Amazon Cloud Servers For Beginners: Console VS Command-Line
2017-03-20 - By Robert Elder
Introduction
In this article, we'll give you an introduction to launching servers in Amazon's cloud service, known as 'Amazon Web Services' or AWS for short. We will explore how to launch servers using the AWS console, as well as how to launch them through the 'Command Line Interface' (CLI) from the Linux command-line. This guide is mainly targeted at people who use Linux as their primary operating system. Once we launch the Amazon server, we'll connect to it using ssh from the Linux command-line. If you are using Windows, you'll be able to do something similar using a program called 'PuTTY', but some of your steps will be different.
This article will cover the following topics:
- Launching an Amazon server through the Console
- Launching an Amazon server through the Linux command-line
- Creating an IAM user to allow command-line access to your AWS account
- Connecting to a server with SSH for first-time users
- How to install and verify a simple Apache Web Server on your new instance
- Common beginner issues related to security groups and networking
- Important security tips that beginners need to be aware of
Launching An Amazon Server Via The Console
We're going to start by assuming that you've already signed up for an AWS account. Once you're logged into your AWS account, you'll see a link near the top that says 'Services'. Click that, and you'll see a number of different services that AWS offers. Today, we're only going to focus on EC2 which is a service that allows you to launch general-purpose servers on demand.
Once you've entered the EC2 console, you'll see an overview of what resources you currently have running. Also, take note of the region drop-down in the top right:
Amazon allows you to select the geographic region you want to list a server in. Make sure you take note of what region you launch your servers into, so you can find them in the console later.
Once you've selected the geographic region that you want to launch your server into, go ahead and click the 'Launch Instance' button. Once you do that you'll see the following screen:
The above screen will ask you what type of OS you want to have your server provisioned with. The cost differs for each server type, with Windows servers being more expensive. In order to match the rest of this demo, you should select a Linux server running Ubuntu. Once you do so, you'll see this screen:
Different instance types cost different amounts of money and you can find out more about how much each type costs on the EC2 Pricing Page. In our case, we're just going to go with a micro instance, so you can just click 'Review and Launch'. There are other details we can specify here, but we're going to skip them because this is a tutorial for beginners.
In the above image, when you click the 'Launch' button, you'll be asked to download the private key of a key pair. This 'key pair' is a public and private key pair for use with SSH, and the private key that you are downloading will allow you to log into the instance you're launching. Everyone else will be prevented from being able to log in because they do not have this private key. In our case, we're going to create a new key pair, but you can use an existing one if you have any:
Here is an example of what the key file looks like:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
This file should be kept secret. Hackers constantly scan the internet looking for valid SSH keys and if they find yours they can log into your server and do anything with it. If you lose the key file, you will never be able to log back into the instance again because you're only allowed to download it once from the console.
Once you select or create a keypair and give it a name, you can click the 'Launch' button. Then you'll see a screen like this:
Once your instance has launched, go to the EC2 overview, and you'll see your new instance that you just launched:
Congratulations! You've just launched your first Amazon cloud server! To get prepared to connect to the server and host a web site on this server, we're going to modify the security group settings. You can do this by clicking on the security group link as shown in the above image.
You should make sure that there are 2 rules: One for port 80 (HTTP) and one for port 22 (ssh). The '0.0.0.0/0' address means 'traffic from any IP address':
Once you've added this, click save.
Now that you've got a server launched you can jump to the section titled 'Connecting To Your Server With SSH', or if you want to launch a second server via the command-line, you can follow through with the next section.
Launching An Amazon Server Via The Command Line
Before we can launch a server directly from the command-line, we need to create an IAM user that has programmatic access to launch instances in EC2. Let's do that now:
Once you go into the IAM dashboard, you'll see something like the image below. To create a new user, click on 'Users':
On the users page, click the 'Add User' button:
Now create a name for the new user. Make sure you select 'Programmatic Access', since we want to be able to act on behalf of this user automatically from the command-line:
There are several ways that you can attach privileges to a user, and for this tutorial, we'll just attach them directly:
The next step is to give fine-grained permissions to the user. This allows us to create very specific roles for whatever type of access you want to give. In this case, we'll grant full access to EC2, and S3 which is another useful service:
The final step lets you review what permissions you are adding and the type of user you are creating. The permission for S3 full access is not necessary for this tutorial, but it is meant to show you that you can add other types of fine-grained access to other services.
Once you finish creating the new user, you'll get access to the credentials that you can use to act on behalf of that user from the command-line:
The secret access key should be kept extremely secret. Hackers routinely scan the internet for valid credentials of this type and use them to launch many servers and run up AWS bills of tens of thousands of dollars at the owner's expense.
The AWS Command Line Interface
Now that we've got the credentials for your command-line user, let's review how to set up the AWS command-line interface. This tutorial assumes that you're using Linux, so if you're on Windows these instructions will be different for you. Official documentation on installing the AWS command-line interface can be found here.
If you're on Ubuntu, you can probably just use
sudo apt-get install awscli
to install the CLI. Once it's installed you should be able to do
aws --version
and see some kind of version number. If you get an error, then the command-line interface is probably not installed, or you may need to set your PATH variable.
To set up the CLI for first-time use, you can use this command
aws configure
which will ask you for 4 pieces of information:
- 1) Your AWS Access Key ID: This is the Access Key ID from the 'example-cli-user' that we just set up above.
- 2) Your AWS Secret Access Key: This is the Secret Access Key from the 'example-cli-user' that we just set up above.
- 3) Default region name: This is the default geographic region you want to be interacting with when you launch servers or modify anything in your AWS account. AWS effectively has a mirror version of all of its services in each region, so you could launch a different server in every region if you wanted, but you would have to specify a different region for each one. You can check this list of AWS regions for more information.
- 4) Default output format: This is the output format of responses you get on the command-line. If you're building a command-line application to do things automatically, you'll want to be able to parse the responses easily, so you'll have to specify whatever output format is easiest to parse for you. For this example we'll choose JSON.
If you've got the AWS CLI correctly set up, you should be able to run
aws ec2 describe-instances
and see output that looks something like this:
{
"Reservations": []
}
The above output is telling us that we currently don't have any instances launched yet. If you see more output than this, such as various ids and IP addresses, then you are looking at information related to instances you've already launched in the past.
Before we actually launch our instance, we need to collect a few pieces of information first, and also create a security group. Run the command
aws ec2 describe-vpcs
the result should be something like this:
{
"Vpcs": [
{
"VpcId": "vpc-11fa",
"IsDefault": true,
"State": "available",
"CidrBlock": "172.31.0.0/16",
"InstanceTenancy": "default",
"DhcpOptionsId": "dopt-eec6"
}
]
}
Your output should contain at least one record of a VPC since one is usually created for you automatically by default. If there are no results, you may need to create a VPC first and configure it as well. Take note of the VPC ID from above: vpc-11fa. This id will be different for you.
Now that we have a VPC ID, we can create a security group. Use the following command to create a new security group:
aws ec2 create-security-group --group-name my-sg --description "My security group" --vpc-id vpc-11fa
Which should output something similar to this:
{
"GroupId": "sg-6e5ef407"
}
Take note of the security group id sg-6e5ef407. This id will be different for you.
By default, the security group of an instance is set up to block traffic from the outside world. For our example, we will open up all inbound traffic for SSH and HTTP. This will allow us to log into the server with SSH, and view a web page later in the browser.
aws ec2 authorize-security-group-ingress --group-id sg-6e5ef407 --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id sg-6e5ef407 --protocol tcp --port 80 --cidr 0.0.0.0/0
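The two rules above let any address on the internet reach both ports. Port 80 is meant to be public, but SSH on port 22 usually is not. The following is an added example, not part of the original article: it reads the JSON printed by 'aws ec2 describe-security-groups' and lists every rule that exposes a non-public port to 0.0.0.0/0 or ::/0. The sample data is constructed, and the function names and the PUBLIC_PORTS setting are this example's own.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output:
# the two rules created above, a hypothetical SSH rule limited to one
# address, and a hypothetical "all traffic" rule (protocol -1).
SAMPLE_OUTPUT = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-6e5ef407",
    "GroupName": "my-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}]})

# Assumption: the only port this tutorial wants reachable by anyone is HTTP.
PUBLIC_PORTS = frozenset({80})


def is_world_open(cidr):
    """True when the CIDR matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(rule):
    """Return (low, high); protocol -1 means all protocols and all ports."""
    if rule["IpProtocol"] == "-1":
        return (0, 65535)
    return (rule["FromPort"], rule["ToPort"])


def world_open_findings(describe_output, public_ports=PUBLIC_PORTS):
    """Return (group_id, protocol, low, high, cidr) for each rule that lets
    any address reach a port outside public_ports."""
    findings = []
    for group in json.loads(describe_output)["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            if rule["IpProtocol"] not in ("tcp", "udp", "-1"):
                continue  # ICMP and other protocols carry no port numbers
            low, high = port_range(rule)
            if all(port in public_ports for port in range(low, high + 1)):
                continue  # every port the rule covers is meant to be public
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_world_open(cidr):
                    findings.append(
                        (group["GroupId"], rule["IpProtocol"], low, high, cidr))
    return findings


if __name__ == "__main__":
    for group_id, proto, low, high, cidr in world_open_findings(SAMPLE_OUTPUT):
        print(f"{group_id}: {proto} ports {low}-{high} open to {cidr}")
```

A finding on port 22 is narrowed by removing the 0.0.0.0/0 rule with 'aws ec2 revoke-security-group-ingress' and adding it back with --cidr set to your own public address followed by /32.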
We also need to set up a key pair just like we did through the console. Creating a key pair can be done with the following command:
aws ec2 create-key-pair --key-name example-cli-keypair
The output will look something like this:
{
"KeyMaterial": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAngg2nv0arxb+9ag5mMEdAGGL4zXFSuqGPyGTLJsEuD9Aphghq1wYcpJrpl2X\nLi43H44+QronlzHWYg+MYCafCBLn4wwkBGcWwpiFwYf9mphW1BALMGygGxZEV0k935wOVoqdsfr3\nNRblbQ/R5XR63jsCCbqRKfWdYnzhz/6Aainawq2lL/dkKK/RcR+4afEjY/AVaYjxPTbPgpdMvQqg\nHazhrr/WhkqVd1FHvcBNkqOWPxnyMtcuZUCtceJWf7tF2mDj+J76PxOTQrGuMPj2SO1xMqXPpO2I\n9yEfI37p1Arf83SU25Riuz+HPRvQ5PC3ojO5/LfvYBjfft1y0RCPJwIDAQABAoIBAQCVI5kwuBqr\nrJ8XBRi+IVmWV3imB8PWrLfe8nere+ybWQ5Q8assxfBIiAhR7DdVnMXm4N2/KWFdnen9h0DqKOii\nvPzcWEPRZ9yh70Ej4Iwkjqo63Z1BqPH8Pipm2bcrxWH+qDikk/0ivCXupCRpUGD4Q2Xr+ocuux45\nqTOOkFduV+XvKEBNwxqZaSPvbMSB6ZjILZ72sQeTZVNApEKcCGm8ew+4lz8bsOgCrOmKSSE2v9zA\n9zMO19B80bTWM9M8d9XwFjed04DXraPrKifC26qnji1fsU4kDBqMcbDwhw01rxtFA30xLcNtiPTd\nxJOU08h0l8hsAeBeXk59ZH8jMCrpAoGTAP0CbMBFq7FLtsV3GyPlImEzX53bCofRnzZYy54ik0x+\n6Orb0kpbBgIj9KBQGzfevPGvefQ/r1fOexmR0shut9VS+Lv2tv1nwQM+uc3O/JnSfEN/xZpk7I+5\nbLqcEYEVBc1+k5DqIBxHGopKzuiSYI49jTUJvwPWR4ZOPKhmXYsbAoGBAJ/mZhcrCsqwnoKyS+wU\nMtGYrppysx4/gtNWsMKdYlRyzPhT75j/ExKr20Kj3D6iiouj4LpFYS8s/va2p4ul44VsakGLrAR1\n4KS3TJZ/4X341UiDL7AdLjDhgDN2i0HktqHH9/Dr0z+wa7lOZeK3a10ieSzfsO1K1ZAGsu0UO2Dl\nAoGAX23dtPvSUZIcQwi0rOpM+FqXMwQeSbIwGiCN1Hx4EH9BvOviunbwojgLmbf9PCqAG6yzFAQ9\nT6Iq3i8ZUM4p+oVMGiFpTdUngODU1iK/NgmlIxR7ZMuySleHAi/Bjm1ufd7DLAKSz/eltAmZVzF2\nx8/BhgLCEGFvIuI5kM7jc4cCgYBlzg1l5tOiJT1mvRo1ns6UP/+6+hgsxAcJg4JbBlVaqxTxbo93\n+78q/hxFm4pYnqhTK+2i6xVrMdzLO5QFB4OKqXIldUX6OQrkFIhAsf7hc5Jn7o5oNMv59zjmiy0y\nsOnOq0CjNaJ0RGDxxIZ+CIXk8FPyTCGbky/R2VIGPAFqOQKBgD6ZANJP35zBK31svxmPix2wa7ti\nd3I/I5Lf//f9bj1gQkNoPccsIVcwPLcOElG9UjyGXAmo70FmuAKfZq43HWHG/gNTbftt4t+ebEei\niNlQqBWkVmwGGsY5y7KD6b+VU49dmYCDpilvSoz4swVQ/ocj51gUSK38a5khlwoQyMFo\n-----END RSA PRIVATE KEY-----",
"KeyName": "example-cli-keypair",
"KeyFingerprint": "37:83:52:2b:3b:37:9e:99:e1:7b:a5:76:3c:c5:de:ea:33:d5:bc:c7"
}
You can take the above key that gets output and use that to log into any server using it later. You'll have to replace the '\n' characters with actual new lines so that the format matches the expected format of private key files. Also, if you include any of the quotes or accidentally delete characters from the key, it won't work. When you put the key into a file, it should look like this:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
This file should be kept secret. Hackers constantly scan the internet looking for valid SSH keys and if they find yours they can log into your server and do anything with it. If you lose the key file, you will never be able to log back into the instance again because you're only allowed to see it when creating the key pair.
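Copying the key out of the JSON by hand is where quotes and '\n' sequences get mangled, and a file created by an editor is often readable by other users. The following is an added example, not part of the original article: it decodes the 'aws ec2 create-key-pair' output, checks the PEM framing, and creates the key file with mode 0600 from the first byte. The sample output is constructed (its body is placeholder text, not a key) and the function names are this example's own.

```python
import json
import os
import re
import stat
import tempfile

PEM_BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
PEM_END = "-----END RSA PRIVATE KEY-----"

# Constructed stand-in for `aws ec2 create-key-pair` output. The body lines
# are placeholder base64 text and the fingerprint is made up.
SAMPLE_OUTPUT = (
    '{"KeyMaterial": "-----BEGIN RSA PRIVATE KEY-----\\n'
    'Q09OU1RSVUNURURfU0FNUExFX05PVF9BX1JFQUxfS0VZ\\n'
    'QUJDREVGR0hJSktMTU5PUA==\\n'
    '-----END RSA PRIVATE KEY-----", '
    '"KeyName": "example-cli-keypair", '
    '"KeyFingerprint": "00:11:22:33"}'
)


def extract_pem(create_key_pair_output):
    """Decode the JSON (which turns the \\n escapes into real newlines) and
    reject anything that is not a cleanly framed PEM block."""
    pem = json.loads(create_key_pair_output)["KeyMaterial"].strip()
    lines = pem.split("\n")
    if lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("KeyMaterial is not framed as an RSA private key")
    for line in lines[1:-1]:
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", line):
            raise ValueError("unexpected character in key body")
    return pem + "\n"


def write_private_key(pem, path):
    """Create the file owner-read/write only. O_EXCL refuses to overwrite an
    existing key, and the mode is applied at creation, so the key is never
    on disk with looser permissions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(pem)


def too_open_for_ssh(path):
    """ssh ignores a private key if any group or other permission bit is set."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as directory:
        key_path = os.path.join(directory, "example-cli-keypair.pem")
        write_private_key(extract_pem(SAMPLE_OUTPUT), key_path)
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        print(f"{key_path}: mode {mode:04o}, too open: {too_open_for_ssh(key_path)}")
```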
Now that we've got the security group and key pair set up, we can launch our instance. You will need to use your own security group id and key name, but the count and instance type should be able to stay the same. You'll have to choose an AMI id that applies to your region as explained below:
aws ec2 run-instances --image-id ami-7b74c91f --count 1 --instance-type t2.micro --key-name example-cli-keypair --security-group-ids sg-6e5ef407
To explain each parameter:
- --image-id: This identifies the type of operating system and other instance related information. Here is a list of Ubuntu AMI ids. Also, see Finding A Linux AMI.
- --count: This identifies how many servers of this type you want to launch. You can make this number very large, and it would cost you lots of money.
- --instance-type: This identifies how large the instance will be and how many resources it will have. See EC2 Instance Types.
- --key-name: This identifies the key pair we created earlier.
- --security-group-ids: This identifies the security group we created earlier.
Your output will look something like this:
{
"ReservationId": "r-002",
"Instances": [
{
"BlockDeviceMappings": [],
"EbsOptimized": false,
"InstanceType": "t2.micro",
"SourceDestCheck": true,
"StateReason": {
"Message": "pending",
"Code": "pending"
},
"ProductCodes": [],
"LaunchTime": "2017-03-13T19:46:39.000Z",
"PrivateIpAddress": "172.31.22.90",
"SecurityGroups": [
{
"GroupId": "sg-6e5e",
"GroupName": "launch-wizard-1"
}
],
"RootDeviceType": "ebs",
"KeyName": "example-cli-keypair",
"ClientToken": "",
"Placement": {
"GroupName": "",
"AvailabilityZone": "ca-central-1a",
"Tenancy": "default"
},
"Architecture": "x86_64",
"PrivateDnsName": "ip-172-31-22-90.ca-central-1.compute.internal",
"AmiLaunchIndex": 0,
"NetworkInterfaces": [
{
"SubnetId": "subnet-d902",
"SourceDestCheck": true,
"Description": "",
"VpcId": "vpc-11fa",
"Groups": [
{
"GroupId": "sg-6e5e",
"GroupName": "launch-wizard-1"
}
],
"PrivateIpAddresses": [
{
"Primary": true,
"PrivateDnsName": "ip-172-31-22-90.ca-central-1.compute.internal",
"PrivateIpAddress": "172.31.22.90"
}
],
"OwnerId": "0",
"Attachment": {
"DeleteOnTermination": true,
"AttachmentId": "eni-attach-c7",
"DeviceIndex": 0,
"Status": "attaching",
"AttachTime": "2017-03-13T19:46:39.000Z"
},
"MacAddress": "02:4a:7a:a3",
"NetworkInterfaceId": "eni-292",
"PrivateIpAddress": "172.31.22.90",
"Status": "in-use",
"PrivateDnsName": "ip-172-31-22-90.ca-central-1.compute.internal"
}
],
"ImageId": "ami-7b74c91f",
"SubnetId": "subnet-d902",
"State": {
"Name": "pending",
"Code": 0
},
"PublicDnsName": "",
"InstanceId": "i-00da52018",
"VpcId": "vpc-11fa",
"Monitoring": {
"State": "disabled"
},
"RootDeviceName": "/dev/sda1",
"Hypervisor": "xen",
"StateTransitionReason": "",
"VirtualizationType": "hvm"
}
],
"OwnerId": "0",
"Groups": []
}
After a while (it may take time), you should be able to run:
aws ec2 describe-instances
And see an entry for 'PublicDnsName':
{
"Reservations": [
{
"Groups": [],
"OwnerId": "0",
"Instances": [
{
"StateTransitionReason": "",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"DeleteOnTermination": true,
"AttachTime": "2017-03-13T19:46:39.000Z",
"Status": "attached",
"VolumeId": "vol-02824"
}
}
],
"PublicDnsName": "ec2-52-60-101-83.ca-central-1.compute.amazonaws.com",
"SecurityGroups": [
{
"GroupId": "sg-6e5e",
"GroupName": "launch-wizard-1"
}
],
"LaunchTime": "2017-03-13T19:46:39.000Z",
"EbsOptimized": false,
"RootDeviceName": "/dev/sda1",
"SourceDestCheck": true,
"NetworkInterfaces": [
{
"MacAddress": "02:4a:7a:a3",
"Attachment": {
"AttachmentId": "eni-attach-c7",
"AttachTime": "2017-03-13T19:46:39.000Z",
"DeviceIndex": 0,
"Status": "attached",
"DeleteOnTermination": true
},
"VpcId": "vpc-11fa",
"PrivateIpAddress": "172.31.22.90",
"PrivateIpAddresses": [
{
"PrivateIpAddress": "172.31.22.90",
"PrivateDnsName": "ip-172-31-22-90.ca-central-1.compute.internal",
"Association": {
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-60-101-83.ca-central-1.compute.amazonaws.com",
"PublicIp": "52.60.101.83"
},
"Primary": true
}
],
"OwnerId": "0",
"SourceDestCheck": true,
"Description": "",
"Status": "in-use",
"NetworkInterfaceId": "eni-292",
"PrivateDnsName": "ip-172-31-22-90.ca-central-1.compute.internal",
"Association": {
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-60-101-83.ca-central-1.compute.amazonaws.com",
"PublicIp": "52.60.101.83"
},
"SubnetId": "subnet-d902",
"Groups": [
{
"GroupId": "sg-6e5e",
"GroupName": "launch-wizard-1"
}
]
}
],
"InstanceId": "00da52018",
"Hypervisor": "xen",
"Placement": {
"GroupName": "",
"Tenancy": "default",
"AvailabilityZone": "ca-central-1a"
},
"PublicIpAddress": "52.60.101.83",
"Monitoring": {
"State": "disabled"
},
"InstanceType": "t2.micro",
"VirtualizationType": "hvm",
"VpcId": "vpc-11fa",
"ProductCodes": [],
"PrivateIpAddress": "172.31.22.90",
"State": {
"Code": 16,
"Name": "running"
},
"RootDeviceType": "ebs",
"AmiLaunchIndex": 0,
"ImageId": "ami-7b74c91f",
"KeyName": "example-cli-keypair",
"ClientToken": "",
"SubnetId": "subnet-d902",
"Architecture": "x86_64",
"PrivateDnsName": "ip-172-31-22-90.ca-central-1.compute.internal"
}
],
"ReservationId": "r-002"
}
]
}
Take note of the 'PublicDnsName' because we will use it in a moment.
Connecting To Your Server With SSH
This section takes over from where we left off in either section 'Launching An Amazon Server Via The Console' or 'Launching An Amazon Server Via The Command Line'. Both methods give you a similar end result, but the advantage of the command-line version is that it can be easily automated.
Regardless of which method you used above to launch a server, the way we're going to connect to it is the same. You just need to make sure you have 2 things ready:
- Your SSH private key file.
- The public DNS or IP for the Amazon server you just launched.
On Linux, this is the general command you can use to connect to your instance:
ssh ubuntu@<The Public DNS Or Public IP> -i <The Private Key File>
Here is a specific example:
ssh ubuntu@ec2-52-60-146-131.ca-central-1.compute.amazonaws.com -i ~/Downloads/example-keypair.pem
The 'ubuntu@' part specifies that we want to connect as the user 'ubuntu'. We need to do this because the default user is 'ubuntu' on these instances. Other Linux operating systems may have different default usernames and you can probably find these out by searching on Google.
Here is an example of what you might see the first time you try to connect:
The authenticity of host 'ec2-52-60-146-131.ca-central-1.compute.amazonaws.com (52.60.146.131)' can't be established.
ECDSA key fingerprint is SHA256:350zGyyEEhM+1af9GTEksKXqsspUYc/3ytfZ1qtFjRk.
Are you sure you want to continue connecting (yes/no)?
This is because we haven't connected to this instance before and we don't have a saved record of its signature. To keep this tutorial simple, we will simply type 'yes' to continue. For more details on how to be more secure see Public Key Fingerprint.
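Instead of answering 'yes' on trust, the fingerprint in the prompt can be compared with the one the server printed about itself. The following is an added example, not part of the original article: it assumes the Ubuntu image's cloud-init wrote its host key fingerprints to the instance console on first boot, which can be read with 'aws ec2 get-console-output --instance-id <id> --output text' a few minutes after launch. The console excerpt is constructed and the function names are this example's own.

```python
import re

# Constructed excerpt shaped like the block cloud-init writes to the console.
# The ECDSA value is the one from the ssh prompt above; the RSA value is a
# made-up placeholder.
SAMPLE_CONSOLE = """\
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 256 SHA256:350zGyyEEhM+1af9GTEksKXqsspUYc/3ytfZ1qtFjRk root@ip-172-31-30-242 (ECDSA)
ec2: 2048 SHA256:CONSTRUCTEDxSAMPLExVALUExNOTxAxREALxKEYx000 root@ip-172-31-30-242 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################
"""

# The first-connection prompt exactly as ssh printed it above.
SAMPLE_PROMPT = """\
The authenticity of host 'ec2-52-60-146-131.ca-central-1.compute.amazonaws.com (52.60.146.131)' can't be established.
ECDSA key fingerprint is SHA256:350zGyyEEhM+1af9GTEksKXqsspUYc/3ytfZ1qtFjRk.
Are you sure you want to continue connecting (yes/no)?
"""

FINGERPRINT = r"((?:SHA256|MD5):[A-Za-z0-9+/:]+)"
CONSOLE_LINE = re.compile(r"\d+\s+" + FINGERPRINT + r"\s.*\((\w+)\)\s*$")
PROMPT_LINE = re.compile(r"(\w+) key fingerprint is " + FINGERPRINT)


def console_fingerprints(console_text):
    """Map key type -> fingerprint, reading only the marked console block."""
    found, inside = {}, False
    for line in console_text.splitlines():
        if "-----BEGIN SSH HOST KEY FINGERPRINTS-----" in line:
            inside = True
        elif "-----END SSH HOST KEY FINGERPRINTS-----" in line:
            inside = False
        elif inside:
            match = CONSOLE_LINE.search(line)
            if match:
                found[match.group(2).upper()] = match.group(1)
    return found


def prompt_fingerprint(prompt_text):
    """Return (key type, fingerprint) from ssh's first-connection prompt."""
    match = PROMPT_LINE.search(prompt_text)
    if not match:
        raise ValueError("no host key fingerprint in ssh prompt")
    return match.group(1).upper(), match.group(2)


def safe_to_answer_yes(console_text, prompt_text):
    """True only when the console lists the same fingerprint for the key type
    ssh is offering. An empty or incomplete console log fails closed."""
    key_type, offered = prompt_fingerprint(prompt_text)
    return console_fingerprints(console_text).get(key_type) == offered


if __name__ == "__main__":
    print("fingerprints match:", safe_to_answer_yes(SAMPLE_CONSOLE, SAMPLE_PROMPT))
```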
After you type 'yes', you'll see
Warning: Permanently added 'ec2-52-60-146-131.ca-central-1.compute.amazonaws.com,52.60.146.131' (ECDSA) to the list of known hosts.
which will prevent the same confirmation step from appearing in the future.
After this step, you may or may not get the following warning:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for '/home/robert/Downloads/example-keypair.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/robert/Downloads/example-keypair.pem": bad permissions
Permission denied (publickey).
If you get this warning, it's probably because your permissions are too open on the private key file. Since the private key is sensitive, SSH will prevent you from using it if your permissions are too loose. If your key file is called 'example-keypair.pem', run this command to check its permissions:
ls -la example-keypair.pem
If you see output that looks like this (with multiple 'r' or 'w' flags for the permissions), then your permissions are too open. Aside: See Linux file permissions for more details.
-rw-rw-r-- 1 robert robert 1692 Mar 12 17:41 /home/robert/example-keypair.pem
To make the permissions more closed, run this command:
chmod go-rw example-keypair.pem
and re-run this command:
ls -la example-keypair.pem
to observe that the permissions are more closed now:
-rw------- 1 robert robert 1692 Mar 12 17:41 /home/robert/example-keypair.pem
Now when you try your ssh command, you'll see something like this:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Get cloud support with Ubuntu Advantage Cloud Guest:
http://www.ubuntu.com/business/services/cloud
0 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
ubuntu@ip-172-31-30-242:~$
If you can see a prompt that looks similar to 'ubuntu@ip-172-31-30-242:~$', then you're now at the command prompt of your new server. Any command you type gets executed on the server, and not your local machine. To get back to the prompt of the computer you issued the ssh command from, type the 'exit' command.
Installing A Web Server
If you got this far, installing a web server is easy! You can do this with 2 commands on your remote server:
sudo apt-get update
sudo apt-get install -y apache2
You should now be able to browse to the public DNS or ip of your server, and see the following web page:
At this point, you can do just about anything on this server, but that's beyond the scope of this tutorial. If you got this far, you're done. Mission accomplished.
Common Problems
If you're trying to browse (in a web browser) to the public dns of your server and you get this error:
This site can’t be reached
ec2-52-60-146-131.ca-central-1.compute.amazonaws.com refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
you might not have actually installed (or started) the apache web server.
If you get a really really long load time followed by an eventual error page you may need to open up port 80 in the security group rules associated with this instance. The same can be said about using ssh. If your ssh command takes a really really long time, and then gives up with an error, you probably forgot to open up the SSH port to allow you to ssh into the server.