# AWS EC2
Amazon Elastic Compute Cloud (EC2) provides resizable compute capacity in the cloud. Launch virtual servers, configure networking and security, and manage storage.
## Core Concepts
### Instance Types
| Category | Example | Use Case |
|---|---|---|
| General Purpose | t3, m6i | Web servers, dev environments |
| Compute Optimized | c6i | Batch processing, gaming |
| Memory Optimized | r6i | Databases, caching |
| Storage Optimized | i3, d3 | Data warehousing |
| Accelerated | p4d, g5 | ML, graphics |
### Purchasing Options
| Option | Description |
|---|---|
| On-Demand | Pay by the hour/second |
| Reserved | 1-3 year commitment, up to 72% discount |
| Spot | Unused capacity, up to 90% discount |
| Savings Plans | Flexible commitment-based discount |
### AMI (Amazon Machine Image)
Template containing OS, software, and configuration for launching instances.
### Security Groups
Virtual firewalls controlling inbound and outbound traffic.
## Common Patterns
### Launch an Instance
**AWS CLI:**

```bash
# Create key pair (the private key is written locally; keep it mode 400)
aws ec2 create-key-pair \
  --key-name my-key \
  --query 'KeyMaterial' \
  --output text > my-key.pem
chmod 400 my-key.pem

# Create security group
aws ec2 create-security-group \
  --group-name web-server-sg \
  --description "Web server security group" \
  --vpc-id vpc-12345678

# Allow SSH (from the internal range only) and HTTP (from anywhere)
aws ec2 authorize-security-group-ingress \
  --group-id sg-12345678 \
  --protocol tcp \
  --port 22 \
  --cidr 10.0.0.0/8

aws ec2 authorize-security-group-ingress \
  --group-id sg-12345678 \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

# Launch instance
aws ec2 run-instances \
  --image-id ami-0123456789abcdef0 \
  --instance-type t3.micro \
  --key-name my-key \
  --security-group-ids sg-12345678 \
  --subnet-id subnet-12345678 \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=web-server}]'
```
**boto3:**

```python
import boto3

ec2 = boto3.resource('ec2')
instances = ec2.create_instances(
    ImageId='ami-0123456789abcdef0',
    InstanceType='t3.micro',
    KeyName='my-key',
    SecurityGroupIds=['sg-12345678'],
    SubnetId='subnet-12345678',
    MinCount=1,
    MaxCount=1,
    TagSpecifications=[{
        'ResourceType': 'instance',
        'Tags': [{'Key': 'Name', 'Value': 'web-server'}]
    }]
)

instance = instances[0]
instance.wait_until_running()   # block until the instance reaches 'running'
instance.reload()               # refresh attributes such as the public IP
print(f"Instance ID: {instance.id}")
print(f"Public IP: {instance.public_ip_address}")
```

### User Data Script
```bash
aws ec2 run-instances \
  --image-id ami-0123456789abcdef0 \
  --instance-type t3.micro \
  --key-name my-key \
  --security-group-ids sg-12345678 \
  --subnet-id subnet-12345678 \
  --user-data '#!/bin/bash
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Hello from $(hostname)</h1>" > /var/www/html/index.html
'
```

### Attach IAM Role
```bash
# Create instance profile
aws iam create-instance-profile \
  --instance-profile-name web-server-profile

aws iam add-role-to-instance-profile \
  --instance-profile-name web-server-profile \
  --role-name web-server-role

# Launch with profile
aws ec2 run-instances \
  --image-id ami-0123456789abcdef0 \
  --instance-type t3.micro \
  --iam-instance-profile Name=web-server-profile \
  ...
```

### Create AMI from Instance
```bash
aws ec2 create-image \
  --instance-id i-1234567890abcdef0 \
  --name "my-custom-ami-$(date +%Y%m%d)" \
  --description "Custom AMI with web server" \
  --no-reboot
```

### Spot Instance Request
```bash
aws ec2 request-spot-instances \
  --instance-count 1 \
  --type "one-time" \
  --launch-specification '{
    "ImageId": "ami-0123456789abcdef0",
    "InstanceType": "c5.large",
    "KeyName": "my-key",
    "SecurityGroupIds": ["sg-12345678"],
    "SubnetId": "subnet-12345678"
  }' \
  --spot-price "0.05"
```

### EBS Volume Management
```bash
# Create volume
aws ec2 create-volume \
  --availability-zone us-east-1a \
  --size 100 \
  --volume-type gp3 \
  --iops 3000 \
  --throughput 125 \
  --encrypted

# Attach to instance
aws ec2 attach-volume \
  --volume-id vol-12345678 \
  --instance-id i-1234567890abcdef0 \
  --device /dev/sdf

# Create snapshot
aws ec2 create-snapshot \
  --volume-id vol-12345678 \
  --description "Daily backup"
```

## CLI Reference
### Instance Management
| Command | Description |
|---|---|
| `aws ec2 run-instances` | Launch instances |
| `aws ec2 describe-instances` | List instances |
| `aws ec2 start-instances` | Start stopped instances |
| `aws ec2 stop-instances` | Stop running instances |
| `aws ec2 reboot-instances` | Reboot instances |
| `aws ec2 terminate-instances` | Terminate instances |
| `aws ec2 modify-instance-attribute` | Modify instance settings |
### Security Groups
| Command | Description |
|---|---|
| `aws ec2 create-security-group` | Create security group |
| `aws ec2 describe-security-groups` | List security groups |
| `aws ec2 authorize-security-group-ingress` | Add inbound rule |
| `aws ec2 revoke-security-group-ingress` | Remove inbound rule |
| `aws ec2 authorize-security-group-egress` | Add outbound rule |
### AMIs
| Command | Description |
|---|---|
| `aws ec2 describe-images` | List AMIs |
| `aws ec2 create-image` | Create AMI from instance |
| `aws ec2 copy-image` | Copy AMI to another region |
| `aws ec2 deregister-image` | Delete AMI |
### EBS Volumes
| Command | Description |
|---|---|
| `aws ec2 create-volume` | Create EBS volume |
| `aws ec2 attach-volume` | Attach to instance |
| `aws ec2 detach-volume` | Detach from instance |
| `aws ec2 create-snapshot` | Create snapshot |
| `aws ec2 modify-volume` | Resize/modify volume |
## Best Practices
### Security
- Use IAM roles instead of access keys on instances
- Restrict security groups — principle of least privilege
- Use private subnets for backend instances
- Enable IMDSv2 to prevent SSRF attacks
- Encrypt EBS volumes at rest
```bash
# Require IMDSv2
aws ec2 modify-instance-metadata-options \
  --instance-id i-1234567890abcdef0 \
  --http-tokens required \
  --http-endpoint enabled
```
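A posture check for two of the practices above (IMDSv2 required, EBS volumes encrypted), written as an added example for this page rather than code from the original. It does not call AWS: the two input dicts are constructed samples whose shape mirrors what boto3's `describe_instances()` and `describe_volumes()` return, so the functions can be pointed at real responses later. Instance and volume ids, the function names, and the hop-limit check (a `HttpPutResponseHopLimit` above 1 lets metadata responses travel one extra network hop, which is only needed for container workloads) are this example's own choices.

```python
"""Posture check: IMDSv2 enforced and EBS volumes encrypted.
Input dicts mirror boto3 describe_instances()/describe_volumes() responses;
all sample data below is constructed for this example."""

# Constructed sample: one instance that enforces IMDSv2, one that still accepts IMDSv1
SAMPLE_INSTANCES = {
    "Reservations": [{
        "Instances": [
            {"InstanceId": "i-aaaaaaaaaaaaaaaaa",
             "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 1},
             "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                                      "Ebs": {"VolumeId": "vol-aaaa1111"}}]},
            {"InstanceId": "i-bbbbbbbbbbbbbbbbb",
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 2},
             "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                                      "Ebs": {"VolumeId": "vol-bbbb2222"}},
                                     {"DeviceName": "/dev/sdf",
                                      "Ebs": {"VolumeId": "vol-bbbb3333"}}]},
        ]
    }]
}

# Constructed sample: the data volume on the second instance is not encrypted
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-aaaa1111", "Encrypted": True},
        {"VolumeId": "vol-bbbb2222", "Encrypted": True},
        {"VolumeId": "vol-bbbb3333", "Encrypted": False},
    ]
}


def instances(resp):
    """Iterate over instances across all reservations in a describe_instances response."""
    for reservation in resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            yield inst


def imdsv2_findings(resp):
    """Return {instance_id: [problems]} for instances whose metadata options do not
    enforce IMDSv2. HttpTokens must be 'required'; a hop limit above 1 only makes
    sense for container workloads and is reported so it can be reviewed."""
    findings = {}
    for inst in instances(resp):
        opts = inst.get("MetadataOptions", {})
        problems = []
        if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
            problems.append("IMDSv1 still accepted (HttpTokens=%s)" % opts.get("HttpTokens"))
        if opts.get("HttpPutResponseHopLimit", 1) > 1:
            problems.append("hop limit %d > 1" % opts["HttpPutResponseHopLimit"])
        if problems:
            findings[inst["InstanceId"]] = problems
    return findings


def unencrypted_volumes(inst_resp, vol_resp):
    """Map each instance to the ids of attached EBS volumes that are not encrypted."""
    encrypted = {v["VolumeId"]: v.get("Encrypted", False) for v in vol_resp.get("Volumes", [])}
    result = {}
    for inst in instances(inst_resp):
        bad = [m["Ebs"]["VolumeId"] for m in inst.get("BlockDeviceMappings", [])
               if "Ebs" in m and not encrypted.get(m["Ebs"]["VolumeId"], False)]
        if bad:
            result[inst["InstanceId"]] = bad
    return result


def remediation_commands(inst_resp):
    """Build (but do not run) the modify-instance-metadata-options command from the
    page for every instance that still accepts IMDSv1."""
    return ["aws ec2 modify-instance-metadata-options --instance-id %s "
            "--http-tokens required --http-endpoint enabled" % iid
            for iid in imdsv2_findings(inst_resp)]


if __name__ == "__main__":
    for iid, problems in imdsv2_findings(SAMPLE_INSTANCES).items():
        print(iid, "->", "; ".join(problems))
    for iid, vols in unencrypted_volumes(SAMPLE_INSTANCES, SAMPLE_VOLUMES).items():
        print(iid, "unencrypted volumes:", ", ".join(vols))
    for cmd in remediation_commands(SAMPLE_INSTANCES):
        print(cmd)
```

Volumes cannot be encrypted in place; the remediation path for an unencrypted volume is snapshot, copy the snapshot with encryption enabled, create a new volume from it and swap it in, which is why the check only reports them.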
### Performance
- Right-size instances — monitor and adjust
- Use EBS-optimized instances
- Choose appropriate EBS volume type
- Use placement groups for low-latency networking
### Cost Optimization
- Use Spot Instances for fault-tolerant workloads
- Stop/terminate unused instances
- Use Reserved Instances for steady-state workloads
- Delete unused EBS volumes and snapshots
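The last item above is easy to state and easy to get wrong: a clean-up that deletes every old snapshot can remove a volume's only backup. The following is an added example, not code from the page, that finds unattached volumes and snapshots past a retention window while keeping the newest snapshot of each volume. It runs offline on constructed data shaped like boto3's `describe_volumes()` and `describe_snapshots()` responses; the `retain=true` tag convention, the ids and the reference time are assumptions of this example.

```python
"""Candidates for EBS clean-up: unattached volumes and stale snapshots.
Inputs mirror boto3 describe_volumes()/describe_snapshots() responses;
all sample data is constructed for this example."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time

SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-aaaa1111", "State": "in-use",
     "Attachments": [{"InstanceId": "i-1234567890abcdef0"}]},
    {"VolumeId": "vol-bbbb2222", "State": "available", "Attachments": []},
    {"VolumeId": "vol-cccc3333", "State": "available", "Attachments": [],
     "Tags": [{"Key": "retain", "Value": "true"}]},   # assumed opt-out tag
]}

SAMPLE_SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-0001", "VolumeId": "vol-aaaa1111",
     "StartTime": NOW - timedelta(days=3), "Description": "Daily backup"},
    {"SnapshotId": "snap-0002", "VolumeId": "vol-aaaa1111",
     "StartTime": NOW - timedelta(days=45), "Description": "Daily backup"},
    {"SnapshotId": "snap-0003", "VolumeId": "vol-zzzz9999",   # volume no longer exists
     "StartTime": NOW - timedelta(days=400), "Description": "pre-migration"},
]}


def tag(resource, key):
    """Look up one tag value on an EC2 resource dict (None when absent)."""
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}.get(key)


def unattached_volumes(vol_resp):
    """Volumes in state 'available' with no attachments, unless tagged retain=true."""
    return [v["VolumeId"] for v in vol_resp.get("Volumes", [])
            if v.get("State") == "available" and not v.get("Attachments")
            and tag(v, "retain") != "true"]


def stale_snapshots(snap_resp, retention_days, now=NOW, keep_latest_per_volume=True):
    """Snapshot ids older than the retention window, oldest first. With
    keep_latest_per_volume the newest snapshot of every volume is never listed,
    so a volume (or a deleted volume's last image) keeps at least one backup."""
    cutoff = now - timedelta(days=retention_days)
    snaps = snap_resp.get("Snapshots", [])
    newest = {}
    for s in snaps:
        vid = s["VolumeId"]
        if vid not in newest or s["StartTime"] > newest[vid]["StartTime"]:
            newest[vid] = s
    stale = []
    for s in sorted(snaps, key=lambda s: s["StartTime"]):
        if s["StartTime"] >= cutoff:
            continue
        if keep_latest_per_volume and newest[s["VolumeId"]] is s:
            continue
        stale.append(s["SnapshotId"])
    return stale


if __name__ == "__main__":
    print("unattached volumes:", unattached_volumes(SAMPLE_VOLUMES))
    print("snapshots older than 30 days:", stale_snapshots(SAMPLE_SNAPSHOTS, 30))
```

The output is a list of candidates to review, not a deletion run; the corresponding CLI calls would be `aws ec2 delete-volume` and `aws ec2 delete-snapshot`, applied only after the list has been checked.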
### Reliability
- Use Auto Scaling Groups for high availability
- Deploy across multiple AZs
- Use Elastic Load Balancer for traffic distribution
- Implement health checks
## Troubleshooting
### Cannot SSH to Instance
Checklist:
- Security group allows SSH (port 22) from your IP
- Instance has public IP or use bastion/SSM
- Key pair matches instance
- Instance is running
- Network ACL allows traffic
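The checklist items that API data can answer (security group, public IP, key pair, instance state) can be evaluated in one pass, and the same rule parser also serves the "restrict security groups" best practice by flagging admin ports open to the world. This is an added example, not code from the page; it runs offline on constructed samples shaped like boto3's `describe_security_groups()` and `describe_instances()` responses, and the network ACL and bastion/SSM items are left to a manual check. The function names, `ADMIN_PORTS`, and the sample addresses are this example's assumptions.

```python
"""SSH checklist evaluation plus a least-privilege audit of ingress rules.
Inputs mirror boto3 describe_security_groups()/describe_instances() responses;
all sample data is constructed for this example."""
import ipaddress

ADMIN_PORTS = {22, 3389}  # assumed set of ports that should never be world-reachable

# Constructed: the two rules from the launch pattern plus an RDP rule open to all of IPv6
SAMPLE_SGS = {"SecurityGroups": [{
    "GroupId": "sg-12345678",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]}]}

SAMPLE_INSTANCE = {"Reservations": [{"Instances": [{
    "InstanceId": "i-1234567890abcdef0", "State": {"Name": "running"},
    "KeyName": "my-key", "PublicIpAddress": "203.0.113.10",
    "SecurityGroups": [{"GroupId": "sg-12345678"}]}]}]}


def ingress_rules(sg_resp):
    """Flatten IpPermissions into (group_id, proto, from_port, to_port, cidr) tuples.
    Protocol '-1' means all traffic and carries no port fields."""
    for sg in sg_resp.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                lo, hi = 0, 65535
            else:
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                yield sg["GroupId"], proto, lo, hi, cidr


def _covers(lo, hi, proto, port):
    """True when a TCP (or all-traffic) rule's port range includes `port`."""
    return proto in ("-1", "tcp") and lo is not None and lo <= port <= hi


def world_open_admin_ports(sg_resp):
    """Least-privilege audit: (group, port, cidr) for admin ports open to any address."""
    hits = []
    for gid, proto, lo, hi, cidr in ingress_rules(sg_resp):
        if ipaddress.ip_network(cidr).prefixlen == 0:  # 0.0.0.0/0 or ::/0
            for port in sorted(ADMIN_PORTS):
                if _covers(lo, hi, proto, port):
                    hits.append((gid, port, cidr))
    return hits


def ssh_checklist(inst_resp, sg_resp, client_ip, key_name):
    """Evaluate the checklist items that API data can answer for the first instance
    in the response, from the point of view of a client at `client_ip`."""
    inst = inst_resp["Reservations"][0]["Instances"][0]
    ip = ipaddress.ip_address(client_ip)
    attached = {g["GroupId"] for g in inst.get("SecurityGroups", [])}
    # ip-in-network is False across address families, so v4 clients never match ::/0
    sg_ok = any(gid in attached and _covers(lo, hi, proto, 22)
                and ip in ipaddress.ip_network(cidr)
                for gid, proto, lo, hi, cidr in ingress_rules(sg_resp))
    return {
        "security_group_allows_ssh_from_client": sg_ok,
        "instance_has_public_ip": bool(inst.get("PublicIpAddress")),
        "key_pair_matches": inst.get("KeyName") == key_name,
        "instance_running": inst.get("State", {}).get("Name") == "running",
    }


if __name__ == "__main__":
    print("world-open admin ports:", world_open_admin_ports(SAMPLE_SGS))
    for check, ok in ssh_checklist(SAMPLE_INSTANCE, SAMPLE_SGS, "10.20.30.40", "my-key").items():
        print(("PASS" if ok else "FAIL"), check)
```

A failed `security_group_allows_ssh_from_client` for a client outside 10.0.0.0/8 is the expected result with the rules from the launch pattern; the fix is the bastion or Session Manager route from the checklist, not widening the rule.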
```bash
# Check security group
aws ec2 describe-security-groups --group-ids sg-12345678

# Check instance state
aws ec2 describe-instances \
  --instance-ids i-1234567890abcdef0 \
  --query "Reservations[].Instances[].{State:State.Name,PublicIP:PublicIpAddress}"
```

**Use Session Manager instead:**

```bash
aws ssm start-session --target i-1234567890abcdef0
```

### Instance Won't Start
Causes:
- Reached instance limits
- Insufficient capacity in AZ
- EBS volume issue
- Invalid AMI
```bash
# Check instance state reason
aws ec2 describe-instances \
  --instance-ids i-1234567890abcdef0 \
  --query "Reservations[].Instances[].StateReason"
```

### Instance Unreachable
Debug:
```bash
# Check instance status
aws ec2 describe-instance-status \
  --instance-ids i-1234567890abcdef0

# Get console output
aws ec2 get-console-output \
  --instance-id i-1234567890abcdef0

# Get screenshot (for Windows/GUI issues)
aws ec2 get-console-screenshot \
  --instance-id i-1234567890abcdef0
```

### High CPU/Memory
```bash
# Enable detailed monitoring
aws ec2 monitor-instances \
  --instance-ids i-1234567890abcdef0

# Check CloudWatch metrics
aws cloudwatch get-metric-statistics \
  --namespace AWS/EC2 \
  --metric-name CPUUtilization \
  --dimensions Name=InstanceId,Value=i-1234567890abcdef0 \
  --start-time $(date -d '1 hour ago' -u +%Y-%m-%dT%H:%M:%SZ) \
  --end-time $(date -u +%Y-%m-%dT%H:%M:%SZ) \
  --period 300 \
  --statistics Average
```
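The `get-metric-statistics` call above returns datapoints in no guaranteed order, so a "high CPU" verdict needs them sorted by timestamp before looking for a sustained run. The following is an added example, not code from the page: it runs offline on a constructed response shaped like boto3's `get_metric_statistics()` output and reports the longest run of consecutive 5-minute periods above a threshold. The threshold, the minimum run length and the sample values are this example's assumptions.

```python
"""Sustained-load verdict from CloudWatch CPUUtilization datapoints.
Input mirrors a boto3 get_metric_statistics() response; sample data is constructed."""
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed start of the window

# Constructed sample at the page's 300-second period, deliberately out of order
SAMPLE_METRICS = {
    "Label": "CPUUtilization",
    "Datapoints": [
        {"Timestamp": T0 + timedelta(minutes=25), "Average": 97.0, "Unit": "Percent"},
        {"Timestamp": T0 + timedelta(minutes=5),  "Average": 38.5, "Unit": "Percent"},
        {"Timestamp": T0 + timedelta(minutes=15), "Average": 91.2, "Unit": "Percent"},
        {"Timestamp": T0,                         "Average": 12.0, "Unit": "Percent"},
        {"Timestamp": T0 + timedelta(minutes=20), "Average": 95.4, "Unit": "Percent"},
        {"Timestamp": T0 + timedelta(minutes=10), "Average": 44.0, "Unit": "Percent"},
    ],
}


def ordered_series(resp, stat="Average"):
    """(timestamp, value) pairs sorted by time, for the requested statistic."""
    return sorted((d["Timestamp"], d[stat]) for d in resp.get("Datapoints", []))


def longest_breach(series, threshold):
    """Length of the longest run of consecutive datapoints above threshold,
    and the timestamp at which that run started (None if there is no breach)."""
    best_len, best_start = 0, None
    run_len, run_start = 0, None
    for ts, value in series:
        if value > threshold:
            if run_len == 0:
                run_start = ts
            run_len += 1
            if run_len > best_len:
                best_len, best_start = run_len, run_start
        else:
            run_len = 0
    return best_len, best_start


def sustained_high_cpu(resp, threshold=90.0, min_periods=3):
    """Verdict dict: breached when at least `min_periods` consecutive periods
    exceed `threshold`; also reports the run length, its start and the peak."""
    series = ordered_series(resp)
    periods, start = longest_breach(series, threshold)
    return {
        "breached": periods >= min_periods,
        "periods": periods,
        "start": start,
        "peak": max((v for _, v in series), default=0.0),
    }


if __name__ == "__main__":
    verdict = sustained_high_cpu(SAMPLE_METRICS)
    print("sustained high CPU:", verdict["breached"],
          "(%d periods from %s, peak %.1f%%)" % (verdict["periods"], verdict["start"], verdict["peak"]))
```

Requiring several consecutive periods rather than a single spike is what separates a right-sizing problem from a transient burst; with the 300-second period used above, three periods is fifteen minutes of sustained load.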