How to use the Firefox Extension for Amazon EC2

The Firefox extension for manipulating EC2 instances is a great tool but the download page doesn’t offer any instructions on how to use it and more than a few people have had issues configuring it properly.   In general, it’s a very simple application but there are a couple gotchas to watch out for.   I’m pretty new to this extension myself, and there are a few questions that I still have about it, so hopefully those who know more about it than I do will also read through this howto/faq/tutorial/whatever and post corrections or embellishments as necessary.

The home page for the extension is http://developer.amazonwebservices.com/connect/entry.jspa?entryID=609.

Step 1: Download and Install the Firefox Extension for Amazon EC2

The Extension can be downloaded from http://s3.amazonaws.com/ec2-downloads/ec2ui.xpi.   If you use Firefox to download the file, Firefox will detect that it is an extension and install it for you automatically.

Step 2: Run the extension

Launch Firefox and click on the Tools/EC2 UI menu item.

Step 3: Register your Credentials with the plugin

Click on the “Credentials” button in the top left of the window.   Enter your Account Name.   Your Account Name needs to match your username on the AWS developer site.   You can find by logging into the forums, clicking on “Your Control Panel” and looking at the text to the right of “Developer Connection” in the breadcrumbs at the top of the page (I think that is a consistent way to find your username – some pages seem to list your user name in the upper right hand corner and some list your first name and last name in the upper right hand corner of the page).   Then enter your Access Key and Secret Key (these can be found when you log into the Amazon Web Services home page ( http://www.amazon.com/gp/browse.html?node=3435361).

Step 4: View the list of Available AMIs

If it is not already selected, click on the “AMIs and Instances” tab at the top of the plugin and if necessary click the blue refresh button for the Available AMIs window to see the list of publicly available AMIs (Amazon Machine Images) that you can use to launch EC2 instances.  

If you have any private AMIs of your own, you can add them to the list using the green “+” button.   I’m not sure what happens if you try to use the red “-“ button to remove a publicly available AMI from your list (presumably it doesn’t remove it from the global public list but I don’t know if it hides that AMI from you or if it generates an error).

Step 5: Configure the firewall settings for your default security group

EC2 wraps each machine instance in a configurable firewall.   You can open and close ports and control which IP addresses are allowed to connect to which machines.   The firewall is very powerful but if you configure it incorrectly you will not be able to access your machines other than to reboot them or shut them down.   If you don’t actively change your settings, you will not be able to connect to your machines (at least that was how my account was set up the first time that I used the Firefox EC2 UI).

At a minimum, you will probably want to open TCP port 22 (used by open SSH to allow you to log into the machine) and TCP port 80 (if you are running a web server on the machine) or port 443 (if you are serving up web pages over https).

Switch to the “Security Groups” tab.

Refresh the list of security groups by clicking the blue refresh button under “Your Groups”.

Select the default group.  

To open a port 22 (used by open SSH) in the default group, click on the green check mark in the “Group Permissions” pane and specify a source of CIDR 0.0.0.0/0 (which indicates that any port on any machine can connect to the specified port(s) on instances in the default security group.   Then set the Protocol Details to TCP/IP and the port range from 22 to 22 (since we only want to open a single port here).    Click “Add” to record the settings and then repeat the process to open port 80 (from port=80, to port=80).

For simplicity while you are learning you can of course open all TCP ports by specifying a port range from 0 to 65535 but you definitely would not want to do that on a production machine (and I’d be inclined to assume that any machine which spent time with all its ports open like that would had been compromised by some trolling botnet and should be thrown away as soon as you are done getting a feel for the service).

Step 6: Generate a key pair for identifying yourself to your instances

EC2 instances use key pairs.   Key pairs are cryptographically generated identifiers that are mathematically linked by what is called a “one-way function.”   One of the identifiers is called the “public” key and the other called the “private” key.   Messages that are encrypted using the private key can only be decrypted using the public key and messages that are encrypted using the public key can only be decrypted using the private key.   If you give your instance a copy of your public key, then you and your instance can exchange messages that allow each of you to trust the identity of one another (which is a fancy way of saying that EC2 can use key pairs to allow you to log into your instances automatically without needing to remember or type in passwords).

The Firefox EC2 extension allows you to generate key pairs and store them on your local hard disk.   You should protect these key pair files as if they were passwords to the accounts on your instances because that is effectively what they are.

In a later step, when you launch an instance you will indicate which of your key pairs to provide to that instance.   You will also need to provide the key pair to the open SSH terminal program that you use to log into the instance.

To generate a key pair, click on the “Key Pairs” tab at the top of the plugin.   You can use the green key button to generate a new key pair file.   You will be asked for the name of the file to create and then prompted for a location to store the file.   I *think* that the first popup (the one that asks for the key pair name may be somewhat poorly labeled.   Many key pair generators ask the user to provide a text string to seed the randomization process that is involved in the key generation and I suspect that the first popup is actually asking for this type of seed string because after you click OK you are immediately presented with a file browser dialog asking you what you want to call the file that you are generating and where you want to store the file.   (Perhaps someone who is more familiar with the inner workings of this extension could comment on that).

If you want to use PuTTY to connect to your instance from Windows, you will need to run a separate program to convert the key pair file from the format that EC2 can read into the format that PuTTY can read.   This is discussed in the Appendix on PuTTY in the Amazon EC2 Getting Started Guide (I’d post a link, but Amazon keeps updating their docs and I haven’t seen any way to post a link to “the newest version” of the docs).

Step 7: Start up an instance of an AMI

You can launch an instance of an AMI by selecting the AMI from the list of Available AMIs and clicking the green power button icon in the “Available AMIs” window.   Clicking on the green power button will bring up the “Launch new instance(s)” popup where you further configure the instance that you are about to launch.

Using the Launch new instance(s) popup you can specify whether to launch a small, large, or extra large instance.   More importantly, you can also specify the key pair to provide to the instance.   The key pair is what allows you to log into the machine once it is launched.   If you have already created your own private AMI files you may have baked your key pairs into those images (in which case you do not need to provide a key pair here) but if you are reading this tutorial then you are probably new to EC2 and are attempting to launch a public AMI.   When you launch a public AMI, the public portion of the key pair that you specify will be provided to the instance when it launches so that it can be used to authenticate you.   In general, I believe that most public AMIs are currently installing the credentials into the root account, so that you can be allowed to log into root over an SSH connection without the need for a password.

You will also want to select a security group to launch the image into.   Security groups control the settings of the EC2 firewall.   If your security group is not configured correctly, you may be unable to log into your instance (you will always be able to shut it down using the red power button in the “Your Instances” window).

The User Data panel allows you to enter additional parameters that can be provided to the instance on launch.   If the AMI that you are launching supports User Data it will hopefully have provided documentation on what text you should enter in the User Data panel.

The Launch button sends a request to EC2 to provision and activate your server instance.   You will need to refresh the list of “Your Instances” to find out when the new instance is up and running (hopefully only about a minute or so after you hit the Launch button).

Step 8: See your list of running instances, requests, and recent shutdowns

If necessary, click the blue refresh button in the “Your Instances” window.  

You can double-click on an instance to see more details about the instance (and more importantly to get a text field containing the public DNS address of your machine that you can copy the value out of for use in other programs).

The red starburst button reboots the selected instance (you will see the “State” field for the instance change if you refresh the list of instances during the reboot).

The red power button icon shuts down the selected instance.   This is obviously an important button as you will be charged for your instances until you shut them down (and, in general, you will actually be charged for longer than that as Amazon bills you for one-hour increments so an image that runs for one minute incurs the same charge as one that runs for 59 minutes).

The blue document button pops up a window to view the console output of the image.

Step 9: Log into your instance using an open SSH connection

In general, I believe that most public instances are currently being configured to allow you to log in as root.   If not, presumably the documentation on the AMI will tell you what account to use when you log in.  

For Windows users, there is an Appendix on how to use PuTTY to log into your instance at the end of the EC2 Getting Started Guide (as I mentioned earlier, I don’t want to embed links to the docs here because Amazon keeps updating them and there doesn’t seem to be any way to specify a link to “the newest version” of the document   The page on “Running an Instance” in the same EC2 Getting Started Guide has similar instructions on how to connect to an instance from a Unix machine.  

My unanswered Question: What does the “Account IDs” button do?

Hopefully someone who reads this posting can explain the purpose of   the Account IDs button.