AWS GovCloud (US)
User Guide

Amazon Elastic Compute Cloud (Amazon EC2)

The following list details the differences for using this service in the AWS GovCloud (US) Region compared to other AWS regions:

  • Spot instances and select Amazon EC2 instance types are not available in the AWS GovCloud (US) Region.

  • The public IP ranges for AWS GovCloud (US) Region Amazon EC2 instances are 52.222.0.0/17 and 96.127.0.0/17.

  • Reserved Instance resale is not available in the AWS GovCloud (US) Region.

  • AMI copy and snapshot copy do not support migrating AMIs and snapshots from another AWS region into the AWS GovCloud (US) region. For information about how to migrate your AMIs from another AWS region into the AWS GovCloud (US) Region, see Importing Virtual Machines into the AWS GovCloud (US) Region.

  • When using the Amazon EC2 AMI tools, the AWS GovCloud (US) Region uses a non-default public key certificate to encrypt AMI manifests. The ec2-bundle-image, ec2-bundle-vol, ec2-migrate-bundle, and ec2-migrate-manifest commands require the --ec2cert $EC2_AMITOOL_HOME/etc/ec2/amitools/cert-ec2-gov.pem option in the AWS GovCloud (US) Region.

  • By default, enhanced networking is not enabled on Windows Server 2012 R2 AMIs. For more information, see Enabling Enhanced Networking on Windows Instances in a VPC.

  • In the AWS GovCloud (US) Region, you must launch all Amazon EC2 instances in an Amazon Virtual Private Cloud (Amazon VPC). In some cases, your account might have a default VPC; otherwise, you must create a VPC before launching instances. For more information, see Determining if Your Account Has a Default Amazon VPC.

  • When you launch an instance in the AWS GovCloud (US) Region using the CLI ec2-run-instances command or API RunInstances action, you must specify the subnet parameter.

  • Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region. In other regions, you can use HTTP or HTTPS.

  • Use SSL (HTTPS) when generating key pairs with the ec2-create-keypair command or the CreateKeyPair action.

  • To import your own set of key pairs, follow the directions in Importing Your Own Key Pair to Amazon EC2.

  • When using VM Import:

    • If your account is set up with a default VPC, your default VPC is the target for your import.

    • If your account is not set up with a default VPC, you must specify an Availability Zone and a subnet. To specify a subnet when you create the import task, use the --subnet subnet_id option and the -z availability_zone option (specifying the Availability Zone corresponding to the subnet ID) with the ec2-import-instance command.

    • The AWS CLI commands, aws ec2 import-image and aws ec2 import-snapshot, and the ImportImage API are not available in the AWS GovCloud (US) Region.

  • When using VM Export:

    • The Amazon EC2 instance must have been previously imported using VM Import.

    • The Amazon S3 bucket for the destination image must exist and must have WRITE and READ_ACP permissions granted to the AWS GovCloud (US) account with canonical ID: af913ca13efe7a94b88392711f6cfc8aa07c9d1454d4f190a624b126733a5602.

    • To export an instance, you can use the ec2-create-instance-export-task command. For more information, see Exporting Amazon EC2 Instances.

  • Microsoft System Center Virtual Machine Manager (SCVMM) is not yet supported in the AWS GovCloud (US) Region.

  • AWS Management Portal for vCenter is not compatible with the AWS GovCloud (US) Region.

For more information about Amazon EC2, see the Amazon Elastic Compute Cloud documentation.
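The VM Export bucket requirement above can be checked before an export task is created. The following is an added example, not code from the AWS documentation: it audits a bucket ACL in the shape returned by `aws s3api get-bucket-acl` for the two grants the page requires and reports anything broader. The function name and the sample ACL, including its owner ID, are assumptions constructed for illustration.

```python
# Canonical ID this page gives for the account that needs access for VM Export.
VM_EXPORT_ID = "af913ca13efe7a94b88392711f6cfc8aa07c9d1454d4f190a624b126733a5602"
REQUIRED = {"WRITE", "READ_ACP"}


def audit_export_acl(acl, grantee_id=VM_EXPORT_ID):
    """Return (missing, excess) for the export grantee.

    missing: required permissions the grantee does not hold.
    excess:  permissions it holds beyond WRITE and READ_ACP.
    """
    held = {
        grant.get("Permission")
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "CanonicalUser"
        and grant.get("Grantee", {}).get("ID") == grantee_id
    }
    if "FULL_CONTROL" in held:
        # FULL_CONTROL covers both required permissions but is broader than needed.
        return set(), {"FULL_CONTROL"}
    return REQUIRED - held, held - REQUIRED


# Constructed sample ACL; OWNER-CANONICAL-ID-PLACEHOLDER is not a real account.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": VM_EXPORT_ID},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    missing, excess = audit_export_acl(SAMPLE_ACL)
    print("missing:", sorted(missing), "excess:", sorted(excess))
```
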

Determining if Your Account Has a Default Amazon VPC

In the AWS GovCloud (US) Region, you must launch all Amazon EC2 instances in an Amazon Virtual Private Cloud (Amazon VPC). In some cases, your account might have a default VPC, where you launch all your Amazon EC2 instances. If your account doesn't have a default VPC, you must create a VPC before you can launch Amazon EC2 instances. For more information, see What is Amazon VPC? in Amazon VPC User Guide.

  1. Sign in to the AWS Management Console for the AWS GovCloud (US) Region.

  2. Navigate to the dashboard of the Amazon EC2 console.

  3. In the Account Attributes section, view the Supported Platforms.

    • If you see only EC2-VPC, as shown in the following figure, your account has a VPC by default.

    • If you see both EC2-Classic and EC2-VPC, as shown in the following figure, your account doesn't have a default VPC. You must create a VPC before you launch Amazon EC2 or Amazon RDS instances.

If you don't want a default VPC for your AWS GovCloud (US) account, you can delete the default VPC and default subnets. The default VPC and subnets will not be recreated. However, you still need to create a VPC before launching instances.

If you deleted your default VPC, you can create a new one. For more information, see Creating a Default VPC.

If your account doesn't have a default VPC but you want a default VPC, you can submit a request by completing the AWS GovCloud (US) Contact Us form. In the form, include your AWS GovCloud (US) account ID and indicate that you want to enable your account for a default VPC.

ITAR Boundary

The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • All data entered, stored, and processed within an Amazon EC2 instance and ephemeral drives can contain ITAR-regulated data.

  • Key Pairs created using HTTPS.

  • Imported Key Pairs.

ITAR-Regulated Data Not Permitted

  • Amazon EC2 metadata is not permitted to contain ITAR-regulated data. This metadata includes all configuration data that you enter when creating and maintaining your instances.

  • Do not enter ITAR-regulated data in the following fields:

    • Instance names

    • AMI descriptions

    • Resource tags

  • Key pairs created using HTTP.

  • When using VM Import, you may not enter any ITAR-regulated data as part of CLI arguments, paths, or OS disk images. Any data that is ITAR-regulated should be encrypted and placed in partitions other than root and boot.

  • If importing ITAR-regulated images, do not use pre-signed URLs for the CLI argument --manifest-url.
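The command-line rules on this page (the --ec2cert requirement for the AMI tools, the --subnet and -z options for ec2-import-instance without a default VPC, and the ban on pre-signed --manifest-url values for ITAR-regulated images) can be checked in build scripts before anything runs. The following is an added example, not part of the AWS documentation; the function names and the sample command lines are assumptions constructed for illustration, and a pre-signed URL is recognised by its signature query parameter.

```python
import shlex
from urllib.parse import parse_qs, urlsplit

GOV_CERT = "cert-ec2-gov.pem"
NEEDS_EC2CERT = {"ec2-bundle-image", "ec2-bundle-vol",
                 "ec2-migrate-bundle", "ec2-migrate-manifest"}
# Query parameters that mark an S3 pre-signed URL (signature v2 and v4).
PRESIGN_PARAMS = {"signature", "x-amz-signature"}


def option_value(args, name):
    """Return the argument that follows option `name`, or None if absent."""
    if name in args[:-1]:
        return args[args.index(name) + 1]
    return None


def lint_command(line, default_vpc=False):
    """Return a list of findings for one legacy EC2 CLI command line."""
    args = shlex.split(line)
    if not args:
        return []
    cmd = args[0].rsplit("/", 1)[-1]  # tolerate a path prefix on the tool
    findings = []
    if cmd in NEEDS_EC2CERT:
        cert = option_value(args, "--ec2cert")
        if cert is None or not cert.endswith(GOV_CERT):
            findings.append("ec2cert: manifest must be encrypted with " + GOV_CERT)
    if cmd == "ec2-import-instance" and not default_vpc:
        for opt in ("--subnet", "-z"):  # options as named on this page
            if option_value(args, opt) is None:
                findings.append(opt + ": required when there is no default VPC")
    url = option_value(args, "--manifest-url")
    if url:
        params = {key.lower() for key in parse_qs(urlsplit(url).query)}
        if params & PRESIGN_PARAMS:
            findings.append("--manifest-url: pre-signed URL, not allowed for ITAR images")
    return findings


# Constructed command lines; file names, account number and subnet are made up.
SAMPLES = [
    "ec2-bundle-image -i image.img -k pk.pem -c cert.pem -u 111122223333 -r x86_64",
    "ec2-bundle-vol -k pk.pem -c cert.pem -u 111122223333 "
    "--ec2cert $EC2_AMITOOL_HOME/etc/ec2/amitools/cert-ec2-gov.pem",
    "ec2-import-instance disk.vmdk -f VMDK -t m3.large -a x86_64 --subnet subnet-EXAMPLE",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.split()[0], lint_command(sample) or "ok")
```
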