Create a Spot Fleet
Using the AWS Management Console, quickly create a Spot Fleet request by choosing only an AMI and your desired total target capacity. Amazon EC2 will configure a fleet that best meets your needs and follows Spot best practice. For more information, see Quickly create a Spot Fleet request (console). Otherwise, you can modify any of the default settings. For more information, see Create a Spot Fleet request using defined parameters (console) and Create a Spot Fleet using the AWS CLI.
If you want to include On-Demand Instances in your fleet, you need to specify a launch template in your request and specify your desired On-Demand capacity.
The fleet launches On-Demand Instances when capacity is available, and launches Spot Instances when your maximum price exceeds the Spot price and capacity is available.
If your fleet includes Spot Instances and is of type maintain, Amazon EC2 will attempt to maintain your fleet target capacity when your Spot Instances are interrupted.
Spot Fleet permissions
If your users will create or manage a Spot Fleet, you need to grant them the required permissions.
If you use the Amazon EC2 console to create a Spot Fleet, it creates two service-linked roles named AWSServiceRoleForEC2SpotFleet and AWSServiceRoleForEC2Spot, and a role named aws-ec2-spot-fleet-tagging-role that grant the Spot Fleet the permissions to request, launch, terminate, and tag resources on your behalf. If you use the AWS CLI or an API, you must ensure that these roles exist.
Use the following instructions to grant the required permissions and create the roles.
Permissions and roles
Grant permission to users for Spot Fleet
If your users will create or manage a Spot Fleet, be sure to grant them the required permissions.
To create a policy for Spot Fleet
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Policies, Create policy.
- On the Create policy page, choose JSON, and replace the text with the following.
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "ec2:RunInstances",
                  "ec2:CreateTags",
                  "ec2:RequestSpotFleet",
                  "ec2:ModifySpotFleetRequest",
                  "ec2:CancelSpotFleetRequests",
                  "ec2:DescribeSpotFleetRequests",
                  "ec2:DescribeSpotFleetInstances",
                  "ec2:DescribeSpotFleetRequestHistory"
              ],
              "Resource": "*"
          },
          {
              "Effect": "Allow",
              "Action": "iam:PassRole",
              "Resource": "arn:aws:iam::*:role/aws-ec2-spot-fleet-tagging-role"
          },
          {
              "Effect": "Allow",
              "Action": [
                  "iam:CreateServiceLinkedRole",
                  "iam:ListRoles",
                  "iam:ListInstanceProfiles"
              ],
              "Resource": "*"
          }
      ]
  }
The preceding example policy grants a user the permissions required for most Spot Fleet use cases. To limit the user to specific API actions, specify only those API actions instead.
Required EC2 and IAM APIs
The following APIs must be included in the policy:
- ec2:RunInstances – Required to launch instances in a Spot Fleet
- ec2:CreateTags – Required to tag the Spot Fleet request, instances, or volumes
- iam:PassRole – Required to specify the Spot Fleet role
- iam:CreateServiceLinkedRole – Required to create the service-linked role
- iam:ListRoles – Required to enumerate existing IAM roles
- iam:ListInstanceProfiles – Required to enumerate existing instance profiles
Important
If you specify a role for the IAM instance profile in the launch specification or launch template, you must grant the user the permission to pass the role to the service. To do this, in the IAM policy include "arn:aws:iam::*:role/IamInstanceProfile-role" as a resource for the "iam:PassRole" action. For more information, see Granting a user permissions to pass a role to an AWS service in the IAM User Guide.
Spot Fleet APIs
Add the following Spot Fleet API actions to your policy, as needed:
- ec2:RequestSpotFleet
- ec2:ModifySpotFleetRequest
- ec2:CancelSpotFleetRequests
- ec2:DescribeSpotFleetRequests
- ec2:DescribeSpotFleetInstances
- ec2:DescribeSpotFleetRequestHistory
Optional IAM APIs
(Optional) To enable a user to create roles or instance profiles using the IAM console, you must add the following actions to the policy:
- iam:AddRoleToInstanceProfile
- iam:AttachRolePolicy
- iam:CreateInstanceProfile
- iam:CreateRole
- iam:GetRole
- iam:ListPolicies
- Choose Review policy.
- On the Review policy page, enter a policy name and description, and choose Create policy.
- To provide access, add permissions to your users, groups, or roles:
  - Users and groups in AWS IAM Identity Center:
    Create a permission set. Follow the instructions in Create a permission set in the AWS IAM Identity Center User Guide.
  - Users managed in IAM through an identity provider:
    Create a role for identity federation. Follow the instructions in Create a role for a third-party identity provider (federation) in the IAM User Guide.
  - IAM users:
    - Create a role that your user can assume. Follow the instructions in Create a role for an IAM user in the IAM User Guide.
    - (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.
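The following check is an added example, not part of the AWS documentation. It audits a user policy against the "Required EC2 and IAM APIs" list and the iam:PassRole note above; the function names, BROAD_POLICY and the instance profile role ARN are constructed for illustration.

```python
import fnmatch

# Actions the page lists under "Required EC2 and IAM APIs".
REQUIRED_ACTIONS = (
    "ec2:RunInstances", "ec2:CreateTags", "iam:PassRole",
    "iam:CreateServiceLinkedRole", "iam:ListRoles", "iam:ListInstanceProfiles",
)

# The example policy from the page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:CreateTags", "ec2:RequestSpotFleet",
                    "ec2:ModifySpotFleetRequest", "ec2:CancelSpotFleetRequests",
                    "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotFleetInstances",
                    "ec2:DescribeSpotFleetRequestHistory"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::*:role/aws-ec2-spot-fleet-tagging-role"},
        {"Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole", "iam:ListRoles",
                    "iam:ListInstanceProfiles"],
         "Resource": "*"},
    ],
}

# Constructed samples: an over-broad policy and a hypothetical instance profile role.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Run*", "iam:*"], "Resource": "*"}]}
EXAMPLE_PROFILE_ROLE = "arn:aws:iam::111122223333:role/example-instance-profile-role"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_pairs(policy):
    """Return (lowercased action pattern, resources) for each Allow statement.
    Simplification: Deny statements, NotAction and Condition are not evaluated."""
    pairs = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt.get("Action", [])):
                pairs.append((action.lower(), _as_list(stmt.get("Resource", []))))
    return pairs


def audit_user_policy(policy, instance_profile_role_arn=None):
    """Return findings for a Spot Fleet user policy; an empty list means no finding."""
    pairs = _allow_pairs(policy)
    findings = []
    # Action names are case-insensitive and may contain wildcards.
    for required in REQUIRED_ACTIONS:
        if not any(fnmatch.fnmatchcase(required.lower(), pat) for pat, _ in pairs):
            findings.append("missing required action: " + required)
    pass_role = [res for pat, resources in pairs
                 if fnmatch.fnmatchcase("iam:passrole", pat) for res in resources]
    for res in pass_role:
        # A wildcard in the role part lets the user pass roles other than the named one.
        role_part = res.split(":role/", 1)[1] if ":role/" in res else res
        if "*" in role_part or "?" in role_part:
            findings.append("iam:PassRole is not limited to named roles: " + res)
    # The page's note: a role used in the IAM instance profile needs its own PassRole entry.
    if instance_profile_role_arn and not any(
            fnmatch.fnmatchcase(instance_profile_role_arn, res) for res in pass_role):
        findings.append("iam:PassRole does not cover instance profile role: "
                        + instance_profile_role_arn)
    return findings
```

Run against the page's policy, the check returns no findings until an instance profile role is supplied, at which point it reports that the policy's iam:PassRole statement does not cover that role.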
Service-linked role for Spot Fleet
Amazon EC2 uses service-linked roles for the permissions that it requires to call other AWS services on your behalf. A service-linked role is a unique type of IAM role that is linked directly to an AWS service. Service-linked roles provide a secure way to delegate permissions to AWS services because only the linked service can assume a service-linked role. For more information, see Service-linked roles in the IAM User Guide.
Amazon EC2 uses the service-linked role named AWSServiceRoleForEC2SpotFleet to launch and manage instances on your behalf.
Important
If you specify an encrypted AMI or an encrypted Amazon EBS snapshot in your Spot Fleet, you must grant the AWSServiceRoleForEC2SpotFleet role permission to use the CMK so that Amazon EC2 can launch instances on your behalf. For more information, see Grant access to CMKs for use with encrypted AMIs and EBS snapshots.
Permissions granted by AWSServiceRoleForEC2SpotFleet
The AWSServiceRoleForEC2SpotFleet role grants the Spot Fleet permission to request, launch, terminate, and tag instances on your behalf. Amazon EC2 uses this service-linked role to complete the following actions:
- ec2:RequestSpotInstances - Request Spot Instances
- ec2:RunInstances - Launch instances
- ec2:TerminateInstances - Terminate instances
- ec2:DescribeImages - Describe Amazon Machine Images (AMIs) for the instances
- ec2:DescribeInstanceStatus - Describe the status of the instances
- ec2:DescribeSubnets - Describe the subnets for the instances
- ec2:CreateTags - Add tags to the Spot Fleet request, instances, and volumes
- elasticloadbalancing:RegisterInstancesWithLoadBalancer - Add the specified instances to the specified load balancer
- elasticloadbalancing:RegisterTargets - Register the specified targets with the specified target group
Create the service-linked role
Under most circumstances, you don't need to manually create a service-linked role. Amazon EC2 creates the AWSServiceRoleForEC2SpotFleet service-linked role the first time you create a Spot Fleet using the console.
If you had an active Spot Fleet request before October 2017, when Amazon EC2 began supporting this service-linked role, Amazon EC2 created the AWSServiceRoleForEC2SpotFleet role in your AWS account. For more information, see A new role appeared in my AWS account in the IAM User Guide.
If you use the AWS CLI or an API to create a Spot Fleet, you must first ensure that this role exists.
To create the AWSServiceRoleForEC2SpotFleet role for Spot Fleet using the console
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Roles.
- Choose Create role.
- On the Select trusted entity page, do the following:
  - For Trusted entity type, choose AWS service.
  - Under Use case, for Service or use case, choose EC2.
  - For Use case, choose EC2 - Spot Fleet.
    Note
    The EC2 - Spot Fleet use case will automatically create a policy with the required IAM permissions and will suggest AWSEC2SpotFleetServiceRolePolicy as the role name.
  - Choose Next.
- On the Add permissions page, choose Next.
- On the Name, review, and create page, choose Create role.
To create the AWSServiceRoleForEC2SpotFleet role for Spot Fleet using the AWS CLI
Use the create-service-linked-role command as follows.
aws iam create-service-linked-role --aws-service-name spotfleet.amazonaws.com
If you no longer need to use Spot Fleet, we recommend that you delete the AWSServiceRoleForEC2SpotFleet role. After this role is deleted from your account, Amazon EC2 will create the role again if you request a Spot Fleet using the console. For more information, see Deleting a service-linked role in the IAM User Guide.
Grant access to CMKs for use with encrypted AMIs and EBS snapshots
If you specify an encrypted AMI or an encrypted Amazon EBS snapshot in your Spot Fleet request and you use a customer managed key for encryption, you must grant the AWSServiceRoleForEC2SpotFleet role permission to use the CMK so that Amazon EC2 can launch instances on your behalf. To do this, you must add a grant to the CMK, as shown in the following procedure.
When providing permissions, grants are an alternative to key policies. For more information, see Using Grants and Using Key Policies in AWS KMS in the AWS Key Management Service Developer Guide.
To grant the AWSServiceRoleForEC2SpotFleet role permissions to use the CMK
- Use the create-grant command to add a grant to the CMK and to specify the principal (the AWSServiceRoleForEC2SpotFleet service-linked role) that is given permission to perform the operations that the grant permits. The CMK is specified by the key-id parameter and the ARN of the CMK. The principal is specified by the grantee-principal parameter and the ARN of the AWSServiceRoleForEC2SpotFleet service-linked role.
  aws kms create-grant \
      --region us-east-1 \
      --key-id arn:aws:kms:us-east-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab \
      --grantee-principal arn:aws:iam::111122223333:role/AWSServiceRoleForEC2SpotFleet \
      --operations "Decrypt" "Encrypt" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "CreateGrant" "DescribeKey" "ReEncryptFrom" "ReEncryptTo"
Service-linked role for Spot Instances
Amazon EC2 uses the service-linked role named AWSServiceRoleForEC2Spot to launch and manage Spot Instances on your behalf. For more information, see Service-linked role for Spot Instance requests.
IAM role for tagging a Spot Fleet
The aws-ec2-spot-fleet-tagging-role IAM role grants the Spot Fleet permission to tag the Spot Fleet request, instances, and volumes. For more information, see Tag a new or existing Spot Fleet request and the instances and volumes it launches.
Important
If you choose to tag instances in the fleet and you also choose to maintain target capacity (the Spot Fleet request is of type maintain), the differences in the permissions that are set for the user and the IamFleetRole might lead to inconsistent tagging behavior of instances in the fleet. If the IamFleetRole does not include the CreateTags permission, some of the instances launched by the fleet might not be tagged. While we are working to fix this inconsistency, to ensure that all instances launched by the fleet are tagged, we recommend that you use the aws-ec2-spot-fleet-tagging-role role for the IamFleetRole. Alternatively, to use an existing role, attach the AmazonEC2SpotFleetTaggingRole AWS Managed Policy to the existing role. Otherwise, you need to manually add the CreateTags permission to your existing policy.
To create the IAM role for tagging a Spot Fleet
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Roles.
- Choose Create role.
- On the Select trusted entity page, under Trusted entity type, choose AWS service.
- Under Use case, from Use cases for other AWS services, choose EC2, and then choose EC2 - Spot Fleet Tagging.
- Choose Next.
- On the Add permissions page, choose Next.
- On the Name, review, and create page, for Role name, enter a name for the role (for example, aws-ec2-spot-fleet-tagging-role).
- Review the information on the page, and then choose Create role.
Cross-service confused deputy prevention
The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. We recommend that you use the aws:SourceArn and aws:SourceAccount global condition context keys in the aws-ec2-spot-fleet-tagging-role trust policy to limit the permissions that Spot Fleet gives another service to the resource.
To add the aws:SourceArn and aws:SourceAccount condition keys to the aws-ec2-spot-fleet-tagging-role trust policy
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Roles.
- Find the aws-ec2-spot-fleet-tagging-role that you created previously and choose the link (not the checkbox).
- Under Summary, choose the Trust relationships tab, and then choose Edit trust policy.
- In the JSON statement, add a Condition element containing your aws:SourceAccount and aws:SourceArn global condition context keys to prevent the confused deputy problem, as follows:
  "Condition": {
      "ArnLike": {
          "aws:SourceArn": "arn:aws:ec2:us-east-1:account_id:spot-fleet-request/sfr-*"
      },
      "StringEquals": {
          "aws:SourceAccount": "account_id"
      }
  }
  Note
  If the aws:SourceArn value contains the account ID and you use both global condition context keys, the aws:SourceAccount value and the account in the aws:SourceArn value must use the same account ID when used in the same policy statement.
  The final trust policy will be as follows:
  {
      "Version": "2012-10-17",
      "Statement": {
          "Sid": "ConfusedDeputyPreventionExamplePolicy",
          "Effect": "Allow",
          "Principal": {
              "Service": "spotfleet.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
              "ArnLike": {
                  "aws:SourceArn": "arn:aws:ec2:us-east-1:account_id:spot-fleet-request/sfr-*"
              },
              "StringEquals": {
                  "aws:SourceAccount": "account_id"
              }
          }
      }
  }
- Choose Update policy.
The following table provides potential values for aws:SourceArn to limit the scope of your aws-ec2-spot-fleet-tagging-role in varying degrees of specificity.
API operation | Called service | Scope | aws:SourceArn |
---|---|---|---|
RequestSpotFleet | AWS STS (AssumeRole) | Limit the AssumeRole capability on aws-ec2-spot-fleet-tagging-role to spot-fleet-requests in the specified account. | arn:aws:ec2:*: |
RequestSpotFleet | AWS STS (AssumeRole) | Limit the AssumeRole capability on aws-ec2-spot-fleet-tagging-role to spot-fleet-requests in the specified account and specified Region. Note that this role will not be usable in other Regions. | arn:aws:ec2: |
RequestSpotFleet | AWS STS (AssumeRole) | Limit the AssumeRole capability on aws-ec2-spot-fleet-tagging-role to only actions affecting the fleet sfr-11111111-1111-1111-1111-111111111111. Note that this role may not be usable for other Spot Fleets. Also, this role cannot be used to launch any new Spot Fleets through request-spot-fleet. | arn:aws:ec2: |
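The following check is an added example, not part of the AWS documentation. It audits a role trust policy for the confused deputy conditions described above, including the rule that the account in aws:SourceArn must equal aws:SourceAccount; the function names and the account IDs in the sample calls are constructed for illustration.

```python
import re

SPOT_FLEET_SERVICE = "spotfleet.amazonaws.com"
# Only non-negated operators count as restricting the caller.
POSITIVE_OPERATORS = {"ArnLike", "ArnEquals", "StringLike", "StringEquals"}
# Captures the account field of a spot-fleet-request ARN (the Region may be a wildcard).
SFR_ARN = re.compile(r"^arn:[^:]+:ec2:[^:]*:([^:]*):spot-fleet-request/")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _values(condition, key):
    """Collect the values given for a condition key (key names are case-insensitive)."""
    found = []
    for operator, block in condition.items():
        if operator in POSITIVE_OPERATORS:
            for name, value in block.items():
                if name.lower() == key.lower():
                    found.extend(_as_list(value))
    return found


def audit_trust_policy(policy):
    """Return findings for statements that let Spot Fleet assume the role."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        principal = stmt.get("Principal")
        services = (_as_list(principal.get("Service", []))
                    if isinstance(principal, dict) else [])
        if stmt.get("Effect") != "Allow" or SPOT_FLEET_SERVICE not in services:
            continue
        condition = stmt.get("Condition", {})
        source_arns = _values(condition, "aws:SourceArn")
        source_accounts = _values(condition, "aws:SourceAccount")
        if not source_arns:
            findings.append("no aws:SourceArn condition")
        if not source_accounts:
            findings.append("no aws:SourceAccount condition")
        for arn in source_arns:
            match = SFR_ARN.match(arn)
            if match is None:
                findings.append("aws:SourceArn is not a spot-fleet-request ARN: " + arn)
            elif (match.group(1).isdigit() and source_accounts
                  and match.group(1) not in source_accounts):
                # Both keys are set but name different accounts.
                findings.append("aws:SourceArn account " + match.group(1)
                                + " differs from aws:SourceAccount")
    return findings


def trust_policy(source_arn=None, source_account=None):
    """Build the page's trust policy with constructed condition values."""
    stmt = {"Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow",
            "Principal": {"Service": SPOT_FLEET_SERVICE}, "Action": "sts:AssumeRole"}
    condition = {}
    if source_arn:
        condition["ArnLike"] = {"aws:SourceArn": source_arn}
    if source_account:
        condition["StringEquals"] = {"aws:SourceAccount": source_account}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": stmt}
```

A trust policy with no Condition element yields both "no aws:SourceArn condition" and "no aws:SourceAccount condition"; the policy shown in the procedure, with one account ID used in both keys, yields no findings.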
Quickly create a Spot Fleet request (console)
Follow these steps to quickly create a Spot Fleet request.
To create a Spot Fleet request using the recommended settings (console)
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose Spot Requests.
- If you are new to Spot, you see a welcome page; choose Get started. Otherwise, choose Request Spot Instances.
- Under Launch parameters, choose Manually configure launch parameters.
- For AMI, choose an AMI.
- Under Target capacity, for Total target capacity, specify the number of units to request. For the type of unit, you can choose Instances, vCPUs, or Memory (GiB).
- For Your fleet request at a glance, review your fleet configuration, and choose Launch.
Create a Spot Fleet request using defined parameters (console)
You can create a Spot Fleet by using parameters that you define.
To create a Spot Fleet request using defined parameters (console)
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose Spot Requests.
- If you are new to Spot, you see a welcome page; choose Get started. Otherwise, choose Request Spot Instances.
- For Launch parameters, you can either manually configure the launch parameters or you can use a launch template, as follows:
  - [Manually configure] To define the launch parameters in the Amazon EC2 console, choose Manually configure launch parameters, and then do the following:
    - For AMI, choose one of the basic AMIs provided by AWS, or choose Search for AMI to use an AMI from our user community, the AWS Marketplace, or one of your own.
      Note
      If an AMI specified in the launch parameters is deregistered or disabled, no new instances can be launched from the AMI. For fleets that are set to maintain target capacity, the target capacity will not be maintained.
    - (Optional) For Key pair name, choose an existing key pair or create a new one.
      [Existing key pair] Choose the key pair.
      [New key pair] Choose Create new key pair to go to the Key pairs page. When you are done, return to the Spot Requests page and refresh the list.
    - (Optional) Expand Additional launch parameters, and do the following:
      - (Optional) To enable Amazon EBS optimization, for EBS-optimized, select Launch EBS-optimized instances.
      - (Optional) To add temporary block-level storage for your instances, for Instance store, choose Attach at launch.
      - (Optional) To add storage, choose Add new volume, and specify additional instance store volumes or Amazon EBS volumes, depending on the instance type.
      - (Optional) By default, basic monitoring is enabled for your instances. To enable detailed monitoring, for Monitoring, select Enable CloudWatch detailed monitoring.
      - (Optional) To run a Dedicated Spot Instance, for Tenancy, choose Dedicated - run a dedicated instance.
      - (Optional) For Security groups, choose one or more security groups or create a new one.
        [Existing security group] Choose one or more security groups.
        [New security group] Choose Create new security group to go to the Security Groups page. When you are done, return to the Spot Requests page and refresh the list.
      - (Optional) To make your instances reachable from the internet, for Auto-assign IPv4 Public IP, choose Enable.
      - (Optional) To launch your Spot Instances with an IAM role, for IAM instance profile, choose the role.
      - (Optional) To run a start-up script, copy it to User data.
      - (Optional) To add a tag, choose Create tag and enter the key and value for the tag, and choose Create. Repeat for each tag.
        For each tag, to tag the instances and the Spot Fleet request with the same tag, ensure that both Instances and Fleet are selected. To tag only the instances launched by the fleet, clear Fleet. To tag only the Spot Fleet request, clear Instances.
  - [Launch template] To use a configuration you created in a launch template, choose Use a launch template, and for Launch template, choose a launch template.
    Note
    If you want On-Demand capacity in your Spot Fleet, you must specify a launch template.
- For Additional request details, do the following:
  - Review the additional request details. To make changes, clear Apply defaults.
  - (Optional) For IAM fleet role, you can use the default role or choose a different role. To use the default role after changing the role, choose Use default role.
  - (Optional) To create a request that is valid only during a specific time period, edit Request valid from and Request valid until.
  - (Optional) By default, Amazon EC2 terminates your Spot Instances when the Spot Fleet request expires. To keep them running after your request expires, clear Terminate the instances when the request expires.
  - (Optional) To register your Spot Instances with a load balancer, choose Receive traffic from one or more load balancers and choose one or more Classic Load Balancers or target groups.
- For Target capacity, do the following:
  - For Total target capacity, specify the number of units to request. For the type of unit, you can choose Instances, vCPUs, or Memory (MiB). To specify a target capacity of 0 so that you can add capacity later, you must first select Maintain target capacity.
  - (Optional) For Include On-Demand base capacity, specify the number of On-Demand units to request. The number must be less than the Total target capacity. Amazon EC2 calculates the difference, and allocates the difference to Spot units to request.
    Important
    To specify optional On-Demand capacity, you must first choose a launch template.
  - (Optional) By default, Amazon EC2 terminates Spot Instances when they are interrupted. To maintain the target capacity, select Maintain target capacity. You can then specify that Amazon EC2 terminates, stops, or hibernates Spot Instances when they are interrupted. To do so, choose the corresponding option from Interruption behavior.
    Note
    If an AMI specified in the launch parameters is deregistered or disabled, no new instances can be launched from the AMI. In this case, for fleets that are set to maintain target capacity, the target capacity will not be maintained.
  - (Optional) To allow Spot Fleet to launch a replacement Spot Instance when an instance rebalance notification is emitted for an existing Spot Instance in the fleet, select Capacity rebalance, and then choose an instance replacement strategy. If you choose Launch before terminate, specify the delay (in seconds) before Amazon EC2 terminates the old instances. For more information, see Use Capacity Rebalancing in EC2 Fleet and Spot Fleet to replace at-risk Spot Instances.
  - (Optional) To control the amount you pay per hour for all the Spot Instances in your fleet, select Set maximum cost for Spot Instances and then enter the maximum total amount you're willing to pay per hour. When the maximum total amount is reached, Spot Fleet stops launching Spot Instances even if it hasn’t met the target capacity. For more information, see Set a spending limit for your EC2 Fleet or Spot Fleet.
- For Network, do the following:
  - For Network, choose an existing VPC or create a new one.
    [Existing VPC] Choose the VPC.
    [New VPC] Choose Create new VPC to go to the Amazon VPC console. When you're done, return to this screen and refresh the list.
  - (Optional) For Availability Zone, let Amazon EC2 choose the Availability Zones for your Spot Instances, or specify one or more Availability Zones.
    If you have more than one subnet in an Availability Zone, choose the appropriate subnet from Subnet. To add subnets, choose Create new subnet to go to the Amazon VPC console. When you are done, return to this screen and refresh the list.
- For Instance type requirements, you can either specify instance attributes and let Amazon EC2 identify the optimal instance types with these attributes, or you can specify a list of instances. For more information, see Specify attributes for instance type selection for EC2 Fleet or Spot Fleet.
  - If you choose Specify instance attributes that match your compute requirements, specify your instance attributes as follows:
    - For vCPUs, enter the desired minimum and maximum number of vCPUs. To specify no limit, select No minimum or No maximum, or both.
    - For Memory (GiB), enter the desired minimum and maximum amount of memory. To specify no limit, select No minimum or No maximum, or both.
    - (Optional) For Additional instance attribute, you can optionally specify one or more attributes to express your compute requirements in more detail. Each additional attribute adds a further constraint to your request. You can omit the additional attributes; when omitted, the default values are used. For a description of each attribute and their default values, see get-spot-placement-scores in the Amazon EC2 Command Line Reference.
    - (Optional) To view the instance types with your specified attributes, expand Preview matching instance types. To exclude instance types from being used in your request, select the instances and then choose Exclude selected instance types.
  - If you choose Manually select instance types, Spot Fleet provides a default list of instance types. To select more instance types, choose Add instance types, select the instance types to use in your request, and choose Select. To delete instance types, select the instance types and choose Delete.
- For Allocation strategy, choose a Spot allocation strategy and an On-Demand allocation strategy that meets your needs. For more information, see Use allocation strategies to determine how EC2 Fleet or Spot Fleet fulfills Spot and On-Demand capacity.
- For Your fleet request at a glance, review your fleet configuration, and make any adjustments if necessary.
- (Optional) To download a copy of the launch configuration for use with the AWS CLI, choose JSON config.
- When you're ready to launch your Spot Fleet, choose Launch.
  The Spot Fleet request type is fleet. When the request is fulfilled, requests of type instance are added, where the state is active and the status is fulfilled.
Create a Spot Fleet using the AWS CLI
To create a Spot Fleet request using the AWS CLI
Use the request-spot-fleet command to create a Spot Fleet request.
aws ec2 request-spot-fleet --spot-fleet-request-config file://config.json
For example configuration files, see Example CLI configurations Spot Fleet.
The following is example output:
{
"SpotFleetRequestId": "sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE"
}
Create a Spot Fleet that replaces unhealthy Spot Instances
Spot Fleet checks the health status of the Spot Instances in the fleet every two minutes. The health status of an instance is either healthy or unhealthy.
Spot Fleet determines the health status of an instance by using the status checks provided by Amazon EC2. An instance is determined as unhealthy when the status of either the instance status check or the system status check is impaired for three consecutive health checks. For more information, see Status checks for Amazon EC2 instances.
You can configure your fleet to replace unhealthy Spot Instances. After enabling health check replacement, a Spot Instance is replaced when it is reported as unhealthy. The fleet could go below its target capacity for up to a few minutes while an unhealthy Spot Instance is being replaced.
Requirements
- Health check replacement is supported only for Spot Fleets that maintain a target capacity (fleets of type maintain), not for one-time Spot Fleets (fleets of type request).
- Health check replacement is supported only for Spot Instances. This feature is not supported for On-Demand Instances.
- You can configure your Spot Fleet to replace unhealthy instances only when you create it.
- Users can use health check replacement only if they have permission to call the ec2:DescribeInstanceStatus action.