After this lesson, you will be able to: Launch an EC2 instance with proper security groups + key pairs, pick an instance type, and use auto-scaling groups for production.
EC2 is the workhorse compute service. Knowing how to launch + secure + scale it is mandatory.
t3.micro is free-tier eligible for 750 hours/month.
EC2 console → Launch instance
Name: my-first-ec2
AMI: Ubuntu Server 24.04 (Free tier eligible)
Instance type: t3.micro
Key pair: create new (download the .pem; chmod 400 ~/Downloads/key.pem)
Network: default VPC, default subnet, public IP enabled
Security group: create new; allow SSH (port 22) from MY IP ONLY (not 0.0.0.0/0)
Storage: 8 GB gp3 (default)
Review + Launch
SSH in: ssh -i ~/Downloads/key.pem ubuntu@<public-ip>
When done LEARNING: Terminate the instance (not Stop, terminate deletes the EBS volume too)
A security group is a stateful firewall on the instance's ENI (network interface). Rules: protocol + port + source (CIDR or another SG). Outbound: all allowed by default. Inbound: default-deny. Best practice: SSH (22) from your office IP / VPN only, NEVER 0.0.0.0/0 in production. Use AWS Systems Manager Session Manager for keyless SSH alternatives. Multiple SGs can attach to one instance; rules are additive.
Format: <family><generation>.<size>. Example: t3.micro. Families: t = burstable (most apps); m = balanced; c = compute-heavy; r = memory-heavy; g/p = GPU. Sizes: nano, micro, small, medium, large, xlarge, 2xlarge, ... 96xlarge. Linear price scaling. For learning: t3.micro (free tier) or t4g.micro (ARM, cheaper). For production: start with t3.medium or m6i.large; right-size based on CloudWatch metrics. Spot instances: up to 90% cheaper but can be reclaimed with 2-min notice. Great for batch / stateless workloads.
An ASG manages a set of EC2 instances: 'I want between 2 and 10 instances of this type'. Pairs with a load balancer (ALB). ALB distributes traffic; ASG provides the targets. Scaling policies: target tracking ('keep CPU at 60%'), step scaling, scheduled. Launch template: the recipe for a new instance (AMI, type, SGs, IAM role, user-data script). ASG + ALB is the canonical 'horizontally-scaled web app' pattern on EC2.
Runs as root on first boot. Use to install + start your app.
#!/usr/bin/env bash# user-data.sh, runs as root on first bootset -euxo pipefailIFS=$'\n\t'apt-get updateapt-get install -y nginxsystemctl enable --now nginx# Pull config from S3, install your app, start the service...aws s3 cp s3://my-config-bucket/nginx.conf /etc/nginx/nginx.confsystemctl reload nginx# Tip: user-data output is logged to /var/log/cloud-init-output.log on the instance.# Debug there if it fails on boot.
SSH (22) open to the world. EC2 instances on public IP with port 22 are scanned + brute-forced within minutes. Always restrict by source IP. Long-lived access keys on the instance. Use an instance profile (IAM role) instead. Forgetting to terminate test instances. EBS volume + EIP costs accrue silently. Storing app state on the instance disk. Instances die; data dies with them. Use S3 / RDS / EFS for state. Snowflake instances (manually configured). Use launch templates + user-data so any instance is reproducible.
Pick the cleanest answer.
Sign in and purchase access to unlock this lesson.