
EC2 Instances Distribution Across Availability Zones

Reliability

Risk level: Medium (should be achieved)

Ensure that your EC2 instances are spread across all Availability Zones (AZs) within an AWS region in order to maintain high reliability in the event of a service disruption

Having a balanced distribution of EC2 instances across all AZs in a region will improve the availability and reliability of your applications in case of an AWS planned or unplanned service disruption. As account owner and/or administrator, you should make sure that no AZ houses 50% fewer EC2 instances than any other AZ. An example of even and uneven compute distribution within an AWS region is provided in the table below where the Asia Pacific (Sydney) region and its Availability Zones are used for demonstration:

Even Distribution                         Uneven Distribution
Availability Zone   Number of Instances   Availability Zone   Number of Instances
ap-southeast-2a     10                    ap-southeast-2a     10
ap-southeast-2b     11                    ap-southeast-2b     9
ap-southeast-2c     12                    ap-southeast-2c     2

Audit

To determine if your EC2 instances are distributed evenly across AZs within each region, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES section, choose Instances.

04 On the EC2 dashboard, click inside the attributes filter box located under the dashboard top menu, choose Availability Zone from the dropdown list and select one of the AZ names available in the list.

This filtering method will help you determine how many EC2 instances are currently running within the selected Availability Zone. Repeat this step for each of the other AZ names available in the Availability Zone dropdown list and note the number of EC2 instances returned for each zone. If the instances are not evenly distributed across the AZs in the selected region, the reliability of your applications running on these instances can be affected in the event of an EC2 service disruption.

05 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using AZ filtering to list the IDs of all EC2 instances currently provisioned in the us-east-1a Availability Zone, within the US East (N. Virginia) region:

aws ec2 describe-instances \
  --region us-east-1 \
  --filters "Name=availability-zone,Values=us-east-1a" \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested IDs:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-07a50b2e10b5ed33b  |
|  i-0967f046ef12cd3d9  |
|  i-0d807d8ed0892dbca  |
|  i-06cd8dfcbc9f8c051  |
|  i-b2e10b53d0892dd8a  |
|  i-0c1b9a95f0692bdc7  |
+-----------------------+

03 Repeat steps no. 1 and 2 to perform the audit process for each AZ available in the selected region. Each command output should return a table containing the IDs of the instances provisioned within the chosen Availability Zone, and each table row returned represents an individual EC2 instance. If the number of instances returned for each AZ is not evenly distributed, the reliability of the applications running on these instances can be affected in the event of an EC2 service disruption within the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the audit process for other regions.
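The CLI audit above counts one AZ at a time by hand. The following script is an added example (not code from the Cloud Conformity page; the function names are my own) that pulls every running instance's AZ in one call, seeds every AZ of the region with a count of zero so an unused AZ is not overlooked, and applies the page's rule that no AZ should hold 50% fewer instances than any other AZ. Only the two aws wrappers need credentials; check_distribution itself works on plain text and runs offline.

```shell
#!/bin/sh
# Added example for the EC2 AZ distribution audit. Not code from the Cloud
# Conformity page: the function names are my own. Assumptions: only running
# instances count as capacity, and "50% fewer" is read as "half or less",
# so an AZ holding exactly half of the largest AZ's instances fails the rule.

# Prints every Availability Zone of the region, one per line.
region_azs() {
  aws ec2 describe-availability-zones --region "$1" --output text \
    --query 'AvailabilityZones[].ZoneName' | tr '\t' '\n'
}

# Prints the AZ of every running instance in the region, one line per instance
# (text output is tab-separated on one line, hence the tr).
instance_azs() {
  aws ec2 describe-instances --region "$1" --output text \
    --filters "Name=instance-state-name,Values=running" \
    --query 'Reservations[].Instances[].Placement.AvailabilityZone' | tr '\t' '\n'
}

# check_distribution "<AZ names, one per line>" "<one AZ name per instance>"
# Prints the count per AZ and a verdict. Returns 0 when balanced, 1 when the
# smallest AZ holds half or less of the largest. An AZ of the region with no
# instances at all counts as 0 and therefore fails the check.
check_distribution() {
  printf '%s\n' "$1" | awk -v inst="$2" '
    NF { count[$1] = 0 }                 # seed every AZ of the region with 0
    END {
      n = split(inst, a, "\n")
      for (i = 1; i <= n; i++) if (a[i] != "") count[a[i]]++
      min = -1; max = 0
      for (az in count) {
        printf "%-18s %d\n", az, count[az]
        if (count[az] > max) max = count[az]
        if (min < 0 || count[az] < min) min = count[az]
      }
      if (max == 0) { print "no running instances in this region"; exit 0 }
      if (2 * min <= max) { print "UNEVEN: smallest AZ holds 50% or fewer of the largest"; exit 1 }
      print "EVEN: spread is within the 50% rule"
    }'
}

# Live usage for one region (repeat per region, as in step 04 above):
#   check_distribution "$(region_azs ap-southeast-2)" "$(instance_azs ap-southeast-2)"
```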

Remediation / Resolution

To equally distribute your existing EC2 instances across the Availability Zones within the utilized AWS regions, you need to migrate these instances between AZs. To migrate the necessary instances, you must re-create them by performing the following:

Note: As an example, this guide will explain how to migrate a Linux EC2 instance from the us-east-1a to the us-east-1b AZ, within the US East (N. Virginia) region:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 First, create an Amazon Machine Image (AMI) from the instance that you want to migrate. The image is required to re-create the instance within another Availability Zone, in the same AWS region. To create the AMI, perform the following actions:

  1. In the navigation panel, under INSTANCES section, select Instances.
  2. Select the EC2 instance that you want to migrate to another AZ (see Audit section part I to identify the right resource).
  3. Click the Actions dropdown button from the dashboard top menu, select Image and click Create Image.
  4. Inside Create Image dialog box, provide the following information:
    • Enter a name for the new AMI in the Image Name box.
    • In the Image description box, provide a description that reflects the instance usage.
    • Leave No reboot option unchecked so that Amazon can guarantee the file system integrity for the new image.
  5. Click Create Image to submit the request to create the image. Click Close to return to the EC2 dashboard. The AMI creation process may take a few minutes. Once the process is complete, the image status should change from pending to available.

04 Once the AMI is ready, use it to re-create the EC2 instance into the necessary Availability Zone. To launch the instance, perform the following:

  1. In the left navigation panel, under IMAGES section, select AMIs.
  2. Select the Amazon Machine Image (AMI) created at step no. 3.
  3. Click the Launch button from the EC2 dashboard top menu to initiate the deployment.
  4. On the Choose Instance Type page, select the same EC2 instance type used by the existing resource then click Next: Configure Instance Details.
  5. On the Choose an Amazon Machine Image (AMI) page, choose My AMIs tab then select the image created at step no. 3.
  6. On the Configure Instance Details page, select the Availability Zone where the EC2 instance will be re-created from the Subnet dropdown list and configure any other options such as IAM role, Monitoring and Shutdown Behavior based on the running instance's existing configuration. Click Next: Add Storage and go through the next pages until you reach the Configure Security Group page, without changing any configuration.
  7. On the Configure Security Group page, choose Select an existing security group and select the security group(s) currently assigned to the running EC2 instance. Click the Review and Launch button, review your new instance configuration details and click Launch.
  8. In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the running resource. Check the I acknowledge that I have access to the selected private key file (<key_name>.pem) option, then click Launch Instances.
  9. Click View Instances to return to the Instances page. The new instance will have the same data and system configuration as the running one but will be located in a different AZ, within the same region.

05 Transfer the Elastic IP (EIP) from the old EC2 instance to the new one in order to migrate the public IP reference to the new instance. If the older instance does not have an EIP attached, you will have to update the domain DNS record(s) to point to the new instance IP (if required). To transfer the Elastic IP, perform the following actions:

  1. In the navigation panel, under NETWORK & SECURITY section, select Elastic IPs.
  2. Select the EIP address attached to the old instance, click the Actions dropdown button then select Disassociate Address.
  3. In the Disassociate Address dialog box, review the details then click Yes, Disassociate.
  4. Select the same address, disassociated in the previous step, click the Actions dropdown button then select Associate Address.
  5. In the Associate Address dialog box, select the EC2 instance created at step no. 4 from Instance dropdown list then click Associate to attach the EIP.

06 Once you have verified that your new EC2 instance is working 100% within the selected AZ, shut down/terminate the older instance to stop incurring charges for it. To terminate the necessary instance, perform the following:

  1. In the navigation panel, under INSTANCES section, select Instances.
  2. Select the EC2 instance that you want to shut down.
  3. Click the Actions dropdown button from the dashboard top menu, select Instance State and click Terminate.
  4. In the Terminate Instances confirmation box, review the instance details then click Yes, Terminate.

Using AWS CLI

01 Run create-image command (OSX/Linux/UNIX) to create an Amazon Machine Image (AMI) from the instance that you want to migrate. The image is required to re-create the instance within another Availability Zone, in the same AWS region. Include the --no-reboot command parameter to guarantee the file system integrity for the new AMI:

aws ec2 create-image \
  --region us-east-1 \
  --instance-id i-07a50b2e10b5ed33b \
  --name "US-EAST-1A EC2 Instance Image" \
  --description "Instance AMI for AZ migration." \
  --no-reboot

02 The command output should return the new AMI ID:

{
    "ImageId": "ami-d3e01fc5"
}

03 Get the configuration details from the running (existing) EC2 instance, required for the next step. Run describe-instances command (OSX/Linux/UNIX) using the ID of the instance that you want to re-create (see Audit section part II to identify the right resource) to describe its configuration details:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-0d46e1335f8e33337

04 The command output should return the running EC2 instance configuration metadata:

{
    "Reservations": [
        {
            "OwnerId": "123456789012",
            "ReservationId": "r-00b20341832e7c2c4",
            "Instances": [
                {
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "EbsOptimized": false,
                    "LaunchTime": "2016-03-21T16:14:25.000Z",
                    "PublicIpAddress": "53.80.41.105",
                    "PrivateIpAddress": "172.31.5.98",
                    "ProductCodes": [],
                    "StateTransitionReason": "",
                    "InstanceId": "i-0d46e1335f8e33337",

                    ...

                    "EnaSupport": true,
                    "ImageId": "ami-0b33d91d",
                    "KeyName": "web-key",
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
                    "RootDeviceName": "/dev/xvda",
                    "VirtualizationType": "hvm",
                    "AmiLaunchIndex": 0
                }
            ]
        }
    ]
}

05 Execute run-instances command (OSX/Linux/UNIX) using the configuration information returned at the previous step to launch an instance from the image created at step no. 1. The following command example re-creates an EC2 instance inside the us-east-1b Availability Zone (identified by the subnet ID subnet-23e7ca4f), within the US East region, using an AMI with the ID ami-d3e01fc5:

aws ec2 run-instances \
  --region us-east-1 \
  --image-id ami-d3e01fc5 \
  --count 1 \
  --instance-type m3.medium \
  --key-name web-key \
  --security-group-ids sg-4e852af1 \
  --subnet-id subnet-23e7ca4f \
  --no-ebs-optimized

06 The command output should return the new EC2 instance metadata:

{
    "Reservations": [
        {
            "OwnerId": "123456789012",
            "ReservationId": "r-0f823c80bcf85d5ca",
            "Instances": [
                {
                    "EbsOptimized": false,
                    "LaunchTime": "2017-01-30T19:56:20.000Z",
                    "PrivateIpAddress": "172.31.3.101",
                    "ProductCodes": [],
                    "StateTransitionReason": "",

                    ...

                    "ImageId": "ami-d3e01fc5",
                    "KeyName": "web-key",
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
                    "RootDeviceName": "/dev/xvda",
                    "VirtualizationType": "hvm",
                    "AmiLaunchIndex": 0
                }
            ]
        }
    ]
}

07 Now transfer the Elastic IP (EIP) from the old EC2 instance to the new one in order to migrate the public IP reference to the new instance. To transfer the EIP, run the following commands:

  1. Run disassociate-address command (OSX/Linux/UNIX) to detach the Elastic IP address from the old instance (the command does not produce an output):
    aws ec2 disassociate-address \
      --region us-east-1 \
      --public-ip 54.201.109.87
    
  2. Run associate-address command (OSX/Linux/UNIX) to associate the EIP address detached at the previous step with the new EC2 instance, identified by the ID i-016b31cc7ba5e49b9:
    aws ec2 associate-address \
      --instance-id i-016b31cc7ba5e49b9 \
      --allocation-id eipalloc-58dfe9e1
    
  3. Once you've verified that your new EC2 instance is working 100% within the selected AZ, shut down the older instance to stop incurring charges for the resource. To terminate the necessary instance, run terminate-instances command (OSX/Linux/UNIX) using the instance ID as identifier:
    aws ec2 terminate-instances \
      --instance-ids i-0d46e1335f8e33337
    
  4. The command output should return the shutdown request metadata:
    {
        "TerminatingInstances": [
            {
                "InstanceId": "i-0d46e1335f8e33337",
                "CurrentState": {
                    "Code": 32,
                    "Name": "shutting-down"
                },
                "PreviousState": {
                    "Code": 16,
                    "Name": "running"
                }
            }
        ]
    }
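The CLI steps 01 to 07 above pass identifiers from one command to the next by hand. As an added example (not code from the Cloud Conformity page; the function name is my own), the script below wires the same create-image, describe-instances, run-instances, describe-addresses and associate-address calls together for one instance, waits for the AMI and the replacement to become usable, and only moves an Elastic IP when the source instance actually has one. Assumptions: the target subnet lives in the destination AZ, the instance has at most one EIP, and the AMI is created with create-image's default reboot, which is what the Console section's "leave No reboot unchecked" corresponds to.

```shell
#!/bin/sh
# Added example for the AZ migration procedure. Not code from the Cloud
# Conformity page: migrate_instance is my own name. Assumptions: the target
# subnet is in the destination AZ, the source instance has at most one Elastic
# IP, and create-image is left to reboot the instance (its default) for a
# consistent file system, as the Console steps describe.

set -eu

# migrate_instance REGION OLD_INSTANCE_ID TARGET_SUBNET_ID -> prints the new instance ID
migrate_instance() {
  region=$1; old=$2; subnet=$3

  # 1. Image the source instance and wait until the AMI is usable.
  ami=$(aws ec2 create-image --region "$region" --instance-id "$old" \
          --name "az-migration-$old" --description "Instance AMI for AZ migration." \
          --output text --query 'ImageId')
  aws ec2 wait image-available --region "$region" --image-ids "$ami"

  # 2. Read the attributes the replacement must reproduce (one tab-separated line).
  set -- $(aws ec2 describe-instances --region "$region" --instance-ids "$old" \
             --output text \
             --query 'Reservations[].Instances[].[InstanceType,KeyName,join(`,`,SecurityGroups[].GroupId)]')
  itype=$1; key=$2; sgs=$(printf '%s' "$3" | tr ',' ' ')

  # 3. Launch the replacement in the target subnet, and therefore the target AZ
  #    ($sgs is deliberately unquoted so each group ID becomes its own argument).
  new=$(aws ec2 run-instances --region "$region" --image-id "$ami" --count 1 \
          --instance-type "$itype" --key-name "$key" --security-group-ids $sgs \
          --subnet-id "$subnet" --output text --query 'Instances[0].InstanceId')
  aws ec2 wait instance-running --region "$region" --instance-ids "$new"

  # 4. Move the Elastic IP if the old instance had one; text output prints "None" when it did not.
  alloc=$(aws ec2 describe-addresses --region "$region" \
            --filters "Name=instance-id,Values=$old" \
            --output text --query 'Addresses[0].AllocationId')
  if [ -n "$alloc" ] && [ "$alloc" != "None" ]; then
    aws ec2 associate-address --region "$region" --instance-id "$new" \
      --allocation-id "$alloc" >/dev/null
  fi
  printf '%s\n' "$new"
}

# Terminate the source only after the replacement has been verified, e.g.:
#   new=$(migrate_instance us-east-1 i-0d46e1335f8e33337 subnet-23e7ca4f)
#   aws ec2 terminate-instances --region us-east-1 --instance-ids i-0d46e1335f8e33337
```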
    

Publication date Feb 6, 2017