# Part 3: Launching Servers with CloudWatch

Welcome back to the final installment of this series!

Today we will be launching our servers, configuring CloudWatch & adding resilience to our instances.

* Part 1: Manually Configure a VPC  
    Part 2: Secure the Network Environment  
    **Part 3: Launching Servers, CloudWatch/Resilience**
    

### Create IAM Role for CloudWatch Agent

> IAM roles allow you to delegate access to users or services that normally don't have access to your organization's AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls.

Before we launch our App server in the private subnet, let's create an IAM role that our Web Server instance will utilize for CloudWatch.

* In the services search bar in the AWS Console
    
    * Enter IAM
        
        * Hover over IAM in the results field and click Roles:
            

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690911693342/b2d4ad37-1f77-4cb7-a139-345c56175fe1.png align="center")

* In the Create Role screen:
    
    * Select AWS service as the Trusted entity type
        
        * Select Ec2 Instance
            
            * Click Next
                

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690913510552/bc06b147-fb5e-4cae-8909-88d8b715a6e7.png align="center")

* Under Add Permissions
    
    * Type "cloudwatchagent" and press enter
        
        * Select the second policy - CloudWatchAgentServer Policy
            
            * Click next
                
                ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690913534310/6323b321-688c-4fec-8098-301ec039199f.png align="center")
                
    * Under Name, Review, and Create:
        
        * Enter: SmallProjectACWAgent as the name
            
            * Scroll down and click Create role
                
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914771430/4bfd83f9-72ad-4fd2-a312-0e3961809dd3.png align="center")
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690913560062/2f83c6ac-e58c-4c20-b206-006f4d3ce574.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690913588266/02977dea-77b3-43f4-850e-66a359ec7635.png align="center")

---

### Launch App Server Instance in the Private Subnet of the SmallProjectA VPC

> *Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. Using Amazon EC2 eliminates your need to invest in hardware upfront, so you can develop and deploy applications faster*

* In the services search at the top left of the AWS console:
    
    * Type Ec2
        
        * Click EC2
            

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914837921/027f26da-03a4-4932-ba46-cf7cbcb93441.png align="center")

* Click Launch Instance:
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690913795764/d462b622-aaeb-41c7-a346-87dc03220ab1.png align="center")
    
* Enter the following in the Launch Instance screen:
    
    * AMI: Amazon Linux 2 AMI
        
    * Instance type: t2.micro
        
    * Key Pair: Proceed without Key Pair
        
* Network Settings
    
    * VPC: SmallProjectA
        
    * Subnet: Private Subnet 1
        
    * Auto Assign Ipv4: Disable
        
    * Security Group: Select Existing Group &gt; AppServerSPASG
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914884879/06d90ae0-c941-40c2-9a1f-9f15aa9ccf7d.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914890136/8ab22f4f-fc2b-4fca-ac0a-01cc90b855f8.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914909712/db56ee45-66c8-4618-9c3f-c2841aa5d4c0.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914921801/a4d23f8c-652d-41fc-b960-5f92eeb7e7af.png align="center")

* In the Advanced Details section under User Data:
    
    * Enter the following script:
        
        ```bash
        #!/bin/bash
          yum update -y
          amazon-linux-extras install epel -y
          yum install stress -y
          yum install -y httpd php
          systemctl start httpd
          systemctl enable httpd
          echo '<center><h1><?php echo $_SERVER["SERVER_ADDR"]; ?></h1></center><br><br><?php phpinfo(); ?>' > /var/www/html/index.php
        ```
        
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690915081865/a011e88f-e3cf-48c5-af02-b45db767a5ae.png align="center")
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690915085997/32938c4e-565c-4158-8b2d-9d14aa213622.png align="center")
    
* This script will perform the following upon instance launch:
    
    * Updates package manager
        
    * Install extra packages
        
    * Install Apache Web Server PHP
        
    * Starts Apache Web Server
        
    * Enables web server to start automatically on boot
        
    * Creates a home page that displays information regarding the site's PHP configuration.
        
* Click Launch Instance
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690915202805/1ee6b998-d9d1-4f8d-8a8f-5064dc2d62f3.png align="center")

* After launching, Click the instance ID in the banner
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690915232350/597baa1d-733e-4072-9360-2860ddeee71c.png align="center")

* On the Instance screen:
    
    * Select the AppServerSPA instance
        
        * In the details tab on the bottom, copy the Private IP address for the next step:
            

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690913912367/1d29bf03-d550-4573-87b3-9740877d5001.png align="center")

---

### **Launch Web Server Instance in the Public Subnet of the SmallProjectA VPC**

* In this next task, you will create an ec2 instance for the web server that will run on the public subnet.
    
    * The web server will communicate with the application server through the PrivateSubnetACL network ACL and the APPSG security group.
        
* Launch Ec2 Instance in **Public Subnet 1** and enter the following:
    
    * Enter the following in the Launch Instance screen:
        
        * Name: WebServerSPA
            
        * AMI: Amazon Linux 2 AMI
            
        * Instance type: t2.micro
            
        * Key Pair: Proceed without Key Pair
            
    * Network Settings
        
        * VPC: SmallProjectA
            
        * Subnet: Public Subnet 1
            
        * Auto Assign Ipv4: Enable
            
        * Security Group: Select Existing Group &gt; WebServerSPASG
            
    * Advanced Details
        
        * IAM Instance Profile: SmallProjectACWAgent
            
        * User Data - Use script below but replace APPSERVERIP w/ AppServer Private IP.
            
* Launch Instance - Obtain Instance Public IP via Instance Dashboard &gt; Details
    

```bash
yum update -y
   amazon-linux-extras install epel -y
   yum install stress -y
   yum install -y httpd php
   systemctl start httpd
   systemctl enable httpd
   echo '<center><h1><?php echo $_SERVER["SERVER_ADDR"]; ?></h1></center><br><br><?php phpinfo(); ?>' > /var/www/html/index.php
   echo '<?php error_reporting(E_ERROR); $fp = fsockopen("APPSERVERIP", 80, $errno, $errstr, 1);    if (!$fp) {echo "<h1>Success</h1>";} else {echo "<h1>Fail</h1>"; fclose($fp);}Test Web Server
```

---

### **Test Web Server**

* Go to a new browser and enter the Web Server's Pubic Ip Address
    
    * WebServerIP/appservertest.php
        

Success! We can successfully connect to our instance which indicates we have a connection to the App server.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690913985139/fe5cc48f-51e2-44ba-b323-a69f90a316ba.png align="center")

### **SSH Into Web Server via Ec2 Instance Connect**

> *Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH).*

* In the service search bar at the top of the AWS console
    
    * Enter Ec2
        
        * Click Ec2
            

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914019523/73a2c459-ea88-4327-b7b2-d21d34fde2ba.png align="center")

* In the left-hand navigation pane of the Ec2 Dashboard
    
    * Click Instances
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914104046/076424cf-3cfe-4e7f-b804-6355c8a04bf9.png align="center")

* In the Instances dashboard
    
    * Select WebServerSPA
        
        * Click Connect
            

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914073995/b18235f9-94e5-4070-a978-48731c8e402c.png align="center")

* In the Connect to Instance dashboard
    
    * Keep all default settings
        
        * Click Connect
            

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914115712/1b7b6adf-222a-4aaa-8666-ab705c6ec67e.png align="center")

*!!!  We are unable to connect to our instance... lets find out why.*

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914142106/024076e4-3d83-43b4-aa4b-21d5d0973b0b.png align="center")

> *When using EC2 Instance Connect, an HTTPS connection is established between your computer and the EC2 Instance Connect Service inside AWS.  The Ec2 Connect Service then establishes an SSH connection to the EC2 instance.  We will need our security group to allow SSH traffic for IP range 18.206.107.24/29 for the EC2 Connect Service in us-east-1.*

The IP ranges for the EC2 Instance Connect service can be found here: [https://ip-ranges.amazonaws.com/ip-ranges.json](https://ip-ranges.amazonaws.com/ip-ranges.json)

---

### **Add SSH Traffic to WebServerSPASG Security Group**

* Navigate back to the Ec2 Dashboard
    
    * Click on Security Group
        
        * Select WebServerSPASG
            
            * Add inbound rule
                
            * Source: Custom, 18.206.107.24/59
                
            * Click Save rules
                

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914169165/dcf6e99c-576b-4931-8f65-0a9fa2f9ac7d.png align="center")

* In the left-hand navigation pane of the Ec2 Dashboard
    
    * Click Instances
        
        * Select WebServerSPA
            
            * Click Connect
                
    * Connect via Ec2 Instance Connect
        
* You should now see the Command Line Interface (CLI) for your instance
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914248906/0180e8e6-d41c-472f-ba64-bcfc93f81f48.png align="center")

---

### **Installing & Starting CloudWatch Agent**

> *CloudWatch Agent is a software package that autonomously and continuously runs on your servers. Using CloudWatch Agent, we can collect metrics and logs from Amazon Elastic Compute Cloud (Amazon EC2), hybrid, and on-premises servers running both Linux and Windows*

* Install and Configure CloudWatch Agent via CLI
    

```bash
sudo yum install amazon-cloudwatch-agent -y
```

* Initialize CloudWatch Config Wizard
    

```bash
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
```

* The Wizard will go through a variety of options, ensure the following config is set: *For any other parameter not specified, use default value*
    
    * CollectD Monitoring
        
        * No
            
    * Do you want to monitor any host metrics? e.g CPU,memor, etc.
        
        * Yes
            
    * Would you like to collect metrics at High Resolution?
        
        * 10 s
            
    * Which Default Metrics do you want?
        
        * Advanced
            
    * Do you want to Monitor Log Files?
        
        * Yes
            
    * Log File Path?
        
        * /var/log/httpd/access\_log
            
    * Monitor Additional Log Files
        
        * No
            
    * Store config in SSM Parameter Store?
        
        * No
            
    * Accept above content of config
        
        * Yes
            
* Start the CloudWatch Agent via snippet below
    

```bash
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json
```

* Close CLI
    

---

### **Create CloudWatch Alarm for Memory Usage**

> *Amazon CloudWatch is a monitoring and management service that provides data and actionable insights for AWS, hybrid, and on-premises applications and infrastructure resources.*

* In the services search bar in the aws console:
    
    * Type CloudWatch
        
        * Click Cloudwatch
            

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914330460/34c164ea-4024-46c1-b0bc-250fb6319c61.png align="center")

* In the CloudWatch dashboard navigation pane:
    
    * Click In Alarm
        
        * Click Create Alarm
            

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914345604/4ea477dd-5f47-4ae9-88bf-42e0bdbbef2c.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914350811/a9feb946-980d-41a3-ad19-87cc85073b49.png align="center")

* Select Metric & Conditions
    
    * Click CWAgent &gt; InstanceId
        
        * Select:mem\_used\_percent
            

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914403110/85694bde-6f33-4fd2-aa51-f4c47b99978c.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914424515/a6d3174d-0997-46f5-9d69-b47f512859bd.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914437688/7aec90b0-3796-4b03-bf99-37c881dc8706.png align="center")

* Click Period dropdown, keep all other default options
    
    * 1 Minute
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914498163/8d086e77-6815-4067-9dce-7d92e4ece025.png align="center")

* Conditions
    
    * Select Static
        
    * Select Greater/Equal &gt;= threshold
        
    * Enter 30
        
* Click Next
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914515588/40db2ee6-704f-4a77-91f4-b3c8b09f00a8.png align="center")

* Configure Actions
    
    * Remove Notification
        
    * Add Ec2 Action
        
        * Alarm State Trigger: In Alarm
            
        * Take the following action: Reboot Instance
            
* Click Next & Create Alarm
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914556806/b40801d0-7936-42f4-9571-02eb49c9343f.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914561672/dd5fbb5f-16ef-40cb-b6f9-33ab1df74847.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914589277/2eba6c0b-7479-4aec-9da2-e2e0c12524c8.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914595761/0c6f2328-5f85-445e-b5da-d64b057f4973.png align="center")

---

### **Testing CloudWatch MemoryAlert alarm**

* Navigate to the Ec2 Dashboard
    
    * In the Navigation Pane: Click Instances
        
    * Select WebServerSPA
        
    * Click Connect
        
    * Connect via Ec2 Instance Connect
        
* Once connected: In the CLI, type:
    

```bash
stress -m 1 --vm-bytes 700M
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914615375/d4081af4-5e3d-4861-884f-a27cce26730f.png align="center")

* Navigate back to your CloudWatch dashboard tab
    
    * In the Navigation Pane select All Alarms:
        
        * The MemoryAlert Alarm should now be in state: "In Alarm"
            
        * If not, allow more time and refresh.
            

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914637311/ae7d46e8-c449-48a3-b972-977c0f589867.png align="center")

After some time, the alarm should revert back to an OK state.  Click on the Memory Alert alarm to review the alarm history.

We can see that our stress test spiked the utilization of memory in our instance and action was taken by our CloudWatch alarm to remedy over utilization.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914666842/693b5959-3098-449c-85d6-cc22e2772338.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914673135/6b9ca024-cf66-431f-b541-eaebd802339e.png align="center")

---

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1690914688143/d567d6f7-1ccb-4ef6-936b-fc14829e592a.png align="center")

Great Job!  Kudos to you if you've stuck through and completed this mini series.  Although we ran into an issue with connecting to our instance, overall we were successful in implementing our tasks without issue.

* We have completed the following:
    
    * Launched App Server in Private Subnet
        
    * Launched Web Server in Public Subnet
        
    * Created IAM Role for CloudWatch
        
    * Update Security Group to allow SSH for Ec2 Instance Connect in our region/az
        
    * SSH into Web Server via EC2 Instance Connect
        
    * Install/configure/start CloudWatch Agent via the command line
        
    * Create CloudWatch MemoryAlert Alarm
        
        * Added Resilience with CloudWatch action
            
    * Stress Test instance
        

Thank you for joining me on this three-part series...be sure to clean up any infrastructure that may have been provisioned so that you do not incur any charges.

Remove Infrastructure:

VPC Dashboard

* Delete NAT Gateway
    
* Release Elastic IP Address
    

Ec2 Dashboard

* Terminate Web Server / App Server
    

CloudWatch Dashboard

* Delete CloudWatch Alarm
    

Finally - Delete SmallProjectAVPC  
\* This will delete all resources associated with VPC

Till next time!
