IP.

3. Classic Load Balancer: Simplest one. It routes traffic based on either application or network level information.

    * Ideal for simple load balancing where you don't need any other complications 

More information on Load Balancing in: https://docs.aws.amazon.com/elasticloadbalancing/