Using the AMI Tools
Once a machine image has been created, it must be bundled as an AMI for use with Amazon EC2, as
follows. Use ec2-bundle-image to bundle an image that you have prepared in a loopback file, as
described in the previous section.
# ec2-bundle-image -i my-image.img -k my-private-key.key -c my-x509-cert.cert
This will create the bundle files:
image.part.00
image.part.01
...
image.part.NN
image.manifest
Alternatively, an AMI can be created by snapshotting the local machine's root file system and bundling
it all at once with ec2-bundle-vol (note: you will need root privileges to do this, and
SELinux must be disabled). Use ec2-bundle-vol to re-bundle a (modified) running instance of an
existing AMI, as described in the previous section.
# ec2-bundle-vol -k my-private-key.key -s 1000 -u 495219933132
As with ec2-bundle-image, ec2-bundle-vol will create image parts files and a manifest file.
Note
If SELinux is enabled when ec2-bundle-vol is run, the filesystem creation step may fail. SELinux
should be disabled while this is done.
Uploading a Bundled AMI
The bundled AMI needs to be uploaded for storage in Amazon S3 before it can be accessed by
Amazon EC2. Use ec2-upload-bundle to upload the bundled AMI that you created as described above.
S3 stores data objects in buckets, which are similar in concept to directories. Buckets must have globally
unique names. The ec2-upload-bundle utility will upload the bundled AMI to a specified bucket. If the
specified bucket does not exist it will be created. However, if the specified bucket already exists, and
belongs to another user, then ec2-upload-bundle will fail.
# ec2-upload-bundle -b my-bucket -m image.manifest -a my-aws-access-key-id -s my-secret-key-id
The AMI manifest file and all image parts are uploaded to S3. The manifest file is encrypted with the
Amazon EC2 public key before being uploaded.
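As an added illustration (not the AMI tools' own code or file format), the following Python models the bundle layout described above: the image is split into image.part.00 ... image.part.NN files and a manifest lists each part with its size and digest, which a verify step checks after the files have been copied or uploaded. The JSON manifest, the default part size and the use of SHA-1 are assumptions of this model; the real ec2-bundle-image manifest is signed with your private key and encrypted with the Amazon EC2 public key, which this example omits.

```python
"""Simplified model of an AMI bundle: image parts plus a manifest that
records each part, with a verifier that detects missing or altered parts.
Added example; not the ec2-bundle-image format (no signature, no
encryption to the Amazon EC2 public key, JSON instead of XML)."""
import hashlib
import json
import os
import tempfile


def _sha1_of_file(path):
    """Stream a file through SHA-1 and return the hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def bundle_image(image_path, out_dir, prefix="image", part_size=10 * 1024 * 1024):
    """Write prefix.part.00 .. prefix.part.NN and prefix.manifest into out_dir.
    The part size is an assumption of this model. Returns the manifest path."""
    parts = []
    with open(image_path, "rb") as img:
        for index, chunk in enumerate(iter(lambda: img.read(part_size), b"")):
            name = f"{prefix}.part.{index:02d}"
            with open(os.path.join(out_dir, name), "wb") as fh:
                fh.write(chunk)
            parts.append({"name": name, "size": len(chunk),
                          "sha1": hashlib.sha1(chunk).hexdigest()})
    manifest = {"image": os.path.basename(image_path),
                "image_sha1": _sha1_of_file(image_path),
                "parts": parts}
    manifest_path = os.path.join(out_dir, f"{prefix}.manifest")
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest_path


def verify_bundle(manifest_path):
    """Check every part listed in the manifest against what is on disk.
    Returns a list of problems; an empty list means the bundle is intact."""
    bundle_dir = os.path.dirname(manifest_path)
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    problems = []
    for part in manifest["parts"]:
        path = os.path.join(bundle_dir, part["name"])
        if not os.path.exists(path):
            problems.append(f"{part['name']}: missing")
            continue
        if os.path.getsize(path) != part["size"]:
            problems.append(f"{part['name']}: size mismatch")
        if _sha1_of_file(path) != part["sha1"]:
            problems.append(f"{part['name']}: digest mismatch")
    return problems


def demo():
    """Bundle a constructed 2500-byte image using 1000-byte parts, verify it,
    then flip one byte of a part and verify again. Returns
    (file names produced, problems before tampering, problems after)."""
    with tempfile.TemporaryDirectory() as work:
        image = os.path.join(work, "my-image.img")
        with open(image, "wb") as fh:
            fh.write(os.urandom(2500))  # constructed sample image
        out = os.path.join(work, "bundle")
        os.mkdir(out)
        manifest = bundle_image(image, out, part_size=1000)
        names = sorted(os.listdir(out))
        clean = verify_bundle(manifest)
        # Corrupt the first byte of the second part in place (same size).
        with open(os.path.join(out, "image.part.01"), "r+b") as fh:
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0xFF]))
        tampered = verify_bundle(manifest)
    return names, clean, tampered


if __name__ == "__main__":
    print(demo())
```

The point of the manifest is that a consumer can check each part independently; that is why protecting the manifest itself (in the real tools, by signing it and encrypting it to the EC2 public key) matters more than protecting any single part.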
Amazon EC2
Developer Guide
11
Securing the Network
The Amazon EC2 service provides the ability to dynamically add and remove instances. However, this
flexibility can complicate firewall configuration and maintenance, which traditionally relies on IP
addresses, subnet ranges or DNS host names as the basis for the firewall rules.
The Amazon EC2 firewall allows you to assign your compute resources to user-defined groups and
define firewall rules for and in terms of these groups. As compute resources are added to or removed
from groups, the appropriate rules are enforced. Similarly, if a group's rules are changed these changes
are automatically applied to all members of the affected group.
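To show why group-based rules sidestep the maintenance problem above, here is an added Python model of a group firewall (example code, not Amazon's implementation). Rules are attached to groups and name their source either as another group or as a CIDR block; membership is consulted at evaluation time, so adding an instance to a group, removing it, or revoking a rule changes what is allowed without editing any per-address rule. The class and method names, group names and addresses are all constructed for this example.

```python
"""Model of group-based firewall rules: instances belong to groups, rules
are defined per group in terms of other groups or CIDR blocks, and the
effective rule set is derived from current membership on every check.
Added example; names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Inbound permission: protocol, port, and a source that is either a
    group name (any current member of that group) or a CIDR block."""
    proto: str
    port: int
    source: str


class GroupFirewall:
    def __init__(self):
        self.members = {}    # group name -> set of instance ids
        self.rules = {}      # group name -> set of Rule
        self.addresses = {}  # instance id -> IPv4 address string

    def create_group(self, group):
        self.members.setdefault(group, set())
        self.rules.setdefault(group, set())

    def add_instance(self, instance, address, groups):
        """Launch an instance into one or more groups."""
        self.addresses[instance] = address
        for group in groups:
            self.create_group(group)
            self.members[group].add(instance)

    def remove_instance(self, instance):
        """Terminate an instance: it drops out of every group at once."""
        self.addresses.pop(instance, None)
        for group_members in self.members.values():
            group_members.discard(instance)

    def authorize(self, group, rule):
        self.create_group(group)
        self.rules[group].add(rule)

    def revoke(self, group, rule):
        self.rules.get(group, set()).discard(rule)

    def groups_of(self, instance):
        return {g for g, m in self.members.items() if instance in m}

    def _source_matches(self, rule, src_instance, src_address):
        try:
            network = ipaddress.ip_network(rule.source)
        except ValueError:
            # Not a CIDR: treat the source as a group name. Only a current
            # member of that group qualifies; plain addresses never do.
            return src_instance is not None and src_instance in self.members.get(rule.source, set())
        return ipaddress.ip_address(src_address) in network

    def is_allowed(self, dst_instance, proto, port, src_instance=None, src_address=None):
        """Evaluate inbound traffic to dst_instance. The effective rules are
        the union of the rules of every group it currently belongs to."""
        if src_instance is not None:
            src_address = self.addresses[src_instance]
        if src_address is None:
            raise ValueError("a source instance or address is required")
        for group in self.groups_of(dst_instance):
            for rule in self.rules[group]:
                if (rule.proto == proto and rule.port == port
                        and self._source_matches(rule, src_instance, src_address)):
                    return True
        return False


def demo():
    """Web tier open to the world on 80; database reachable on 3306 only from
    the web group. Returns the outcome of each check as a dict."""
    fw = GroupFirewall()
    fw.authorize("web", Rule("tcp", 80, "0.0.0.0/0"))
    fw.authorize("db", Rule("tcp", 3306, "web"))
    fw.add_instance("i-db1", "10.0.0.10", ["db"])
    fw.add_instance("i-web1", "10.0.0.20", ["web"])
    results = {
        "internet_to_web_80": fw.is_allowed("i-web1", "tcp", 80, src_address="203.0.113.5"),
        "internet_to_db_3306": fw.is_allowed("i-db1", "tcp", 3306, src_address="203.0.113.5"),
        "web_to_db_3306": fw.is_allowed("i-db1", "tcp", 3306, src_instance="i-web1"),
    }
    # A new web instance is covered by the db rule without any rule edit.
    fw.add_instance("i-web2", "10.0.0.21", ["web"])
    results["new_web_to_db"] = fw.is_allowed("i-db1", "tcp", 3306, src_instance="i-web2")
    # Once i-web1 is gone, traffic from its old address is no longer a member.
    fw.remove_instance("i-web1")
    results["removed_web_addr_to_db"] = fw.is_allowed("i-db1", "tcp", 3306, src_address="10.0.0.20")
    # Changing the db group's rules applies to every current web member.
    fw.revoke("db", Rule("tcp", 3306, "web"))
    results["web2_to_db_after_revoke"] = fw.is_allowed("i-db1", "tcp", 3306, src_instance="i-web2")
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allow' if allowed else 'deny'}")
```

Note the design choice in `_source_matches`: a group-sourced rule never matches a bare address, even one that a former member used, which is exactly the property that makes reusing addresses safe when instances churn.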