Creating EC2 Amazon Machine Images (AMIs)

This document covers the following topics:

  • Add software to an EC2 instance
  • Create a template image (AMI)
  • Learn how to share an AMI with other regions or accounts

Launch a New Instance

We will create a new instance using the Amazon Linux AMI and configure it for this lab:

Create and Configure the Instance

Navigate to EC2 Dashboard and use the Launch Instance button to create a new instance.

Select the Amazon Linux AMI at the top of the list (if you don’t see it immediately, click the Quick Start tab on the left).

Leave the default selection of t2.micro instance type and click the Next: Configure Instance Details button in the bottom right.

The Network setting should remain set as the default VPC, the Subnet setting may be set to any Availability Zone, and the Auto-assign Public IP setting should be set to Enable. All other settings can remain as their defaults. Once you’ve verified these details, click the Next: Add Storage button in the bottom right.

Add Storage

This page would allow us to automatically provision additional EBS volumes and connect them to our EC2 instance, which we could use to configure additional storage.

For this lab, however, we can leave the defaults and click the Next: Tag Instance button in the bottom right.

Tag Instance

We can use the default entry with the “Name” key to give our instance a fitting name. Since we will be using this instance to build an AMI to be used as a template for an autoscaling application, “web-build” seems to be an appropriate name.

In the “Value” column, type the name web-build. Click the Next: Configure Security Group button on the bottom right.

Create Security Group

Near the top of the page, you should see the Assign a security group label that lets you choose to create a new security group or select an existing one.

For this lab, we will choose the “Create a new security group” option. You should see a placeholder item in the list.

We will soon be connecting to this instance with SSH for further configuration. To allow this, we need to add a new incoming rule to the security group.

Change the Type dropdown on the placeholder list item to SSH. You may leave the defaults for this lab, but in practice you should restrict the Source for security.

When we build our application later on, we will use the Elastic Load Balancer. HTTP traffic to our application will arrive via port 80 and first hit the ELB, which does round robin load balancing to distribute the traffic evenly between instances. Additionally, the load balancer routes traffic to the EC2 instances, again on port 80. Therefore, the ELB and the EC2 instances need to belong to a security group that allows traffic on port 80 for this process to function properly.

Click the Add Rule button and choose HTTP from the Type dropdown. The default port is set to 80, so we can leave the default settings.

Click the Review and Launch button in the bottom right.

Review and Launch

Check that the settings are correct (if you’ve followed along, there should be nothing else to change), then click the Launch button in the bottom right. We will receive a prompt window for the key pair. Go ahead and create a new key pair. Feel free to name this key pair whatever you would like.

Finally, click the Launch Instances button to instruct AWS to launch an instance with the settings we’ve defined.

Connect to the Instance

Since our instance is assigned to a public subnet, has been set to auto-assign a public IP, and has the proper security group settings, we are now able to connect to it directly with SSH:

  • Navigate back to the list of EC2 instances (click the Instances link from the list on the left side of the page).
  • Ensure only the web-build instance is selected, then click the Connect button above the list to view connection details.
  • Copy the “Example” command near the bottom and paste it into a terminal window to connect.

Preparing the Image

When we create an AMI, we are essentially capturing a snapshot of the instance’s current state. Everything we do in this instance (installations, modifications, etc.) will be “captured” as an AMI. If we use that AMI to create new instances, they will all have the same configuration as the original instance when we created the image.

With that in mind, we want to prepare this fresh instance such that it matches our desired “starting point” for instances in our application. Once it has been set up correctly, we will use it to create a new AMI with all of the changes.

We can start by updating the packages in this instance. This way all future instances of the AMI we will create later will have the updated packages too.

sudo yum update -y

Next, we can use yum to install httpd, then start the service and enable it at boot. This ensures that future instances will be created with the service already installed and started.

sudo yum install -y httpd
sudo service httpd start
sudo chkconfig httpd on

You can test that the service is running correctly. Grab the IP address of the instance from AWS and navigate to it in your browser. You will see the “Amazon Linux AMI Test Page”.

In practice, we would consider what other packages our application requires. What type of application is this? Does it need to communicate with S3? Does the webserver need to communicate with the Amazon API? How can we ensure that the instance is prepared with everything it needs to function properly? Our application is very simple in this lab for the sake of instruction, so we are done configuring the instance.

Something important to remember when creating AMIs: Never store any API credentials on an image. This lets us avoid updating the image with credential changes, but more importantly it keeps those credentials out of the hands of others who have access to the image. Instead of storing the credentials on the image itself, it’s best practice to use an IAM EC2 role to give permissions to the instances that need to access the API.
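
A check for the rule above, to run on the build instance before creating the image. This is an added example, not part of the original lab; the function name, the list of file names and the scanned directories are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: look for credentials that would be captured in the AMI.
# Usage: scan_baked_secrets /     (run with sudo so /root and /etc are readable)
#        scan_baked_secrets DIR   (DIR holds a copy of the filesystem)

scan_baked_secrets() {
    root="${1:-/}"
    out=$(
        # 1. Files that commonly hold long-lived credentials or typed secrets,
        #    in the home directories of root and ordinary users.
        for home in "$root/root" "$root"/home/*; do
            [ -d "$home" ] || continue
            for f in .aws/credentials .boto .s3cfg .netrc \
                     .ssh/id_rsa .ssh/id_ed25519 .bash_history; do
                if [ -s "$home/$f" ]; then
                    echo "FILE  $home/$f"
                fi
            done
        done
        # 2. AWS access key IDs (AKIA followed by 16 characters) embedded in
        #    configuration, web content or home directories.
        grep -rlE 'AKIA[0-9A-Z]{16}' \
            "$root/etc" "$root/var/www" "$root/home" "$root/root" 2>/dev/null |
            sed 's/^/KEYID /'
    )
    # Nothing found: the image is clean as far as this check can tell.
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}
```

A non-zero return means something was found; remove or rotate what it lists, then rerun before choosing Create Image.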

We have completed setting up our base instance, so it’s time to use it to create a new AMI.

Creating the AMI

Our base instance has been fully configured as a starting point for our application requirements. We will now use it to create a new AMI with all of these configurations.

  • Navigate back to the list of Instances on AWS.
  • Right click on the web-build instance, mouse over Image, and select the Create Image option.
  • Type an appropriate Image Name of my-web-application.
  • For the Description, we can use my-web-application again.
  • Leave all of the other defaults and click the Create Image button.

Amazon will use the instance configuration to create a new AMI called my-web-application. Allow some time for this to complete.

Using the AMI

Once the AMI creation has completed, we can remove the web-build instance that we’ve been working with. Navigate back to the list of instances in AWS, right click, mouse over Instance State, and choose Terminate.

We can use the AMI created a moment ago to launch a new instance that matches the configuration of the instance we just removed:

  • Navigate to the “AMIs” section (under the “Images” group in the list on the left side of the page).
  • Right click on the my-web-application AMI that we created and choose Launch.

You will be presented with instance type options, etc., and AWS will launch a matching instance upon completion.

Using the AMI in Another Region

The new AMI is only available in the region we created it in. If you want to use it in a different region, right click the AMI from the list and choose Copy. You will be presented with options for copying the AMI to a new region.

Modifying the AMI Permissions

You can make AMIs public/private or share them with other AWS accounts by right clicking the AMI from the list and choosing Modify Image Permissions. You will be presented with relevant permission options.
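
To confirm what those permission options ended up granting, the launch permissions can be read back and compared with the accounts you meant to share with. This is an added example, not part of the original lab; the function name, the account IDs and the sample JSON are constructed, and the input is assumed to be the JSON printed by `aws ec2 describe-image-attribute --image-id <ami-id> --attribute launchPermission`.

```shell
#!/bin/sh
# Added example: audit AMI launch permissions against an allow-list.
# Usage: aws ec2 describe-image-attribute --image-id <ami-id> \
#            --attribute launchPermission | audit_launch_permissions ACCOUNT_ID...

audit_launch_permissions() {
    json=$(cat)          # JSON from describe-image-attribute on stdin
    status=0
    # A "Group": "all" entry means the image is public.
    if printf '%s\n' "$json" |
        grep -Eq '"Group"[[:space:]]*:[[:space:]]*"all"'; then
        echo "PUBLIC: any AWS account can launch this image"
        status=1
    fi
    # Every "UserId" entry is an account the image is shared with.
    for acct in $(printf '%s\n' "$json" |
                  grep -Eo '"UserId"[[:space:]]*:[[:space:]]*"[0-9]{12}"' |
                  grep -Eo '[0-9]{12}'); do
        case " $* " in
            *" $acct "*) echo "OK: shared with expected account $acct" ;;
            *) echo "UNEXPECTED: shared with account $acct"; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample output: shared with two accounts, only one expected.
SAMPLE='{
    "ImageId": "ami-EXAMPLE",
    "LaunchPermissions": [
        { "UserId": "111122223333" },
        { "UserId": "444455556666" }
    ]
}'
printf '%s\n' "$SAMPLE" | audit_launch_permissions 111122223333 || true
```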
