Creating EC2 Amazon Machine Images (AMIs)
One of the most alluring features of AWS to enterprises is the ease of backing up mission critical services and applications. The ability to create a copy of your Amazon Machine Image (AMI) with just a few clicks of the mouse or a few commands in the API is excellent for ensuring your application is always able to be restored at a moment's notice. This also allows you to deploy mirrored servers in other availability zones or even regions if you copy them over. In this learning activity, we will deploy software to a machine and illustrate how AMIs can be used to distribute that image among your environment.
In this lab, we will complete the following objectives:
- Add software to an EC2 instance
- Create a template image (AMI)
- Learn how to share an AMI with other regions or accounts
Launch a New Instance
We will create a new instance using the Amazon Linux AMI and configure it for this lab:
Create and Configure the Instance
Navigate to the EC2 Dashboard and use the Launch Instance button to create a new instance.
Select the Amazon Linux AMI at the top of the list (if you don't see it immediately, click the Quick Start tab on the left).
Leave the default selection of the t2.micro instance type and click the Next: Configure Instance Details button in the bottom right.
The Network setting should remain set as the default VPC, the Subnet setting may be set to any Availability Zone, and the Auto-assign Public IP setting should be set to Enable. All other settings can remain as their defaults. Once you've verified these details, click the Next: Add Storage button in the bottom right.
This page would allow us to automatically provision additional EBS volumes and connect them to our EC2 instance, which we could use to configure additional storage.
For this lab, however, we can leave the defaults and click the Next: Tag Instance button in the bottom right.
We can use the default entry with the "Name" key to give our instance a fitting name. Since we will be using this instance to build an AMI to be used as a template for an autoscaling application, "web-build" seems to be an appropriate name.
In the "Value" column, type the name web-build. Click the Next: Configure Security Group button on the bottom right.
Create Security Group
Near the top of the page, you should see the Assign a security group label that lets you choose to create a new security group or select an existing one.
For this lab, we will choose the "Create a new security group" option. You should see a placeholder item in the list.
We will soon be connecting to this instance with SSH for further configuration. To allow this, we need to add a new incoming rule to the security group.
Change the Type dropdown on the placeholder list item to SSH. You may leave the defaults for this lab, but in practice you should restrict the Source for security.
When we build our application later on, we will use the Elastic Load Balancer. HTTP traffic to our application will arrive via port 80 and first hit the ELB, which does round robin load balancing to distribute the traffic evenly between instances. Additionally, the load balancer routes traffic to the EC2 instances, again on port 80. Therefore, the ELB and the EC2 instances need to belong to a security group that allows traffic on port 80 for this process to function properly.
Click the Add Rule button and choose HTTP from the Type dropdown. The default port is set to 80, so we can leave the default settings.
Click the Review and Launch button in the bottom right.
Review and Launch
Check that the settings are correct (if you've followed along, there should be nothing else to change), then click the Launch button in the bottom right. We will receive a prompt window for the key pair. Go ahead and create a new key pair. Feel free to name this key pair whatever you would like.
Finally, click the Launch Instances button to instruct AWS to launch an instance with the settings we've defined.
Connect to the Instance
Since our instance is assigned to a public subnet, has been set to auto-assign a public IP, and has the proper security group settings, we are now able to connect to it directly with SSH:
- Navigate back to the list of EC2 instances (click the Instances link from the list on the left side of the page).
- Ensure only the web-build instance is selected, then click the Connect button above the list to view connection details.
- Copy the "Example" command near the bottom and paste it into a terminal window to connect. (NOTE: Need to add more details that match up with the key pair note I made earlier.)
Preparing the Image
When we create an AMI, we are essentially capturing a snapshot of the instance's current state. Everything we do in this instance (installations, modifications, etc.) will be "captured" as an AMI. If we use that AMI to create new instances, they will all have the same configuration as the original instance when we created the image.
With that in mind, we want to prepare this fresh instance such that it matches our desired "starting point" for instances in our application. Once it has been set up correctly, we will use it to create a new AMI with all of the changes.
We can start by updating the packages in this instance. This way all future instances of the AMI we will create later will have the updated packages too.
sudo yum update -y
Next, we can use yum to install httpd, then start the service. This ensures that future instances will be created with the service already installed and started.
sudo yum install httpd
sudo service httpd start
sudo chkconfig httpd on
You can test that the service is running correctly. Grab the IP address of the instance from AWS and navigate to it in your browser. You will see the "Amazon Linux AMI Test Page".
In practice, we would consider what other packages our application requires. What type of application is this? Does it need to communicate with S3? Does the webserver need to communicate with the Amazon API? How can we ensure that the instance is prepared with everything it needs to function properly? Our application is very simple in this lab for the sake of instruction, so we are done configuring the instance.
Something important to remember when creating AMIs: Never store any API credentials on an image. This lets us avoid updating the image with credential changes, but more importantly it keeps those credentials out of the hands of others who have access to the image. Instead of storing the credentials on the image itself, it's best practice to use an IAM EC2 role to give permissions to the instances that need to access the API.
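One way to check the build instance for stored API credentials before creating the image. This is an added example, not part of the original lab; the function names, the directories searched and the file list are assumptions, and the demo tree uses the placeholder key ID from AWS documentation.

```shell
#!/bin/sh
# Added example, not from the original lab: look for AWS API credentials on the
# build instance before choosing "Create Image". The directory and file lists
# are assumptions; extend them for your application.

# Print every file under ROOT (default /) that looks like it holds API credentials.
list_credential_files() {
    root="${1:-/}"
    {
        # Files the AWS CLI/SDKs and common S3 tools store long-term keys in.
        for home in "$root"/root "$root"/home/*; do
            for rel in .aws/credentials .boto .s3cfg; do
                if [ -f "$home/$rel" ]; then echo "$home/$rel"; fi
            done
        done
        # Access key IDs or secret-key assignments in configs, web roots, history.
        for dir in etc root home opt var/www; do
            if [ -d "$root/$dir" ]; then
                grep -rlE 'AKIA[0-9A-Z]{16}|(AWS_SECRET_ACCESS_KEY|aws_secret_access_key)[[:space:]]*=' \
                    "$root/$dir" 2>/dev/null || true
            fi
        done
    } | sort -u
}

# Return 0 when ROOT is clean; otherwise list the offending files and return 1.
check_before_imaging() {
    found=$(list_credential_files "$1")
    if [ -z "$found" ]; then
        echo "OK: no API credentials found"
        return 0
    fi
    echo "STOP: remove these files and rely on the instance's IAM role instead:"
    echo "$found" | sed 's/^/  /'
    return 1
}

# Constructed demo tree for trying the check offline (the key ID is the
# placeholder used in AWS documentation, not a real credential).
demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/home/ec2-user/.aws" "$d/var/www/html"
    printf '[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' \
        > "$d/home/ec2-user/.aws/credentials"
    echo "$d"
}
```

On the instance, save the functions to a script that ends with check_before_imaging / and run it with sudo so that root's home directory and /etc are readable.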
We have completed setting up our base instance, so it's time to use it to create a new AMI.
Creating the AMI
Our base instance has been fully configured as a starting point for our application requirements. We will now use it to create a new AMI with all of these configurations.
- Navigate back to the list of Instances on AWS.
- Right click on the web-build instance, mouse over Image, and select the Create Image option.
- Type an appropriate Image Name of
- For the Description, we can use
- Leave all of the other defaults and click the Create Image button.
Amazon will use the instance configuration to create a new AMI called my-web-application. Allow some time for this to complete.
Using the AMI
Once the AMI creation has completed, we can remove the web-build instance that we've been working with. Navigate back to the list of instances in AWS, right click, mouse over Instance State, and choose Terminate.
We can use the AMI created a moment ago to launch a new instance that matches the configuration of the instance we just removed:
- Navigate to the "AMIs" section (under the "Images" group in the list on the left side of the page).
- Right click on the my-web-application AMI that we created and choose Launch.
You will be presented with instance type options, etc., and AWS will launch a matching instance upon completion.
Using the AMI in Another Region
The new AMI is only available in the region we created it in. If you want to use it in a different region, right click the AMI from the list and choose Copy. You will be presented with options for copying the AMI to a new region.
Modifying the AMI Permissions
You can make AMIs public/private or share them with other AWS accounts by right clicking the AMI from the list and choosing Modify Image Permissions. You will be presented with relevant permission options.
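After changing image permissions, it is worth confirming that the AMI is shared only with the accounts you intended. The script below is an added example, not part of the original lab; the function name, the allowlist argument and the sample JSON (constructed, with placeholder IDs) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original lab: audit who may launch an AMI.
# Input is the JSON printed by:
#   aws ec2 describe-image-attribute --image-id <ami-id> --attribute launchPermission
# The allowlist of 12-digit account IDs is an assumption you supply.

# Constructed sample output (placeholder IDs, not from a real account).
SAMPLE_PUBLIC='{"ImageId":"ami-EXAMPLE","LaunchPermissions":[{"Group":"all"},{"UserId":"444455556666"}]}'

# audit_launch_permissions JSON [ALLOWED_ACCOUNT_ID ...]
# Prints one line per problem; returns 0 only if the image is shared with
# nobody outside the allowlist.
audit_launch_permissions() {
    json="$1"; shift
    allowed=" $* "
    status=0

    # {"Group": "all"} means every AWS account can launch the image.
    if printf '%s' "$json" | grep -Eq '"Group"[[:space:]]*:[[:space:]]*"all"'; then
        echo "PUBLIC: image is launchable by all AWS accounts"
        status=1
    fi

    # Every explicitly shared account must be on the allowlist.
    for acct in $(printf '%s' "$json" |
            grep -Eo '"UserId"[[:space:]]*:[[:space:]]*"[0-9]{12}"' |
            grep -Eo '[0-9]{12}'); do
        case "$allowed" in
            *" $acct "*) ;;
            *) echo "UNEXPECTED: shared with account $acct"; status=1 ;;
        esac
    done
    return "$status"
}

# To make a public image private again:
#   aws ec2 modify-image-attribute --image-id <ami-id> \
#       --launch-permission "Remove=[{Group=all}]"
```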