Configure your Windows AMI for faster launching
Every EC2 Windows instance must go through the standard Windows operating system (OS) launch steps, which include several reboots, and often take 15 minutes or longer to complete. Windows AMIs that are optimized for faster launching complete some of those steps and reboots in advance by launching a set of instances in the background, and then creating snapshots when they have completed the initial launch steps. The use of these snapshots in the faster launching process can significantly reduce the time it takes to launch instances when they are needed. This is not the same process as EBS fast snapshot restore.
Any account that has access to an AMI that is configured for faster launching can benefit from reduced launch times. However, it is the AMI owner's account that provides the snapshots that are consumed for the launch.
Key terms
- Pre-provisioned snapshot – A snapshot of an instance that was launched from a Windows AMI with faster launching enabled, and that has completed the following Windows launch steps, rebooting as required:
  - Sysprep specialize
  - Windows Out of Box Experience (OOBE)
  When these steps are complete, Amazon EC2 stops the instance, and creates a snapshot that is later used for faster launching from the AMI.
- Launch frequency – Controls the number of pre-provisioned snapshots that Amazon EC2 can launch within the specified timeframe. When faster launching is enabled for the AMI, Amazon EC2 creates the initial set of pre-provisioned snapshots in the background. For example, if the launch frequency is set to five launches per hour, which is the default, then Amazon EC2 creates an initial set of five pre-provisioned snapshots.
  When an instance is launched, it uses one of the pre-provisioned snapshots to reduce the launch time. As snapshots are used, they are automatically replenished, up to the number specified by the launch frequency.
  If you expect a spike in the number of instances that are launched from your AMI – during a special event, for example – you can increase the launch frequency in advance to cover the additional instances that you'll need. When your launch rate returns to normal, you can adjust the frequency back down.
  When you experience a higher number of launches than anticipated, you might use up the fast-launching snapshots that you have available. This does not cause any launches to fail. However, it can result in some instances going through the standard launch process, until snapshots can be replenished.
- Target resource count – The number of pre-provisioned snapshots to keep on hand for a fast-launch enabled Windows AMI.
- Max parallel launches – Controls how many instances can be launched at a time for creating the pre-provisioned snapshots. If your target resource count is higher than the number of max parallel launches, Amazon EC2 will initially launch the number of instances specified by the max parallel launches setting for creating the snapshots. As those instances complete the process and Amazon EC2 takes the snapshot and stops the instance, more instances are launched until the total number of snapshots available has reached the target resource count. This value must be 6 or greater.
Resource costs
There is no service charge to configure Windows AMIs for faster launching. However, standard pricing applies for underlying AWS resources that are used to prepare and store the pre-provisioned snapshots. The following example demonstrates how associated costs are allocated.
Example scenario: The AtoZ Example company has a Windows AMI with a 50-GiB EBS root volume. They enable faster launching for their AMI, and set the target resource count to five. Over the course of a month, using Windows faster launching for their AMI costs them around $5.00, and the cost breakdown is as follows:
- When AtoZ Example enables faster launching, Amazon EC2 launches five small instances. Each instance runs through the Sysprep and OOBE Windows launch steps, rebooting as required. This takes several minutes for each instance (time can vary, based on how busy that Region or Availability Zone (AZ) is, and on the size of the AMI).
  Costs
  - Instance runtime costs (or minimum runtime, if applicable): five instances
  - Volume costs: five EBS root volumes
- When the pre-provisioning process completes, Amazon EC2 takes a snapshot of the instance, which it stores in Amazon S3. Snapshots are typically stored for 4-8 hours before they are consumed by a launch. In this case, the cost is roughly $0.02 to $0.05 per snapshot.
  Costs
  - Snapshot storage (Amazon S3): five snapshots
- After Amazon EC2 takes the snapshot, it stops the instance. At that point, the instance is no longer accruing costs. However, EBS volume costs continue to accrue.
  Costs
  - EBS volumes: costs continue for the associated EBS root volumes.
The costs shown here are for demonstration purposes only. Your costs will vary, depending on your AMI configuration and pricing plan.
You can configure Windows AMIs that you own for faster launching using the Amazon EC2 console, API, SDKs, or ec2 commands in the AWS CLI. The following sections cover configuration steps for the Amazon EC2 console and AWS CLI.
Prerequisites
Before you set up faster launching for EC2 Windows instances, you must verify that the following prerequisites are met:
- If you are using the AWS Management Console to configure your settings, ensure that a default VPC is configured for the Region in which you use faster launching for EC2 Windows instances. You cannot have EC2 Classic enabled in the Region, even if you have a default VPC configured. For more information about EC2 Classic, see EC2-Classic Networking is Retiring - Here's How to Prepare.
- You can use a launch template to specify a non-default VPC by using the AWS CLI, EC2 API actions, or SDKs.
- To change the settings for faster launching for EC2 Windows instances, your AWS account must own the Windows AMI.
- The Windows AMI that you use to configure faster launching for EC2 Windows instances must be created using Sysprep with the shutdown option. AMIs that are created from an instance without running Sysprep are not currently supported. To create an AMI using Sysprep, see Create a custom Windows AMI.
Configuration scenarios
This section addresses specific scenarios to help you configure your Windows AMI for faster launching.
Scenario 1: You have deleted your default VPC
You have the following options to specify your VPC:
- If you are using the AWS Management Console to configure your environment, you must use a default VPC in the Region for which you are configuring faster launching. To create a default VPC, see Create a default VPC in the Amazon VPC User Guide.
- If you run the enable-fast-launch command in the AWS CLI, or call the EnableFastLaunch API action, you can specify the VPC in your launch template.
Scenario 2: You are using IMDSv2 for your launch
If your account includes a policy that enforces IMDSv2 for Amazon EC2 instances, you must create a launch template that specifies the metadata configuration to enforce IMDSv2. Amazon EC2 does not currently support this in the AWS Management Console.
Run the enable-fast-launch command in the AWS CLI, or call the EnableFastLaunch API action, specifying the launch template that includes your metadata configuration.
Start faster launching for Windows AMIs
To start faster launching for EC2 Windows instances, choose the tab that matches your environment, and follow the steps.
Before changing these settings, make sure that your AMI and the Region that you run in meet all prerequisites.
Stop faster launching for Windows AMIs
To stop faster launching for EC2 Windows instances, choose the tab that matches your environment, and follow the steps.
Before changing these settings, make sure that your AMI and the Region that you run in meet all prerequisites.
View Windows AMIs that have faster launching enabled (AWS CLI)
You can use the describe-fast-launch-images command in the AWS CLI, or the Get-EC2FastLaunchImage Tools for Windows PowerShell cmdlet to get details for Windows AMIs that have faster launching enabled.
Amazon EC2 provides the following details for each Windows AMI that is returned in the results:
- The image ID that identifies the fast-launch enabled Windows image.
- The resource type that is used for pre-provisioning the Windows AMI. Supported value: snapshot.
- The snapshot configuration, which is a group of parameters that is used for pre-provisioning the associated Windows AMI using snapshots.
- Launch template information, including the ID, name, and version of the launch template that the AMI uses when it launches Windows instances from pre-provisioned snapshots.
- The maximum number of parallel instances that are launched for creating resources.
- The owner ID for the fast-launch enabled Windows AMI.
- The current state of faster launching for the specified Windows AMI. Supported values include: enabling | enabling-failed | enabled | enabled-failed | disabling | disabling-failed.
- The reason that faster launching for the Windows AMI changed to the current state.
- The time that faster launching for the Windows AMI changed to the current state.
Choose the tab that matches your command line environment:
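An added example (not from the AWS documentation) that serves both the IMDSv2 scenario and the details listed above: it takes the output of describe-fast-launch-images plus describe-launch-template-versions and reports AMIs that are in a failed state or whose launch template does not require IMDSv2. The sample data and all IDs are constructed, and the field names are assumed to match the JSON that those two AWS CLI commands return.

```python
# Constructed sample shaped like `aws ec2 describe-fast-launch-images` output.
# All IDs and the reason text are placeholders, not real resources.
IMAGES = {"FastLaunchImages": [
    {"ImageId": "ami-0aaaaaaaaaaaaaaaa", "State": "enabled",
     "LaunchTemplate": {"LaunchTemplateId": "lt-0aaaaaaaaaaaaaaaa", "Version": "1"}},
    {"ImageId": "ami-0bbbbbbbbbbbbbbbb", "State": "enabled",
     "LaunchTemplate": {"LaunchTemplateId": "lt-0bbbbbbbbbbbbbbbb", "Version": "1"}},
    {"ImageId": "ami-0cccccccccccccccc", "State": "enabling-failed",
     "StateTransitionReason": "constructed reason text",
     "LaunchTemplate": {"LaunchTemplateId": "lt-0cccccccccccccccc", "Version": "2"}},
]}
# Constructed sample shaped like `aws ec2 describe-launch-template-versions` output.
VERSIONS = {"LaunchTemplateVersions": [
    {"LaunchTemplateId": "lt-0aaaaaaaaaaaaaaaa", "VersionNumber": 1,
     "LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "required"}}},
    {"LaunchTemplateId": "lt-0bbbbbbbbbbbbbbbb", "VersionNumber": 1,
     "LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "optional"}}},
]}

# The failure states among the supported state values listed above.
FAILED_STATES = {"enabling-failed", "enabled-failed", "disabling-failed"}

def audit_fast_launch(images, versions):
    """Map image ID -> list of findings for fast-launch AMIs needing attention."""
    # Index the HttpTokens setting by (launch template ID, version).
    http_tokens = {}
    for v in versions["LaunchTemplateVersions"]:
        opts = v.get("LaunchTemplateData", {}).get("MetadataOptions", {})
        key = (v["LaunchTemplateId"], str(v["VersionNumber"]))
        http_tokens[key] = opts.get("HttpTokens", "unset")
    report = {}
    for img in images["FastLaunchImages"]:
        findings = []
        if img["State"] in FAILED_STATES:
            reason = img.get("StateTransitionReason", "no reason given")
            findings.append(f"state={img['State']} ({reason})")
        lt = img.get("LaunchTemplate") or {}
        key = (lt.get("LaunchTemplateId"), str(lt.get("Version")))
        if key not in http_tokens:
            findings.append("launch template version not supplied; IMDSv2 setting unverified")
        elif http_tokens[key] != "required":
            findings.append(f"HttpTokens={http_tokens[key]}; launch template does not require IMDSv2")
        if findings:
            report[img["ImageId"]] = findings
    return report

if __name__ == "__main__":
    for image_id, findings in audit_fast_launch(IMAGES, VERSIONS).items():
        print(image_id, *findings, sep="\n  - ")
```

For real data, load the saved JSON output of the two commands with json.load and pass the resulting dictionaries in place of the samples.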
Service-linked role for faster launching for EC2 Windows instances
Amazon EC2 uses service-linked roles for the permissions that it requires to call other AWS services on your behalf. A service-linked role is a unique type of IAM role that is linked directly to an AWS service. Service-linked roles provide a secure way to delegate permissions to AWS services because only the linked service can assume a service-linked role. For more information about how Amazon EC2 uses IAM roles, including service-linked roles, see IAM roles for Amazon EC2.
Amazon EC2 uses the service-linked role named AWSServiceRoleForEC2FastLaunch to create and manage a set of pre-provisioned snapshots that reduce the time it takes to launch instances from your Windows AMI.
You don't need to create this service-linked role manually. When you start using faster launching for EC2 Windows instances for your AMI, Amazon EC2 creates the service-linked role for you, if it does not already exist.
If the service-linked role is deleted from your account, you can start faster launching for EC2 Windows instances for another Windows AMI to re-create the role in your account. Alternatively, you can stop faster launching for EC2 Windows instances for your current AMI, and then start it again. However, stopping the feature results in your AMI using the standard launch process for all new instances while Amazon EC2 removes all of your pre-provisioned snapshots. After all of the pre-provisioned snapshots are gone, you can start using faster launching for EC2 Windows instances for your AMI again.
Amazon EC2 does not allow you to edit the AWSServiceRoleForEC2FastLaunch service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role by using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.
You can delete a service-linked role only after first deleting all of the related resources. This protects the Amazon EC2 resources that are associated with your faster launching-enabled AMI because you can't inadvertently remove permission to access the resources.
Amazon EC2 supports the faster launching for EC2 Windows instances service-linked role in all of the Regions where the Amazon EC2 service is available. For more information, see Regions.
Permissions granted by AWSServiceRoleForEC2FastLaunch
Amazon EC2 uses the EC2FastLaunchServiceRolePolicy managed policy to complete the following actions:
- cloudwatch:PutMetricData – Post metric data associated with faster launching for EC2 Windows instances to the Amazon EC2 namespace.
- ec2:CreateLaunchTemplate – Create a launch template for your faster launching-enabled AMI.
- ec2:CreateSnapshot – Create pre-provisioned snapshots for your faster launching-enabled AMI.
- ec2:CreateTags – Create tags for resources that are associated with launching and pre-provisioning Windows instances for your faster launching-enabled AMI.
- ec2:DeleteSnapshots – Delete all associated pre-provisioned snapshots if faster launching for EC2 Windows instances is turned off for a previously enabled AMI.
- ec2:DescribeImages – Describe images for all resources.
- ec2:DescribeInstanceAttribute – Describe instance attributes for all resources.
- ec2:DescribeInstanceStatus – Describe instance status for all resources.
- ec2:DescribeInstances – Describe instances for all resources.
- ec2:DescribeInstanceTypeOfferings – Describe instance type offerings for all resources.
- ec2:DescribeLaunchTemplates – Describe launch templates for all resources.
- ec2:DescribeLaunchTemplateVersions – Describe launch template versions for all resources.
- ec2:DescribeSnapshots – Describe snapshot resources for all resources.
- ec2:DescribeSubnets – Describe subnets for all resources.
- ec2:RunInstances – Launch instances from a faster launching-enabled AMI, in order to perform provisioning steps.
- ec2:StopInstances – Stop instances that were launched from a faster launching-enabled AMI in order to create pre-provisioned snapshots.
- ec2:TerminateInstances – Terminate an instance that was launched from a faster launching-enabled AMI after creating the pre-provisioned snapshot from it.
- iam:PassRole – Allows the AWSServiceRoleForEC2FastLaunch service-linked role to launch instances on your behalf using the instance profile from your launch template.
For more information about using managed policies for Amazon EC2, see AWS managed policies for Amazon Elastic Compute Cloud.
Access to customer managed keys for use with encrypted AMIs and EBS snapshots
Prerequisite
- To enable Amazon EC2 to access an encrypted AMI on your behalf, you must have permission for the createGrant action in the customer managed key.
When you enable faster launching for EC2 Windows instances for an encrypted AMI, Amazon EC2 ensures that permission is granted for the AWSServiceRoleForEC2FastLaunch role to use the customer managed key to access your AMI. This permission is needed to launch instances and create pre-provisioned snapshots on your behalf.