4122. AWS-EC2-Elastic Block Store
AWS, EC2, and EBS

Learn about EBS, Volumes and Snapshots.

1. EBS

1.1 What Is EBS?

Amazon Elastic Block Store (EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability.

1.2 EBS Types

There are 5 Different Types of EBS Storage:

  • General Purpose (SSD)
  • Provisioned lOPS (SSD)
  • Throughput Optimized Hard Disk Drive
  • Cold Hard Disk Drive
  • Magnetic

1.3 Comparison of EBS Types

Volume Type General Purpose SDD Provisioned IOPS SSD Throughput Optimized HDD Cold HDD EBS Magnetic
Description General purpose SSD volume that balances price and performance for a wide variety of transactional workloads Highest-performance SSD volume designed for mission-critical applications Low cost HDD volume designed for frequently accessed, throughput-intensive workloads Lowest cost HDD volume designed for less frequently accessed workloads Previous generation HDD
Use Cases Most Work Loads Databases Big Data & Data Warehouses File Servers Workloads where data is infrequently accessed Standard
API Name gp2 iol st1 sc1 Standard
Volume Size 1 GB - 16 TB 4 GB - 16 TB 500 GB - 16 TB 500 GB - 16 TB 1 GB-1 TB
Max. IOPS Volume 16,000 64,000 500 250 40-200

2. Lab - EBS

2.1 Volumes & Snapshots

When launching a new instance, one EBS volume is attached automatically and they are in the same Available Zone. image Go to Services->EC2->Elastic Block Store->Volumes image

2.2 Creating EC2 Instance with Additional EBS Volumes

Launch a new instance with adding three additional EBS volumes. image After the instance is started, we will see four volumes. image Here, we can change the size of volume. For example, change the size of HDD from 500GB to 1000GB. image We can also change the Volume type from “Standard SDD” to “Provisioned IOPS SSD” for root volume. image Save the change, after a while, we will see the change is go live. For the root volume, type is changed from gp2 to io1. image

2.3 Creating EC2 Instance in Another AZ

Select root volume, Actions->Create Snapshot. image Wait for a while, we will see the snapshot is ready. image Now we can create image with this snapshot. image The new image appears in the AMIs, and it is ready to use. image Let’s launch a new instance with this image, choose a different AZ. image After launch, notice it is in a different AZ(us-west-1a) from the original one(us-west-1c). image We can also move the EBS volume to another region by copying AMI image to another region and launch new instance with it. And we can choose any AZ in that region. image

2.4 Volumes after Instances are Terminated

What happens to volumes if instances are terminated, will they all be deleted as well? See below.

Now we have two instance running. image And we have 5 volumes for above two instances. image After the two instances are terminated, the addition volumes are still there, their states are changed to “available” though. Only the root volumes are deleted. image

2.5 Summary of Volumes & Snapshots

  • Volumes exist on EBS. Think of EBS as a virtual hard disk
  • Snapshots exist on S3. Think of snapshots as a photograph of the disk.
  • Snapshots are point in time copies of Volumes.
  • Snapshots are incremental — this means that only the blocks that have changed since your last snapshot are moved to S3.
  • If this is your first snapshot, it may take some time to create.
  • To create a snapshot for Amazon EBS volumes that serve as root devices, you should stop the instance before taking the snapshot.
  • However you can take a snap while the instance is running.
  • You can create AMI’s from both Volumes and Snapshots.
  • You can change EBS volume sizes on the fly, including changing the size and storage type.
  • Volumes will ALWAYS be in the same availability zone as the EC2 instance.
  • To move an EC2 volume from one AZ to another, take a snapshot of it, create an AMI from the snapshot and then use the AMI to launch the EC2 instance in a new AZ.
  • To move an EC2 volume from one region to another, take a snapshot of it, create an AMI from the snapshot and then copy the AMI from one region to the other. Then use the copied AMI to launch the new EC2 instance in the new region.

3. AMI Types

3.1 AMI Types

You can select your AMI based on:

  • Region (see Regions and Availability Zones)
  • Operating system
  • Architecture (32-bit or 64-bit)
  • Launch Permissions
  • Storage for the Root Device
    • Instance Store (EPHEMERAL STORAGE)
    • EBS Backed Volumes

3.2 EBS vs Instance Store

All AMIs are categorized as either backed by Amazon EBS or backed by instance store.

  • EBS Volumes: The root device for an instance launched from the AMI is an Amazon EBS volume created from an Amazon EBS snapshot.
  • Instance Store Volumes: The root device for an instance launched from the AMI is an instance store volume created from a template stored in Amazon S3.

3.3 Using Instance Store

Create EC2 instance with instance store. Launch instance, switch to “Community AMIs”. image Go through the AMIs list and select one. image Choose the first available instance type. image Keep the default settings. In step “Add Storage”, notice the volume type is Instance Store. image Continue with the default settings and reuse the security group created previously and launch. image Instance store can’t be stopped. Terminate it as it is not free in the free trial. image

3.4 Summary of EBS and Instance Store

  • Instance Store Volumes are sometimes called Ephemeral Storage.
  • Instance store volumes cannot be stopped. If the underlying host fails, you will lose your data.
  • EBS backed instances can be stopped. You will not lose the data on this instance if it is stopped.
  • You can reboot both, you will not lose your data.
  • By default, both ROOT volumes will be deleted on termination. However, with EBS volumes, you can tell AWS to keep the root device volume.

4. EBS Encryption

4.1 Amazon EBS encryption

Use Amazon EBS encryption as a straight-forward encryption solution for your EBS resources associated with your EC2 instances. With Amazon EBS encryption, you aren’t required to build, maintain, and secure your own key management infrastructure. Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMK) when creating encrypted volumes and snapshots.

Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage.

You can attach both encrypted and unencrypted volumes to an instance simultaneously.

4.2 How EBS encryption works

You can encrypt both the boot and data volumes of an EC2 instance. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

  • Data at rest inside the volume
  • All data moving between the volume and the instance
  • All snapshots created from the volume
  • All volumes created from those snapshots

4.3 Steps to Create Encrypted Instances

  • Create a Snapshot of the unencrypted root device volume.
  • Create a copy of the Snapshot and select the encrypt option.
  • Create an AMI from the encrypted Snapshot.
  • Use that AMI to launch new encrypted instances.

4.4 Lab - Encrypted Instance

Volumes->Select one volume, Actions->Create Snapshot. image Set description, then “Create Snapshot”. image Switch to Snapshots view and wait until it’s finished. image Copy and choose encrypted. image The new instance is launched. image Select it and create image with it. image Switch to Images view and see the AMI. image Now, we can use this image to launch new instance, notice it is encrypted by default. image

4.5 Summary of EBS Encryption

  • Snapshots of encrypted volumes are encrypted automatically.
  • Volumes restored from encrypted snapshots are encrypted automatically.
  • You can share snapshots, but only if they are unencrypted.
  • These snapshots can be shared with other AWS accounts or made public.
  • You can now encrypt root device volumes upon creation of the EC2 instance.

5. References