cloud engineer
AWS has machine types that require ENA Support. You can run AWS CLI to find out if instance is ENA enabled.
aws ec2 describe-instances \ --instance-id i-xxxxxxxxxxxxxxxxx \ --profile default \ --region us-east-1 \ --query 'Reservations[].Instances[].EnaSupport' |
aws ec2 describe-instances \ --instance-id i-xxxxxxxxxxxxxxxxx \ --profile default \ --region us-east-1 \ --query 'Reservations[].Instances[].EnaSupport'
Login to the instance and verify.
sudo lspci | grep -i Amazon |
sudo lspci | grep -i Amazon
List driver details.
modinfo nvme |
modinfo nvme
Verify modules loaded at startup.
lsmod | grep nvme lsmod | grep ena |
lsmod | grep nvme lsmod | grep ena
If ENA drivers are missing, install them.
yum install pciutils |
yum install pciutils
Here’s how to copy an AMI to another region.
aws ec2 copy-image \ --source-image-id ami-xxxxxxxxxxx \ --source-region us-east-1 \ --region us-east-2 \ --name "My DR server" |
aws ec2 copy-image \ --source-image-id ami-xxxxxxxxxxx \ --source-region us-east-1 \ --region us-east-2 \ --name "My DR server"
Output:
{ "ImageId": "ami-xxxxxxxxxxx" } |
{ "ImageId": "ami-xxxxxxxxxxx" }
AWS EC2 Firewall rules are defined within security groups. Security groups are attached to an instance. An instance can have up to 5 security groups. Essentially, this script gathers all the security groups associated with an instance, loops through them, and then outputs the ingress and egress rules of each security group to a file in a text format.
#!/bin/bash # set variables instanceid='i-xxxxxxxxxxxxxxxx' region='us-east-1' profile='sample' # log and temp files output="ec2-sg.log" tmpfil="ec2-sg.tmp" # empty log at start > $output # get sg ids aws ec2 describe-instances \ --instance-ids $instanceid \ --region $region \ --profile $profile \ --query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' --output text > $tmpfil while read -r id; do echo '============================================' >> $output echo $id >> $output echo '============================================' >> $output echo '---------------- INGRESS -------------------' >> $output aws ec2 describe-security-groups \ --group-ids $id \ --profile $profile \ --region $region \ --output text \ --query 'SecurityGroups[].IpPermissions[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output echo '---------------- EGRESS --------------------' >> $output aws ec2 describe-security-groups \ --group-ids $id \ --profile $profile \ --region $region \ --output text \ --query 'SecurityGroups[].IpPermissionsEgress[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output done < $tmpfil |
#!/bin/bash # set variables instanceid='i-xxxxxxxxxxxxxxxx' region='us-east-1' profile='sample' # log and temp files output="ec2-sg.log" tmpfil="ec2-sg.tmp" # empty log at start > $output # get sg ids aws ec2 describe-instances \ --instance-ids $instanceid \ --region $region \ --profile $profile \ --query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' --output text > $tmpfil while read -r id; do echo '============================================' >> $output echo $id >> $output echo '============================================' >> $output echo '---------------- INGRESS -------------------' >> $output aws ec2 describe-security-groups \ --group-ids $id \ --profile $profile \ --region $region \ --output text \ --query 'SecurityGroups[].IpPermissions[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output echo '---------------- EGRESS --------------------' >> $output aws ec2 describe-security-groups \ --group-ids $id \ --profile $profile \ --region $region \ --output text \ --query 'SecurityGroups[].IpPermissionsEgress[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output done < $tmpfil
Here’s a sample output.
============================================ sg-xxxxxxxxxxxxxxx ============================================ ---------------- INGRESS ------------------- 5985 5985 tcp 10.0.0.220/32 10005 10005 tcp 10.0.0.164/32 ---------------- EGRESS -------------------- 80 80 tcp 10.0.0.14/32 40000 65535 udp 10.0.0.0/8 3389 3389 tcp 10.0.0.96/32 9389 9389 tcp 10.0.0.0/8 5985 5986 tcp 10.0.0.96/32 |
============================================ sg-xxxxxxxxxxxxxxx ============================================ ---------------- INGRESS ------------------- 5985 5985 tcp 10.0.0.220/32 10005 10005 tcp 10.0.0.164/32 ---------------- EGRESS -------------------- 80 80 tcp 10.0.0.14/32 40000 65535 udp 10.0.0.0/8 3389 3389 tcp 10.0.0.96/32 9389 9389 tcp 10.0.0.0/8 5985 5986 tcp 10.0.0.96/32
This command lists the EC2 instance id and the tag name using query.
aws ec2 describe-instances \ --query 'Reservations[].Instances[].[InstanceId,Tags[?Key==Name]|[0].Value]' \ --profile tfc \ --region us-east-2 \ --output text |
aws ec2 describe-instances \ --query 'Reservations[].Instances[].[InstanceId,Tags[?Key==Name]|[0].Value]' \ --profile tfc \ --region us-east-2 \ --output text
Output:
i-xxxxxxxxxxxxxxxxx server-one i-xxxxxxxxxxxxxxxxx server-two i-xxxxxxxxxxxxxxxxx server-three |
i-xxxxxxxxxxxxxxxxx server-one i-xxxxxxxxxxxxxxxxx server-two i-xxxxxxxxxxxxxxxxx server-three
|[0].Value insures output is one instance record per line.
When changing machine types, you may be asked to enable the latest ENA driver for Enhanced Network Support on an Amazon EC2 instance. There are several instructions depending on the Linux OS flavor. Here are the instructions to enable. In some cases, you may need to rebuild the kernel module. To verify that the ena module is installed, use the modinfo command as shown in the following example.
modinfo ena |
modinfo ena
You also may have to enable the enhanced networking attribute on the instance.
aws ec2 modify-instance-attribute --instance-id instance_id --ena-support |
aws ec2 modify-instance-attribute --instance-id instance_id --ena-support