AWS core 3 min read

EC2: Compute

Amazon Elastic Compute Cloud (EC2) provides resizable virtual servers in the cloud. It’s the foundational compute service - you choose the OS, instance size, networking, and storage, and you control the machine from the kernel up. EC2 is the right tool when you need full control of the runtime, long-running processes, or workloads that don’t fit a serverless model.

Instances and AMIs

An instance is a running virtual machine. It boots from an Amazon Machine Image (AMI) - a template containing the OS, pre-installed software, and configuration. You can use AWS-provided AMIs (Amazon Linux, Ubuntu, Windows), Marketplace AMIs, or build your own “golden image” so new instances launch fully baked.

aws ec2 run-instances \
  --image-id ami-0abcdef1234567890 \
  --instance-type t3.micro \
  --key-name devcraftly-key \
  --security-group-ids sg-0a1b2c3d \
  --subnet-id subnet-0e1f2a3b \
  --count 1

Output:

{
    "Instances": [
        {
            "InstanceId": "i-0123456789abcdef0",
            "InstanceType": "t3.micro",
            "State": { "Name": "pending" }
        }
    ]
}

Instance types and families

EC2 offers hundreds of instance types grouped into families optimized for different workloads. The name encodes family, generation, optional capability letters, and size: m6g.large is general purpose (m), 6th generation (6), Graviton (g), large. The same letter means different things in different positions, so a g prefix is the GPU family (g5) while a g after the generation digit is Graviton (m7g).

Family prefix   Optimized for                    Example
t / m           Burstable / general purpose      t3.micro, m7i.large
c               Compute (high CPU)               c7g.xlarge
r / x           Memory (RAM-heavy)               r7g.2xlarge
i / d           Storage (high local disk/IO)     i4i.large
p / g           Accelerated (GPU/ML)             p5.48xlarge

Graviton (ARM, the g after the generation number, as in m7g) instances are typically around 20% cheaper per hour and more power-efficient than comparable x86 instances. Prefer them when your software and all of its dependencies ship for arm64 (container images, OS packages and native extensions included).
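As an added illustration (not code from the original page), the Python below decodes an instance type name into its family, generation, capability letters, architecture and size, and attaches the AWS normalization factor for the size (nano 0.25, micro 0.5, small 1, medium 2, large 4, xlarge 8, Nxlarge 8N), which is what Reserved Instance size flexibility and right-sizing comparisons use. The attribute-letter mapping is a partial one assumed for the example, and the a1 special case covers the one first-generation Graviton family that carries no g letter.

```python
import re

# Letters that may follow the generation digit. Partial mapping assumed for
# this example; AWS adds new letters over time.
ATTRIBUTE_LETTERS = {
    "g": "AWS Graviton processor (arm64)",
    "i": "Intel processor",
    "a": "AMD processor",
    "d": "local NVMe instance store",
    "n": "network and EBS bandwidth optimized",
    "e": "extra memory or storage",
    "z": "high-frequency CPU",
    "b": "block-storage (EBS) optimized",
}

# AWS normalization factors for the fixed size names; Nxlarge is 8 * N.
_SIZE_FACTORS = {"nano": 0.25, "micro": 0.5, "small": 1, "medium": 2,
                 "large": 4, "xlarge": 8}

# family letters, generation digits, attribute letters, optional "-flex", size
_TYPE_RE = re.compile(r"^([a-z]+)(\d+)([a-z]*)(-flex)?\.([a-z0-9-]+)$")


def size_factor(size: str):
    """Normalization factor of a size name, or None for bare-metal sizes."""
    if size in _SIZE_FACTORS:
        return _SIZE_FACTORS[size]
    m = re.fullmatch(r"(\d+)xlarge", size)
    return 8 * int(m.group(1)) if m else None


def parse_instance_type(name: str) -> dict:
    """Decode an EC2 instance type such as 'm7g.large' into its components."""
    m = _TYPE_RE.match(name.strip().lower())
    if not m:
        raise ValueError(f"unrecognised instance type: {name!r}")
    family, gen, attrs, flex, size = m.groups()
    # Only the Graviton letter implies arm64, except for the first-generation
    # a1 family, which is Graviton without a letter (assumed special case).
    arm64 = "g" in attrs or (family == "a" and gen == "1")
    return {
        "family": family,
        "generation": int(gen),
        "attributes": [ATTRIBUTE_LETTERS[c] for c in attrs if c in ATTRIBUTE_LETTERS],
        "unknown_attribute_letters": [c for c in attrs if c not in ATTRIBUTE_LETTERS],
        "arch": "arm64" if arm64 else "x86_64",
        "flex": flex is not None,
        "size": size,
        "size_factor": size_factor(size),
    }


if __name__ == "__main__":
    for t in ("t3.micro", "m6g.large", "m7i-flex.large", "p5.48xlarge", "c7g.metal"):
        info = parse_instance_type(t)
        print(f"{t:16} {info['arch']:7} factor={info['size_factor']} {info['attributes']}")
```

Unknown letters are reported rather than guessed, so a new family will not be silently mislabelled as x86_64 or arm64.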

Key pairs and security groups

  • Key pairs authenticate SSH to Linux instances (on Windows the private key decrypts the initial Administrator password). AWS stores only the public key and injects it into the instance at launch; you keep the private .pem. AWS cannot recover a lost private key, so regaining access means another path: Session Manager, or attaching the root volume to a rescue instance and editing authorized_keys.
  • Security groups are stateful virtual firewalls attached to an instance’s network interface. Rules are allow-only (no deny rules: inbound traffic not matched by a rule is dropped, while outbound is allowed by default), and because they’re stateful, return traffic for an allowed inbound request is automatically permitted.
# Allow SSH only from your IP, and HTTPS from anywhere
aws ec2 authorize-security-group-ingress \
  --group-id sg-0a1b2c3d \
  --protocol tcp --port 22 --cidr 203.0.113.10/32
aws ec2 authorize-security-group-ingress \
  --group-id sg-0a1b2c3d \
  --protocol tcp --port 443 --cidr 0.0.0.0/0

Never open SSH (port 22) to 0.0.0.0/0 or ::/0. Restrict it to your IP, use a bastion host, or - better - use AWS Systems Manager Session Manager, which needs no key pair and no inbound ports because the SSM agent on the instance makes the connection outbound.
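Added example, not part of the original page: a Python audit of `aws ec2 describe-security-groups --output json` output that flags rules exposing sensitive TCP ports to 0.0.0.0/0 or ::/0 and produces the matching revoke command. The sensitive-port list and the sample output (group IDs sg-0a1b2c3d and sg-0bad0bad, names web-sg and legacy-admin) are constructed for the example.

```python
import json
import sys
from ipaddress import ip_network

# Ports that should never be reachable from the whole internet. Assumed list
# for this example; extend it to match your own policy.
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS",
    3306: "MySQL", 5432: "PostgreSQL",
}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (any prefix of length 0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def revoke_command(group_id: str, perm: dict, source: str) -> str:
    """Build the CLI call that removes only the offending source from a rule.

    --ip-permissions is used instead of --cidr so IPv6 sources and the
    all-traffic protocol (-1) are expressed the same way the API stores them.
    """
    rule = {"IpProtocol": perm["IpProtocol"]}
    if perm["IpProtocol"] != "-1":
        rule["FromPort"] = perm["FromPort"]
        rule["ToPort"] = perm["ToPort"]
    if ":" in source:
        rule["Ipv6Ranges"] = [{"CidrIpv6": source}]
    else:
        rule["IpRanges"] = [{"CidrIp": source}]
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{json.dumps([rule])}'")


def exposed_sensitive_ports(describe_output: dict) -> list[dict]:
    """Find sensitive ports open to the world in describe-security-groups output.

    One finding per (group, rule, world-open source); 'exposed' lists every
    sensitive service the rule's port range covers, so an all-traffic rule
    shows the full blast radius rather than a single port.
    """
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue  # UDP/ICMP rules are out of scope for these TCP services
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            exposed = [svc for port, svc in SENSITIVE_PORTS.items() if lo <= port <= hi]
            if not exposed:
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if is_world_open(src):
                    findings.append({
                        "group_id": sg["GroupId"],
                        "group_name": sg.get("GroupName", ""),
                        "protocol": proto,
                        "source": src,
                        "exposed": exposed,
                        "fix": revoke_command(sg["GroupId"], perm, src),
                    })
    return findings


# Constructed sample in the shape of `aws ec2 describe-security-groups
# --output json`, trimmed to the fields used here. Not real account data.
SAMPLE_DESCRIBE_OUTPUT = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d", "GroupName": "web-sg", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-0bad0bad", "GroupName": "legacy-admin", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
    ]
}

if __name__ == "__main__":
    # Real use: aws ec2 describe-security-groups --output json | python3 sg_audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for f in exposed_sensitive_ports(data):
        print(f"{f['group_id']} ({f['group_name']}): {', '.join(f['exposed'])} open to {f['source']}")
        print("  fix:", f["fix"])
```

The HTTPS rule in web-sg is world-open but is not flagged, because 443 is not in the sensitive list; the point is to catch administrative and database ports, not to forbid public web traffic.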

User data

User data is a script that cloud-init runs as root on first boot, ideal for bootstrapping (install packages, pull config, start services). The example below targets a dnf-based AMI such as Amazon Linux 2023.

#!/bin/bash
dnf update -y
dnf install -y nginx
systemctl enable --now nginx

Pass it with --user-data file://bootstrap.sh (the CLI base64-encodes it for you). Everything in user data is readable by any process on the instance through the instance metadata service at http://169.254.169.254/latest/user-data, so never embed credentials in it; have the script fetch secrets from Secrets Manager or SSM Parameter Store using the instance role instead. For anything beyond trivial setup, build an AMI or use configuration management instead.
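Added example (not from the original page): a pre-launch check in Python that scans a user-data script for credential-shaped content and for the 16 KB raw size limit before base64-encoding it for the RunInstances API. The regex list is an assumption for the example, AKIAIOSFODNN7EXAMPLE is the placeholder access key ID used in AWS documentation, and both scripts are constructed.

```python
import base64
import re

# EC2 accepts at most 16 KB of raw user data (before base64 encoding).
MAX_USER_DATA_BYTES = 16 * 1024

# Credential shapes that must never ride along in user data. The list is an
# assumption for this example; tune it to the secret formats you actually use.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\W{0,3}[A-Za-z0-9/+=]{40}")),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("password_assignment", re.compile(r"(?i)(password|passwd)\s*[=:]\s*\S+")),
    ("bearer_token", re.compile(r"(?i)authorization:\s*bearer\s+\S+")),
]


def scan_user_data(script: str) -> list[dict]:
    """Return findings (line number and kind) for secrets or size problems."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append({"line": lineno, "kind": kind})
    if len(script.encode("utf-8")) > MAX_USER_DATA_BYTES:
        findings.append({"line": 0, "kind": "exceeds_16kb_limit"})
    return findings


def prepare_user_data(script: str) -> str:
    """Base64-encode user data for the RunInstances API once it passes the scan.

    The CLI's --user-data file://... encodes for you; the API field itself is
    base64. Raises ValueError on any finding, so a secret never becomes
    readable to every process on the box via the metadata service.
    """
    findings = scan_user_data(script)
    if findings:
        detail = ", ".join(f"line {f['line']}: {f['kind']}" for f in findings)
        raise ValueError("refusing to launch, user data findings: " + detail)
    return base64.b64encode(script.encode("utf-8")).decode("ascii")


# The page's bootstrap script: nothing secret, passes the scan.
GOOD_USER_DATA = """#!/bin/bash
dnf update -y
dnf install -y nginx
systemctl enable --now nginx
"""

# Constructed bad example: credentials baked into the bootstrap script.
BAD_USER_DATA = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export DB_PASSWORD=hunter2
dnf install -y nginx
"""

if __name__ == "__main__":
    print("good:", scan_user_data(GOOD_USER_DATA))
    print("bad: ", scan_user_data(BAD_USER_DATA))
```

Run the scan in CI or in whatever wrapper calls run-instances; the same check applies to launch templates, whose user data is just as visible through the metadata service.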

EBS volumes

Elastic Block Store (EBS) provides durable, network-attached block storage that persists independently of the instance lifecycle. Volume types include gp3 (general-purpose SSD, the modern default), io2 (high-IOPS, for demanding databases), and st1/sc1 (throughput-optimized and cold HDD).

By default the root volume has DeleteOnTermination set, so it is deleted when the instance terminates; additionally attached data volumes are kept. Take snapshots (incremental, stored in S3) for backups and to clone volumes across AZs or regions. Turn on EBS encryption by default in every region you use: new volumes and the snapshots taken from them are then encrypted with a KMS key, with negligible performance impact.

Pricing models

Matching the pricing model to the workload is where real money is saved.

Model                      Discount vs On-Demand   Best for
On-Demand                  Baseline                Spiky, unpredictable, short-lived workloads
Savings Plans / Reserved   Up to ~72%              Steady-state, predictable baseline usage (1- or 3-year commitment)
Spot                       Up to ~90%              Fault-tolerant, interruptible batch/CI/big-data jobs
Dedicated Hosts            Premium                 Licensing/compliance needing physical isolation

Spot instances can be reclaimed with a 2-minute warning when AWS needs the capacity. Use them only for stateless, checkpoint-able, or retryable workloads - never for a database.

Best Practices

  • Use Auto Scaling Groups across multiple AZs instead of pets; treat instances as disposable.
  • Attach IAM roles (instance profiles) rather than storing access keys on the box, and require IMDSv2 (HttpTokens=required in the instance metadata options) so a classic SSRF or open reverse proxy cannot fetch the role’s credentials from 169.254.169.254 with a single GET.
  • Right-size with CloudWatch metrics and Compute Optimizer; stop or schedule idle instances.
  • Blend pricing models: Savings Plans for baseline, Spot for elastic burst.
  • Patch via golden AMIs and immutable deployments rather than mutating live servers.
  • Restrict security groups to least-privilege ports and source ranges; never expose SSH/RDP to the internet.
Last updated June 1, 2026