Amazon EC2 - AWS GovCloud (US)

Amazon EC2

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizable computing capacity—literally, servers in Amazon's data centers—that you use to build and host your software systems.

How Amazon Elastic Compute Cloud Differs for AWS GovCloud (US)

  • EC2 Instance Connect will not work in AWS GovCloud (US) if your Linux instance has SELinux enabled in enforcing mode. The process for enabling or disabling SELinux varies across Linux distributions. For information about how to check the status of SELinux on your instance, or to enable or disable SELinux, see the relevant operating system guide for your instance.

  • Reserved Instance resale is not available in the AWS GovCloud (US) Regions.

  • AMI copy and snapshot copy do not support migrating AMIs and snapshots from another AWS Region into AWS GovCloud (US) Regions. For information about how to migrate your AMIs from another AWS Region into AWS GovCloud (US) Regions, see Importing Virtual Machines into AWS GovCloud (US) Regions.

  • When using the Amazon EC2 AMI tools, AWS GovCloud (US) Regions use a non-default public key certificate to encrypt AMI manifests. The ec2-bundle-image, ec2-bundle-vol, ec2-migrate-bundle, and ec2-migrate-manifest commands require the --ec2cert $EC2_AMITOOL_HOME/etc/ec2/amitools/cert-ec2-gov.pem option in AWS GovCloud (US) Regions.

  • By default, enhanced networking is not enabled on Windows Server 2012 R2 AMIs. For more information, see Enabling Enhanced Networking on Windows Instances in a VPC.

  • In AWS GovCloud (US) Regions, you must launch all Amazon EC2 instances in an Amazon Virtual Private Cloud (Amazon VPC). In some cases, your account might have a default VPC; otherwise, you must create a VPC before launching instances. For more information, see Determining if Your Account Has a Default Amazon VPC.

  • When you launch an instance in AWS GovCloud (US) Regions using the CLI ec2-run-instances command or API RunInstances action, you must specify the subnet parameter.

  • Use SSL (HTTPS) when you make calls to the service in AWS GovCloud (US) Regions. In other AWS Regions, you can use HTTP or HTTPS.

  • Use SSL (HTTPS) when generating key pairs using ec2-create-keypair and CreateKeyPair commands.

  • To import your own set of key pairs, follow the directions in Importing Your Own Key Pair to Amazon EC2.

  • When using VM Import:

    • If your account is set up as default VPC, then your default VPC will be the target for your import.

    • If your account is not set up as default VPC, then you will need to specify an Availability Zone and subnet. To specify a subnet to use when you create the import task, use the --subnet subnet_id option and -z availability_zone option (specifying the Availability Zone corresponding to the subnet ID) with the ec2-import-instance command.

  • When using VM Export:

    • The Amazon EC2 instance must have been previously imported using VM Import.

    • The Amazon S3 bucket for the destination image must exist and must have WRITE and READ_ACP permissions granted to the AWS GovCloud (US) account with canonical ID: af913ca13efe7a94b88392711f6cfc8aa07c9d1454d4f190a624b126733a5602.

    • To export an instance, you can use the ec2-create-instance-export-task command. For more information, see Exporting Amazon EC2 Instances.

  • Microsoft System Center Virtual Machine Manager (SCVMM) is not yet supported in AWS GovCloud (US) Regions.

  • AWS Management Portal for vCenter is not compatible with AWS GovCloud (US) Regions.

  • Savings Plans cannot be purchased from AWS GovCloud (US) accounts. They can be purchased in any standard account, and plans purchased in the standard account can apply to usage in AWS GovCloud (US) Regions.

  • The Provisioned IOPS SSD (io2) EBS volume type is not available in the AWS GovCloud (US) Regions.

  • EC2 CPU Optimization is currently API-only in the AWS GovCloud (US) Regions.

  • AWS Nitro Enclaves is not available in the AWS GovCloud (US) Regions.
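The VM Export prerequisite above (WRITE and READ_ACP on the destination bucket for the AWS GovCloud (US) canonical ID) can be verified against the bucket's ACL before an export is started. The following is an added example, not AWS code: it evaluates an ACL document in the shape returned by `aws s3api get-bucket-acl` (the sample below is constructed) and also flags grants to the AllUsers and AuthenticatedUsers groups, which an export destination should not carry.

```python
import json

# Canonical ID of the AWS GovCloud (US) account named on this page for VM Export.
GOVCLOUD_VMEXPORT_CANONICAL_ID = (
    "af913ca13efe7a94b88392711f6cfc8aa07c9d1454d4f190a624b126733a5602"
)
REQUIRED = {"WRITE", "READ_ACP"}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def check_export_bucket_acl(acl: dict) -> dict:
    """Return the required permissions still missing for the export account
    and any grants to the public / any-authenticated groups, which are
    over-broad for a bucket that will receive exported disk images."""
    granted = set()
    broad = []
    for g in acl.get("Grants", []):
        grantee, perm = g.get("Grantee", {}), g.get("Permission")
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == GOVCLOUD_VMEXPORT_CANONICAL_ID:
            # FULL_CONTROL is the union of READ, WRITE, READ_ACP and WRITE_ACP.
            granted |= (REQUIRED if perm == "FULL_CONTROL" else {perm})
        elif grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            broad.append((grantee["URI"].rsplit("/", 1)[-1], perm))
    return {"missing": sorted(REQUIRED - granted), "overbroad": broad}


# Constructed sample mirroring `aws s3api get-bucket-acl` output: the export
# account has WRITE only, and a stray public READ grant is present.
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "0000000000000000000000000000000000000000000000000000000000000000"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser",
                 "ID": "0000000000000000000000000000000000000000000000000000000000000000"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "CanonicalUser",
                 "ID": "af913ca13efe7a94b88392711f6cfc8aa07c9d1454d4f190a624b126733a5602"},
     "Permission": "WRITE"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}""")

if __name__ == "__main__":
    print(check_export_bucket_acl(SAMPLE_ACL))
    # → {'missing': ['READ_ACP'], 'overbroad': [('AllUsers', 'READ')]}
```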

Determining if Your Account Has a Default Amazon VPC

In AWS GovCloud (US) Regions, you must launch all Amazon EC2 instances in an Amazon Virtual Private Cloud (Amazon VPC). In some cases, your account might have a default VPC, where you launch all your Amazon EC2 instances. If your account doesn't have a default VPC, you must create a VPC before you can launch Amazon EC2 instances. For more information, see What is Amazon VPC? in Amazon VPC User Guide.

  1. Sign in to the AWS Management Console for the AWS GovCloud (US) Region.

  2. Navigate to the dashboard of the Amazon EC2 console.

  3. In the Account Attributes section, view the Supported Platforms.

    • If you see only EC2-VPC, as shown in the following figure, your account has a VPC by default.

    • If you see both EC2-Classic and EC2-VPC, as shown in the following figure, your account doesn't have a default VPC. You must create a VPC before you launch Amazon EC2 or Amazon RDS instances.
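The same determination can be made from the CLI with `aws ec2 describe-account-attributes --attribute-names supported-platforms default-vpc`. The following is an added example, not AWS code: it applies the rule above to that command's JSON output (constructed samples; the CLI reports the platforms as `EC2` and `VPC`, and `none` for a missing default VPC) and cross-checks the two attributes against each other.

```python
import json


def has_default_vpc(attrs: dict) -> tuple:
    """Apply the page's rule: only VPC listed -> a default VPC exists;
    EC2 and VPC listed -> no default VPC. The default-vpc attribute
    ("none" when absent) is used as a cross-check on that reading."""
    values = {}
    for a in attrs.get("AccountAttributes", []):
        values[a["AttributeName"]] = [v["AttributeValue"] for v in a.get("AttributeValues", [])]
    platforms = set(values.get("supported-platforms", []))
    default_vpc = (values.get("default-vpc") or ["none"])[0]
    by_platform = platforms == {"VPC"}
    by_attribute = default_vpc != "none"
    if by_platform != by_attribute:
        return by_attribute, f"signals disagree: platforms={sorted(platforms)}, default-vpc={default_vpc}"
    if by_attribute:
        return True, f"default VPC {default_vpc}; instances launch there unless a subnet is given"
    return False, "no default VPC: create a VPC and pass a subnet when calling RunInstances"


# Constructed samples in the shape of `aws ec2 describe-account-attributes` output.
SAMPLE_WITH_DEFAULT = json.loads('''{"AccountAttributes": [
  {"AttributeName": "supported-platforms", "AttributeValues": [{"AttributeValue": "VPC"}]},
  {"AttributeName": "default-vpc", "AttributeValues": [{"AttributeValue": "vpc-0123456789abcdef0"}]}]}''')
SAMPLE_WITHOUT_DEFAULT = json.loads('''{"AccountAttributes": [
  {"AttributeName": "supported-platforms", "AttributeValues": [{"AttributeValue": "EC2"}, {"AttributeValue": "VPC"}]},
  {"AttributeName": "default-vpc", "AttributeValues": [{"AttributeValue": "none"}]}]}''')

if __name__ == "__main__":
    print(has_default_vpc(SAMPLE_WITH_DEFAULT))
    print(has_default_vpc(SAMPLE_WITHOUT_DEFAULT))
```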

If you don't want a default VPC for your AWS GovCloud (US) account, you can delete the default VPC and default subnets. The default VPC and subnets will not be recreated. However, you still need to create a VPC before launching instances.

If you deleted your default VPC, you can create a new one. For more information, see Creating a Default VPC.

If your account doesn't have a default VPC but you want a default VPC, you can submit a request by completing the AWS GovCloud (US) Contact Us form. In the form, include your AWS GovCloud (US-West) account ID and indicate that you want to enable your account for a default VPC.

Documentation for Amazon EC2

Amazon Elastic Compute Cloud documentation.

Export-Controlled Content

For AWS Services architected within the AWS GovCloud (US) Regions, the table below explains how certain components of data may leave the Regions in the normal course of the Service Offerings. The table can be used as a guide to help meet applicable customer compliance obligations.

Data in the following service attributes will not leave the AWS GovCloud (US) Regions in the normal course of the Service Offerings:

  • All data entered, stored, and processed within an Amazon EC2 instance and ephemeral drives can contain export-controlled data.

  • Key Pairs created using HTTPS.

  • Imported Key Pairs.

Data in the following service attributes may leave the AWS GovCloud (US) Regions in the normal course of the Service Offerings:

  • Amazon EC2 metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your instances.

  • Do not enter export-controlled data in the following fields:

    • Instance names

    • AMI descriptions

    • Resource tags

  • Key pairs created using HTTP.

  • When using VM Import, you may not enter any export-controlled data as part of CLI arguments, paths, or OS disk images. Any data that is export-controlled should be encrypted and placed in partitions other than root and boot.

  • If importing export-controlled images, do not use pre-signed URLs for the CLI argument --manifest-url.