Lab 1: Operational Excellence
© 2023 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.
Note: Do not include any personal, identifying, or confidential information into the lab environment. Information entered may be visible to others.
Corrections, feedback, or other questions? Contact us at AWS Training and Certification.
Objectives
In this lab, you create an AWS Resource Group consisting of two Amazon Elastic Compute Cloud (Amazon EC2) instances and use the “Run command” capability of AWS Systems Manager to install the Amazon CloudWatch agent for collecting logs and getting some additional metrics.
After completing this lab, you will be able to:
Add custom tags to Amazon EC2 instances.
Create an AWS Resource Group for specific Amazon EC2 instances.
Use AWS Systems Manager for configuration of Amazon EC2 instances.
Install and start Amazon CloudWatch agent with AWS Systems Manager.
Validate custom metrics and log groups for Amazon EC2 instances in Amazon CloudWatch.
PREREQUISITES
This lab requires:
Use of a personal computer or laptop with Wi-Fi. The lab is not accessible using an iPad or tablet device, but you can use these devices to access the student guide.
Access to the administrator account on your local computer.
Access to an internet browser, such as Chrome or Firefox.
ICON KEY
Various icons are used throughout this lab to call attention to different types of instructions and notes. The following list explains the purpose for each icon:
Note: A hint, tip, or important guidance.
Additional information: Where to find more information.
CAUTION: Information of special interest or importance (not so important to cause problems with the equipment or data if you miss it, but it could result in the need to repeat certain steps).
File contents: A code block that displays the contents of a script or file you need to run that has been pre-created for you.
Copy edit: A time when copying a command, script, or other text to a text editor (to edit specific variables within it) might be easier than editing directly in the command line or terminal.
DURATION
This lab requires 60 minutes to complete.
CONTEXT
You are a Solutions Architect working for AnyCompany, a retail business. One of the main applications for the company is a product catalog, a web application recently migrated to the AWS Cloud from the on-premises environment. Even though the application is functional, it is crucial to have an architecture with best practices applied, because the business is growing. As part of AnyCompany’s Well-Architected practitioners team, you want an architecture that meets the new performance requirements, mitigates risks, and saves money. Automation is also a fundamental part of the solution.
The following diagram shows the initial architecture. Your mission is to improve it by applying some of the AWS Well-Architected principles, according to the company’s needs.
The architecture contains a single Amazon VPC, which has an internet gateway and 2 subnets, labelled public subnet and private subnet. Each subnet contains a single Amazon EC2 instance, one labelled web app instance and one labelled database instance.
Architecture Review
You proposed doing an AWS Well-Architected Framework Review to better understand the current status and needs. After that review, you identified some insights, the most relevant of which are as follows:
Automation: Most of the operational tasks are performed manually. AnyCompany wants to automate some of the operational tasks and provide visibility into important performance metrics, such as memory and disk use. Additionally, centralized log monitoring for the database and application is needed.
Availability: A highly available architecture is required for the product catalog application.
Security: This is a top priority. The more insights available related to this topic, the better.
Rightsizing Amazon EC2 instances: AnyCompany is not sure about the initial decision to use a t3.micro EC2 instance to host the application. The company does not want to sacrifice performance. AnyCompany people want to do some stress tests for the application, especially because they are expecting an increase in the demand on the application in the near future.
Cost: Some applications are not using approved instance types in accordance with AnyCompany’s architecture standard. This has increased unnecessary cost due to over-provisioned resources in non-production environments.
The previous information is your starting point to enhance the architecture and achieve the organization objectives. You might identify more opportunities for improvement in this architecture but, for the purposes of the lab, focus on these findings.
Target Architecture
After an AWS Well-Architected Framework Review, you and AnyCompany defined a target architecture. This architecture helps achieve the initial objectives. You will use the five AWS Well-Architected Framework pillars to implement the architecture in the following diagram:
The architecture is an Amazon VPC spanning 2 Availability Zones. There are 6 subnets in total, 3 in each Availability Zone: 1 public subnet, 1 private subnet, and 1 db private subnet. The private subnets belong to an Auto Scaling group and each contains 1 web server. Each db private subnet contains 1 Amazon RDS instance. Internet traffic flows into an internet gateway, to an application load balancer residing in the public subnets, then to the Auto Scaling group in the private subnets, and finally to the Amazon RDS primary instance in the db private subnet. Supporting management, automation, and monitoring services for the environment are Amazon CloudWatch, AWS CloudTrail, AWS CloudFormation, AWS Config, and AWS Systems Manager. Supporting security services for the environment are AWS Identity and Access Management and AWS Secrets Manager.
Next, start the first lab to get to that architecture and ensure that AnyCompany implements the appropriate solution according to the AWS Well-Architected best practices.
SCENARIO
The Operational Excellence pillar includes the ability to support development and run workloads effectively, gain insight into their operations, and continuously improve supporting processes and procedures to deliver business value.
Remember that one of the insights found in the AWS Well-Architected Framework Review was the need to automate some of the operational tasks. AnyCompany staff are performing a lot of operational tasks manually. One of the issues they mentioned was a lack of visibility into important metrics, such as memory and disk use for the Amazon EC2 instances. They want an automated process to get that information. Additionally, they need centralized log monitoring for the database and application instances.
Start lab
- To launch the lab, at the top of the page, choose Start lab.
You must wait for the provisioned AWS services to be ready before you can continue.
- To open the lab, choose Open Console.
You are automatically signed in to the AWS Management Console in a new web browser tab.
Do not change the Region unless instructed.
COMMON SIGN-IN ERRORS
Error: You must first sign out
If you see the message, You must first log out before logging into a different AWS account:
Choose the click here link.
Close your Amazon Web Services Sign In web browser tab and return to your initial lab page.
Choose Open Console again.
Error: Choosing Start Lab has no effect
In some cases, certain pop-up or script blocker web browser extensions might prevent the Start Lab button from working as intended. If you experience an issue starting the lab:
Add the lab domain name to your pop-up or script blocker’s allow list or turn it off.
Refresh the page and try again.
Task 1: Check the Existing Architecture
The product catalog is a core web application that was recently migrated from on premises to the AWS Cloud. Because it was migrated using a simple lift and shift process into the AWS Cloud, this application consists of two Amazon EC2 instances, one for the web server and the other for the database (MariaDB). Users access the application through the internet.
Review the Amazon EC2 instances:
- At the top of the AWS Management Console, in the search bar, search for and choose .
Note: Make sure that your AWS console session is in the Region that matches the value of LabRegion to the left of these instructions. You must use the same Region throughout the lab.
- In the navigation menu at the left of the page, under Instances, choose Instances.
The browser displays the Instances page.
There are two Amazon EC2 instances listed; one is the web server and the other is the database:
Next, confirm the product catalog web application is running on the
instance.
- In the instances list, select the checkbox next to the wa-web-server instance only.
The instance should report an Instance state of Running. The instance receives a public DNS name that you can use to connect to the instance through the public internet.
In the lower half of the screen, choose the Networking tab.
In the Networking tab, locate the Public IPv4 DNS section and copy the DNS address.
Open a new browser tab. In the address bar type
, and then paste the public DNS address you copied in the previous step.
Caution: If you choose the open address link, your browser tries to browse the application using the prefix
. That will not work in this lab, because no SSL certificates are provisioned for instances in this lab. The application can only be accessed using on port .
An application like the following is displayed in the browser:
The application contains entry fields labelled as: Category, description and price. There is a button labelled update database. And there is a data table at the bottom of the page.
- To add a product to the database, perform the following steps:
Enter a value in the Category field.
Enter a value in the Description field.
Enter a value in the Price field.
Choose the Update database button to insert the item.
- Add at least three products to the list. When complete, leave this browser window open for future reference.
An example of adding items is displayed as follows:
The application contains entry fields labelled as: Category, description and price. There is a button labelled update database. And there is a data table at the bottom of the page. The data table contains 3 examples.
Congratulations! In this task, you verified that two Amazon EC2 instances for your application stack were launched. You then accessed the web application and made new entries to the database.
Next, you add custom resource tags to the Amazon EC2 instances.
Task 2: Tag the Amazon EC2 Instances
With Amazon Web Services (AWS), customers can assign metadata to their AWS resources in the form of tags.
Each tag is a simple label consisting of a customer-defined key and an optional value. Tags make it easier to manage, search for, and filter resources.
Tags are a great way to organize AWS resources, establish governance, and enforce permissions, and they are critical to cost attribution for cost optimization.
Return to the AWS Management Console.
On the instances list, select the checkbox next to the wa-web-server instance only.
On the lower half of the screen, choose the Tags tab.
Choose Manage tags.
The browser displays the Manage tags page for the instance.
Choose Add new tag.
Create the following tag:
For Key, input
.
For Value - optional, input
.
Choose Add new tag.
Create the following tag:
For Key, input
.
For Value - optional, input
.
- Choose Save when you are finished adding the tags.
The browser displays the Instances page.
A banner message like the following is displayed at the top of the page: Request to manage tags has succeeded.
In the instances list, select the checkbox next to the instance only.
Repeat the previous steps to add the same tags to the wa-db-server instance.
Choose Save when you are finished adding the tags.
The browser displays the Instances page.
A banner message like the following is displayed at the top of the page: Request to manage tags has succeeded.
Congratulations! In this task, you added custom resource tags to Amazon EC2 instances.
Next, you create an AWS Resource Group.
Task 3: Create a Resource Group
A resource group is a collection of AWS resources in the same AWS Region that match a tag-based criteria provided in a search query.
A resource group can represent an application, a software component, a business unit, an environment, a team, or even an area of ownership.
You can use resource groups to perform bulk actions. For example, if you manage large numbers of related resources, such as Amazon EC2 instances that make up an application layer, you might need to perform bulk actions on these resources at one time.
Examples of bulk actions include the following:
Applying updates or security patches.
Upgrading an application version.
Installing new software. (This is the action you perform in this lab).
Opening or closing ports to network traffic.
Collecting specific log and monitoring data.
At the top of the AWS Management Console, in the search bar, search for and choose
.
Choose Create a resource group.
The browser displays the Create query-based group page.
On the Create query-based group page, in the Group Type section, select Tag based.
On the Create query-based group page, in the Grouping criteria section:
For Resource types, select
.
For Tags:
For Tag key, input
.
For Optional tag value, input
.
Choose Add.
For Tag key, input
.
For Optional tag value, input
.
Choose Add.
Choose Preview group resources.
In the Group resources section, both of your previously tagged Amazon EC2 instances are listed.
- On the Create query-based group page, in the Group details section:
For Group name, input
.
For Group description, input
.
- Choose Create group.
The browser displays the rg-wa group details page.
A banner message like the following is displayed at the top of the page: The resource group “rg-wa” has been successfully created in the current region (us-east-2).
Congratulations! In this task, you used custom tags applied to the Amazon EC2 instances to create a Resource Group.
Next, use AWS Systems Manager to manage the Amazon EC2 instances in your AWS Resource Group.
Task 4: Turn on Systems Manager for Amazon EC2 Instances
AWS Systems Manager is a service you can use to view and control your infrastructure on AWS. AWS Systems Manager is the operations hub for your AWS environment. Systems Manager provides a unified user interface to track and resolve operational issues across your AWS applications and resources from a central place.
AWS Systems Manager Agent (SSM Agent) is Amazon software that can be installed and configured on an Amazon EC2 instance, an on-premises server, or a virtual machine (VM). The Systems Manager Agent makes it possible for Systems Manager service to update, manage, and configure these resources.
By default, SSM Agent is preinstalled on the following Amazon Machine Images (AMIs):
Amazon Linux
Amazon Linux 2
Amazon Linux 2 ECS-optimized base AMIs
Ubuntu Server 16.04, 18.04, and 20.04
In this lab, you use Amazon Linux 2 AMIs. For manual installation of the SSM Agent, review the following link: Working with SSM Agent
TASK 4.1: REVIEW THE AMAZON EC2 INSTANCE PROFILE
By default, AWS Systems Manager does not have permission to perform actions on your Amazon EC2 instances. The necessary permissions can be granted using an AWS Identity and Access Management (IAM) role. This IAM role can be attached to specific Amazon EC2 instances by using an instance profile.
More information about setting up an instance profile for use with the Systems Manager service can be found at the following documentation link: Create an IAM instance profile for Systems Manager
As part of this lab, an instance profile has been provisioned for you. You use this instance profile for the Amazon EC2 instances, but first review the permissions it provides.
- At the top of the AWS Management Console, in the search bar, search for and choose .
Note: There might be warnings or error messages displayed at the top of the screen. These can be safely ignored in this lab.
In the navigation menu at the left of the page, under Access management, choose Roles.
In the Roles search box, input
.
The search returns a single result.
- Choose the wa-lab-ssm-ec2-role link from the results.
The browser displays the wa-lab-ssm-ec2-role summary page.
On the summary page, you can access different details about the role. Notice how in the Permissions tab, the role has two attached policies:
(AWS managed policy)
(AWS managed policy)
These two policies make it possible for AWS Systems Manager to communicate with the instances and run certain configuration commands in them. Feel free to expand them to review the details of the individual policies. You can do this by choosing the plus icon next to each policy name.
In this task, you examined the IAM policies attached to the wa-lab-ssm-ec2-role instance profile.
Next, update the Amazon EC2 instances to use this instance profile.
TASK 4.2: MODIFY AMAZON EC2 INSTANCE PROFILES
At the top of the AWS Management Console, in the search bar, search for and choose
.
In the navigation menu at the left of the page, under Instances, choose Instances.
In the instances list, select the checkbox next to the wa-web-server instance only.
Choose Actions, Security, and then Modify IAM Role.
The browser displays the Modify IAM role page.
On the Modify IAM role, for IAM role, choose
.
Choose Update IAM role.
Repeat these steps for the
instance.
Next, reboot both Amazon EC2 instances.
- Select both Amazon EC2 instances:
- Choose Instance state, and then Reboot instance.
The Reboot instances? message box is displayed.
- Choose Reboot.
Note: By rebooting the Amazon EC2 instances, you ensure that your instances become available in Systems Manager.
In this task, you changed the instance profile in use by both Amazon EC2 instances to one that allows Systems Manager access to the instances. You then rebooted the instances.
TASK 4.3: CHECK AMAZON EC2 INSTANCES IN SYSTEMS MANAGER
At the top of the AWS Management Console, in the search bar, search for and choose
.
In the navigation menu at the left of the page, under Node Management, choose Inventory.
Scroll down to the bottom of the page. Your Amazon EC2 instances are located in the Corresponding managed instances section.
Now, you can use Systems Manager to automate operational tasks on your Amazon EC2 instances.
Note: After modifying the instance profiles and restarting instances, it can take up to 5 minutes for the instances to appear in the managed instances inventory.
Make sure that both instances and appear in your inventory before moving to the next task. If they are not listed, reboot them.
Congratulations! In this task, you confirmed that both of the Amazon EC2 instances are available to the AWS Systems Manager Node Management.
Task 5: Install Amazon CloudWatch Agent with the SSM Agent
The CloudWatch agent monitors activity on your Amazon EC2 instance to collect logs and metrics. The CloudWatch agent needs to be installed on the Amazon EC2 instance using AWS Systems Manager Run Command. Run Command allows you to perform actions on Amazon EC2 instances remotely. This tool is especially helpful at scale, where you can manage the configuration of many instances with a single command.
In the navigation menu at the left of the page, under Node Management, choose Run Command.
Choose Run a Command.
The browser displays the Run a command page.
In the Command document search box, input
, and then press Enter.
Select AWS-ConfigureAWSPackage from the list of returned results.
Caution: Make sure that you select the radio switch and not the link for the command document itself.
- On the Run a command page, in the Command parameters section:
For Action, select Install.
For Name, input
.
- On the Run a command page, in the Target selection section:
For Target selection, select Choose a resource group.
For Resource group, select
. (This was the resource group you created earlier).
- Scroll to the bottom of the page, and choose Run.
The installation progress for the Amazon CloudWatch agent onto both Amazon EC2 instances is displayed.
- Wait a few seconds, and then use the refresh button to update the Overall status until it displays Success.
A banner message like the following is displayed at the top of the page: Command ID: a9601e52-24d7-4270-80f5-dafa6a1eec6e was successfully sent!.
Installing the CloudWatch agent on Amazon EC2 instances using your agent configuration.
Congratulations! In this task, you used command documents to install the Amazon CloudWatch agent onto the managed Amazon EC2 instances.
Task 6: Start Amazon CloudWatch Agent
In this task, you start the CloudWatch agent using the Systems Manager Run Command feature.
In the navigation menu at the left of the page, under Node Management, choose Run Command.
Choose Run command.
The browser displays the Run a command page.
In the Command document search box, input
, and then press Enter.
Select AmazonCloudWatch-ManageAgent from the list of returned results.
Caution: Make sure that you select the radio switch and not the link for the command document itself.
- On the Run a command page, in the Command parameters section:
For Action, select configure.
For Optional Configuration Source, select ssm.
For Optional Configuration Location, enter the parameter name
.
For Optional Restart, select yes.
For this task, the lab is provisioned with a configuration file saved in Parameter Store, a capability of AWS Systems Manager, named
.
For more information about the AWS Systems Manager Parameter Store, visit the following link: AWS Systems Manager Parameter Store
This is the JSON agent configuration file stored in Systems Manager Parameter store. Take a minute to review it, and then follow with the next step.
File contents:
{
  "agent": {
    "metrics_collection_interval": 60,
    "run_as_user": "root"
  },
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/messages",
            "log_group_name": "messages",
            "log_stream_name": "{instance_id}"
          },
          {
            "file_path": "/var/log/httpd/access_log",
            "log_group_name": "httpd_access_log",
            "log_stream_name": "{instance_id}"
          },
          {
            "file_path": "/var/log/mariadb/wa-db-server.log",
            "log_group_name": "db_general_query_log",
            "log_stream_name": "{instance_id}"
          },
          {
            "file_path": "/var/log/mariadb/mariadb.log",
            "log_group_name": "mariadb_log",
            "log_stream_name": "{instance_id}"
          }
        ]
      }
    }
  },
  "metrics": {
    "append_dimensions": {
      "AutoScalingGroupName": "${aws:AutoScalingGroupName}",
      "ImageId": "${aws:ImageId}",
      "InstanceId": "${aws:InstanceId}",
      "InstanceType": "${aws:InstanceType}"
    },
    "metrics_collected": {
      "disk": {
        "measurement": ["used_percent"],
        "metrics_collection_interval": 60,
        "resources": ["*"]
      },
      "mem": {
        "measurement": ["mem_used_percent"],
        "metrics_collection_interval": 60
      },
      "statsd": {
        "metrics_aggregation_interval": 60,
        "metrics_collection_interval": 10,
        "service_address": ":8125"
      }
    }
  }
}
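The agent configuration above is pushed unchanged to every instance in the resource group, so it is worth checking before it goes into Parameter Store. The following Python script is an added example (not part of the lab materials) that parses a configuration of this shape, derives the metric names the agent will publish under the CWAgent namespace, and reports the settings a reviewer would flag: a log stream name without {instance_id} (events from both instances would land in one stream), two files sharing one log group, the agent running as root, and a statsd listener bound to all interfaces. The sample configuration is a constructed, trimmed copy of the lab’s file with one deliberately wrong entry added; the cwagent user name is assumed.

```python
import json

# Constructed sample: the lab's configuration, trimmed, plus one deliberately
# wrong entry (error_log reusing the httpd_access_log group with a fixed stream)
# so that the checks below have something to report.
SAMPLE_CONFIG = json.dumps({
    "agent": {"metrics_collection_interval": 60, "run_as_user": "root"},
    "logs": {"logs_collected": {"files": {"collect_list": [
        {"file_path": "/var/log/messages",
         "log_group_name": "messages", "log_stream_name": "{instance_id}"},
        {"file_path": "/var/log/httpd/access_log",
         "log_group_name": "httpd_access_log", "log_stream_name": "{instance_id}"},
        {"file_path": "/var/log/mariadb/mariadb.log",
         "log_group_name": "mariadb_log", "log_stream_name": "{instance_id}"},
        {"file_path": "/var/log/httpd/error_log",  # constructed defect
         "log_group_name": "httpd_access_log", "log_stream_name": "web"},
    ]}}},
    "metrics": {"metrics_collected": {
        "disk": {"measurement": ["used_percent"], "resources": ["*"]},
        "mem": {"measurement": ["mem_used_percent"]},
        "statsd": {"service_address": ":8125"},
    }},
})

REQUIRED_LOG_KEYS = ("file_path", "log_group_name", "log_stream_name")


def metric_names(cfg):
    """Names the agent publishes in the CWAgent namespace: <plugin>_<measurement>,
    unless the measurement already carries the plugin prefix (mem_used_percent)."""
    names = []
    for plugin, spec in cfg.get("metrics", {}).get("metrics_collected", {}).items():
        for m in spec.get("measurement", []):
            names.append(m if m.startswith(plugin + "_") else plugin + "_" + m)
    return names


def check_config(text):
    """Parse an agent configuration and return its metric names plus a list of
    findings a reviewer would want fixed before the file goes to Parameter Store."""
    cfg = json.loads(text)
    findings = []
    entries = (cfg.get("logs", {}).get("logs_collected", {})
               .get("files", {}).get("collect_list", []))
    group_owner = {}
    for e in entries:
        missing = [k for k in REQUIRED_LOG_KEYS if k not in e]
        if missing:
            findings.append(f"{e.get('file_path', '?')}: missing {missing}")
            continue
        path, group, stream = e["file_path"], e["log_group_name"], e["log_stream_name"]
        # Every instance in the resource group ships the same file; without
        # {instance_id} in the stream name their events land in one stream.
        if "{instance_id}" not in stream:
            findings.append(path + ": log_stream_name lacks {instance_id}, so "
                            "streams from different instances collide")
        # One group per file keeps metric filters and retention settings meaningful.
        if group in group_owner:
            findings.append(f"{path}: log group {group} already used by {group_owner[group]}")
        group_owner.setdefault(group, path)
    # run_as_user defaults to root when absent (least privilege: use a dedicated user).
    if cfg.get("agent", {}).get("run_as_user", "root") == "root":
        findings.append("agent runs as root; run it as the dedicated cwagent user "
                        "once that user can read the listed files")
    statsd = cfg.get("metrics", {}).get("metrics_collected", {}).get("statsd")
    if statsd is not None:
        addr = statsd.get("service_address", ":8125")  # ":8125" binds every interface
        if not (addr.startswith("127.0.0.1") or addr.startswith("localhost")):
            findings.append(f"statsd listens on {addr} (all interfaces); bind it to "
                            "127.0.0.1 unless other hosts must send metrics")
    return {"metrics": metric_names(cfg), "findings": findings}


if __name__ == "__main__":
    report = check_config(SAMPLE_CONFIG)
    print("metrics:", report["metrics"])
    for finding in report["findings"]:
        print("finding:", finding)
```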
- On the Run a command page, in the Target selection section:
For Target selection, select Choose a resource group.
For Resource group, select
. (This was the resource group that you created earlier.)
- Scroll to the bottom of the page, and then choose Run.
The Run Command result is displayed.
- Wait a few seconds, and then use the refresh button to update the Overall status until it displays Success.
A banner message like the following is displayed at the top of the page: Command ID: bc2a1064-0d0b-4c5b-8ef7-75bc6252e9b0 was successfully sent!.
You have now installed and started the CloudWatch agent on both Amazon EC2 instances using the “Perform Operations as Code” design principle.
Installing the CloudWatch agent on Amazon EC2 instances using your agent configuration.
Congratulations! In this task, you used command documents from AWS Systems Manager to start the installed Amazon CloudWatch agent and set up logging and metrics for the managed instances.
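The console steps of Tasks 2 to 6 are exactly what “operations as code” replaces. The following Python script with boto3 is an added example (not part of the lab materials) that tags the instances, creates the tag-based resource group, and then sends the two Run Command documents targeted at that group, polling each command until every invocation finishes. The tag key and value, the Distributor package name, the Parameter Store name, and the file name in the usage line are assumptions; the lab’s real inputs are not reproduced here.

```python
import json
import time

# Assumed values (the lab's actual tag key, tag value, package name and
# Parameter Store name are not reproduced here): edit to match your account.
TAG_KEY = "Application"
TAG_VALUE = "product-catalog"
RESOURCE_GROUP = "rg-wa"
CW_PACKAGE = "AmazonCloudWatchAgent"         # Distributor package installed in Task 5
CW_CONFIG_PARAM = "AmazonCloudWatch-config"  # Parameter Store name read in Task 6
DONE = ("Success", "Failed", "TimedOut", "Cancelled")


def resource_group_query(tag_key, tag_value):
    """Tag-based query for Resource Groups create_group (TAG_FILTERS_1_0)."""
    return {"Type": "TAG_FILTERS_1_0",
            "Query": json.dumps({"ResourceTypeFilters": ["AWS::EC2::Instance"],
                                 "TagFilters": [{"Key": tag_key, "Values": [tag_value]}]})}


def run_command_requests(group_name, package, config_param):
    """The two send_command calls of Tasks 5 and 6, targeted at the resource
    group (not at instance ids) so instances tagged later are covered too."""
    targets = [{"Key": "resource-groups:Name", "Values": [group_name]}]
    return [
        {"DocumentName": "AWS-ConfigureAWSPackage",        # Task 5: install
         "Targets": targets,
         "Parameters": {"action": ["Install"], "name": [package]}},
        {"DocumentName": "AmazonCloudWatch-ManageAgent",   # Task 6: configure + start
         "Targets": targets,
         "Parameters": {"action": ["configure"], "mode": ["ec2"],
                        "optionalConfigurationSource": ["ssm"],
                        "optionalConfigurationLocation": [config_param],
                        "optionalRestart": ["yes"]}},
    ]


def wait_for_command(ssm, command_id, timeout=300, poll=5):
    """Poll the command's invocations until none is still running and return
    {instance_id: status}. Invocations only appear once targets are resolved."""
    deadline = time.monotonic() + timeout
    while True:
        invs = ssm.list_command_invocations(CommandId=command_id)["CommandInvocations"]
        statuses = {i["InstanceId"]: i["Status"] for i in invs}
        if statuses and all(s in DONE for s in statuses.values()):
            return statuses
        if time.monotonic() > deadline:
            raise TimeoutError(f"command {command_id} still running: {statuses}")
        time.sleep(poll)


def main(instance_ids):
    import boto3  # imported here so the pure helpers above work without it
    ec2, rg, ssm = (boto3.client(s) for s in ("ec2", "resource-groups", "ssm"))
    ec2.create_tags(Resources=instance_ids,
                    Tags=[{"Key": TAG_KEY, "Value": TAG_VALUE}])             # Task 2
    rg.create_group(Name=RESOURCE_GROUP,
                    ResourceQuery=resource_group_query(TAG_KEY, TAG_VALUE))  # Task 3
    for req in run_command_requests(RESOURCE_GROUP, CW_PACKAGE, CW_CONFIG_PARAM):
        command_id = ssm.send_command(**req)["Command"]["CommandId"]
        statuses = wait_for_command(ssm, command_id)
        print(req["DocumentName"], statuses)
        if any(s != "Success" for s in statuses.values()):
            raise SystemExit(f"{req['DocumentName']} did not succeed on every instance")


if __name__ == "__main__":
    import sys
    main(sys.argv[1:])  # usage: python ops_as_code.py <web-instance-id> <db-instance-id>
```

Both commands must finish with Success on every instance before the metrics and log groups of Task 7 can be expected; the script stops at the first document that does not.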
Task 7: Validate Custom Metrics and Log Groups
In this task, you validate that metrics are being reported from the Amazon EC2 instances to the Amazon CloudWatch service.
At the top of the AWS Management Console, in the search bar, search for and choose
.
In the navigation menu at the left of the page, under Metrics, choose All Metrics.
The browser displays the CloudWatch Metrics page.
In the bottom half of the page, choose the Browse tab.
On the Browse tab, in the Metrics section, under Custom namespaces, choose .
Note: It can take up to 5 minutes for metrics to appear in the dashboard. Refresh your browser window if the CWAgent metric card is not displayed after a couple of minutes.
Choose the first metrics group named (ImageId, InstanceId, InstanceType, device…).
Select one of metrics listed for the instances.
CloudWatch starts graphing disk use in the dashboard metrics. It is normal for graphed metrics to be empty, because your environment is new and has not yet collected data.
In this task, you validated that metrics are being reported from the Amazon EC2 instances to the Amazon CloudWatch service.
(OPTIONAL) TASK 7.1: VALIDATE CUSTOM METRICS AND LOG GROUPS
- In the navigation menu at the left of the page, under Logs, choose Log groups.
In this section, you can view the events happening in your instances’ operating system (OS) and applications (Apache and MariaDB).
db_general_query_log
httpd_access_log
mariadb_log
messages
Access the application web server using the public Domain Name System (DNS) or IP you used on the first task in this lab.
Using the application webpage, add new entries to the database as follows:
Enter a value in the Category field.
Enter a value in the Description field.
Enter a value in the Price field.
Choose the Update database button to insert the item.
Repeat these steps to insert as many items as you want.
The application contains entry fields labelled as: Category, description and price. There is a button labelled update database. And there is a data table at the bottom of the page. The data table contains 5 examples.
Return to the Amazon CloudWatch console.
Choose the httpd_access_log link, and then choose the available Log stream link.
Your public IP is listed in the logs.
To figure out your public IP, you can use What Is My IP?.
- Return to the Log groups list, and then choose the db_general_query_log link.
The newly made database entries are listed in the logs.
Congratulations! In this task, you made new entries to the database and validated that the actions are recorded in the log stream.
Lab Complete
Congratulations! You completed the lab.
In a traditional environment, you would need to set up the systems and software to perform administration activities. You would require a server to run your scripts. You would need to manage authentication credentials across all of your systems.
Performing operations as code reduces the resources, time, risk, and complexity of performing operations tasks and ensures consistent operation, so your organization can focus on delivering more value to customers instead of reacting to emergencies. You can take operations as code and automate operations activities by using scheduling and event response. Through integration at the infrastructure level, you avoid processes that require multiple interfaces and systems to complete a single operations activity.
In this lab, you learned how to do the following:
Add custom tags to Amazon EC2 instances.
Create an AWS Resource Group for specific Amazon EC2 instances.
Use AWS Systems Manager for configuration of Amazon EC2 instances.
Install and start Amazon CloudWatch agent using AWS Systems Manager.
Validate custom metrics and log groups for Amazon EC2 instances in Amazon CloudWatch.
End lab
Follow these steps to close the console and end your lab.
Return to the AWS Management Console.
At the upper-right corner of the page, choose AWSLabsUser, and then choose Sign out.
Choose End lab and then confirm that you want to end your lab.
For more information about AWS Training and Certification, see aws.amazon.com/training.
Your feedback is welcome and appreciated.
If you would like to share any feedback, suggestions, or corrections, please provide the details in our AWS Training and Certification Contact Form.