Logical Enigma
AWS Notes

EC2

General

  • On Demand - by hour/second
  • Windows instances billed by hour/partial hour
  • Reserved - 1 or 3 yrs. predictable usage
    • Standard RI - up to 75% - can’t move across regions
    • Convertible RI - up to 54% - change type
    • Scheduled RI - for a recurring schedule that only needs a fraction of the day - NOT AVAILABLE
  • Spot - bid. Flexible start/end times. Charged for partial hour if you stop. NOT charged for partial hour if AWS terminates
  • Dedicated - license/regulatory restrictions
  • Termination Protection is turned off by default
  • EBS-backed instances - the root volume is deleted on termination by default
  • EBS Root Vols can be encrypted
  • Hypervisors : Xen (originally) and Nitro
  • Hibernate - saves the instance RAM to the EBS root volume. Data volumes are reattached and the instance ID is retained. Root volume must be encrypted. RAM less than 150GB. Win/AML2/Ubuntu. Not more than 60 days of hibernation
  • Instance metadata - curl
  • Placement Groups
    • Clustered - single AZ, close together - low network latency, high throughput - only certain instance types - recommend homogeneous instances
    • Spread - multiple AZs - placed on distinct underlying hardware (racks) - small number of critical instances that should be kept separate from each other - THINK INDIVIDUAL INSTANCES - protects from HW failure. Max 7 running instances per availability zone
    • Partitioned - similar to spread but can hold multiple instances - each partition in the group has its own set of racks - THINK MULTIPLE INSTANCES - HDFS, HBase, Cassandra
    • Name of placement group must be unique to your account
      • Can move an instance into a placement group via CLI/SDK but it must be stopped (not in the console yet)
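The "Instance metadata - curl" bullet above is worth a worked example from the defender's side, because the metadata endpoint is what an attacker reaches through SSRF on a web app running on the instance. The following Python is an added example, not part of the original notes: it performs the IMDSv2 token-then-read exchange (PUT for a session token, then GET with the token header) and reviews an instance's `MetadataOptions` as returned by `aws ec2 describe-instances`. The link-local address, header names and `MetadataOptions` keys are AWS's; the `transport`/`fake_transport` split and all sample values are this example's own assumptions so the logic can run off-instance.

```python
# Added example (not from the original notes): IMDSv2 token flow plus a
# MetadataOptions review. Only `http` talks to a real instance.
import urllib.request

IMDS_BASE = "http://169.254.169.254/latest"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def http(method, url, headers=None, timeout=2):
    """Real transport: only works from inside an EC2 instance."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def imds_token(transport=http, ttl_seconds=21600):
    """IMDSv2 step 1: a PUT obtains a session token (max TTL 6 hours).
    A plain GET cannot obtain one, which is what defeats most SSRF reads."""
    return transport("PUT", f"{IMDS_BASE}/api/token",
                     {TOKEN_TTL_HEADER: str(ttl_seconds)})


def imds_get(path, token, transport=http):
    """IMDSv2 step 2: every metadata read presents the token as a header."""
    return transport("GET", f"{IMDS_BASE}/{path.lstrip('/')}",
                     {TOKEN_HEADER: token})


def assess_metadata_options(metadata_options):
    """Review the MetadataOptions block of one instance. An empty list means
    IMDSv2 is enforced (or the metadata endpoint is switched off)."""
    findings = []
    if metadata_options.get("HttpEndpoint", "enabled") == "disabled":
        return findings
    if metadata_options.get("HttpTokens", "optional") != "required":
        findings.append("HttpTokens=optional: IMDSv1 GETs without a "
                        "session token still succeed")
    hops = metadata_options.get("HttpPutResponseHopLimit", 1)
    if hops > 1:
        findings.append(f"HttpPutResponseHopLimit={hops}: token PUT responses "
                        f"can cross {hops - 1} extra network hop(s)")
    return findings


def fake_transport(method, url, headers=None, timeout=2):
    """Constructed stand-in for `http` behaving like an IMDSv2-only endpoint."""
    headers = headers or {}
    if method == "PUT" and url == f"{IMDS_BASE}/api/token":
        return "AQAAA-constructed-token"
    if method == "GET" and headers.get(TOKEN_HEADER) == "AQAAA-constructed-token":
        if url == f"{IMDS_BASE}/meta-data/instance-id":
            return "i-0123456789abcdef0"
        raise FileNotFoundError("404 Not Found")
    raise PermissionError("401 Unauthorized: IMDSv2 token required")


if __name__ == "__main__":
    try:
        tok = imds_token()
        print(imds_get("meta-data/instance-id", tok))
    except OSError as exc:
        print(f"not on EC2 or IMDS unreachable: {exc}")
```

If `assess_metadata_options` reports `HttpTokens=optional`, the fix is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`, after which the GET-only path in `fake_transport` (and on the real endpoint) returns 401.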

High Performance Compute (HPC)

  • Data Transfer
    • Snowball, Snowmobile (TB/PB of data)
    • AWS DataSync
    • Direct Connect
  • Compute / Network
    • GPU or CPU optimized
    • Fleets
    • Placement groups (cluster placement groups)
    • Enhanced networking - ENI, ENA, EFA
  • Storage
    • EBS / Instance Store
    • S3 / EFS
    • FSx for Lustre
  • Orchestration / Automation
    • AWS Batch - multi node parallel jobs that span multiple EC2
    • AWS ParallelCluster - Open source - automation

AWS WAF - Layer 7 aware firewall

  • Web application firewall that monitors HTTP(S) requests to CloudFront, ALB, API Gateway
  • Behaviors:
    • Allow all except specified
    • Block all except specified
    • Passive - count requests that match properties
  • Match on IP address / country of origin / string values (regex) / SQL code / malicious scripts
  • One way to block malicious IP addresses (along with network ACLs)

Security Groups

  • All inbound traffic is blocked by default. All Outbound traffic is allowed.
  • Rules take effect immediately
  • Security groups are stateful (an inbound rule allowing HTTP in automatically allows the response traffic out)
  • Can't block individual IP addresses or ports (use network ACLs in the VPC for that) - no deny rules
  • Can attach more than one security group to an EC2 instance
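Because security groups have no deny rules, the only way to fix an over-permissive group is to narrow or remove the offending allow rule, so the useful review is "which inbound rules are open to the world on ports that should not be?". The following Python is an added example, not from the original notes: it walks the JSON shape returned by `aws ec2 describe-security-groups` (the `IpPermissions`, `IpRanges`, `Ipv6Ranges` keys are AWS's) and reports world-open rules outside an allowed-port set. The sample groups and the default allowed ports (80, 443) are constructed for the example.

```python
# Added example (not from the original notes): flag inbound rules open to
# 0.0.0.0/0 or ::/0 that reach ports outside an allow-list.
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa0000web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb0000db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa0000web"}]},   # sg-to-sg reference: fine
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]


def rule_ports(perm):
    """Port range one permission covers; protocol -1 means every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_open_rules(security_groups, allowed_ports=frozenset({80, 443})):
    """Return one finding per (rule, world CIDR) whose port range is not
    entirely inside allowed_ports. Stateful return traffic needs no rule,
    so every finding is a rule that can be narrowed, not a required one."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in ANYWHERE:
                    continue
                lo, hi = rule_ports(perm)
                if set(range(lo, hi + 1)) <= allowed_ports:
                    continue                       # world-open but on an allowed port
                findings.append({
                    "group": sg["GroupId"],
                    "protocol": "all" if perm["IpProtocol"] == "-1" else perm["IpProtocol"],
                    "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                    "cidr": cidr,
                })
    return findings


if __name__ == "__main__":
    for f in world_open_rules(SAMPLE_SECURITY_GROUPS):
        print(f"{f['group']}: {f['protocol']} {f['ports']} open to {f['cidr']}")
```

On the sample data only the SSH rule in the web group is reported; the 443 rule is world-open but allowed, and the database group references the web group by ID rather than a CIDR, which is the pattern to prefer over IP ranges.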

EBS

  • Elastic Block Store - virtual hard disk in the cloud
  • General Purpose SSD - gp2
  • Provisioned IOPS SSD - io1
  • Throughput Optimised HDD - st1
  • Cold HDD - sc1
  • Magnetic - Standard
  • HDD based options are cheaper
  • Volumes will be in same AZ as the instance
  • Volumes exist on EBS, Snapshots exist on S3
  • To move a VM -> snapshot the EBS volume; create an image (AMI); launch an instance
  • Can copy an AMI to another region
  • Snapshots are incremental (only the blocks that changed)
  • Snapshot the root device while the instance is stopped

EFS - Elastic File System

  • Automatically grow/shrink - only pay for what you use
  • Share across instances, etc
  • Uses default VPC security group
  • NFSv4
  • Scales to petabytes; thousands of concurrent NFS connections
  • Multi-AZ within a region. Read-after-write consistency
  • Linux only (Windows EC2 instances can't connect)

Amazon FSx

  • For Windows File Server
    • SMB based
    • Supports AD users, ACLs, groups, security policies, along with Distributed File System (DFS) namespaces and replication
  • For Lustre
    • Compute intensive workloads for HPC, ML, Media, financial modeling, EDA
    • Up to hundreds of GB per second throughput, millions IOPS, sub-millisecond latencies

AMIs

  • Backed by EBS or instance store
  • EBS-backed AMI loads from an EBS snapshot - can't delete that snapshot without first deregistering the AMI that uses it
  • Instance store -> template stored in S3. Ephemeral storage
    • Can only add additional instance store volumes at launch - not after.
    • Can't stop the instance - only reboot
    • If the underlying host fails, you lose your data
  • Encrypted Root Device
    • Can be done at creation time
    • To convert an unencrypted volume to encrypted -> take a snapshot; copy the snapshot, selecting encrypted + key; create an image (AMI) from the encrypted snapshot; launch
    • Can share snapshots only if unencrypted

ENI vs. ENA vs. EFA

  • Elastic Network Interface - virtual NIC
    • Create a management network
    • Network security appliances
    • Low-budget HA
  • Enhanced Networking - single root I/O virtualization (SR-IOV) for high performance on supported instance types
    • Higher I/O and lower CPU utilization
    • No additional charge, but the instance type must support it
    • ENA - up to 100Gbps (ENA is better than VF if given the option)
    • Intel 82599 Virtual Function (VF) - up to 10Gbps on older instances
  • Elastic Fabric Adapter - accelerates HPC and ML
    • Lower and more consistent latency and higher throughput
    • Can use OS-bypass - apps communicate directly with the adapter at much lower latency (Linux only)

Spot Instances & Spot Fleets

  • Up to 90% savings. Instances run as long as the spot price stays below your max price
  • No more bidding
  • If the spot price goes above your max price, you get 2 minutes' notice before interruption
  • Spot blocks - hold for several hours
  • Useful for following workloads:
    • Big data and analytics
    • Containerized workloads
    • CI/CD and testing
    • Web services
    • Image and media processing
    • HPC
  • Request: Max price, num instances, launch specification, request type (1 time or persistent), valid from/to
  • Spot Fleets - spot instances and on-demand instances to meet target capacity
    • Different/multiple pools
    • Strategies for pools: capacityOptimized, lowestPrice (default), diversified, InstancePoolsToUse

AWS Config

  • Create rules that evaluate resource configurations
  • E.g. if an instance is tagged, make sure it uses a specific AMI
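The "if tagged then require a specific AMI" rule above is the classic AWS Config custom rule, so here it is worked through as a Lambda-backed rule. This Python is an added example, not from the original notes: the event fields (`invokingEvent`, `ruleParameters`, `resultToken`), the configuration-item fields and the evaluation record keys follow AWS Config's custom-rule contract, while the parameter names `tagKey`, `tagValue`, `approvedAmis`, the AMI IDs and the sample event are constructed for this example.

```python
# Added example (not from the original notes): AWS Config custom rule that
# marks a tagged EC2 instance NON_COMPLIANT unless it runs an approved AMI.
import json

SAMPLE_EVENT = {  # constructed; shaped like the event Config sends the Lambda
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "tags": {"Environment": "prod"},
            "configuration": {"imageId": "ami-0000unapproved"},
        },
    }),
    "ruleParameters": json.dumps({          # assumed parameter names
        "tagKey": "Environment",
        "tagValue": "prod",
        "approvedAmis": "ami-0000approved01,ami-0000approved02",
    }),
    "resultToken": "constructed-result-token",
}


def evaluate_instance(item, params):
    """Pure decision: returns (ComplianceType, annotation).
    Untagged instances are NOT_APPLICABLE, so the rule never blocks them."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "rule only evaluates EC2 instances"
    if item.get("configurationItemStatus", "OK").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "instance no longer exists"
    tags = item.get("tags") or {}
    if tags.get(params["tagKey"]) != params["tagValue"]:
        return "NOT_APPLICABLE", f"not tagged {params['tagKey']}={params['tagValue']}"
    approved = {a.strip() for a in params["approvedAmis"].split(",") if a.strip()}
    image = (item.get("configuration") or {}).get("imageId")
    if image in approved:
        return "COMPLIANT", f"{image} is an approved AMI"
    return "NON_COMPLIANT", f"{image} is not in the approved AMI list"


def build_evaluation(event):
    """Turn a Config event into the record put_evaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_instance(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],          # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate, then report back to Config."""
    evaluation = build_evaluation(event)
    import boto3  # present in the Lambda runtime; imported here so the pure parts run anywhere
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Keeping the decision in `evaluate_instance` separate from the `put_evaluations` call is what makes the rule unit-testable offline; the sample event evaluates to NON_COMPLIANT because its `imageId` is outside the approved list.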