AWS: EBS
- EBS volumes are virtual and are not located on the same hardware as instances.
- Instances access EBS volumes over networking.
- The scope of an EBS volume is an AZ; EBS volumes cannot be attached to instances in a different AZ.
-
EBS Multi-Attach
- Available for Nitro system-based EC2 instances only.
- Allows for up to 16 instances to be attached to a single volume.
- The volume must be a Provisioned IOPS io1 volume.
- All instances and the EBS volume must be in the same AZ.
Termination protection
- If termination protection is off, the EBS volume for the root filesystem is deleted when the instance it is linked to is terminated.
- Termination protection is off by default for root EBS volumes.
- Termination protection is on by default for additional EBS volumes.
- The corresponding attribute is DeleteOnTermination.
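As an added example (not part of the original notes), the following Python works out which volumes EC2 deletes when an instance is terminated, using the DeleteOnTermination flag the notes mention, and builds the argument that clears the flag for one volume. The instance record is constructed to mirror the relevant fields of an EC2 DescribeInstances response; the instance and volume IDs are placeholders, not real resources.

```python
# Added example, not part of the original notes: which EBS volumes survive an
# instance termination, judged from DeleteOnTermination in the block device
# mappings, and the payload that flips the flag for a volume worth keeping.
import json
from typing import Any, Dict, List

# Constructed sample shaped like the relevant fields of an EC2
# DescribeInstances response; the IDs are placeholders, not real resources.
SAMPLE_INSTANCE: Dict[str, Any] = {
    "InstanceId": "i-0exampleplaceholder",
    "RootDeviceName": "/dev/xvda",
    "BlockDeviceMappings": [
        # Root volume at its default: deleted with the instance.
        {"DeviceName": "/dev/xvda",
         "Ebs": {"VolumeId": "vol-0rootplaceholder", "DeleteOnTermination": True}},
        # Additional volume at its default: retained after termination.
        {"DeviceName": "/dev/sdf",
         "Ebs": {"VolumeId": "vol-0dataplaceholder1", "DeleteOnTermination": False}},
        # Additional volume someone flagged for deletion: goes with the instance.
        {"DeviceName": "/dev/sdg",
         "Ebs": {"VolumeId": "vol-0dataplaceholder2", "DeleteOnTermination": True}},
    ],
}


def volumes_deleted_on_termination(instance: Dict[str, Any]) -> List[str]:
    """Volume IDs that EC2 deletes when this instance is terminated."""
    return [
        m["Ebs"]["VolumeId"]
        for m in instance["BlockDeviceMappings"]
        if m["Ebs"].get("DeleteOnTermination", False)
    ]


def data_volumes_at_risk(instance: Dict[str, Any]) -> List[str]:
    """Non-root volumes that will be deleted together with the instance.

    The default for additional volumes is DeleteOnTermination=false, so a data
    volume with the flag set is a deviation worth a finding: terminating the
    instance, by accident or otherwise, also destroys that data.
    """
    root = instance["RootDeviceName"]
    return [
        m["Ebs"]["VolumeId"]
        for m in instance["BlockDeviceMappings"]
        if m["DeviceName"] != root and m["Ebs"].get("DeleteOnTermination", False)
    ]


def keep_on_termination_payload(instance: Dict[str, Any], volume_id: str) -> List[Dict[str, Any]]:
    """Build the --block-device-mappings value for
    `aws ec2 modify-instance-attribute` that clears the flag for one volume."""
    for m in instance["BlockDeviceMappings"]:
        if m["Ebs"]["VolumeId"] == volume_id:
            return [{"DeviceName": m["DeviceName"], "Ebs": {"DeleteOnTermination": False}}]
    raise ValueError(f"{volume_id} is not attached to {instance['InstanceId']}")


if __name__ == "__main__":
    print("deleted on termination:", volumes_deleted_on_termination(SAMPLE_INSTANCE))
    print("data volumes at risk:", data_volumes_at_risk(SAMPLE_INSTANCE))
    for vol in data_volumes_at_risk(SAMPLE_INSTANCE):
        print("remediation for", vol, "->",
              json.dumps(keep_on_termination_payload(SAMPLE_INSTANCE, vol)))
```

The printed JSON is the value to pass as `--block-device-mappings` to `aws ec2 modify-instance-attribute --instance-id <id>`; the check itself runs over a stored describe response, so it can be scheduled without any write permissions.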
Live scaling
- Volume sizes and types can be changed without taking them offline (except for magnetic standard).
- Volume sizes can be increased, performance adjusted, and volume types changed while the volume is in use.
- Increasing the volume size does not increase the filesystem size.
- To do this through the console, simply right click and choose “Modify Volume”. The performance changes might take some time.
Volume types
- See the link above for specifics on current specs.
- There are instance-level limits on IOPS and throughput, in addition to volume-level limits.
- Those limits are: 160,000 IOPS and 4750 MB/s throughput.
- To reach max IOPS and throughput per instance, an instance that supports EBS optimization must be used.
SSDs
General Purpose SSD (gp2):
- System root volumes, VDI, low-latency apps, and dev/testing environments.
- Throughput and IOPS scale when volume capacity reaches certain levels.
- 1 GiB - 16 TiB.
- Up to 16k IOPS and 250 MiB/s at the time of writing.
- Older gp2 volumes might not reach full performance unless you modify the volume.
- 3 IOPS per GB.
- Volumes under 1000 GiB can burst up to 3000 IOPS.
- Minimum IOPS is 100.
Provisioned IOPS SSD (io1 and io2):
- Critical applications that need high sustained IOPS and throughput.
- Databases.
- io2 offers higher durability (99.999%); all other types of SSD/HDD only offer 99.8% - 99.9%.
- io1 is the only EBS volume type that supports Multi-Attach.
- 4 GiB - 16 TiB.
- Up to 64k IOPS and 1000 MiB/s throughput guaranteed when using the instances built on the Nitro System with more than 32k IOPS provisioned.
- Up to 32k IOPS and 500 MiB/s throughput guaranteed when using non-Nitro instances.
- Older io1 volumes might not reach full performance unless you modify the volume.
- Can provision up to 50 IOPS per GB.
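The gp2 and io1 figures above (3 IOPS per GiB with a 100 IOPS floor and a 3000 IOPS burst, 50 IOPS per GiB for io1 with Nitro and non-Nitro caps, and the 160,000 IOPS instance-level cap) are easier to sanity-check as code. The following Python is an added example, not part of the original notes; it encodes only the numbers the notes give, and the instance-level function assumes the instance is EBS-optimized, since the notes give no figure for one that is not.

```python
# Added example, not part of the original notes: the IOPS arithmetic the notes
# give for gp2 and io1 volumes and the instance-level cap, as functions.
from typing import List, Tuple

GP2_MIN_GIB, GP2_MAX_GIB = 1, 16 * 1024
GP2_IOPS_PER_GIB, GP2_MIN_IOPS, GP2_MAX_IOPS, GP2_BURST_IOPS = 3, 100, 16_000, 3_000

IO1_MIN_GIB, IO1_MAX_GIB = 4, 16 * 1024
IO1_IOPS_PER_GIB = 50
IO1_MAX_IOPS_NITRO, IO1_MAX_IOPS_OTHER = 64_000, 32_000

# Instance-level cap from the notes (applies to an EBS-optimized instance).
INSTANCE_MAX_IOPS = 160_000


def gp2_iops(size_gib: int) -> Tuple[int, int]:
    """Return (baseline IOPS, peak IOPS reachable while burst credits last)."""
    if not GP2_MIN_GIB <= size_gib <= GP2_MAX_GIB:
        raise ValueError(f"gp2 size must be {GP2_MIN_GIB}-{GP2_MAX_GIB} GiB, got {size_gib}")
    baseline = min(max(GP2_IOPS_PER_GIB * size_gib, GP2_MIN_IOPS), GP2_MAX_IOPS)
    # Volumes under 1000 GiB can burst to 3000 IOPS; at 1000 GiB the baseline
    # is already 3000, so above that the burst adds nothing.
    peak = max(baseline, GP2_BURST_IOPS)
    return baseline, peak


def io1_max_iops(size_gib: int, nitro: bool) -> int:
    """Largest IOPS figure that can be provisioned on an io1 volume of this size."""
    if not IO1_MIN_GIB <= size_gib <= IO1_MAX_GIB:
        raise ValueError(f"io1 size must be {IO1_MIN_GIB}-{IO1_MAX_GIB} GiB, got {size_gib}")
    cap = IO1_MAX_IOPS_NITRO if nitro else IO1_MAX_IOPS_OTHER
    return min(IO1_IOPS_PER_GIB * size_gib, cap)


def instance_iops_ceiling(volume_iops: List[int]) -> int:
    """Aggregate IOPS an EBS-optimized instance can draw across its volumes.

    Adding volumes beyond the instance cap buys nothing; the per-instance limit
    is the binding one."""
    return min(sum(volume_iops), INSTANCE_MAX_IOPS)


if __name__ == "__main__":
    for size in (8, 500, 2000, 6000):
        print(f"gp2 {size:>5} GiB: baseline/peak = {gp2_iops(size)}")
    for size, nitro in ((100, True), (2000, True), (2000, False)):
        print(f"io1 {size:>5} GiB nitro={nitro}: max provisionable = {io1_max_iops(size, nitro)}")
    print("three 64k io1 volumes on one instance:", instance_iops_ceiling([64_000] * 3))
```

A practical use is capacity planning before paying for provisioned IOPS: an io1 volume whose size times 50 already exceeds the instance family's cap, or several volumes whose sum exceeds 160,000, is money spent on IOPS the instance cannot consume.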
HDDs
Throughput Optimized HDD (st1):
- Streaming, big data, data warehouses, and log processing.
- Cannot be a boot volume.
- 500 GiB - 16 TiB.
- Up to 500 IOPS and 500 MiB/s throughput.
Cold HDD (sc1):
- Large quantities of infrequently accessed data.
- Scenarios where cost is imperative.
- Cannot be a boot volume.
- 500 GiB - 16 TiB.
- Up to 250 IOPS and 250 MiB/s throughput.
Snapshots
- EBS snapshots are stored in S3.
- Even though snapshots are incremental, only the most recent one needs to be retained to restore a volume.
- Snapshots can be used to transfer an EBS volume to a different AZ (remember they are AZ specific). To do this, create an AMI from the snapshot, then launch an instance using the new AMI.
AMIs
- AMIs can be public, shared (selectively with another account), or private. Private by default.
- Custom AMIs can be created using snapshots.
- The EBS-backed instance must be stopped when creating an AMI, to create a consistent image.
Encryption
- Encrypting an EBS volume enables both encryption at rest and encryption in transit. (Remember that EBS volumes are attached to instances via networking.)
- Encrypted volumes have exactly the same performance as unencrypted volumes.
- EBS encryption uses AES-256.
- The EBS encryption key is stored on the same disk as the encrypted data and is encrypted with the account CMK. The encryption key is never stored as plain text.
- The encryption key is shared by snapshots of the volume and volumes created from the snapshots.
- Encrypted snapshots can only be shared if they use a custom CMK.
- AWS Config is an auditing tool that can be used to check that all EBS volumes meet company standards.
Copying, sharing, and encryption
Snapshots to volumes and vice versa
- When making a snapshot, the encryption state is retained, and snapshots stay in the same region.
- An unencrypted snapshot can create an encrypted or unencrypted volume, (optionally) in a different AZ to the original volume.
- An encrypted snapshot can be used to create an encrypted volume. AZ and keys can be (optionally) changed.
Copying snapshots
- When copying an unencrypted snapshot, it can optionally be encrypted and can be copied to a different region.
- An encrypted snapshot can be copied to create another encrypted snapshot. Keys and regions can be (optionally) changed.
Snapshots to AMIs
- An unencrypted snapshot can be used to create an unencrypted AMI.
- An encrypted snapshot creates an encrypted AMI. It cannot be shared with other accounts if it uses the AWS-managed CMK, and cannot be shared publicly at all.
Copying AMIs
- An encrypted AMI can be copied to create a new encrypted AMI. Encrypted AMIs can be copied across regions.
Using custom AMIs to create instances
- Instances created with encrypted AMIs are also encrypted. Encryption keys and AZ can be (optionally) changed.
- Instances created with unencrypted AMIs can (optionally) be encrypted. Instances can also be created in a different AZ than the AMI was originally created in.
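The Encryption section says AWS Config can check that volumes meet company standards, and the sharing rules above say an encrypted snapshot or AMI can be shared with another account only when it uses a custom CMK, and never publicly. The following Python is an added example, not part of the original notes and not AWS Config itself (the managed rule `encrypted-volumes` covers the unencrypted case there); it runs the same two checks offline over constructed records. The volume and snapshot records mirror EC2 DescribeVolumes / DescribeSnapshots fields, the key inventory mirrors the `KeyManager` field of KMS DescribeKey (`AWS` for an AWS-managed CMK, `CUSTOMER` for a customer-managed one), and every ARN and ID is a placeholder. The assumption that company standard requires a customer-managed key is the example's own.

```python
# Added example, not part of the original notes: an offline version of the
# "all volumes meet company standards" check, plus the snapshot/AMI sharing
# rules from the Copying, sharing, and encryption section.
from typing import Any, Dict, List, Tuple

# Constructed key inventory shaped like KeyMetadata.KeyManager from KMS
# DescribeKey. Both ARNs are placeholders.
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/aws-managed-placeholder"
CMK_KEY = "arn:aws:kms:us-east-1:111122223333:key/customer-placeholder"
KEY_MANAGERS: Dict[str, str] = {AWS_KEY: "AWS", CMK_KEY: "CUSTOMER"}

# Constructed volumes shaped like EC2 DescribeVolumes entries (placeholder IDs).
SAMPLE_VOLUMES: List[Dict[str, Any]] = [
    {"VolumeId": "vol-0plainplaceholder", "Encrypted": False},
    {"VolumeId": "vol-0awskeyplaceholder", "Encrypted": True, "KmsKeyId": AWS_KEY},
    {"VolumeId": "vol-0cmkplaceholder", "Encrypted": True, "KmsKeyId": CMK_KEY},
]


def audit_volumes(volumes: List[Dict[str, Any]], key_managers: Dict[str, str],
                  require_customer_key: bool = True) -> List[Tuple[str, str]]:
    """Return (volume id, reason) for every volume that misses the standard.

    Assumed standard: every volume is encrypted, and (optionally) with a
    customer-managed CMK so that snapshots of it can still be shared with
    another account and key policy stays under the account's control.
    """
    findings: List[Tuple[str, str]] = []
    for v in volumes:
        if not v.get("Encrypted", False):
            findings.append((v["VolumeId"], "unencrypted"))
            continue
        manager = key_managers.get(v.get("KmsKeyId", ""), "UNKNOWN")
        if require_customer_key and manager != "CUSTOMER":
            findings.append((v["VolumeId"], f"key-manager-{manager.lower()}"))
    return findings


def share_allowed(artifact: Dict[str, Any], key_managers: Dict[str, str], public: bool) -> bool:
    """Sharing rules from the notes for a snapshot or AMI record.

    Unencrypted: can be shared. Encrypted with a customer-managed CMK: can be
    shared with specific accounts but never publicly. Encrypted with the
    AWS-managed CMK: cannot be shared at all.
    """
    if not artifact.get("Encrypted", False):
        return True
    if public:
        return False
    return key_managers.get(artifact.get("KmsKeyId", "")) == "CUSTOMER"


if __name__ == "__main__":
    for vol_id, reason in audit_volumes(SAMPLE_VOLUMES, KEY_MANAGERS):
        print(f"NON_COMPLIANT {vol_id}: {reason}")
    snap = {"SnapshotId": "snap-0placeholder", "Encrypted": True, "KmsKeyId": CMK_KEY}
    print("share with account:", share_allowed(snap, KEY_MANAGERS, public=False))
    print("share publicly:    ", share_allowed(snap, KEY_MANAGERS, public=True))
```

Feeding this a stored `describe-volumes` output and a `describe-key` lookup per distinct `KmsKeyId` gives the same verdict AWS Config would record, and `share_allowed` is a useful pre-flight before a `modify-snapshot-attribute` or AMI launch-permission change, because the refusal the notes describe only surfaces at that point.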
RAID
- RAID 0 and RAID 1 are the configurations recommended by AWS.
- RAID is implemented at the instance OS-level rather than via AWS.
- RAID 5 and RAID 6 are not recommended by AWS due to having a large IOPS cost.
CloudWatch
Default metrics:
- VolumeReadOps.
- VolumeWriteOps.
- VolumeIdleTime.
- VolumeQueueLength.
- VolumeReadBytes.
- VolumeTotalReadTime.
- VolumeWriteBytes.
- VolumeTotalWriteTime.
- BurstBalance.
Disk usage is not available by default. The Unified CloudWatch Agent enables this metric.