Launching an EC2 Instance: AMI, Instance Type, Key Pair, VPC, Security Group, and EBS

A deep dive into the six key choices you make when launching an Amazon EC2 instance.

20 min
Introductory
AWS Free Tier

All services used in this lesson are covered by the AWS Free Tier.

AWS Services Used

  • Amazon EC2: Choose 't2.micro' or 't3.micro' for Free Tier
  • Amazon EBS: 30 GB of General Purpose (SSD) storage is free

Learning outcomes

By the end of this lesson, you will be able to:

  1. Name the main choices made when launching an EC2 instance.
  2. Explain what each launch component does: AMI, instance type, key pair, VPC/subnet, security group, and EBS.
  3. Describe the basic launch flow in the EC2 console.
  4. Explain why insecure network defaults can be acceptable for short demos but unsafe for production.
  5. Understand what happens after launch: pending, running, status checks, and connecting.

What you are doing

Launching an EC2 instance is not just clicking “create server.” You are choosing a machine template, a machine size, a login method, a network location, firewall rules, and storage. AWS’s getting-started guide presents these as the key components for a first instance: image, key pair, VPC/network, security group, and EBS volume.


1) Step-by-step launch flow

In the EC2 console, the standard launch flow is:

  1. Choose a Region.
  2. Choose Launch instance.
  3. Enter a name.
  4. Choose an AMI.
  5. Choose an instance type.
  6. Choose or create a key pair.
  7. Review network settings including VPC, subnet, and security group.
  8. Review storage.
  9. Launch the instance.

AWS says that after launch the instance starts in the pending state, then moves to running, and after it passes status checks it is ready to receive connection requests.


2) AMI: the machine template

An AMI (Amazon Machine Image) is the template used to launch the instance. It contains the software needed to run the instance, such as the operating system. In the launch wizard, AWS recommends choosing a Quick Start operating system and selecting an AMI that is marked Free Tier eligible when possible.

  • AMI = what machine image am I starting from?
  • Example: Amazon Linux, Ubuntu, Windows Server.

3) Instance type: the size of the machine

Instance types determine the compute resources, memory, storage, and network performance available to your EC2 instance.

  • AMI = what the machine starts as
  • Instance type = how powerful the machine is

So if the AMI is “which operating system,” the instance type is more like “how much CPU and memory does this server get?”


4) Key pair: how you prove your identity

A key pair is a set of security credentials used to prove your identity when connecting to the instance. The public key is placed on the instance and the private key stays on your computer.

Warning

If you proceed without a key pair in this tutorial path, you will not be able to connect using the methods shown there.

  • Key pair = your login credential for connecting to the server

5) VPC and subnet: where the instance lives

A VPC (Virtual Private Cloud) is a virtual network dedicated to your account. To help you get started, each Region includes a default VPC and default subnets. When you launch an instance, you choose a VPC and subnet, and the instance receives a private IPv4 address from the subnet’s range.

  • VPC = your cloud network
  • Subnet = one segment inside that network
  • Private IP = internal address inside that network

6) Security group: the instance firewall

A security group is a virtual firewall that controls inbound and outbound traffic for EC2 instances. Inbound rules control what can reach the instance; outbound rules control what the instance can send out. Security groups are stateful, so response traffic is automatically allowed for permitted connections.

Warning

The default first-launch path may configure a security group rule allowing access from anywhere (0.0.0.0/0). For SSH or RDP this might be acceptable briefly in a test environment, but it is unsafe for production, where access should be restricted to your specific IP address.

  • Security group = who is allowed to talk to this server

7) EBS: the instance’s persistent disk

An Amazon EBS (Elastic Block Store) volume is a durable, block-level storage device that you attach to an EC2 instance. EBS is commonly used for the system drive (the root volume) of an instance or storage for applications like databases. EBS volumes persist independently from the running life of an EC2 instance.

  • EBS = the server’s disk
  • Root volume = the main disk the machine boots from

8) Public vs private access after launch

An instance gets a private IPv4 address from the subnet; that address is not reachable over the internet. You can optionally configure public IPv4 or IPv6 addresses to make the instance accessible from outside the cloud.

This is why two launch choices matter together:

  1. The instance needs the right network placement (publicly accessible subnet).
  2. The instance needs the right security group rules (allow traffic from your computer).
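
The 0.0.0.0/0 warning in section 6 and the two-condition point above can be checked together. The following is an added example, not part of the original lesson: it audits data shaped like the EC2 `describe_security_groups` and `describe_instances` responses and flags instances that have a public IPv4 address and an SSH or RDP rule open to anywhere. The group IDs, instance IDs, and addresses are constructed, and IPv6-only exposure of an instance is not checked.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # the two login methods the lesson names

def is_anywhere(cidr):
    # 0.0.0.0/0 and ::/0 have prefix length 0, so every source address matches
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def open_admin_rules(group):
    """Return [(service, cidr)] for inbound rules that expose SSH/RDP to anywhere."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        all_ports = proto == "-1"  # "-1" means every protocol and every port
        lo, hi = (0, 65535) if all_ports else (perm["FromPort"], perm["ToPort"])
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in filter(is_anywhere, cidrs):
            findings += [(name, cidr) for port, name in ADMIN_PORTS.items()
                         if lo <= port <= hi]
    return findings

def exposed_instances(instances, groups_by_id):
    """Flag instances that have a public IPv4 address AND an open admin rule."""
    report = {}
    for inst in instances:
        if not inst.get("PublicIpAddress"):
            continue  # private-only: not reachable from the internet
        hits = []
        for sg in inst.get("SecurityGroups", []):
            hits += open_admin_rules(groups_by_id[sg["GroupId"]])
        if hits:
            report[inst["InstanceId"]] = sorted(set(hits))
    return report

# Constructed sample data (IDs and addresses are made up for this example)
def ssh_rule(cidr):
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": cidr}]}
GROUPS = {
    "sg-demo": {"GroupId": "sg-demo", "IpPermissions": [ssh_rule("0.0.0.0/0")]},
    "sg-locked": {"GroupId": "sg-locked", "IpPermissions": [ssh_rule("203.0.113.10/32")]},
}
INSTANCES = [
    {"InstanceId": "i-demo-public", "PublicIpAddress": "198.51.100.7", "SecurityGroups": [{"GroupId": "sg-demo"}]},
    {"InstanceId": "i-demo-private", "SecurityGroups": [{"GroupId": "sg-demo"}]},
    {"InstanceId": "i-locked-public", "PublicIpAddress": "198.51.100.8", "SecurityGroups": [{"GroupId": "sg-locked"}]},
]
```

Calling `exposed_instances(INSTANCES, GROUPS)` reports only the instance that is both publicly addressed and attached to the open group; the same open group on a private-only instance, and a public instance restricted to a single /32, are not flagged.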

9) What happens after you click Launch

The instance lifecycle follows this flow:

  • pending (wait for resources to be ready)
  • running (instance is powered on)
  • status checks (wait for AWS to verify the system is healthy)
  • connect (using SSH for Linux or RDP for Windows)

Micro-activity 1: Label the launch choices

EC2 Configuration Decisions

Match each launch choice to the specific problem it solves.

Micro-activity 2: Safe or unsafe?

Security Best Practices

Decide whether each choice is safe for production or okay only for short testing.


Summary

Launching an EC2 instance means making six important choices: AMI, instance type, key pair, VPC/subnet, security group, and EBS.

The key insight is that an EC2 instance is not just “a server.” It is also a machine image, a size choice, a network placement, a firewall policy, and a disk. That is why launching EC2 teaches more AWS architecture thinking than simply “click run.”


Knowledge Check


What does an AMI provide when launching an EC2 instance?
