- Knowledge Base
- Amazon Web Services
- EC2 Instance Distribution Across Availability Zones
Ensure that your Amazon EC2 instances are spread across all Availability Zones (AZs) within an AWS cloud region in order to maintain reliability in the event of a service disruption.
Reliability Having a balanced distribution of Amazon EC2 instances across all AZs in a region will improve the availability and reliability of your applications in case of a planned or unplanned service disruption. As account owner and/or administrator, you should make sure that no Availability Zone houses 50% fewer instances than any other AZ. An example of even and uneven compute distribution within an AWS region is provided in the table below where the Asia Pacific (Sydney) region and its Availability Zones are used for demonstration:
| Even Distribution | Uneven Distribution | ||
| Availability Zone | Number of Instances | Availability Zone | Number of Instances |
| ap-southeast-2a | 10 | ap-southeast-2a | 10 |
| ap-southeast-2b | 11 | ap-southeast-2b | 9 |
| ap-southeast-2c | 12 | ap-southeast-2c | 2 |
Audit
To determine if your Amazon EC2 instances are distributed evenly across AZs within each AWS region, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.
03 In the navigation panel, under Instances, choose Instances.
04 Click inside the Filter instances box located under the console top menu, choose Availability Zone, and select one of the Availability Zones (AZs) available in the list. This filtering technique will help you to determine how many Amazon EC2 instances are deployed in the selected Availability Zone. Repeat this step for each other AZ available in the Availability Zone list and note the number of instances returned for each zone. If the number of instances is not evenly distributed across all the Availability Zones within the selected AWS region, the reliability of the cloud applications running on these instances can be affected in the event of an Amazon EC2 service disruption.
05 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.
Using AWS CLI
01 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all the Amazon EC2 instances provisioned within the us-east-1a Availability Zone, in the US East (N. Virginia) region:
aws ec2 describe-instances --region us-east-1 --filters "Name=availability-zone,Values=us-east-1a" --output table --query 'Reservations[*].Instances[*].InstanceId'
02 The command output should return a table with the requested instance IDs:
------------------------- | DescribeInstances | +-----------------------+ | i-01234abcd1234abcd | | i-0abcabcabc1234567 | | i-01234567dabcdabcd | | i-0abcd1234abcd1234 | +-----------------------+
03 Repeat step no. 1 for each Availability Zone (AZ) within the selected AWS cloud region. The describe-instances command output should return the IDs of the Amazon EC2 instances provisioned within each AZ. If the number of instances is not evenly distributed across all the Availability Zones within the selected AWS region, the reliability of the cloud applications running on these instances can be affected in the event of an Amazon EC2 service disruption.
04 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
Remediation / Resolution
To equally distribute your existing Amazon EC2 instances across all the Availability Zones, you must to migrate your EC2 instances between AZs. To migrate the required instances, perform the following operations:
Note: As an example, this section will explain how to migrate a Linux EC2 instance from us-east-1a to us-east-1b, within the US East (N. Virginia) region:Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.
03 In the navigation panel, under Instances, choose Instances.
04 Select the Amazon EC2 instance that you want to migrate to another Availability Zone (AZ).
05 Click on the Actions dropdown menu from the console top menu, select Image and templates, and choose Create image.
06 On the Create image setup page, provide the following information:
- In the Image name box, enter a unique name for the new AMI.
- (Optional) In the Image description box, provide a short description that reflects the usage of the selected EC2 instance.
- Deselect Enable under No reboot so that Amazon EC2 service can guarantee the file system integrity for the new AMI.
- (Optional) For Tags, choose Tag image and snapshots together and use the Add tag button to create and apply user-defined tags to the new image.
- Choose Create image to create your new AMI.
07 Once the new image is ready, use it to re-create your Amazon EC2 instance into the required AZ. On the Instances listing page, choose Launch instances and perform the following actions:
- For Step 1: Choose an Amazon Machine Image (AMI), choose My AMIs tab, and select the Amazon Machine Image (AMI) created at step no. 6.
- For Step 2: Choose an Instance Type, select the required instance type (must match the instance type used by the source instance). Choose Next: Configure Instance Details to continue the setup process.
- For Step 3: Configure Instance Details, perform the following actions:
- Choose the Availability Zone where you want to launch your new instance from the Subnet dropdown list.
- Configure the network, identity management, behavior, and metadata settings. The new instance configuration must match the source instance configuration. Choose Next: Add Storage to continue the setup process.
- For Step 4: Add Storage, configure the storage device settings. Choose Next: Add Tags to set up the instance tags.
- For Step 5: Add Tags, use the Add tag button to create and apply user-defined tags to the new EC2 instance. You can track compute cost and other criteria by tagging your instance. Choose Configure Security Group to continue the setup process.
- For Step 6: Configure Security Group, choose Select an existing security group and select the security group(s) associated with the source Amazon EC2 instance. Choose Review and Launch to continue.
- For Step 7: Review Instance Launch, review your EC2 instance configuration details, then choose Launch.
- In the Select an existing key pair or create a new key pair configuration box, select Choose an existing key pair and use the same key pair as the source instance. Select the
I acknowledge that I have access to the selected private key file (<key-name>.pem), and that without this file, I won't be able to log into my instancecheckbox for confirmation, then choose Launch Instances to launch your new Amazon EC2 instance. - Choose View Instances to return to the Instances page.
08 After you have verified and tested your new Amazon EC2 instance, you can transfer the Elastic IP (EIP) from the source instance to the new instance. If the source instance does not have an EIP attached, you must update the domain DNS record(s) or any other application settings that point to the source instance, in order to switch to the new instance IP. To transfer the Elastic IP, perform the following actions:
- In the navigation panel, under Network & Security, select Elastic IPs.
- Select the Elastic IP address attached to the source instance, choose Actions, and select Disassociate Elastic IP address.
- In the Dissociate Elastic IP addressconfirmation box, review the EIP details, then choose Disassociate.
- Select the same IP address, choose Actions and select Associate Elastic IP address.
- In the Associate Elastic IP addressconfiguration box, perform the following:
- For Resource type, choose Instance.
- For Instance, select the ID of the newly created EC2 instance created at step no. 7.
- Choose Associate to attach the Elastic IP.
09 (Optional) You can terminate the source Amazon EC2 instance in order to stop incurring charges for it. To shut down the instance, perform the following actions:
- In the navigation panel, under Instances, choose Instances.
- Select the Amazon EC2 instance that you want to terminate.
- Choose Instance state and select Terminate instance.
- In the Terminate instance? confirmation box, review the instance details, then choose Terminate to shut down the selected EC2 instance.
10 Repeat steps no. 4 – 9 for each Amazon EC2 instance that you want to relocate, available within the current AWS region.
11 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.
Using AWS CLI
01 Run describe-instances command (OSX/Linux/UNIX) to list the configuration information available for the Amazon EC2 instance that you want to migrate to another Availability Zone (AZ):
aws ec2 describe-instances --region us-east-1 --instance-ids i-01234abcd1234abcd --query 'Reservations[*].Instances[]'
02 The command output should return an array with the requested configuration information:
[
{
"AmiLaunchIndex": 0,
"ImageId": "ami-0abcd1234abcd1234",
"InstanceId": "i-01234abcd1234abcd",
"InstanceType": "t2.micro",
"KeyName": "conformity",
"LaunchTime": "2021-03-10T10:00:00+00:00",
"Monitoring": {
"State": "disabled"
},
"Placement": {
"AvailabilityZone": "us-east-1a",
"GroupName": "",
"Tenancy": "dedicated"
},
"PrivateDnsName": "ip-10-0-0-15.ec2.internal",
"PrivateIpAddress": "10.0.0.15",
"ProductCodes": [],
"PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
"PublicIpAddress": "10.0.1.20",
"State": {
"Code": 16,
"Name": "running"
},
"StateTransitionReason": "",
"SubnetId": "subnet-abcd1234",
"VpcId": "vpc-1234abcd",
"Architecture": "x86_64",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/xvda",
"Ebs": {
"AttachTime": "2021-03-10T10:00:00+00:00",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0abcd1234abcd1234"
}
}
],
"ClientToken": "",
"EbsOptimized": false,
"EnaSupport": true,
"Hypervisor": "xen",
"IamInstanceProfile": {
"Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
"Id": "ABCDABCDABCDABCDABCDA"
},
"NetworkInterfaces": [
{
"Association": {
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
"PublicIp": "10.0.1.20"
},
"Attachment": {
"AttachTime": "2021-03-10T10:00:00+00:00",
"AttachmentId": "eni-attach-0abcd1234abcd1234",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
"NetworkCardIndex": 0
},
"Description": "Primary network interface",
"Groups": [
{
"GroupName": "cc-prod-security-group",
"GroupId": "sg-01234abcd1234abcd"
}
],
"Ipv6Addresses": [],
"MacAddress": "0e:53:19:7b:62:6b",
"NetworkInterfaceId": "eni-0abcd1234abcd1234",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-15.ec2.internal",
"PrivateIpAddress": "10.0.0.15",
"PrivateIpAddresses": [
{
"Association": {
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
"PublicIp": "10.0.1.20"
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-15.ec2.internal",
"PrivateIpAddress": "10.0.0.15"
}
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-abcd1234",
"VpcId": "vpc-1234abcd",
"InterfaceType": "interface"
}
],
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups": [
{
"GroupName": "cc-prod-security-group",
"GroupId": "sg-01234abcd1234abcd"
}
],
"SourceDestCheck": true,
"VirtualizationType": "hvm",
"CpuOptions": {
"CoreCount": 2,
"ThreadsPerCore": 4
},
"CapacityReservationSpecification": {
"CapacityReservationPreference": "open"
},
"HibernationOptions": {
"Configured": false
},
"MetadataOptions": {
"State": "applied",
"HttpTokens": "optional",
"HttpPutResponseHopLimit": 1,
"HttpEndpoint": "enabled"
},
"EnclaveOptions": {
"Enabled": false
}
}
]
03 Run create-image command (OSX/Linux/UNIX) to create an image from the source Amazon EC2 instance described at the previous step. Include the --no-reboot command parameter to guarantee the file system integrity for your new AMI:
aws ec2 create-image --region us-east-1 --instance-id i-01234abcd1234abcd --name "AZ Migration AMI" --description "Production Stack AMI for AZ Migration" --no-reboot
04 The command output should return the ID of the new Amazon Machine Image (AMI):
{
"ImageId": "ami-0abcdabcdabcdabcd"
}
05 Execute run-instances command (OSX/Linux/UNIX) to launch a new Amazon EC2 instance from the AMI created at the previous steps. Use the information returned at step no. 2 for the instance configuration parameters. Set the --subnet-id parameter value to the ID of the subnet to launch the instance into. The chosen subnet must be associated with the target Availability Zone:
aws ec2 run-instances --region us-east-1 --image-id ami-0abcdabcdabcdabcd --count 1 --instance-type t2.micro --key-name conformity --security-group-ids sg-01234abcd1234abcd --iam-instance-profile Name="ec2-manager-role" --subnet-id subnet-1234abcd
06 The command output should return the configuration metadata for the newly created EC2 instance:
{
"Groups": [],
"Instances": [
{
"AmiLaunchIndex": 0,
"ImageId": "ami-0abcdabcdabcdabcd",
"InstanceId": "i-01234123412341234",
"InstanceType": "t2.micro",
"KeyName": "conformity.aws",
"LaunchTime": "2021-03-22T17:29:43+00:00",
"Monitoring": {
"State": "disabled"
},
"Placement": {
"AvailabilityZone": "us-east-1c",
"GroupName": "",
"Tenancy": "default"
},
"PrivateDnsName": "ip-10-0-0-5.ec2.internal",
"PrivateIpAddress": "10.0.0.5",
"ProductCodes": [],
"PublicDnsName": "",
"State": {
"Code": 0,
"Name": "pending"
},
"StateTransitionReason": "",
"SubnetId": "subnet-abcdabcd",
"VpcId": "vpc-1234abcd",
"Architecture": "x86_64",
"BlockDeviceMappings": [],
"EbsOptimized": false,
"EnaSupport": true,
"Hypervisor": "xen",
"IamInstanceProfile": {
"Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
"Id": "ABCDABCDABCDABCDABCD"
},
"NetworkInterfaces": [
{
"Attachment": {
"AttachTime": "2021-03-22T17:29:43+00:00",
"AttachmentId": "eni-attach-0abcd1234abcd1234",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attaching",
"NetworkCardIndex": 0
},
"Description": "",
"Groups": [
{
"GroupName": "cc-prod-security-group",
"GroupId": "sg-01234abcd1234abcd"
}
],
"Ipv6Addresses": [],
"MacAddress": "06:00:c7:12:51:99",
"NetworkInterfaceId": "eni-0abcd1234abcd1234",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-5.ec2.internal",
"PrivateIpAddress": "10.0.0.5",
"PrivateIpAddresses": [
{
"Primary": true,
"PrivateDnsName": "ip-10-0-0-5.ec2.internal",
"PrivateIpAddress": "10.0.0.5"
}
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-1234abcd",
"VpcId": "vpc-1234abcd",
"InterfaceType": "interface"
}
],
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups": [
{
"GroupName": "cc-prod-security-group",
"GroupId": "sg-01234abcd1234abcd"
}
],
"SourceDestCheck": true,
"StateReason": {
"Code": "pending",
"Message": "pending"
},
"VirtualizationType": "hvm",
"HibernationOptions": {
"Configured": true
},
"CpuOptions": {
"CoreCount": 1,
"ThreadsPerCore": 1
},
"CapacityReservationSpecification": {
"CapacityReservationPreference": "open"
},
"MetadataOptions": {
"State": "pending",
"HttpTokens": "optional",
"HttpPutResponseHopLimit": 1,
"HttpEndpoint": "enabled"
},
"EnclaveOptions": {
"Enabled": false
}
}
],
"OwnerId": "123456789012",
"ReservationId": "r-0abcd1234abcd1234"
}
07 After you have verified and tested your new Amazon EC2 instance, you can transfer the Elastic IP (EIP) from the source instance to the new instance. If the source instance does not have an EIP attached, you must update the domain DNS record(s) or any other application settings that point to the source instance, in order to switch to the new instance IP. To transfer the Elastic IP, perform the following commands:
- Run disassociate-address command (OSX/Linux/UNIX) to detach the Elastic IP (EIP) address from the source Amazon EC2 instance (the command does not produce an output):
aws ec2 disassociate-address --association-id eipassoc-0abcd1234abcd1234
- Run associate-address command (OSX/Linux/UNIX) to associate the EIP address detached at the previous step with the new EC2 instance:
aws ec2 associate-address --instance-id i-01234123412341234 --allocation-id eipalloc-0abcd1234abcd1234
- The command output should return the EIP association ID:
{ "AssociationId": "eipassoc-01234abcd1234abcd" }
08 (Optional) You can terminate the source Amazon EC2 instance in order to stop incurring charges for it. To shut down the instance, run terminate-instances command (OSX/Linux/UNIX) using the source instance ID as the identifier parameter:
aws ec2 terminate-instances --instance-ids i-01234abcd1234abcd
09 The output should return the terminate-instances command request metadata:
{
"TerminatingInstances": [
{
"CurrentState": {
"Code": 32,
"Name": "shutting-down"
},
"InstanceId": "i-01234abcd1234abcd",
"PreviousState": {
"Code": 16,
"Name": "running"
}
}
]
}
10 Repeat steps no. 1 – 8 for each Amazon EC2 instance that you want to relocate, available in the selected AWS cloud region.
11 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
References
- AWS Documentation
- Amazon EC2 FAQs
- Regions and Availability Zones
- AWS Command Line Interface (CLI) Documentation
- ec2
- describe-instances
- create-image
- run-instances
- disassociate-address
- associate-address
- terminate-instances
Related EC2 rules
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
EC2 Instance Distribution Across Availability Zones
Risk Level: Medium