In this lesson, we show how to create an AWS EC2 instance using the platform as a service provided by AWS. We follow a seven-step workflow to configure the instance based on the resource planning effort we discussed in the previous lesson. We know the size of the computing resource we are going to use and the storage requirement. We also know its network connectivity requirement, whether it uses a private LAN, a private VPC, or the public network, and how to configure its security groups, which are its firewall: which IP addresses you enter to allow in, and which ports, like SSH 22, HTTP 80, and 443 for secure HTTP, are open for outside access.

After logging in to the AWS management console, click the second tab in the upper right to see the list of regions available for our own AWS account, and select the region where you want to create your instance. Typically, this is a region close to you if you are going to use it as a permanent environment, or it should be very close to the customer so that the data is delivered to the customer faster. Since this is the instance we are going to create for our cyber security study exercise, it is better to be close to you so that it is responsive. Note that AWS remembers which region you last accessed, but you should always double check the second tab on the upper right.

After choosing the region, we click EC2, and here we show the EC2 window. The left side is the EC2 panel, the dashboard, which includes all the key resources, such as running instances, spot instances, and reserved instances, that can be clicked and accessed; the images we can use for cloning, including public ones and private images you create; and the snapshots we back up or maintain, so that when we have a garbled image, corruption, or a hacking case, we can bring them back.
The network security section shows the security groups and elastic IPs we create and reserve, and the key pair names, the file names, so that we can go back and use them to access the instances. The middle canvas window shows current statistics at the top: how many resources there are, how many security groups we created in our account. We click Launch Instance in the middle there to create the EC2 instance.

Step 1, Choose an Amazon Machine Image. Here we choose the first image, the Amazon Linux AMI, which is the free one. It also shows the release date of March 2017. The type of virtual machine architecture is hardware virtual machine, not the PV architecture. HVM stands for hardware virtual machine, and SSD indicates you use solid state drive storage, so it is much faster than other disk storage volumes. This image is maintained and supported by Amazon, and it is the cheapest one compared with Red Hat and SUSE. Those two are commercial versions; you will be charged an additional commercial license fee, so they will be more expensive. The Ubuntu server is the same price. This Amazon Linux AMI supports four different programming languages already installed within it: Python, Ruby, Perl, and Java. It indicates that it has set up links in its repository configuration to allow us to retrieve the PHP, MySQL, and PostgreSQL software packages, which have probably already been screened and checked by Amazon staff. That means those web scripting and database packages are not set up yet; we need to retrieve the packages from the Amazon repository and install them using the yum package manager. The version of this instance was created in March 2017. HVM AMIs are presented with a fully virtualized set of hardware features and boot by executing the master boot record of the root block device in our virtual instance image.
This virtualization type gives us the ability to run the operating system directly on top of the virtual machine without any modifications; with the other one, you need to reconfigure and compile the operating system. It runs as if on bare metal hardware. The Amazon EC2 host system emulates some or all of the underlying hardware that is presented to the guest operating system. Unlike PV guests, where PV stands for paravirtualization, HVM guests can't take advantage of underlying hardware extensions that provide fast access to the underlying hardware on the host operating system.

Step 2, Choose an Instance Type. Here we choose the default t2, the second entry there, t2.micro, which is free tier. Then we click Next: Configure Instance on the bottom right, and don't choose the highlighted one, Review and Launch, because we want to add additional configuration choices, such as adding a tag to the instance so that we can identify it among the list of running or stopped instances, and configuring the security group, which configures the firewall. So we don't do Review and Launch right away.

Step 3, Configure Instance Details. We choose to put the instance on a specific subnet: in the second entry here, the Subnet entry, we can pull down the drop-down menu. Instead of letting the Amazon management console select that for us, we can pick and choose a specific subnet or a specific zone. This is especially important when you try to set up your instance in a duplicate zone to provide redundancy. Here we choose zone 2c. Note that when we open the Advanced Details section on the lower part of the dialogue window, there is a User data text box. This is very important if you want to configure specific packages right at the start, when the instance boots. You can actually write a script there that will bring in, for example, the web server and the database, and maybe configure some security features, even before we access the machine.
So it is a nice feature to have. Click Next: Add Storage.

Step 4, Add Storage. Choose the default here unless you would like to increase the EBS storage. Normally, for the cyber security instance I prepare for you, or that you configure yourself, 8 gigabytes is enough to contain the new patches you are going to bring in over time and to run simple cyber security sites and web apps. Click Next: Add Tags.

Step 5, Add Tags. Here we add two new tags associated with our instance. The Name, with a capital N, is very important; otherwise it won't show up, since Name is the key and you type it as the key. The Name tag, capital N, will be listed as the first column in the main EC2 instance window when you click Instances in the EC2 main canvas window, making it easier for us to distinguish different instances, especially when you have many, many similar instances for different purposes, or when you have a big account, for example my cloud and security classes, where all the students create similar kinds of instances or clone the same image I create for them. If we don't specify this name, they all show up with almost the same empty first column, and you cannot tell which one belongs to whom. Another useful convention is to enter the value of the Name tag as the login, followed by an underscore, followed by the instance type, followed by a number. That format of tag will tell them apart. Here I use cchow_ami, because it is Amazon Linux, and then I put a 1 there, so it is my first instance in this particular account. The students will know this instance belongs to me: don't override it, don't terminate it [LAUGH]. Click Next: Configure Security Group.

Step 6, Configure Security Group. Click Add Rule twice; we then add two firewall rules to the security group. I then use the drop-down menu on the left here to show all the possible choices that can be customized. You enter the port number or the protocol number, or you can choose any of the services already in the list.
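Steps 3 and 5 above can also be done from code rather than the console. The following is an added example, not part of the lesson or of any AWS tooling: it checks the login_type_number Name tag convention, builds a user data script that patches the 2017 Amazon Linux AMI and installs a web server before anyone can log in, and assembles the keyword arguments for boto3's run_instances call. The regex for the naming convention, the second tag (Owner), the use of service/chkconfig on that AMI, and the placeholder IDs (ami-PLACEHOLDER, subnet-PLACEHOLDER, sg-PLACEHOLDER) are this example's assumptions; nothing here talks to AWS.

```python
import re

# Name tag convention from the lesson: <login>_<image kind><number>, e.g. cchow_ami1.
# How strictly to parse it is this example's assumption.
NAME_TAG_RE = re.compile(r"^(?P<login>[a-z][a-z0-9]*)_(?P<kind>[a-z]+)(?P<seq>\d+)$")


def parse_name_tag(value):
    """Split 'cchow_ami1' into ('cchow', 'ami', 1); reject anything off-convention."""
    m = NAME_TAG_RE.match(value)
    if not m:
        raise ValueError(f"Name tag {value!r} does not follow login_kindN")
    return m.group("login"), m.group("kind"), int(m.group("seq"))


def bootstrap_script(packages=("httpd",)):
    """User data for the 2017 Amazon Linux AMI: cloud-init runs this as root at
    first boot, before anyone can log in. Patch first, then add services.
    (service/chkconfig as the init tools on that AMI is an assumption here.)"""
    lines = [
        "#!/bin/bash",
        "set -euo pipefail",
        "yum update -y",                          # close known holes before exposure
        "yum install -y " + " ".join(packages),
    ]
    if "httpd" in packages:
        lines += ["chkconfig httpd on", "service httpd start"]
    return "\n".join(lines) + "\n"


def launch_request(name_tag, subnet_id, security_group_id, key_name,
                   user_data, image_id, instance_type="t2.micro"):
    """Keyword arguments for boto3's ec2.run_instances(**launch_request(...)).
    Every ID is supplied by the caller; nothing is looked up."""
    login, _kind, _seq = parse_name_tag(name_tag)   # refuse mis-named instances
    return {
        "ImageId": image_id,
        "InstanceType": instance_type,
        "MinCount": 1, "MaxCount": 1,
        "KeyName": key_name,
        "SubnetId": subnet_id,                 # pins the subnet/zone, as in Step 3
        "SecurityGroupIds": [security_group_id],
        "UserData": user_data,                 # boto3 base64-encodes this for the API
        "TagSpecifications": [{
            "ResourceType": "instance",
            "Tags": [
                {"Key": "Name", "Value": name_tag},   # capital N: the console's name column
                {"Key": "Owner", "Value": login},     # second tag, this example's choice
            ],
        }],
    }


if __name__ == "__main__":
    req = launch_request("cchow_ami1", "subnet-PLACEHOLDER", "sg-PLACEHOLDER",
                         "cchow_ami1", bootstrap_script(), "ami-PLACEHOLDER")
    print(req["TagSpecifications"][0]["Tags"])
    print(req["UserData"])
```

The parse step is deliberately placed before the request is built: an instance that does not carry a conventional Name tag never gets launched, which is cheaper than finding it later among a class full of identical entries.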
We choose HTTP for the second one and HTTPS for the third one. Then, in the last column, the Source column, I find out the IP address of my home machine by typing my ip in the Google search box. It is so convenient: it actually reports back to me what IP address the Google search site sees me using. That is very useful to enter in the Source column. The original value was 0.0.0.0/0, which allows anybody to come in; it matches everybody, right? But with 75.71.209.54, I limit access to the instance to only me, from home, and that protects the instance. We also need to put a /32, because this is a specific machine. This setting restricts access to the instance and only allows access from home. The reason this is critical and important is that we want to protect this infant instance, since it is not yet patched, right? We need to log in there and then initiate, bring in, and configure the service patches and create new services. So we don't want any hacker during this period of time to invade it and hack it; it is vulnerable. We can relax the access restriction once we have it patched. Once this is done, we click Review and Launch.

Step 7, Review Instance Launch. Click Launch. We are going to see a pop-up dialogue window show up, and here is a very critical step. This pop-up box reminds us to download the private key created by Amazon for us: the private key, which you download, and the public key, which will be saved in the Linux virtual machine's .ssh directory. In this pop-up dialogue box we have two choices. We can use an existing key pair, which we created in previous sections, and that will save us time. Or, if this is the first time in your case, we choose the second entry, Create a new key pair, from the drop-down menu here, and enter the private key name.
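The security group rules from Step 6, built and audited in code, as an added example that is not part of the lesson. It constructs the same three inbound rules (SSH 22, HTTP 80, HTTPS 443) in the IpPermissions shape boto3's authorize_security_group_ingress call accepts, limits them all to the home address with a /32 during the unpatched window, then relaxes only the web ports afterwards. The audit function flags what the lesson warns against: an administration port open to 0.0.0.0/0, or a single-machine rule written without /32. The ADMIN_PORTS set and the wording of the findings are this example's choices; the home address 75.71.209.54 is the one used in the lesson, and nothing here calls AWS.

```python
import ipaddress

ADMIN_PORTS = {22, 3389}            # remote-administration ports that must never be world-open
ANYWHERE = ("0.0.0.0/0", "::/0")    # the "match everybody" sources


def ingress_rule(port, cidr, proto="tcp"):
    """One inbound rule as an IpPermissions entry for
    ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[...])."""
    ipaddress.ip_network(cidr, strict=False)     # reject malformed CIDRs early
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def home_only_rules(home_ip, ports=(22, 80, 443)):
    """Rules for the 'infant instance' window: every port limited to one host (/32)."""
    cidr = f"{ipaddress.ip_address(home_ip)}/32"
    return [ingress_rule(p, cidr) for p in ports]


def relax_web_rules(rules):
    """After patching: open 80/443 to everyone, keep administration ports as they were."""
    relaxed = []
    for r in rules:
        if r["FromPort"] in (80, 443):
            relaxed.append(ingress_rule(r["FromPort"], "0.0.0.0/0", r["IpProtocol"]))
        else:
            relaxed.append(r)
    return relaxed


def audit_ingress(rules):
    """Return human-readable findings; an empty list means the group passes."""
    findings = []
    for r in rules:
        for rng in r["IpRanges"]:
            cidr = rng["CidrIp"]
            net = ipaddress.ip_network(cidr, strict=False)
            if r["FromPort"] in ADMIN_PORTS and cidr in ANYWHERE:
                findings.append(f"port {r['FromPort']} open to the world ({cidr})")
            elif r["FromPort"] in ADMIN_PORTS and net.num_addresses > 1:
                findings.append(
                    f"port {r['FromPort']} allows {net.num_addresses} sources ({cidr}); "
                    "use a /32 for a single machine")
    return findings


if __name__ == "__main__":
    locked = home_only_rules("75.71.209.54")
    print("unpatched window:", audit_ingress(locked) or "ok")
    print("after patching:", audit_ingress(relax_web_rules(locked)) or "ok")
    print("mistake:", audit_ingress([ingress_rule(22, "0.0.0.0/0")]))
```

Running audit_ingress over a group before every change, and again after relax_web_rules, keeps the SSH rule pinned to the /32 while the web ports open up; the one-line findings are the kind of thing to wire into a pre-deployment check so a world-open port 22 is caught before the instance is launched rather than after.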
Even though it says this is a key pair, which is kind of misleading, we actually just download the private key, okay? We only download the private key, not the public key. The public key is saved in the .ssh/authorized_keys file as part of the content for verifying our future secure shell access later. We must download this private key file right now, because they don't give you a second chance. That is for security reasons: they don't want to maintain the private key for you. Save the downloaded private key to a safe place, maybe on your flash drive, or encrypt it somehow, and duplicate that protected key somewhere else, so that if you lose one, you still have the other as a backup. If you lose this private key, there is no way for you to get access to the virtual instance again; you will need to rebuild it.

Click Launch Instances in the pop-up dialogue box, click the View Instances button, and voila, the instance will show up. Here we show our instance is up and running. It is indicated by the green circle there, and next to it it says running. Typically it goes through the process of yellow color to green color, and from the initializing label to the running label. Here we see the entry with cchow_ami1, the name, in the first column. The next column shows the instance ID, which is a long hexadecimal number that can be used as a parameter. Later on we will show you EC2 API calls using this ID as a parameter for you to access and remotely control the instance. We will demonstrate that later. The right part of the lower panel shows the public IP address as the second entry there, and the public domain name, the Public DNS name, which AWS creates automatically for us. It is quite a long name, but you can see ec2 as a prefix, followed by four numbers, which is actually the public IP address you can configure yourself, and then followed by Amazon's subdomain name.
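Two small checks that go with the paragraph above, as an added example that is not part of the lesson: the downloaded private key is made owner-read-only (ssh refuses a key that group or others can read), and the instance ID that later API calls take as a parameter is validated against its i- plus hex-digits shape before use. The file is constructed inside the example with a placeholder body, not a real key; the file name cchow_ami1.pem and the accepted header lines are this example's assumptions.

```python
import os
import re
import stat
import tempfile

# EC2 instance IDs: "i-" followed by 8 (legacy) or 17 lowercase hex digits.
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8}(?:[0-9a-f]{9})?$")

# First line of a private key file as the console downloads it or as ssh-keygen writes it.
PEM_HEADERS = (
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
)


def is_instance_id(value):
    """True for strings shaped like an EC2 instance ID; use before passing to an API call."""
    return bool(INSTANCE_ID_RE.match(value))


def key_is_exposed(path):
    """True if group or others hold any permission bit on the file;
    ssh ignores such a key and reports UNPROTECTED PRIVATE KEY FILE."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def secure_private_key(path):
    """Check the file starts like a private key, then make it owner-read-only (0400).
    Returns the resulting permission bits."""
    with open(path) as fh:
        first = fh.readline().strip()
    if first not in PEM_HEADERS:
        raise ValueError(f"{path} does not start with a private key header")
    os.chmod(path, stat.S_IRUSR)          # 0o400: read for the owner, nothing for anyone else
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenario: a freshly downloaded .pem lands world-readable (0644)."""
    workdir = tempfile.mkdtemp()
    pem = os.path.join(workdir, "cchow_ami1.pem")
    with open(pem, "w") as fh:
        # Placeholder body: NOT a real key; only the header matters for this check.
        fh.write("-----BEGIN RSA PRIVATE KEY-----\n"
                 "PLACEHOLDER-NOT-A-REAL-KEY\n"
                 "-----END RSA PRIVATE KEY-----\n")
    os.chmod(pem, 0o644)
    before = key_is_exposed(pem)
    mode = secure_private_key(pem)
    after = key_is_exposed(pem)
    return {"exposed_before": before, "mode": mode, "exposed_after": after}


if __name__ == "__main__":
    print(demo())
    print(is_instance_id("i-0123456789abcdef0"), is_instance_id("cchow_ami1"))
```

With the file at 0400 the lesson's login works as ssh -i cchow_ami1.pem ec2-user@PUBLIC-IP (ec2-user is the default account on the Amazon Linux AMI); an encrypted backup of the same file, as the paragraph recommends, is what protects you when the working copy is lost.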
Later we can show how to create our own shorter domain name, if we obtain our own DNS domain through the Route 53 service. For now, we can use the public IP address, which is shorter, to access our instance.