Part 3: Launching Servers with CloudWatch

Part 3: Launching Servers with CloudWatch

·

8 min read

Welcome back to the final installment of this series!

Today we will be launching our servers, configuring CloudWatch & adding resilience to our instances.

  • Part 1: Manually Configure a VPC
    Part 2: Secure the Network Environment
    Part 3: Launching Servers, CloudWatch/Resilience

Create IAM Role for CloudWatch Agent

IAM roles allow you to delegate access to users or services that normally don't have access to your organization's AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls.

Before we launch our App server in the private subnet, let's create an IAM role that our Web Server instance will utilize for CloudWatch.

  • In the services search bar in the AWS Console

    • Enter IAM

      • Hover over IAM in the results field and click Roles:

  • In the Create Role screen:

    • Select AWS service as the Trusted entity type

      • Select Ec2 Instance

        • Click Next

  • Under Add Permissions

    • Type "cloudwatchagent" and press enter

      • Select the second policy - CloudWatchAgentServer Policy

        • Click next

    • Under Name, Review, and Create:

      • Enter: SmallProjectACWAgent as the name

        • Scroll down and click Create role


Launch App Server Instance in the Private Subnet of the SmallProjectA VPC

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. Using Amazon EC2 eliminates your need to invest in hardware upfront, so you can develop and deploy applications faster

  • In the services search at the top left of the AWS console:

    • Type Ec2

      • Click EC2

  • Click Launch Instance:

  • Enter the following in the Launch Instance screen:

    • AMI: Amazon Linux 2 AMI

    • Instance type: t2.micro

    • Key Pair: Proceed without Key Pair

  • Network Settings

    • VPC: SmallProjectA

    • Subnet: Private Subnet 1

    • Auto Assign Ipv4: Disable

    • Security Group: Select Existing Group > AppServerSPASG

  • In the Advanced Details section under User Data:

    • Enter the following script:

        #!/bin/bash
          yum update -y
          amazon-linux-extras install epel -y
          yum install stress -y
          yum install -y httpd php
          systemctl start httpd
          systemctl enable httpd
          echo '<center><h1><?php echo $_SERVER["SERVER_ADDR"]; ?></h1></center><br><br><?php phpinfo(); ?>' > /var/www/html/index.php
      

  • This script will perform the following upon instance launch:

    • Updates package manager

    • Install extra packages

    • Install Apache Web Server PHP

    • Starts Apache Web Server

    • Enables web server to start automatically on boot

    • Creates a home page that displays information regarding the site's PHP configuration.

  • Click Launch Instance

  • After launching, Click the instance ID in the banner

  • On the Instance screen:

    • Select the AppServerSPA instance

      • In the details tab on the bottom, copy the Private IP address for the next step:


Launch Web Server Instance in the Public Subnet of the SmallProjectA VPC

  • In this next task, you will create an ec2 instance for the web server that will run on the public subnet.

    • The web server will communicate with the application server through the PrivateSubnetACL network ACL and the APPSG security group.
  • Launch Ec2 Instance in Public Subnet 1 and enter the following:

    • Enter the following in the Launch Instance screen:

      • Name: WebServerSPA

      • AMI: Amazon Linux 2 AMI

      • Instance type: t2.micro

      • Key Pair: Proceed without Key Pair

    • Network Settings

      • VPC: SmallProjectA

      • Subnet: Public Subnet 1

      • Auto Assign Ipv4: Enable

      • Security Group: Select Existing Group > WebServerSPASG

    • Advanced Details

      • IAM Instance Profile: SmallProjectACWAgent

      • User Data - Use script below but replace APPSERVERIP w/ AppServer Private IP.

  • Launch Instance - Obtain Instance Public IP via Instance Dashboard > Details

yum update -y
   amazon-linux-extras install epel -y
   yum install stress -y
   yum install -y httpd php
   systemctl start httpd
   systemctl enable httpd
   echo '<center><h1><?php echo $_SERVER["SERVER_ADDR"]; ?></h1></center><br><br><?php phpinfo(); ?>' > /var/www/html/index.php
   echo '<?php error_reporting(E_ERROR); $fp = fsockopen("APPSERVERIP", 80, $errno, $errstr, 1);    if (!$fp) {echo "<h1>Success</h1>";} else {echo "<h1>Fail</h1>"; fclose($fp);}Test Web Server

Test Web Server

  • Go to a new browser and enter the Web Server's Pubic Ip Address

    • WebServerIP/appservertest.php

Success! We can successfully connect to our instance which indicates we have a connection to the App server.

SSH Into Web Server via Ec2 Instance Connect

Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH).

  • In the service search bar at the top of the AWS console

    • Enter Ec2

      • Click Ec2

  • In the left-hand navigation pane of the Ec2 Dashboard

    • Click Instances

  • In the Instances dashboard

    • Select WebServerSPA

      • Click Connect

  • In the Connect to Instance dashboard

    • Keep all default settings

      • Click Connect

!!! We are unable to connect to our instance... lets find out why.

When using EC2 Instance Connect, an HTTPS connection is established between your computer and the EC2 Instance Connect Service inside AWS. The Ec2 Connect Service then establishes an SSH connection to the EC2 instance. We will need our security group to allow SSH traffic for IP range 18.206.107.24/29 for the EC2 Connect Service in us-east-1.

The IP ranges for the EC2 Instance Connect service can be found here: https://ip-ranges.amazonaws.com/ip-ranges.json


Add SSH Traffic to WebServerSPASG Security Group

  • Navigate back to the Ec2 Dashboard

    • Click on Security Group

      • Select WebServerSPASG

        • Add inbound rule

        • Source: Custom, 18.206.107.24/59

        • Click Save rules

  • In the left-hand navigation pane of the Ec2 Dashboard

    • Click Instances

      • Select WebServerSPA

        • Click Connect
    • Connect via Ec2 Instance Connect

  • You should now see the Command Line Interface (CLI) for your instance


Installing & Starting CloudWatch Agent

CloudWatch Agent is a software package that autonomously and continuously runs on your servers. Using CloudWatch Agent, we can collect metrics and logs from Amazon Elastic Compute Cloud (Amazon EC2), hybrid, and on-premises servers running both Linux and Windows

  • Install and Configure CloudWatch Agent via CLI
sudo yum install amazon-cloudwatch-agent -y
  • Initialize CloudWatch Config Wizard
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
  • The Wizard will go through a variety of options, ensure the following config is set: For any other parameter not specified, use default value

    • CollectD Monitoring

      • No
    • Do you want to monitor any host metrics? e.g CPU,memor, etc.

      • Yes
    • Would you like to collect metrics at High Resolution?

      • 10 s
    • Which Default Metrics do you want?

      • Advanced
    • Do you want to Monitor Log Files?

      • Yes
    • Log File Path?

      • /var/log/httpd/access_log
    • Monitor Additional Log Files

      • No
    • Store config in SSM Parameter Store?

      • No
    • Accept above content of config

      • Yes
  • Start the CloudWatch Agent via snippet below

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json
  • Close CLI

Create CloudWatch Alarm for Memory Usage

Amazon CloudWatch is a monitoring and management service that provides data and actionable insights for AWS, hybrid, and on-premises applications and infrastructure resources.

  • In the services search bar in the aws console:

    • Type CloudWatch

      • Click Cloudwatch

  • In the CloudWatch dashboard navigation pane:

    • Click In Alarm

      • Click Create Alarm

  • Select Metric & Conditions

    • Click CWAgent > InstanceId

      • Select:mem_used_percent

  • Click Period dropdown, keep all other default options

    • 1 Minute

  • Conditions

    • Select Static

    • Select Greater/Equal >= threshold

    • Enter 30

  • Click Next

  • Configure Actions

    • Remove Notification

    • Add Ec2 Action

      • Alarm State Trigger: In Alarm

      • Take the following action: Reboot Instance

  • Click Next & Create Alarm


Testing CloudWatch MemoryAlert alarm

  • Navigate to the Ec2 Dashboard

    • In the Navigation Pane: Click Instances

    • Select WebServerSPA

    • Click Connect

    • Connect via Ec2 Instance Connect

  • Once connected: In the CLI, type:

stress -m 1 --vm-bytes 700M

  • Navigate back to your CloudWatch dashboard tab

    • In the Navigation Pane select All Alarms:

      • The MemoryAlert Alarm should now be in state: "In Alarm"

      • If not, allow more time and refresh.

After some time, the alarm should revert back to an OK state. Click on the Memory Alert alarm to review the alarm history.

We can see that our stress test spiked the utilization of memory in our instance and action was taken by our CloudWatch alarm to remedy over utilization.


Great Job! Kudos to you if you've stuck through and completed this mini series. Although we ran into an issue with connecting to our instance, overall we were successful in implementing our tasks without issue.

  • We have completed the following:

    • Launched App Server in Private Subnet

    • Launched Web Server in Public Subnet

    • Created IAM Role for CloudWatch

    • Update Security Group to allow SSH for Ec2 Instance Connect in our region/az

    • SSH into Web Server via EC2 Instance Connect

    • Install/configure/start CloudWatch Agent via the command line

    • Create CloudWatch MemoryAlert Alarm

      • Added Resilience with CloudWatch action
    • Stress Test instance

Thank you for joining me on this three-part series...be sure to clean up any infrastructure that may have been provisioned so that you do not incur any charges.

Remove Infrastructure:

VPC Dashboard

  • Delete NAT Gateway

  • Release Elastic IP Address

Ec2 Dashboard

  • Terminate Web Server / App Server

CloudWatch Dashboard

  • Delete CloudWatch Alarm

Finally - Delete SmallProjectAVPC
* This will delete all resources associated with VPC

Till next time!