DEV Community

Cover image for EC2: Your First Server in the Cloud πŸ–₯️

EC2: Your First Server in the Cloud πŸ–₯️

Chapter 5 of the AWS Learning Journey. The IAM arc is done. The team is set up. Now Pixel & Spoon needs a server β€” and two people are about to work together to make it happen.


Monday Morning at Pixel & Spoon

It's been a productive week.

The AWS account is locked down. Root account sitting in a vault with MFA. Aarav, Meera, and Rohit each have their own IAM users β€” their own badges, their own permissions, nothing more than what their jobs require.

Aarav is ready to build the ordering backend.

But he needs somewhere to run it.

He messages Rohit:

"Hey β€” can you spin up a server for me? I need something to deploy the ordering system on."

Rohit: "On it."

This is how real teams work. Aarav writes code. Rohit builds infrastructure. The separation isn't just cultural β€” it's enforced by the very IAM policies we set up in Chapter 4.3. Aarav's PixelSpoon-Developer-EC2 policy doesn't include ec2:CreateKeyPair, ec2:CreateSecurityGroup, or ec2:RunInstances. He literally cannot provision a server even if he wanted to.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:GetConsoleOutput",
        "ec2-instance-connect:SendSSHPublicKey"
      ],
      "Resource": "*"
    }
  ]
}

Enter fullscreen mode Exit fullscreen mode

That's Least Privilege doing its job.

So today β€” we follow Rohit first. Then we hand the server to Aarav.

Devop Vs Dev


πŸ”‘ The IAM Sign-In URL β€” How the Team Logs In

Before anything gets built, let's fix something we glossed over in earlier chapters.

Every time we've opened the AWS console so far β€” we used the root account. That stops today permanently.

Each team member has their own IAM user and logs in through a dedicated URL that's specific to Pixel & Spoon's AWS account:

https://YOUR-ACCOUNT-ID.signin.aws.amazon.com/console
Enter fullscreen mode Exit fullscreen mode

To find your account ID β€” log in to root one last time β†’ click your account name top right β†’ Account. The 12-digit Account ID is shown there.

Share that URL with your team. That's their front door. Not aws.amazon.com. That's for root only.

πŸ’‘ You can make this URL friendlier by setting an account alias in the IAM dashboard. Instead of a 12-digit number, it becomes something like https://pixelspoon.signin.aws.amazon.com/console. Go to IAM β†’ Dashboard β†’ create alias on the right side.

For this chapter:

  • Rohit logs in as rohit-devops to provision the server
  • Aarav logs in as aarav-dev to connect and deploy the code
  • Root stays locked

πŸ–₯️ What Is EC2?

Before Rohit launches anything β€” let's make sure we know what he's actually about to create.

EC2 stands for Elastic Compute Cloud.

Elastic   β†’  Scales up or down based on demand
Compute   β†’  CPU, RAM β€” actual processing power
Cloud     β†’  Available over the internet, on AWS hardware
Enter fullscreen mode Exit fullscreen mode

Remember Chapter 2 β€” virtualization? One physical server, sliced into many virtual machines by a hypervisor?

EC2 is that virtual machine. The one you rent. Running on AWS's physical hardware, in the Region you chose, isolated and yours alone.

In 1999, getting a server for Pixel & Spoon's ordering system would have taken weeks and cost lakhs before a single line of code ran on it. We covered that pain in Chapter 1.

Rohit will have one ready in under 10 minutes.


🧱 Three Decisions Rohit Makes Before Launching


Decision 1 β€” The AMI: What OS Does the Server Run?

An AMI (Amazon Machine Image) is the operating system template β€” the base layer everything runs on.

Rohit picks Amazon Linux 2023.

Why?

  • Built and optimised specifically for AWS
  • Free β€” no licensing cost
  • Pre-installed with the SSM agent (useful for secure connections later)
  • Most AWS documentation uses it β€” easier to troubleshoot

Decision 2 β€” The Instance Type: How Powerful?

t-series   β†’  General purpose, burstable performance
               Like a reliable everyday car β€” handles most tasks well,
               won't win a race but never lets you down
               Best for: web servers, APIs, small apps, learning
               ⭐ Rohit's choice: t3.micro β€” Free tier eligible βœ…

c-series   β†’  Compute optimised, high CPU power
               Like a sports car β€” built for speed, not storage
               Best for: video processing, ML inference, game servers
               Example: c7g.large

r-series   β†’  Memory optimised, high RAM
               Like a moving truck β€” massive capacity, built to carry
               Best for: in-memory databases, large caches, analytics
               Example: r6g.large

m-series   β†’  Balanced CPU and memory, the production workhorse
               Like a reliable delivery van β€” good at everything,
               specialised at nothing
               Best for: production app servers, mid-size databases
               Example: m6i.large
Enter fullscreen mode Exit fullscreen mode

Pixel & Spoon has zero users today. t3.micro is more than enough. When the app grows β€” Rohit can resize it. That's the elastic part.

InstanceTypes


Decision 3 β€” The Security Group: Which Ports Are Open?

A Security Group is the firewall around the EC2 instance. Every request that reaches the server passes through it first.

Least Privilege at the network level β€” only open what's actually needed.

Pixel & Spoon's backend needs exactly two ports:

Port 22    β†’  SSH access (for connecting to the server)
Port 3000  β†’  Node.js app (for users reaching the ordering system)
Enter fullscreen mode Exit fullscreen mode

Not port 8080. Not port 443 "just in case." Not anything else.

Two ports. That's it.

The same principle from IAM policies applies here. Every unnecessary open port is an attack surface. Bots scan every public IP on the internet constantly β€” the smaller the surface, the safer the server.


πŸš€ Rohit Launches the Instance

Rohit logs in as rohit-devops.


Step 1 β€” Open EC2

Search EC2 in the console β†’ check Region is ap-south-1 (Mumbai) β†’ click orange Launch instance.

alt text


Step 2 β€” Name the Instance

pixel-spoon-backend
Enter fullscreen mode Exit fullscreen mode

Lowercase, hyphens, descriptive. When Rohit is managing six instances at 2am, names matter.


Step 3 β€” Choose the AMI

Search Amazon Linux 2023 β†’ select it β†’ confirm the Free tier eligible badge.

alt text

Step 4 β€” Choose Instance Type

Select t3.micro β€” confirm Free tier eligible.


Step 5 β€” Create the Key Pair

Click Create new key pair.

Key pair name:  pixelspoon-key
Key pair type:  RSA
Format:         .pem
Enter fullscreen mode Exit fullscreen mode

Click Create key pair β€” the .pem file downloads immediately.

alt text

⚠️ This file is shown once. There is no recovery. Rohit moves it to a secure location immediately β€” not Downloads, not the Desktop. A dedicated credentials folder, or better yet, an encrypted vault.

Rohit will share this with Aarav through a secure channel β€” a password manager or encrypted file share. Not Slack. Not email.

πŸ’‘ Notice this step is done by Rohit, not Aarav. aarav-dev doesn't have ec2:CreateKeyPair in his policy β€” by design. Infrastructure credentials are DevOps territory. Aarav will use this key to connect, but he never created it. That's the separation working correctly.


Step 6 β€” Configure the Security Group

Under Network settings β†’ click Edit.

Keep the default SSH rule (port 22). Add one more:

Type:        Custom TCP
Port:        3000
Source:      Anywhere (0.0.0.0/0)
Description: Pixel & Spoon Node.js ordering system
Enter fullscreen mode Exit fullscreen mode

Two rules total. Done.

alt text


Step 7 β€” Launch

Leave storage at default 8GB β†’ scroll down β†’ Launch instance.

60–90 seconds. When Instance state shows Running β€” Pixel & Spoon's server is live.

AWS EC2 instance state running green console screenshot


🀝 The Handoff

Rohit's work is done.

He sends Aarav two things:

πŸ“‹ Public IPv4 address:  (copy from EC2 console instance details)
πŸ”‘ pixelspoon-key.pem:   (shared via secure channel)
Enter fullscreen mode Exit fullscreen mode

Now it's Aarav's turn.


πŸ’» Aarav Connects β€” Browser First

Aarav logs in as aarav-dev.

He opens EC2, finds pixel-spoon-backend in the instances list, selects it, and clicks the orange Connect button.
alt text

He stays on the EC2 Instance Connect tab β€” username is ec2-user β€” clicks Connect.

A terminal opens in the browser.

alt text

A machine running in a data center in Mumbai, responding to commands from Aarav's laptop.

That blinking cursor is the moment cloud computing stops being a concept and becomes real.

πŸ’‘ EC2 Instance Connect is the quickest way in β€” no key file needed,
works straight from the browser. But there are actually four ways
to connect to an EC2 instance β€” including SSH from terminal on
Mac, Linux, and Windows. We cover all of them in the companion post:

πŸ‘‰ Ch 5.1 β€” All Four Ways to Connect to EC2 β†’ (Read it here)


πŸ“¦ Aarav Deploys Pixel & Spoon's Code

The server is empty. The ordering system needs to get on it.

The right way β€” the way real teams do it β€” is Git. Code lives in
a repository, versioned and safe. The server pulls it with one
command. When the code changes, pull again.

First, install the dependencies:

sudo dnf update -y
sudo dnf install git nodejs -y
Enter fullscreen mode Exit fullscreen mode

Then clone, checkout the Chapter 5 version, and run:

git clone https://github.com/srsoumyax11/pixel-and-spoon.git
cd pixel-and-spoon
git checkout ch05-start
npm install
npm start
Enter fullscreen mode Exit fullscreen mode

alt text

Open a browser and go to:

http://YOUR_PUBLIC_IP:3000
Enter fullscreen mode Exit fullscreen mode

In my case it is 65.2.130.72:3000

Screenshot of the Website I built

alt text
alt text
alt text

Pixel & Spoon's ordering system is live. On a real server.
On the real internet.

πŸ’‘ Why git checkout ch05-start?

The repo grows alongside this series β€” by Chapter 12 it will
have auth, by Chapter 16 it will have Secrets Manager
integration. The ch05-start tag freezes the codebase at
exactly what Aarav deployed today β€” so this tutorial works
correctly no matter when you're reading it.

Each future chapter will have its own tag. You'll always know
exactly which version to run.

⭐ The Repo Behind This Series

The code Aarav just cloned is real β€” and you can use it yourself.

github.com/srsoumyax11/pixel-and-spoon

A fullstack Node.js server with two endpoints:

GET /        β†’  Pixel & Spoon's dynamic Server Side Rendered (SSR) ordering system
GET /health  β†’  Returns 
                {
                  "status": "ok",
                  "service": "pixel-spoon-backend",
                  "timestamp": "2026-07-06T08:10:24.199Z",
                  "uptime": 268.874721923,
                  "totalOrders": 0,
                  "version": "1.0.0"
                }
Enter fullscreen mode Exit fullscreen mode

β€” confirms the server is alive

To use it:

  1. Fork the repo to your own GitHub
  2. Clone your fork onto your EC2 instance
  3. Runs on port 3000 β€” no config needed

🌟 If this series has been useful β€” a star on the repo goes a long way.
It helps other learners find it and keeps the series going.

⭐ Star it here β†’ github.com/srsoumyax11/pixel-and-spoon


πŸ’° What Is This Costing?

t3.micro β€” 750 free hours per month for 12 months.

1 instance running 24/7   =  ~730 hrs/month  βœ… within free tier
2 instances running 24/7  =  ~1,460 hrs/month ❌ you pay for ~730
Enter fullscreen mode Exit fullscreen mode

The habit to build now:

When done for the day β€” stop the instance. Not terminate. Stop.

EC2 console β†’ select instance β†’ Instance state β†’ Stop instance.

Data preserved. Config saved. Compute cost: zero.


⚠️ The Problem Nobody Wants to Say Out Loud

Pixel & Spoon is live. The health check returns green. Aarav is proud.

But Rohit is quiet.

Because right now, everything runs on one server.

One EC2 instance. One point of failure. If it crashes at 12:30pm during the lunch rush β€” every order fails. Every user sees an error. Every minute costs real trust.

And if a food blogger features Pixel & Spoon tomorrow and ten thousand users hit the app at once? One t3.micro will buckle.

This isn't Aarav's problem to fix. It's an infrastructure problem. And it's exactly what Rohit is going to solve in Chapter 6 β€” persistent storage that survives crashes, AMIs to clone servers in minutes, and Auto Scaling to handle any traffic spike without anyone losing sleep.


πŸ—ΊοΈ Where We Go From Here

Ch 00 β€” βœ… The origin story

Ch 01 β€” βœ… The world before AWS

Ch 02 β€” βœ… Virtualization & Cloud Models

Ch 03 β€” βœ… Welcome to AWS

Ch 04 β€” βœ… IAM: The Gatekeeper of AWS

Ch 04.1 β€” βœ… Creating IAM Users

Ch 04.2 β€” βœ… Creating IAM Groups

Ch 04.3 β€” βœ… Writing and Attaching IAM Policies

Ch 04.4 β€” βœ… Creating IAM Roles

Ch 05 β€” βœ… EC2: Your First Server (you are here)

Ch 05.1 β€” All Four Ways to Connect to EC2

Ch 06 β€” EBS, AMI & Auto Scaling: The Complete Compute Picture

Ch 07 β€” AWS CLI: Stop Clicking, Start Typing

Ch 08 β€” S3: Store Anything, Forever

Ch 09 β€” Databases on AWS: RDS & DynamoDB

Ch 10 β€” Serverless: Lambda, SNS & SQS

Ch 11 β€” Monitoring & Secrets: CloudWatch + Secrets Manager

Ch 12 β€” Networking: Route 53, CloudFront & VPC

Ch 13 β€” Infrastructure as Code: CloudFormation & Terraform

Ch 14 β€” Containers: ECS & EKS

Ch 15 β€” Billing & Pricing: Never Get a Surprise Bill

Ch 16 β€” Capstone: Build a Full Stack App on AWS

Ch 17 β€” AWS vs Azure vs GCP: An Honest Comparison

Ch 18 β€” What's Next: The AWS Certifications Roadmap


Before You Click Away.

Pixel & Spoon's server is running. The code is live. The health check is green.

But Rohit hasn't slept well since the launch.

One server. No redundancy. No way to survive a surge.

In Chapter 6, he fixes all of it.

πŸ‘‰ Chapter 6: EBS, AMI & Auto Scaling β†’ (Read it here)


Resources I'm learning from:


Top comments (0)