Nitro-based Instance Volumes

AWS introduced Nitro-based instances, which are built from modular components. They are meant for high-performance, high-availability, and high-security systems. The Nitro building blocks provide direct access to high-speed local storage over a PCI interface and transparently encrypt all data using dedicated hardware. They also provide hardware-level isolation between storage devices and EC2 instances, so that even bare metal instances can benefit from local NVMe storage. The following are Nitro-based instances: A1, C5, C5d, C5n, I3en, M5, M5a, M5ad, M5d, p3dn.24xlarge, R5, R5a, R5ad, R5d, T3, T3a, and z1d. Bare metal: c5.metal, c5n.metal, i3.metal, i3en.metal, m5.metal, m5d.metal, r5.metal, r5d.metal, u-6tb1.metal, u-9tb1.metal, u-12tb1.metal, and z1d.metal.

Although volumes attached to Nitro-based instances look like regular block devices (/dev/xvda) in the AWS Console, inside the operating system they show up under completely different names (/dev/nvme6n1).

In the AWS Console, the storage devices look like this:

/dev/sda1
/dev/xvdb
/dev/xvdc
/dev/xvdd
/dev/xvde
/dev/xvdh
/dev/xvdf
/dev/xvdi
/dev/xvdg
/dev/xvdj

In the operating system, running df -h shows this instead:

/dev/nvme0n1p2   30G  7.0G   24G  24% /
/dev/nvme4n1     50G   20G   31G  40% /vol1
/dev/nvme1n1     10G  753M  9.3G   8% /vol2
/dev/nvme8n1    500G   67G  433G  14% /backups
/dev/nvme2n1    400G   12G  388G   3% /vol3
/dev/nvme6n1    150G  150G  755M 100% /vol4
/dev/nvme7n1     10G   33M   10G   1% /vol5
/dev/nvme5n1     10G  553M  9.5G   6% /vol6
/dev/nvme9n1    100G   91G   10G  91% /vol7

The big question is: how can you tell which NVMe device corresponds to which Console volume? You'll need the nvme program to map them. Install nvme-cli first.

yum install nvme-cli

Then run the command below against the device you want to identify. The vendor-specific bytes it prints decode to the device name the Console uses.

# run nvme
sudo nvme id-ctrl -v /dev/nvme6n1 | grep xv
# the result
0000: 2f 64 65 76 2f 73 64 6a 20 20 20 20 20 20 20 20 "/dev/xvdf..."
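As an added example (not part of the original post), here is a script that decodes those vendor-specific bytes for every NVMe device on the host. It assumes nvme-cli is installed, the function names are mine, and the sample output at the bottom is constructed so the decoder runs offline; it also reads the controller serial number, which on EBS volumes carries the volume ID without its hyphen.

```shell
#!/usr/bin/env bash
# Added example: map each NVMe namespace on a Nitro-based instance back to
# the EBS device name shown in the AWS Console by decoding the vendor-specific
# bytes that `nvme id-ctrl -v` prints. Not from the original post.

# Read `nvme id-ctrl -v` output on stdin; print "<volume-id> <device-name>".
# The name is decoded from the hex bytes of the 0000: dump line, not from
# nvme-cli's quoted ASCII preview, which is truncated.
decode_ebs_id() {
  awk '
    function hexval(h,   d, hi, lo) {
      d = "0123456789abcdef"; h = tolower(h)
      hi = index(d, substr(h, 1, 1)) - 1
      lo = index(d, substr(h, 2, 1)) - 1
      return hi * 16 + lo
    }
    $1 == "sn" { sn = $3 }                 # EBS volume ID without the hyphen
    /^0000: / && name == "" {
      for (i = 2; i <= 17 && i <= NF; i++) {
        v = hexval($i)
        if (v == 0 || v == 32) break       # name is padded with NUL/space
        name = name sprintf("%c", v)
      }
    }
    END { print (sn == "" ? "?" : sn), (name == "" ? "?" : name) }'
}

# Walk every NVMe namespace on the host (requires nvme-cli and root).
map_all_nvme() {
  for dev in /dev/nvme*n1; do
    [ -e "$dev" ] || continue
    printf '%s %s\n' "$dev" "$(sudo nvme id-ctrl -v "$dev" | decode_ebs_id)"
  done
}

# Constructed sample in the shape nvme-cli prints, for offline testing.
sample_id_ctrl() {
  cat <<'EOF'
NVME Identify Controller:
vid       : 0x1d0f
sn        : vol0123456789abcdef
mn        : Amazon Elastic Block Store
0000: 2f 64 65 76 2f 73 64 6a 20 20 20 20 20 20 20 20 "/dev/sdj..."
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "................"
EOF
}

# Usage: sample_id_ctrl | decode_ebs_id   -> vol0123456789abcdef /dev/sdj
```

Run map_all_nvme on the instance itself to print one line per NVMe device with its volume ID and Console device name.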

AWS Security Groups IP Cidr

Here's how to search for AWS Security Groups whose egress rules contain a given IP CIDR.

aws ec2 describe-security-groups \
--filters Name=egress.ip-permission.cidr,Values='10.8.8.8/32' \
--query "SecurityGroups[*].{Name:GroupName}" \
--output text \
--profile default \
--region us-east-1

To narrow the search to a specific port, add the from-port and to-port filters as well.

aws ec2 describe-security-groups \
--filters Name=egress.ip-permission.cidr,Values='10.8.8.8/32' \
          Name=egress.ip-permission.from-port,Values='22' \
          Name=egress.ip-permission.to-port,Values='22' \
--query "SecurityGroups[*].{Name:GroupName}" \
--output text \
--profile default \
--region us-east-1

The --query expression limits the output to the Security Group name.

MySQL Backup To S3 Bucket

Here's my script for backing up a MySQL database to an S3 bucket.

A couple of notes about the script. It uses:

  1. AWS CLI
  2. mysqldump

Both must be installed and configured (AWS credentials and MySQL credentials) before the script will work.

#!/bin/bash
# Abort on any failed command so a failed dump or upload never ends with
# the local copy being deleted.
set -euo pipefail
cd /root/database
TIMESTAMP=$(date +%Y-%m-%d)
S3FILE="s3://bucketname/sqlbackup/backup-$TIMESTAMP.sql"
# mysqldump reads its credentials from ~/.my.cnf; keep them out of the script.
/usr/bin/mysqldump dbname > dbname.sql
/usr/local/bin/aws s3 cp dbname.sql "$S3FILE"
sleep 3s
# Only reached if the upload succeeded (see set -e above).
rm dbname.sql

Finally, set a 7-day lifecycle expiration rule on the S3 bucket so backups older than 7 days are deleted automatically.

AWS RDS Start and Stop Policy

Here's an IAM policy that you can attach to an IAM user or an IAM role so they are able to start and stop a specific RDS instance. The Resource ARN pins the policy to one DB instance, and the Condition additionally requires that instance to carry the tag Application=application-name.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "rds:db-tag/Application": "application-name"
                }
            },
            "Action": [
                "rds:DescribeDBInstances",
                "rds:StartDBInstance",
                "rds:StopDBInstance"
            ],
            "Resource": "arn:aws:rds:us-east-1:xxxxxxxxxxxx:db:db-instance-name",
            "Effect": "Allow"
        }
    ]
}