AWS EC2
Cloud Concepts: Scalability, Elasticity & Agility
| Concept | Definition | Example |
|---|---|---|
| Scalability | Ability to handle increased load by adding resources — either vertically (bigger instance) or horizontally (more instances) | Upgrading from t3.medium → r5.2xlarge (vertical) or adding more EC2 instances behind an ALB (horizontal) |
| Elasticity | Ability to automatically scale resources up and down in real time based on actual demand — and release them when no longer needed | ASG adding instances when CPU > 70%, removing them when CPU < 30% |
| Agility | Cloud reduces time-to-resource from weeks (physical hardware) to minutes — enabling faster iteration and experimentation | Spinning up a test environment in minutes, tearing it down after use |
- Scalability ≠ Elasticity: Scalability is the capacity, elasticity is automatic, dynamic adjustment
- Vertical scaling (scale up/down) = bigger instance; has limits (max instance size)
- Horizontal scaling (scale out/in) = more instances; no real upper limit, fault-tolerant
What is EC2?
- Elastic Compute Cloud — virtual servers (instances) in the cloud
- Infrastructure as a Service (IaaS) — you manage the OS and above, AWS manages hardware
- Fully configurable: OS, CPU, RAM, storage, networking, firewall
- Elastic — scale up/down on demand; only pay for what you use
What you can configure:
- OS: Linux, Windows, macOS
- CPU + RAM: instance type
- Storage: EBS (network), Instance Store (physical), EFS (shared)
- Network: VPC, subnet, IP, security groups
- Bootstrap script: EC2 User Data (runs once on first launch)
EC2 User Data
- Bootstrap script that runs once on first launch (as root)
- Used to: install packages, start services, pull config from S3
- Runs as the root user — no `sudo` needed inside the script
```bash
#!/bin/bash
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Hello from EC2</h1>" > /var/www/html/index.html
```
Exam tip: User Data only runs on the first boot by default. To re-run, you must stop the instance, modify User Data, and enable "run on every restart" (not default).
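The "run on every restart" behavior is implemented through cloud-init. A hedged sketch of the documented AWS pattern, using a MIME multi-part user data payload to override the default once-per-instance behavior (module names depend on your AMI's cloud-init version — verify before relying on it):

```
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"

#cloud-config
cloud_final_modules:
  - [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"

#!/bin/bash
echo "ran at $(date)" >> /var/log/userdata-runs.log
--//--
```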
Instance Types
Instance type format: [family][generation][attributes].[size]
Example: m5.xlarge → General Purpose, 5th gen, extra large
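The naming format can be illustrated with a small parser. This is a toy sketch for the common `[family][generation][attributes].[size]` shape only (real names like `u-6tb1.metal` have extra wrinkles it ignores):

```shell
#!/bin/bash
# Split an instance type string into family / generation / attributes / size.
parse_type() {
  local type=$1
  local prefix=${type%%.*}          # "m5" or "c6g"
  local size=${type#*.}             # "xlarge", "large"
  local family=${prefix%%[0-9]*}    # leading letters = family
  local rest=${prefix#"$family"}
  local gen=${rest%%[a-z]*}         # digits = generation
  local attrs=${rest#"$gen"}        # trailing letters = attributes (e.g. g = Graviton)
  echo "$family $gen ${attrs:-none} $size"
}

parse_type m5.xlarge   # m 5 none xlarge
parse_type c6g.large   # c 6 g large
```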
```mermaid
graph TD
Types[EC2 Instance Types] --> GP[General Purpose<br/>T, M series]
Types --> CO[Compute Optimized<br/>C series]
Types --> MO[Memory Optimized<br/>R, X, z series]
Types --> SO[Storage Optimized<br/>I, D, H series]
Types --> AC[Accelerated Computing<br/>P, G, Inf series]
style Types fill:#dbeafe,stroke:#3b82f6
style GP fill:#dcfce7,stroke:#16a34a
style CO fill:#fef9c3,stroke:#ca8a04
style MO fill:#fed7aa,stroke:#ea580c
style SO fill:#f3e8ff,stroke:#9333ea
style AC fill:#fce7f3,stroke:#db2777
```
| Family | Series | Best For | Examples |
|---|---|---|---|
| General Purpose | T, M | Balanced CPU/RAM — web servers, dev environments | t3.micro, m5.large |
| Compute Optimized | C | High CPU — batch processing, gaming servers, ML inference | c5.xlarge |
| Memory Optimized | R, X, z | Large in-memory datasets — databases, real-time big data, caches | r5.2xlarge |
| Storage Optimized | I, D, H | High sequential read/write — OLTP DBs, data warehousing, distributed FS | i3.large |
| Accelerated Computing | P, G, Inf | GPU workloads — ML training, video rendering, HPC | p3.2xlarge |
T Series — Burstable Performance
- Earns CPU credits when CPU usage is below baseline
- Spends credits when CPU bursts above baseline
- `t2.micro` / `t3.micro` — Free Tier eligible
- T3 Unlimited mode — can sustain high CPU beyond credits, billed for extra usage
- When credits run out in standard mode → CPU throttled back to baseline
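As a worked example of the credit mechanics — the figures below are the commonly cited t3.micro numbers (12 credits earned per hour, 288 max balance, 1 credit = 1 vCPU-minute at 100%); verify against current AWS docs before relying on them:

```shell
#!/bin/bash
# Assumed t3.micro figures (check current AWS documentation):
EARN_PER_HOUR=12     # credits earned per hour while below baseline
MAX_BALANCE=288      # maximum accrued credit balance
VCPUS=2

# Bursting both vCPUs at 100% spends 1 credit per vCPU-minute:
SPEND_PER_HOUR=$(( VCPUS * 60 ))                 # 120 credits/hour
NET_BURN=$(( SPEND_PER_HOUR - EARN_PER_HOUR ))   # 108 credits/hour

# How long a full balance sustains a 100% burst in standard mode:
BURST_MINUTES=$(( MAX_BALANCE * 60 / NET_BURN )) # 160 minutes (~2.7 hours)
echo "Full-balance burst lasts ${BURST_MINUTES} minutes"
```

After that point, standard mode throttles back to baseline; Unlimited mode keeps bursting and bills the surplus.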
Graviton (ARM-based)
- AWS-designed ARM processors — up to 40% better price/performance than x86
- Series: `m6g`, `c6g`, `r6g` (g = Graviton)
- Requires software compiled for ARM — check compatibility before migrating
Bare Metal Instances
- Direct access to physical hardware — no hypervisor
- Use for: licensing requirements, performance-sensitive workloads, running your own hypervisor
- Examples: `m5.metal`, `i3.metal`
Pricing Models
```mermaid
graph LR
Pay[Pricing Models] --> OD[On-Demand<br/>Pay per hour/sec<br/>No commitment]
Pay --> RI[Reserved<br/>1 or 3 year<br/>Up to 72% off]
Pay --> SP[Savings Plans<br/>Flexible commitment<br/>Up to 72% off]
Pay --> Spot[Spot<br/>Spare capacity<br/>Up to 90% off]
Pay --> DH[Dedicated Host<br/>Physical server<br/>Compliance / BYOL]
Pay --> CR[Capacity Reservation<br/>Reserve capacity<br/>No discount]
style Pay fill:#dbeafe,stroke:#3b82f6
style OD fill:#fef9c3,stroke:#ca8a04
style RI fill:#dcfce7,stroke:#16a34a
style SP fill:#dcfce7,stroke:#16a34a
style Spot fill:#fed7aa,stroke:#ea580c
style DH fill:#f3e8ff,stroke:#9333ea
style CR fill:#fce7f3,stroke:#db2777
```
| Model | Commitment | Discount | Use When |
|---|---|---|---|
| On-Demand | None | — | Short-term, unpredictable workloads, testing |
| Reserved Instance | 1 or 3 years | Up to 72% | Steady-state apps, always-on workloads (e.g. prod DB) |
| Savings Plans | 1 or 3 years ($/hr) | Up to 72% | Flexible — applies across instance families and regions |
| Spot | None | Up to 90% | Fault-tolerant batch jobs, ML training, CI pipelines |
| Dedicated Host | On-demand or reserved | — | Compliance, BYOL (bring your own license) |
| Dedicated Instance | On-demand | — | Hardware isolation without full host control |
| Capacity Reservation | None | — | Guarantee capacity in a specific AZ, combine with RI/SP for discount |
Reserved Instances — Types
| Type | Flexibility | Discount |
|---|---|---|
| Standard RI | Fixed instance type + region | Highest (up to 72%) |
| Convertible RI | Can change instance family, OS, tenancy | Lower (up to 66%) |
| Scheduled RI | Reserved for recurring time windows | Deprecated — use Savings Plans instead |
Can be bought/sold on the Reserved Instance Marketplace if you no longer need them.
Spot Instances — Deep Dive
- AWS reclaims with 2-minute warning (Spot interruption notice via metadata)
- Spot Block (deprecated) — used to reserve 1–6 hours without interruption
- Spot Fleet — mix of Spot + On-Demand, targets a capacity and price
- EC2 Fleet — mix instance types across On-Demand, Spot, Reserved
- Never use Spot for: databases, stateful critical workloads, anything that can't be interrupted
Dedicated Host vs Dedicated Instance
| | Dedicated Host | Dedicated Instance |
|---|---|---|
| Physical server control | ✅ Full control | ❌ No |
| Visibility into sockets/cores | ✅ Yes | ❌ No |
| BYOL support | ✅ Yes | ❌ No |
| Cost | Higher | Lower |
Security Groups
- Virtual firewall for EC2 instances — controls inbound and outbound traffic
- Operate at the instance level (NACLs operate at subnet level)
- Stateful — allow inbound → response traffic is automatically allowed outbound
- A security group can be attached to multiple instances
- Scoped to a region/VPC combination — cannot be reused across regions or VPCs
Rules:
- Only Allow rules — no explicit deny (use NACL for denying)
- Rules define: protocol, port range, source/destination (CIDR or another SG)
- Multiple SGs can be attached to one instance (up to 5 by default)
- Default: all inbound denied, all outbound allowed
- Changes apply immediately
Common ports:
21 — FTP (File Transfer Protocol) — upload files to a file share
22 — SSH (Linux)
22 — SFTP (Secure File Transfer Protocol) — file transfer over SSH
3389 — RDP (Windows)
80 — HTTP
443 — HTTPS
3306 — MySQL / Aurora
5432 — PostgreSQL
27017 — MongoDB
6379 — Redis
8080 — HTTP alternate
SG referencing: A security group can reference another SG as the source — all instances in SG-A can reach SG-B without managing IPs. Standard pattern for multi-tier apps (web tier → app tier → DB tier).
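This pattern can be expressed in infrastructure-as-code. A hedged CloudFormation sketch (resource names and the VPC reference are placeholders, not from the original notes):

```yaml
# Hypothetical fragment: the DB-tier SG admits MySQL traffic only from
# instances in the app-tier SG — no IP ranges to maintain.
DbTierSG:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: DB tier - MySQL from app tier only
    VpcId: !Ref MyVpc                            # placeholder VPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 3306
        ToPort: 3306
        SourceSecurityGroupId: !Ref AppTierSG    # SG-to-SG reference
```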
Security Groups vs NACLs
| | Security Group | NACL |
|---|---|---|
| Level | Instance | Subnet |
| State | Stateful | Stateless |
| Rules | Allow only | Allow + Deny |
| Rule evaluation | All rules evaluated | Rules evaluated in order (lowest number first) |
| Default | Deny all inbound, allow all outbound | Allow all inbound + outbound |
| Applies to | ENI / instance | All instances in subnet |
Exam trap: NACLs are stateless — return traffic must be explicitly allowed. Security Groups are stateful — return traffic is always allowed.
EC2 Instance Connect & Access
Key Pairs
- Public key stored on EC2 (in `~/.ssh/authorized_keys`), private key stored by you
- Linux: SSH with the `.pem` file (`chmod 400` it first)
- Windows: decrypt the Administrator password using the private key
- Lost private key → cannot recover. Must: create AMI → launch new instance with new key pair
EC2 Instance Connect
- Browser-based SSH via AWS Console — no key pair needed
- Works only on Amazon Linux 2 and Ubuntu 20.04+
- Requires security group to allow port 22 from AWS IP ranges (not 0.0.0.0/0)
- Pushes a temporary one-time-use key, connects, key expires
SSM Session Manager
- Access instances without SSH, no port 22, no key pair, no bastion host
- Works even in private subnets (agent calls out to SSM endpoint)
- Requires: SSM Agent installed (pre-installed on Amazon Linux 2) + IAM role with the `AmazonSSMManagedInstanceCore` policy
- Audit trail: all sessions can be logged to S3 or CloudWatch Logs
- Best practice for production — no inbound ports needed
IAM Roles for EC2
- EC2 instances need IAM Roles (not access keys!) to call AWS services
- Role is attached as an instance profile — only one role per instance
- Credentials are automatically rotated by AWS
- Application code uses the Instance Metadata Service (IMDS) to get temporary credentials
Never hardcode AWS access keys in EC2 instances or user data. Always use IAM Roles.
AMI (Amazon Machine Image)
- A template for launching EC2 instances — includes OS, pre-installed software, configuration
- Region-specific — can be copied across regions
- Types:
- AWS-provided — Amazon Linux 2, Ubuntu, Windows Server
- AWS Marketplace — third-party pre-configured AMIs (NGINX, databases, etc.)
- Custom AMI — snapshot of your configured instance (bake your own stack)
- Community AMIs — public AMIs from other AWS users
Why use a custom AMI?
- Faster launch — no install/configure on boot
- Consistent environments across all instances
- Golden image pattern — snapshot a known-good state
Launch EC2 → Configure + install → Stop instance → Create AMI → Launch new instances from AMI
Exam tip: Always stop the instance before creating an AMI to ensure data consistency. You can create from a running instance but there may be data integrity issues.
AMI Lifecycle
```mermaid
graph LR
L[Launch EC2] --> C[Configure]
C --> S[Stop Instance]
S --> A[Create AMI]
A --> CP[Copy to other regions]
A --> SH[Share with other accounts]
A --> MK[Make Public]
A --> D[Deregister when done]
```
AMI Sharing & Encryption
- Can share AMI with specific AWS accounts or make public
- Encrypted AMI → can share the underlying snapshot KMS key with another account
- Cannot copy an encrypted AMI without access to the KMS key
EC2 Image Builder
- Automates creation, maintenance, validation, and distribution of AMIs
- Define a pipeline: base image → build steps → test → distribute to regions
- Runs on a temporary EC2 instance, creates AMI, terminates instance
- Free to use (pay only for EC2 instances + storage during build)
EC2 Instance Lifecycle
```mermaid
graph LR
Pending --> Running
Running --> Stopping
Stopping --> Stopped
Stopped --> Pending
Running --> ShuttingDown[Shutting-down]
ShuttingDown --> Terminated
Stopped --> Terminated
Running --> Rebooting[Rebooting]
Rebooting --> Running
```
| State | Billing | Notes |
|---|---|---|
| Pending | Not billed | Booting up |
| Running | Billed | Normal operation |
| Stopping | Not billed | Transitioning to stopped |
| Stopped | Not billed for compute | EBS still billed |
| Terminated | Not billed | Instance deleted, root EBS deleted by default |
| Rebooting | Billed | OS reboot, equivalent to reboot command |
Exam trap: Stopping and starting an instance may change the Public IP unless you use an Elastic IP. Private IP stays the same.
EC2 Hibernate
- Saves in-memory (RAM) state to the EBS root volume — instance resumes where it left off
- Faster startup than a cold start (RAM doesn't need to reload)
- Requirements: EBS root volume must be encrypted, RAM must be < 150 GB, not bare metal
- Max hibernate duration: 60 days
- Use for: long-running processes, pre-warming services that take time to load
Storage Options
```mermaid
graph TD
Storage[EC2 Storage] --> EBS[EBS<br/>Network block storage<br/>Persistent, AZ-bound]
Storage --> IS[Instance Store<br/>Local physical disk<br/>Ephemeral, very fast]
Storage --> EFS[EFS<br/>Network file system<br/>Multi-instance, shared]
Storage --> FSx[FSx<br/>Managed file systems<br/>Windows, Lustre, ONTAP]
Storage --> S3[S3<br/>Object storage<br/>Not mounted, API-based]
style Storage fill:#dbeafe,stroke:#3b82f6
style EBS fill:#dcfce7,stroke:#16a34a
style IS fill:#fef9c3,stroke:#ca8a04
style EFS fill:#fed7aa,stroke:#ea580c
style FSx fill:#e0e7ff,stroke:#4f46e5
style S3 fill:#f3e8ff,stroke:#9333ea
```
EBS (Elastic Block Store)
- Network-attached block storage — like plugging a USB drive into an instance
- Persists independently of the instance (survives stop/terminate if not set to delete)
- Bound to a single AZ — to move across AZs, take a snapshot → restore in target AZ
- One EBS → one instance (by default). Exception: io1/io2 Multi-Attach
Volume Types
| Type | Category | Max IOPS | Max Throughput | Use Case |
|---|---|---|---|---|
| gp3 | SSD — General Purpose | 16,000 | 1,000 MB/s | Default for most workloads, boot volumes |
| gp2 | SSD — General Purpose | 16,000 | 250 MB/s | Older default, avoid for new workloads |
| io2 Block Express | SSD — Provisioned IOPS | 256,000 | 4,000 MB/s | Mission-critical DBs, SAP HANA |
| io1 / io2 | SSD — Provisioned IOPS | 64,000 | 1,000 MB/s | High-performance DBs, low latency |
| st1 | HDD — Throughput Optimized | 500 | 500 MB/s | Big data, log processing, sequential reads |
| sc1 | HDD — Cold | 250 | 250 MB/s | Infrequent access, lowest cost |
gp3 vs gp2: gp3 is generally preferred — IOPS and throughput are configurable independently of volume size. gp2 IOPS scale with size (3 IOPS/GiB). HDD types (st1/sc1) cannot be used as boot volumes — only SSD types.
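The gp2 size-to-IOPS coupling can be computed directly — 3 IOPS per GiB, floored at 100 and capped at 16,000:

```shell
#!/bin/bash
# Baseline IOPS for a gp2 volume: 3 IOPS/GiB, min 100, max 16,000.
gp2_iops() {
  local size_gib=$1
  local iops=$(( size_gib * 3 ))
  (( iops < 100 ))   && iops=100
  (( iops > 16000 )) && iops=16000
  echo "$iops"
}

gp2_iops 8      # 100  — small volumes get the 100 IOPS floor
gp2_iops 500    # 1500
gp2_iops 6000   # 16000 — the cap, reached at ~5,334 GiB
```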
EBS Multi-Attach (io1/io2 only)
- Attach one EBS volume to multiple EC2 instances in the same AZ
- Up to 16 instances simultaneously
- Each instance has full read/write permissions
- Must use a cluster-aware file system (not standard ext4/xfs)
- Use for: high-availability applications that manage concurrent writes
EBS Encryption
- Encrypts data at rest, in transit between instance and volume, and in snapshots
- Uses KMS keys (aws/ebs default key or customer-managed)
- Encryption is transparent — no application changes needed
- Encrypt an unencrypted volume: snapshot → copy snapshot with encryption → create volume from encrypted snapshot
- Snapshots of encrypted volumes are automatically encrypted
- Volumes created from encrypted snapshots are automatically encrypted
EBS Snapshots
- Point-in-time backup stored in S3 (managed by AWS, not in your S3 bucket)
- Incremental — only changed blocks after first full snapshot
- Can copy across regions → use for Disaster Recovery or data migration
- EBS Snapshot Archive — move to archive tier (75% cheaper), restore takes 24–72 hrs
- Recycle Bin — protect snapshots from accidental deletion, retention 1 day–1 year
- Fast Snapshot Restore (FSR) — eliminates latency on first restore (extra cost)
Instance Store
- Physically attached local disk — much faster than EBS (millions of IOPS)
- Ephemeral — data lost when instance stops, terminates, or hardware fails
- Persists through reboots only
- Cannot be detached and re-attached
- Use for: temp files, caches, buffers, scratch space where loss is acceptable
EFS (Elastic File System)
- Managed NFS — can be mounted on multiple EC2 instances simultaneously, even across AZs
- Linux only (NFSv4 protocol)
- Scales automatically (no capacity planning needed)
- Roughly 3× the cost of gp2 EBS, but provides shared access and pay-per-use capacity
- Storage classes: Standard (frequent access) and Infrequent Access (IA) — lifecycle policies auto-move files
- EFS vs EBS: EFS = shared file system across instances; EBS = dedicated block storage per instance
FSx (Amazon FSx)
- Managed third-party file systems — high-performance file storage for specialized workloads
- Unlike EFS (NFS/Linux-only), FSx supports Windows-native and high-performance compute file systems
| Type | Protocol | Use Case |
|---|---|---|
| FSx for Windows File Server | SMB (CIFS) | Windows workloads, Active Directory integration, lift-and-shift Windows apps |
| FSx for Lustre | Lustre | HPC (high-performance computing), ML training, video processing — millions of IOPS, sub-ms latency |
| FSx for NetApp ONTAP | NFS, SMB, iSCSI | Multi-protocol, snapshots, replication, compatible with on-prem NetApp |
| FSx for OpenZFS | NFS | Linux workloads needing ZFS features (snapshots, clones) |
FSx for Lustre — Key Details:
- Designed for fast, distributed high-performance computing — scratch (ephemeral) or persistent storage
- Can be backed by S3 — lazy-loads data from S3 on first access, writes back to S3 on completion
- Scratch: temporary, no replication, maximum throughput (e.g. short batch jobs)
- Persistent: replicated within AZ, survives failures (e.g. long-running HPC)
FSx for Windows — Key Details:
- Integrated with Microsoft Active Directory — supports user auth, ACLs
- Supports DFS (Distributed File System) namespaces for spanning multiple file systems
- Supports the SMB protocol and Windows NTFS
- Multi-AZ deployment option for HA
Exam tip: Use EFS for Linux shared storage; use FSx for Windows for SMB/AD workloads; use FSx for Lustre for HPC/ML with S3 integration.
Networking
Elastic IP (EIP)
- Static public IPv4 address — yours until you release it
- Remaps to another instance in seconds during failure (failover)
- Billed when not associated with a running instance (waste = cost)
- Max 5 Elastic IPs per account (can request increase)
- Best practice: Use DNS (Route 53) or Load Balancers instead of Elastic IPs
ENI (Elastic Network Interface)
- Virtual network card — can have: primary private IP, secondary private IPs, Elastic IP, public IP, MAC address, security groups
- Can be detached and re-attached to another instance in the same AZ
- Use for: failover (move ENI to standby instance), dual-homed instances (two subnets), network appliances
- Each instance has a primary ENI (eth0) that cannot be detached
Placement Groups
Control how instances are placed across underlying hardware:
```mermaid
graph LR
PG[Placement Groups] --> C[Cluster<br/>Same rack, same AZ<br/>Low latency, 10Gbps]
PG --> S[Spread<br/>Different racks<br/>Max 7 per AZ]
PG --> P[Partition<br/>Different racks per partition<br/>Hadoop, Kafka, Cassandra]
style PG fill:#dbeafe,stroke:#3b82f6
style C fill:#fce7f3,stroke:#db2777
style S fill:#dcfce7,stroke:#16a34a
style P fill:#fef9c3,stroke:#ca8a04
```
| Type | Placement | Max Instances | Use Case | Risk |
|---|---|---|---|---|
| Cluster | Same rack, same AZ | No limit | HPC, low-latency, 10Gbps networking | Entire group fails if rack fails |
| Spread | Different physical racks | 7 per AZ | Critical instances, max isolation | Limited to 7 per AZ |
| Partition | Different racks per partition | 7 partitions per AZ | Distributed systems (HDFS, Kafka) | Partition failure = partial impact |
Cluster PG exam trap: All instances in same AZ → if you start more instances later, may get "insufficient capacity" error. Launch all instances at once to maximize success.
EC2 Instance Metadata Service (IMDS)
- Internal endpoint: `http://169.254.169.254/latest/meta-data/`
- Only accessible from within the instance
- Provides: instance ID, AMI ID, IAM credentials, public IP, hostname, etc.
```bash
# Get instance ID
curl http://169.254.169.254/latest/meta-data/instance-id

# Get IAM role credentials (temporary)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRole

# Get user data
curl http://169.254.169.254/latest/user-data

# IMDSv2 (recommended): fetch a session token, then send it with each request
TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/instance-id
```
IMDSv1 vs IMDSv2
| | IMDSv1 | IMDSv2 |
|---|---|---|
| Method | Simple GET request | Session-oriented (requires PUT first to get token) |
| Security | Less secure (SSRF vulnerability) | More secure |
| Default (new instances) | Disabled by default | Enabled by default |
Exam tip: AWS recommends requiring IMDSv2. Can enforce via instance settings or SCP.
Auto Scaling Groups (ASG)
- Automatically add or remove instances based on load or schedule
- Maintains min / max / desired instance count
- Replaces unhealthy instances automatically using health checks
- Configured via a Launch Template (defines: AMI, instance type, SG, user data, key pair)
```mermaid
graph LR
LB[Load Balancer] --> ASG
subgraph ASG[Auto Scaling Group]
I1[Instance 1]
I2[Instance 2]
I3[Instance 3]
end
CW[CloudWatch Alarm<br/>CPU > 70%] -->|Scale Out| ASG
CW2[CloudWatch Alarm<br/>CPU < 30%] -->|Scale In| ASG
style ASG fill:#dcfce7,stroke:#16a34a,stroke-width:1.5px
style LB fill:#dbeafe,stroke:#3b82f6
style CW fill:#fef9c3,stroke:#ca8a04
style CW2 fill:#fef9c3,stroke:#ca8a04
```
Scaling Policies
| Policy | How it works | Use When |
|---|---|---|
| Target Tracking | Keep a metric at a target (e.g. CPU = 50%) | Simplest, most common |
| Step Scaling | Scale by N instances when alarm threshold crossed | More control over scale amount |
| Scheduled Scaling | Scale at a set time (e.g. +5 instances at 9am Mon) | Predictable traffic spikes |
| Predictive Scaling | ML-based forecast, pre-scales ahead of demand | Cyclical traffic patterns |
- Cooldown period — after a scaling event, ASG waits before triggering another (default 300s). Prevents rapid thrashing.
- Scale-in protection — protect specific instances from being terminated during scale-in
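Target tracking's core math is roughly proportional. A simplified sketch of that rule — the real service also factors in cooldowns, instance warm-up, and health:

```shell
#!/bin/bash
# desired = ceil(running * current_metric / target_metric), clamped to [min, max].
# Simplified model of target tracking, not the exact AWS algorithm.
target_capacity() {
  local running=$1 current=$2 target=$3 min=$4 max=$5
  local desired=$(( (running * current + target - 1) / target ))  # ceiling division
  (( desired < min )) && desired=$min
  (( desired > max )) && desired=$max
  echo "$desired"
}

target_capacity 4 90 50 2 10   # CPU at 90% vs 50% target → scale out to 8
target_capacity 4 20 50 2 10   # CPU at 20% → scale in to the minimum, 2
```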
ASG Lifecycle Hooks
Pause instance at specific states to run custom actions:
Launch: Pending → Pending:Wait → [your action] → Pending:Proceed → InService
Terminate: Terminating → Terminating:Wait → [your action] → Terminating:Proceed → Terminated
- Use for: install software before instance goes live, drain connections before termination, send logs before termination
- Default timeout: 1 hour
ASG Termination Policy (Scale-In)
Default termination order:
- AZ with most instances
- Oldest launch template/config
- Instance closest to next billing hour
ASG Warm Pools
- Pre-initialized instances waiting in Stopped or Running state
- Dramatically reduces launch latency (already initialized)
- Useful when app has long startup/initialization time
Health Checks
- EC2 health check (default) — checks instance state (running vs stopped/terminated)
- ELB health check — checks if app is responding (HTTP 200)
- Always enable ELB health checks when ASG is behind a load balancer — EC2 check alone won't catch app failures
Launch Template vs Launch Configuration
| | Launch Template | Launch Configuration |
|---|---|---|
| Versioning | ✅ Supports versions | ❌ No versioning |
| Spot support | ✅ Mixed instances | ❌ Limited |
| AWS recommendation | ✅ Use this | Deprecated |
Load Balancers (ELB)
Distribute incoming traffic across multiple targets (EC2, Lambda, containers).
```mermaid
graph TD
Internet([Internet]) --> LB[Load Balancer]
LB --> I1[Instance 1]
LB --> I2[Instance 2]
LB --> I3[Instance 3]
style Internet fill:#dbeafe,stroke:#3b82f6
style LB fill:#d0bfff,stroke:#7c3aed
style I1 fill:#dcfce7,stroke:#16a34a
style I2 fill:#dcfce7,stroke:#16a34a
style I3 fill:#dcfce7,stroke:#16a34a
```
| Type | Layer | Protocol | Use Case |
|---|---|---|---|
| ALB (Application) | L7 | HTTP/HTTPS/WebSocket | Path/host routing, microservices, containers |
| NLB (Network) | L4 | TCP/UDP/TLS | Ultra-low latency, static IP, millions req/sec |
| GLB (Gateway) | L3 | IP | Inline security appliances (firewalls, IDS/IPS) |
| CLB (Classic) | L4/L7 | HTTP/HTTPS/TCP | Legacy — do not use for new workloads |
ALB (Most Common in Exams)
- Routes by URL path: `/api/*` → Target Group A, `/web/*` → Target Group B
- Routes by hostname: `api.example.com` vs `app.example.com`
- Routes by HTTP headers, query strings, source IP
- Targets: EC2, Lambda, IPs, ECS containers
- Sticky sessions — same client always routes to the same instance (application-based or duration-based cookie)
- X-Forwarded-For header — carries the original client IP (otherwise the target only sees the LB's IP)
- Can return a fixed response (200/404/503) directly, without forwarding to a target
- Can redirect (e.g. HTTP → HTTPS) at the LB level
- Fixed DNS name, no static IP — use an NLB with Elastic IPs if you need one
NLB
- Handles millions of requests per second with microsecond latency
- Static IP per AZ — can assign Elastic IPs
- No security group on the NLB itself — configure on targets
- Preserves client IP address (no need for X-Forwarded-For)
- Supports: TCP, UDP, TLS termination
GLB
- Uses the GENEVE protocol on IP packets (Layer 3)
- Routes traffic through firewall/inspection appliances you manage on EC2 instances
- Use for: intrusion detection and prevention, deep packet inspection
Target Groups
- ALB/NLB route to Target Groups, not directly to instances
- Target types: EC2 instances, IP addresses, Lambda functions, ALB (ALB → NLB → ALB chaining)
- Health checks configured at target group level
Cross-Zone Load Balancing
| | Default | Cost |
|---|---|---|
| ALB | Enabled | Free |
| NLB/GLB | Disabled | Paid if enabled |
- Enabled: traffic distributed evenly across all instances in all AZs
- Disabled: traffic distributed evenly across AZs only (AZ with fewer instances gets less per-instance traffic)
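A quick calculation shows why this matters when AZs are unevenly filled — say AZ-A has 2 instances and AZ-B has 8 (shares in basis points, 100 bps = 1%):

```shell
#!/bin/bash
A=2; B=8; TOTAL=$(( A + B ))

# Cross-zone disabled: each AZ receives 50% of traffic, split among its own instances
off_a=$(( 5000 / A ))     # 2500 bps = 25%   per AZ-A instance
off_b=$(( 5000 / B ))     # 625 bps  = 6.25% per AZ-B instance

# Cross-zone enabled: traffic is split evenly across all 10 instances
on=$(( 10000 / TOTAL ))   # 1000 bps = 10%   per instance

echo "off: $off_a / $off_b bps, on: $on bps"
```

With cross-zone off, an AZ-A instance carries four times the load of an AZ-B instance.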
Connection Draining (Deregistration Delay)
- Time given to complete in-flight requests while an instance is de-registering or unhealthy
- Default: 300 seconds (range: 1–3600s, 0 = disabled)
- Set low for short-lived requests, higher for long-running (file uploads, etc.)
SSL/TLS Termination
- LB decrypts HTTPS, forwards HTTP to backend (or re-encrypts with HTTPS)
- Uses ACM (Certificate Manager) to manage SSL certs
- SNI (Server Name Indication) — ALB/NLB can serve multiple SSL certs for multiple domains on the same listener
EC2 Exam Cheat Sheet — Common Scenario Questions
| Scenario | Answer |
|---|---|
| Need lowest cost for interruptible batch jobs | Spot Instances |
| Need guaranteed capacity, no discount needed | On-Demand + Capacity Reservation |
| Running production database 24/7 for 3 years | Reserved Instance (Standard, 3yr, All Upfront) |
| Need static IP that survives instance stop/start | Elastic IP |
| App needs sub-ms latency between instances | Cluster Placement Group |
| 7 critical instances must never share hardware | Spread Placement Group |
| Hadoop cluster, fault-tolerant per rack | Partition Placement Group |
| SSH without opening port 22 | SSM Session Manager |
| Share EBS across multiple instances | io1/io2 with Multi-Attach |
| Shared file system across multiple instances | EFS |
| Instance keeps same IP after stop/start | Private IP stays (Public IP changes — use Elastic IP) |
| Fastest possible storage, loss acceptable | Instance Store |
| App won't start on new instances immediately | Custom AMI (pre-baked) or ASG Lifecycle Hooks |
| Scale based on SQS queue depth | ASG with Custom CloudWatch Metric |
| LB needs to route based on URL path | ALB |
| LB needs static IP | NLB + Elastic IP |
| Access AWS services from EC2 securely | IAM Role attached as Instance Profile |
| Encrypt existing unencrypted EBS volume | Snapshot → Copy with encryption → New volume |
| Move EBS to different AZ | Snapshot → Restore in target AZ |
Summary
| Concept | One-liner |
|---|---|
| AMI | Template to launch instances — OS + software baked in |
| EBS | Persistent network block storage, AZ-bound, one instance (except io1/io2) |
| Instance Store | Fast ephemeral storage, lost on stop/terminate |
| EFS | Shared NFS file system, multi-instance, Linux only |
| FSx for Windows | Managed SMB file system, AD integration, Windows workloads |
| FSx for Lustre | High-performance parallel FS for HPC/ML, optional S3 backend |
| Security Group | Stateful virtual firewall at instance level, allow rules only |
| NACL | Stateless firewall at subnet level, allow + deny rules |
| User Data | Bootstrap script, runs once on first launch |
| Placement Group Cluster | Same rack, low latency, risk of simultaneous failure |
| Placement Group Spread | Different racks, max isolation, 7 per AZ |
| Placement Group Partition | Different racks per partition, distributed systems |
| Elastic IP | Static public IP, billed when not associated |
| ENI | Virtual NIC, movable between instances in same AZ |
| ASG | Auto add/remove instances based on load or schedule |
| ASG Lifecycle Hook | Pause instance at launch/terminate to run custom logic |
| ALB | L7 load balancer — path/host/header routing |
| NLB | L4 load balancer — ultra-low latency, static IP |
| SSM Session Manager | Shell access without SSH, no port 22 needed |
| Instance Profile | Container for IAM role attached to EC2 |
| Hibernate | Save RAM to EBS, faster resume, max 60 days |
| IMDSv2 | Secure metadata access, session-oriented, recommended over v1 |