Launching Your First EC2 Instance (Console)
Launching an EC2 instance is the moment cloud computing becomes real: in a few clicks you get a running virtual server (a computer you rent by the second) with its own IP address and operating system. EC2 stands for Elastic Compute Cloud, and the launch wizard is the most common way to create one. This page walks through every screen in the wizard, explains what each choice means in plain English, and points out the two mistakes that catch almost everyone: a security group that blocks all traffic (or lets the whole internet in), and losing the key pair you need to log in.
Before you start
You need an AWS account, a chosen Region (the geographic location where your server lives, like us-east-1 in Northern Virginia), and the right Region selected in the top-right of the console. Instances only exist in the Region you launched them in, so picking the one closest to you (or your users) keeps things fast and cheap.
Tip: A t3.micro or t4g.micro instance is Free Tier eligible for new accounts (750 hours per month for the first 12 months). Stay on those types while learning to avoid surprise bills.
Opening the Launch Instance wizard
- Sign in to the AWS Management Console.
- Confirm your Region in the top-right corner.
- Search for EC2 in the top search bar and open the EC2 console.
- Click the orange Launch instance button.
You’ll land on a single-page wizard. We’ll go through it top to bottom.
Step 1 — Name and tags
Give the instance a clear Name, for example web-server-dev. Behind the scenes this creates a tag with the key Name. Tags are simple key-value labels that help you find, group, and bill resources later. You can add more (like Environment=dev or Owner=jaswinder) by clicking Add additional tags.
Step 2 — Application and OS Image (AMI)
An AMI (Amazon Machine Image) is a template that contains the operating system and pre-installed software your instance boots from. Common free choices:
| AMI | When to use it |
|---|---|
| Amazon Linux 2023 | AWS-tuned, free, great default for general Linux workloads |
| Ubuntu Server (LTS) | You want the familiar Ubuntu ecosystem and apt packages |
| Windows Server | You need Windows-only software (note: not Free Tier, licensing costs apply) |
Pick Amazon Linux 2023 unless you have a reason not to. Note the architecture: pick 64-bit (Arm) for Graviton instances or 64-bit (x86) for Intel/AMD. The AMI ID looks like ami-0abcdef1234567890.
Step 3 — Instance type
The instance type decides how much CPU and memory (RAM) you get. t3.micro gives 2 vCPUs and 1 GiB of memory, which is plenty for learning. Larger types cost more per hour. Choose t3.micro (x86) or t4g.micro (Arm, cheaper) to stay in the Free Tier.
Step 4 — Key pair (login)
A key pair is how you prove who you are when connecting over SSH (Secure Shell, an encrypted remote-login protocol). It has a public key AWS keeps and a private key file you download.
- Click Create new key pair.
- Name it, e.g. my-ec2-key.
- Choose RSA and the .pem format (use .ppk only for the older PuTTY client on Windows).
- Click Create key pair; the .pem file downloads immediately.
Gotcha: You can download the private key file only once. If you lose it, you cannot recover it and you’ll be locked out of the instance. Save it somewhere safe right now, and on Mac/Linux lock down its permissions with chmod 400 my-ec2-key.pem, or SSH will refuse to use it.
Step 5 — Network settings and security group
This is where most beginners get tripped up. A security group is a virtual firewall that controls which traffic can reach your instance. By default it allows nothing inbound, so you can’t even connect; the wizard helpfully offers to open SSH for you.
The dangerous default is “Allow SSH traffic from Anywhere (0.0.0.0/0)”, which exposes port 22 to the entire internet. Bots scan for this constantly.
- Leave VPC and Subnet at their defaults (a VPC is your private network in AWS; a subnet is a slice of it).
- Keep Auto-assign public IP enabled so you can reach the instance from the internet.
- Under Firewall (security groups), choose Create security group.
- Check Allow SSH traffic from and change the dropdown from Anywhere to My IP. This scopes port 22 to your current IP address (a /32 CIDR like 203.0.113.45/32).
- If it’s a web server, also check Allow HTTP and Allow HTTPS from Anywhere.
Warning: Scope SSH to My IP, never 0.0.0.0/0. Leaving SSH open to the world is one of the most common ways instances get compromised. If your home IP changes, just edit the rule later, or use Session Manager (no open ports needed).
Step 6 — Configure storage
Every instance needs a root EBS volume (Elastic Block Store, a network-attached virtual disk that persists when you stop the instance). The default is an 8 GiB gp3 (general-purpose SSD) volume, which is fine to start. The Free Tier covers up to 30 GiB of EBS per month. Bump the size if your AMI needs more.
Step 7 — Review and launch
The Summary panel on the right shows your choices and an estimated cost. Confirm everything, then click Launch instance. After a few seconds you’ll see a success screen with the instance ID, e.g. i-0a1b2c3d4e5f. Click it to watch the Instance state move from pending to running.
The CLI equivalent
Everything above maps to a single run-instances call with AWS CLI v2, given a key pair and security group that already exist:
aws ec2 run-instances \
--image-id ami-0abcdef1234567890 \
--instance-type t3.micro \
--key-name my-ec2-key \
--security-group-ids sg-0a1b2c3d \
--subnet-id subnet-0a1b2c3d \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=web-server-dev}]'
Output:
{
"Instances": [
{
"InstanceId": "i-0a1b2c3d4e5f",
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"KeyName": "my-ec2-key",
"State": { "Code": 0, "Name": "pending" },
"PrivateIpAddress": "10.0.1.23",
"SubnetId": "subnet-0a1b2c3d",
"VpcId": "vpc-0a1b2c3d"
}
]
}
Best practices
- Stay on t3.micro/t4g.micro while learning so you remain inside the Free Tier and avoid surprise charges.
- Always scope SSH (port 22) to My IP, never 0.0.0.0/0; prefer Session Manager for keyless, port-free access.
- Download and back up the key pair the moment you create it; you cannot download it twice.
- Tag every instance with at least Name, Environment, and Owner so resources stay findable and billable.
- Stop instances you aren’t using; you pay for compute while they run, though EBS storage still bills when stopped.
- Once you’ve launched a few by hand, switch to a launch template so configurations are repeatable and consistent.