Uly.me

cloud engineer

ec2

AWS Move Instance to Another Zone

Here’s how to move an AWS instance to another zone.

Stop the instance first.

aws ec2 stop-instances --instance-ids i-1234567890abcdef0

Create an AMI image.

aws ec2 create-image \
--instance-id i-1234567890abcdef0 \
--name "my-ami" \
--description "my-ami"

Create EC2 instance using Terraform. The contents of main.tf.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}
provider "aws" {
  profile = "default"
  region  = "us-east-1"
}
resource "aws_instance" "ulysses" {
  ami                           = "ami-1234567890abcdef0"
  key_name                      = "servers"
  iam_instance_profile          = "machine-role"
  instance_type                 = "t3.micro"
  subnet_id                     = "subnet-1234567890abcdef0"
  security_groups               = ["sg-1234567890abcdef0", "sg-1234567890abcdef1"]
  tags = {
    Name = "moving-instance"
    tag1 = "test1"
    tag2 = "test2"
  }
}

Launch it.

terraform init
terraform plan
terraform apply

AWS EC2 ENA Support

AWS has machine types that require ENA Support. You can run AWS CLI to find out if instance is ENA enabled.

aws ec2 describe-instances \
--instance-id i-xxxxxxxxxxxxxxxxx \
--profile default \
--region us-east-1 \
--query 'Reservations[].Instances[].EnaSupport'

Login to the instance and verify.

sudo lspci | grep -i Amazon

List driver details.

modinfo nvme

Verify modules loaded at startup.

lsmod | grep nvme
lsmod | grep ena

If ENA drivers are missing, install them.

yum install pciutils

AWS Copy AMI to another Region

Here’s how to copy an AMI to another region.

aws ec2 copy-image \
  --source-image-id ami-xxxxxxxxxxx \
  --source-region us-east-1 \
  --region us-east-2 \
  --name "My DR server"

Output:

{
    "ImageId": "ami-xxxxxxxxxxx"
}

AWS EC2 List Firewall Rules

AWS EC2 Firewall rules are defined within security groups. Security groups are attached to an instance. An instance can have up to 5 security groups. Essentially, this script gathers all the security groups associated with an instance, loops through them, and then outputs the ingress and egress rules of each security group to a file in a text format.

#!/bin/bash
# set variables
instanceid='i-xxxxxxxxxxxxxxxx'
region='us-east-1'
profile='sample'
# log and temp files
output="ec2-sg.log"
tmpfil="ec2-sg.tmp"
# empty log at start
> $output
# get sg ids
aws ec2 describe-instances \
--instance-ids $instanceid \
--region $region \
--profile $profile \
--query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' --output text > $tmpfil
while read -r id; do
  echo '============================================' >> $output
  echo $id >> $output
  echo '============================================' >> $output
  echo '---------------- INGRESS -------------------' >> $output
  aws ec2 describe-security-groups \
  --group-ids $id \
  --profile $profile \
  --region $region \
  --output text \
  --query 'SecurityGroups[].IpPermissions[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output
  echo '---------------- EGRESS --------------------' >> $output
  aws ec2 describe-security-groups \
  --group-ids $id \
  --profile $profile \
  --region $region \
  --output text \
  --query 'SecurityGroups[].IpPermissionsEgress[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output
done < $tmpfil

Here’s a sample output.

============================================
sg-xxxxxxxxxxxxxxx
============================================
---------------- INGRESS -------------------
5985    5985    tcp     10.0.0.220/32
10005   10005   tcp     10.0.0.164/32
---------------- EGRESS --------------------
80      80      tcp     10.0.0.14/32
40000   65535   udp     10.0.0.0/8
3389    3389    tcp     10.0.0.96/32
9389    9389    tcp     10.0.0.0/8
5985    5986    tcp     10.0.0.96/32

AWS CLI Display Tags

This command lists the EC2 instance id and the tag name using query.

aws ec2 describe-instances \
--query 'Reservations[].Instances[].[InstanceId,Tags[?Key==Name]|[0].Value]' \
--profile tfc \
--region us-east-2 \
--output text

Output:

i-xxxxxxxxxxxxxxxxx     server-one
i-xxxxxxxxxxxxxxxxx     server-two
i-xxxxxxxxxxxxxxxxx     server-three

|[0].Value insures output is one instance record per line.

AWS Enable Enhance Network Support

When changing machine types, you may be asked to enable the latest ENA driver for Enhanced Network Support on an Amazon EC2 instance. There are several instructions depending on the Linux OS flavor. Here are the instructions to enable. In some cases, you may need to rebuild the kernel module. To verify that the ena module is installed, use the modinfo command as shown in the following example.

modinfo ena

You also may have to enable the enhanced networking attribute on the instance.

aws ec2 modify-instance-attribute --instance-id instance_id --ena-support

EC2 Password Authentication

When you stand up an AWS instance, it’s only accessible via SSH key using the default user, typically ec2-user.

Add password to ec2-user, then enable password authentication to ‘yes’ in SSH.

# Add password to ec2-user
sudo passwd ec2-user
# edit ssh config
vim /etc/ssh/sshd_config
# enable password authentication
PasswordAuthentication yes
# save file and exit

Restart SSH service.

systemctl restart sshd.service