

# Set up Microsoft SQL Server on Amazon EC2
<a name="setting-up"></a>

This section describes the prerequisites, permissions, and configurations that you should consider when preparing to use Microsoft SQL Server on Amazon EC2 instances for your SQL Server workloads.

**Topics**
+ [Prerequisites](#sql-server-on-ec2-prereqs)
+ [Permissions](#sql-server-on-ec2-permissions)

## Prerequisites for using SQL Server on Amazon EC2
<a name="sql-server-on-ec2-prereqs"></a>

Complete the tasks in this section to start using SQL Server on Amazon EC2 instances for the first time: 

1. [Sign up for an Amazon Web Services account](#sign-up-for-aws)

1. [Create a key pair](#create-a-key-pair)

1. [Create a security group](#create-a-base-security-group)

### Sign up for an Amazon Web Services account
<a name="sign-up-for-aws"></a>

If you do not have an Amazon Web Services account, use the following procedure to create one.

**To sign up for Amazon Web Services**

1. Open [http://www.amazonaws.cn/](http://www.amazonaws.cn/) and choose **Sign Up**.

1. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [http://www.amazonaws.cn/](http://www.amazonaws.cn/) and choosing **My Account**.

### Secure IAM users
<a name="secure-an-admin"></a>

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see [Enable a virtual MFA device for an IAM user (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-iam-user) in the *IAM User Guide*.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the *IAM User Guide*: 
+ [Creating an IAM user in your Amazon Web Services account](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_users_create.html)
+ [Access management for Amazon resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/access.html)
+ [Example IAM identity-based policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_examples.html)

### Create a key pair
<a name="create-a-key-pair"></a>

Amazon uses public-key cryptography to secure the login information for your instance. You specify the name of the key pair when you launch your instance, then provide the private key to obtain the administrator password for your Windows instance so you can log in using RDP.

If you haven't created a key pair already, you can create one by using the Amazon EC2 console. Note that if you plan to launch instances in multiple Regions, you'll need to create a key pair in each Region. For more information about Regions, see [Regions and Zones](https://docs.amazonaws.cn/AWSEC2/latest/WindowsGuide/using-regions-availability-zones.html) in the *User Guide for Windows Instances*.

**To create your key pair**

1. Open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. In the navigation pane, choose **Key Pairs**.

1. Choose **Create key pair**.

1. For **Name**, enter a descriptive name for the key pair. Amazon EC2 associates the public key with the name that you specify as the key name. A key name can include up to 255 ASCII characters. It can’t include leading or trailing spaces.

1. For **Key pair type**, choose either **RSA** or **ED25519**. Note that **ED25519** keys are not supported for Windows instances.

1. For **Private key file format**, choose the format in which to save the private key. To save the private key in a format that can be used with OpenSSH, choose **pem**. To save the private key in a format that can be used with PuTTY, choose **ppk**.

   If you chose **ED25519** in the previous step, the **Private key file format** options do not appear, and the private key format defaults to **pem**.

1. Choose **Create key pair**.

1. The private key file is automatically downloaded by your browser. The base file name is the name you specified as the name of your key pair, and the file name extension is determined by the file format you chose. Save the private key file in a safe place.
**Important**  
This is the only chance for you to save the private key file.

For more information, see [Amazon EC2 key pairs and Windows instances](https://docs.amazonaws.cn/AWSEC2/latest/WindowsGuide/ec2-key-pairs.html) in the *User Guide for Windows Instances*.
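The same key pair can be created from the command line. The script below is an added example and is not part of this documentation; it uses the Amazon CLI `create-key-pair` command (not listed on this page) with the RSA/PEM choices the procedure above calls for, and it saves the private key exactly once with owner-only permissions, since the key material cannot be downloaded again. `KEY_NAME`, the output path and the placeholder key material used in dry-run mode are assumptions.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): create an RSA key pair for a
# Windows instance with the AWS CLI and store the private key safely.
# KEY_NAME and the output path are assumptions; with DRY_RUN=1 (the default)
# no aws command runs and a constructed placeholder stands in for key material.
KEY_NAME="${KEY_NAME:-sqlserver-uswest2}"
DRY_RUN="${DRY_RUN:-1}"

# Writes key material to a file exactly once, readable only by the owner.
# Refuses to overwrite: the private key is only available at creation time,
# so clobbering an existing file would lose that key for good.
save_private_key() {
  out="$1"; material="$2"
  if [ -e "$out" ]; then
    echo "refusing to overwrite existing private key $out" >&2
    return 1
  fi
  ( umask 077 && printf '%s\n' "$material" > "$out" ) || return 1
  chmod 400 "$out"
}

# Returns 0 if the file is owner-read-only (mode 0400), as a key file should be.
key_perms_ok() {
  mode=$(ls -ld "$1" | cut -c1-10)
  [ "$mode" = "-r--------" ]
}

# Creates the key pair (RSA in PEM format: ED25519 keys are not supported for
# Windows instances) and saves the private key to <name>.pem by default.
create_windows_key_pair() {
  name="$1"; out="${2:-$name.pem}"
  if [ "$DRY_RUN" = "1" ]; then
    echo "[dry-run] aws ec2 create-key-pair --key-name $name --key-type rsa --key-format pem --query KeyMaterial --output text"
    # Constructed placeholder; real key material comes from the aws command.
    material="-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-CONSTRUCTED-FOR-THIS-EXAMPLE
-----END RSA PRIVATE KEY-----"
  else
    material=$(aws ec2 create-key-pair --key-name "$name" --key-type rsa \
               --key-format pem --query KeyMaterial --output text) || return 1
  fi
  save_private_key "$out" "$material" && key_perms_ok "$out"
}
```

Run it as `DRY_RUN=0 sh keypair.sh` after adding a call such as `create_windows_key_pair "$KEY_NAME"`; the `.pem` file is then the only copy of the private key, which is why the script refuses to overwrite one that already exists.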

### Create a security group
<a name="create-a-base-security-group"></a>

Security groups act as a firewall for associated instances, controlling both inbound and outbound traffic at the instance level. You must add rules to a security group that enable you to connect to your instance from your IP address using RDP. You can also add rules that allow inbound and outbound HTTP and HTTPS access from anywhere.

Note that if you plan to launch instances in multiple Regions, you'll need to create a security group in each Region. For more information about Regions, see [Regions and Zones](https://docs.amazonaws.cn/AWSEC2/latest/WindowsGuide/using-regions-availability-zones.html) in the *User Guide for Windows Instances*.

**Prerequisites**  
You'll need the public IPv4 address of your local computer. The security group editor in the Amazon EC2 console can automatically detect the public IPv4 address for you. Alternatively, you can use the search phrase "what is my IP address" in an Internet browser, or use the following service: [Check IP](http://checkip.amazonaws.com.cn/). If you are connecting through an Internet service provider (ISP) or from behind a firewall without a static IP address, you need to find out the range of IP addresses used by client computers.

You can create a custom security group using one of the following methods.

------
#### [ New Amazon EC2 console ]

**To create a security group with least privilege**

1. Open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. From the top navigation bar, select a Region for the security group. Security groups are specific to a Region, so you should select the same Region in which you created your key pair.

1. In the left navigation pane, choose **Security Groups**.

1. Choose **Create security group**.

1. For **Basic details**, do the following:

   1. Enter a name for the new security group and a description. Use a name that is easy for you to remember, such as your user name, followed by \_SG\_, plus the Region name. For example, *me*\_SG\_*uswest2*.

   1. In the **VPC** list, select your default VPC for the Region.

1. For **Inbound rules**, create rules that allow specific traffic to reach your instance. For example, use the following rules for a web server that accepts HTTP and HTTPS traffic. For more examples, see [Security group rules for different use cases](https://docs.amazonaws.cn/AWSEC2/latest/WindowsGuide/security-group-rules-reference.html) in the *User Guide for Windows Instances*.

   1. Choose **Add rule**. For **Type**, choose **HTTP**. For **Source**, choose **Anywhere**.

   1. Choose **Add rule**. For **Type**, choose **HTTPS**. For **Source**, choose **Anywhere**.

   1. Choose **Add rule**. For **Type**, choose **RDP**. For **Source**, do one of the following:
      + Choose **My IP** to automatically add the public IPv4 address of your local computer.
      + Choose **Custom** and specify the public IPv4 address of your computer or network in CIDR notation. To specify an individual IP address in CIDR notation, add the routing suffix `/32`, for example, `203.0.113.25/32`. If your company or your router allocates addresses from a range, specify the entire range, such as `203.0.113.0/24`.
**Warning**  
For security reasons, do not choose **Anywhere** for **Source** with a rule for RDP. This would allow access to your instance from all IP addresses on the internet. This is acceptable for a short time in a test environment, but it is unsafe for production environments.

1. For **Outbound rules**, keep the default rule, which allows all outbound traffic.

1. Choose **Create security group**.

------
#### [ Old Amazon EC2 console ]

**To create a security group with least privilege**

1. Open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. In the left navigation pane, choose **Security Groups**.

1. Choose **Create Security Group**.

1. Enter a name for the new security group and a description. Use a name that is easy for you to remember, such as your user name, followed by \_SG\_, plus the Region name. For example, *me*\_SG\_*uswest2*.

1. In the **VPC** list, select your default VPC for the Region.

1. On the **Inbound rules** tab, create the following rules (choose **Add rule** for each new rule):
   + Choose **HTTP** from the **Type** list, and make sure that **Source** is set to **Anywhere** (`0.0.0.0/0`).
   + Choose **HTTPS** from the **Type** list, and make sure that **Source** is set to **Anywhere** (`0.0.0.0/0`).
   + Choose **RDP** from the **Type** list. In the **Source** box, choose **My IP** to automatically populate the field with the public IPv4 address of your local computer. Alternatively, choose **Custom** and specify the public IPv4 address of your computer or network in CIDR notation. To specify an individual IP address in CIDR notation, add the routing suffix `/32`, for example, `203.0.113.25/32`. If your company allocates addresses from a range, specify the entire range, such as `203.0.113.0/24`.
**Warning**  
For security reasons, do not allow RDP access from all IP addresses to your instance. This is acceptable for a short time in a test environment, but it is unsafe for production environments.

1. On the **Outbound rules** tab, keep the default rule, which allows all outbound traffic.

1. Choose **Create security group**.

------
#### [ Command line ]

**To create a security group with least privilege**

Use one of the following commands:
+ [create-security-group](https://docs.amazonaws.cn/cli/latest/reference/ec2/create-security-group.html) (Amazon CLI)
+ [New-EC2SecurityGroup](https://docs.amazonaws.cn/powershell/latest/reference/items/New-EC2SecurityGroup.html) (Amazon Tools for Windows PowerShell)
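The console procedures above, expressed with the Amazon CLI, as an added example that is not part of this documentation. It pairs `create-security-group` with `authorize-security-group-ingress` (the latter is not listed on this page) to open HTTP and HTTPS from anywhere and RDP only from one address or range, and it refuses an RDP source of `0.0.0.0/0`, the check the warning above asks for. The group name, the VPC ID placeholder and the sample address `203.0.113.25/32` are assumptions; with `DRY_RUN=1` (the default) the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not part of the AWS documentation): the least-privilege
# security group from the console procedures above, built with the AWS CLI.
# SG_NAME, VPC_ID and RDP_SOURCE are assumptions/placeholders; replace them.
# With DRY_RUN=1 (the default) the aws commands are printed, not executed.

SG_NAME="${SG_NAME:-me_SG_uswest2}"          # naming scheme from the page: <user>_SG_<region>
SG_DESC="${SG_DESC:-Least-privilege group for SQL Server on EC2}"
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"          # placeholder: your default VPC for the Region
RDP_SOURCE="${RDP_SOURCE:-203.0.113.25/32}"  # your public IPv4 address in CIDR notation
DRY_RUN="${DRY_RUN:-1}"

# Runs an aws command, or prints it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '[dry-run] %s\n' "$*"; else "$@"; fi
}

# Returns 0 only if CIDR is a plausible IPv4 source for an RDP rule: four
# octets of 0..255 and a prefix length of 1..32. A /0 prefix (0.0.0.0/0, the
# console's "Anywhere") is rejected, which is what the warning above forbids.
rdp_source_ok() {
  cidr="$1"
  case "$cidr" in */*) ;; *) return 1 ;; esac   # must carry a /prefix
  prefix="${cidr##*/}"
  addr="${cidr%/*}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Creates the group and its inbound rules: HTTP/HTTPS from anywhere, RDP
# (TCP 3389) only from rdp_cidr. Egress keeps the default allow-all rule.
create_sql_server_sg() {
  name="$1"; vpc="$2"; rdp_cidr="$3"
  if ! rdp_source_ok "$rdp_cidr"; then
    echo "refusing to open RDP to '$rdp_cidr'; use your own address, e.g. 203.0.113.25/32" >&2
    return 1
  fi
  if [ "$DRY_RUN" = "1" ]; then
    run aws ec2 create-security-group --group-name "$name" \
        --description "$SG_DESC" --vpc-id "$vpc"
    sg_id="sg-PLACEHOLDER"   # constructed; the real ID comes from the command's output
  else
    sg_id=$(aws ec2 create-security-group --group-name "$name" \
            --description "$SG_DESC" --vpc-id "$vpc" \
            --query GroupId --output text) || return 1
  fi
  run aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --protocol tcp --port 80  --cidr 0.0.0.0/0
  run aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --protocol tcp --port 443 --cidr 0.0.0.0/0
  run aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --protocol tcp --port 3389 --cidr "$rdp_cidr"
}

create_sql_server_sg "$SG_NAME" "$VPC_ID" "$RDP_SOURCE"
```

To apply it for real, export `VPC_ID` and `RDP_SOURCE` for your account and run with `DRY_RUN=0`. The group must be created in the same Region as the key pair, so set the Region with `--region` or `AWS_DEFAULT_REGION` before running.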

------

For more information, see [Amazon EC2 security groups for Windows instances](https://docs.amazonaws.cn/AWSEC2/latest/WindowsGuide/ec2-security-groups.html) in the *Amazon EC2 User Guide*.

## Permissions required to use SQL Server on Amazon EC2
<a name="sql-server-on-ec2-permissions"></a>

For information about the permissions required to create or modify Amazon EC2 resources, or to perform tasks using the Amazon EC2 API, see [IAM policies for Amazon EC2](https://docs.amazonaws.cn/AWSEC2/latest/WindowsGuide/iam-policies-for-amazon-ec2.html) in the *User Guide for Windows Instances*.