AWS Snowball Edge is no longer available to new customers. New customers should explore [AWS DataSync](https://aws.amazon.com/datasync/) for online transfers, [AWS Data Transfer Terminal](https://aws.amazon.com/data-transfer-terminal/) for secure physical transfers, or AWS Partner solutions. For edge computing, explore [AWS Outposts](https://aws.amazon.com/outposts/).
# Using Amazon EC2-compatible compute instances on Snowball Edge
You can run Amazon EC2-compatible compute instances hosted on a Snowball Edge with the `sbe1`, `sbe-c`, and `sbe-g` instance types. The `sbe1` instance type works on devices with the Snowball Edge Storage Optimized option. The `sbe-c` instance type works on devices with the Snowball Edge Compute Optimized option. For a list of supported instance types, see [Quotas for compute instances on a Snowball Edge device](ec2-edge-limits.md).
All three compute instance types supported for use on Snowball Edge device options are unique to Snowball Edge devices. Like their cloud-based counterparts, these instances require Amazon Machine Images (AMIs) to launch. You choose the AMI to be that base image for an instance in the cloud, before you create your Snowball Edge job.
To use a compute instance on a Snowball Edge, create a job to order a Snowball Edge device and specify your AMIs. You can do this using the [AWS Snow Family Management Console](https://console.aws.amazon.com/snowfamily/home), the AWS CLI, or one of the AWS SDKs. Typically, there are some housekeeping prerequisites that you must perform before creating your job, to use your instances.
After your device arrives, you can start managing your AMIs and instances. You can manage your compute instances on a Snowball Edge through an Amazon EC2-compatible endpoint. This type of endpoint supports many of the Amazon EC2-compatible CLI commands and actions for the AWS SDKs. You can't use the AWS Management Console on the Snowball Edge to manage your AMIs and compute instances.
When you're done with your device, return it to AWS. If the device was used in an import job, the data transferred using the Amazon S3 adapter or the NFS interface is imported into Amazon S3. Otherwise, we perform a complete erasure of the device when it is returned to AWS. This erasure follows the National Institute of Standards and Technology (NIST) 800-88 standards.
**Important**
Using encrypted AMIs on Snowball Edge Edge devices is not supported.
Data in compute instances running on a Snowball Edge isn't imported into AWS.
**Topics**
+ [Difference between Amazon EC2 and Amazon EC2-compatible instances on Snowball Edge](#ec2-compatible-sbe)
+ [Pricing for Compute Instances on Snowball Edge](#pricing-for-ec2-edge)
+ [Using an Amazon EC2-compatible AMI on Snowball Edge](using-ami.md)
+ [Importing a virtual machine image to a Snowball Edge device](ec2-ami-import-cli.md)
+ [Using the AWS CLI and API operations on Snowball Edge device](using-ec2-cli-specify-region.md)
+ [Network configurations for compute instances on Snowball Edge](network-config-ec2.md)
+ [Using SSH to connect to compute instances on a Snowball Edge](ssh-ec2-edge.md)
+ [Transferring data from EC2-compatible compute instances to S3 buckets on the same Snowball Edge](data-transfer-ec2-s3-edge.md)
+ [Starting EC2-compatible instances automatically](using-ec2-edge-client.md)
+ [Using the Amazon EC2-compatible endpoint on a Snowball Edge](using-ec2-endpoint.md)
+ [Autostarting EC2-compatible instances with launch templates on a Snowball Edge](ec2-autostart.md)
+ [Using Instance Metadata Service for Snow with Amazon EC2-compatible instances on a Snowball Edge](imds.md)
+ [Using block storage with Amazon EC2-compatible instances on Snowball Edge](edge-ebs.md)
+ [Controlling network traffic with security groups on Snowball Edge](edge-security-groups.md)
+ [Supported EC2-compatible instance metadata and user data on Snowball Edge](edge-compute-instance-metadata.md)
+ [Stopping EC2-compatible instances running on Snowball Edge](#managing-ec2-instances)
## Difference between Amazon EC2 and Amazon EC2-compatible instances on Snowball Edge
AWS Snowball Edge EC2-compatible instances allow customers to use and manage Amazon EC2-compatible instances using a subset of EC2 APIs and a subset of AMIs.
## Pricing for Compute Instances on Snowball Edge
There are additional costs associated with using compute instances. For more information, see [AWS Snowball Edge Pricing](http://aws.amazon.com/snowball-edge/pricing).
# Using an Amazon EC2-compatible AMI on Snowball Edge
To use an Amazon Machine Image (AMI) on your AWS Snowball Edge device, you must first add it to the device. You can add an AMI in the following ways:
+ Upload the AMI when you order the device.
+ Add the AMI when your device arrives at your site.
Amazon EC2 compute instances that come with your Snowball Edge are launched based on the Amazon EC2 AMIs that you add to your device. Amazon EC2-compatible AMIs support both Linux and Microsoft Windows operating systems.
**Linux**
The following Linux operating systems are supported:
+ [Amazon Linux 2 for Snowball Edge](https://aws.amazon.com/marketplace/pp/B08Q76DLTM/ )
**Note**
The latest version of this AMI will be provided at the time your Snowball Edge is being prepared to ship by AWS. To determine the version of this AMI on the device when you receive it, see [Determining the version of the Amazon Linux 2 AMI for Snowball Edge](#snow-al-version).
+ [CentOS 7 (x86\$164) - with Updates HVM](https://aws.amazon.com/marketplace/pp/B00O7WM7QW)
+ Ubuntu 16.04 LTS - Xenial (HVM)
**Note**
Ubuntu 16.04 LTS - Xenial (HVM) images are no longer supported in the AWS Marketplace, but still supported for use on Snowball Edge devices through Amazon EC2 VM Import/Export and running locally in AMIs.
+ [Ubuntu 20.04 LTS - Focal](https://aws.amazon.com/marketplace/pp/prodview-iftkyuwv2sjxi)
+ [Ubuntu 22.04 LTS - Jammy](https://aws.amazon.com/marketplace/pp/prodview-f2if34z3a4e3i)
As a best-practice for security, keep your Amazon Linux 2 AMIs up-to-date on Snowball Edge as new Amazon Linux 2 AMIs are released. See [Updating your Amazon Linux 2 AMIs on Snowball Edge](update-ami.md).
**Windows**
The following Windows operating systems are supported:
+ Windows Server 2012 R2
+ Windows Server 2016
+ Windows Server 2019
You can add Windows AMIs to your device by importing your Windows virtual machine (VM) image into AWS using VM Import/Export. Or, you can import the image into your device right after the device is deployed to your site. For more information, see [Adding a Microsoft Windows AMI to a Snowball Edge](#windows-ami).
**Note**
Windows AMIs that originated in AWS can't be added to your device.
AMIs imported locally must be in BIOS boot mode as UEFI is not supported.
Snowball Edge supports the Bring Your Own License (BYOL) model. For more information, see [Adding a Microsoft Windows AMI to a Snowball Edge](#windows-ami).
**Note**
AWS Snowball Edge EC2-compatible instances allow customers to use and manage Amazon EC2-compatible instances using a subset of EC2 APIs and a subset of AMIs.
**Topics**
+ [Adding an AMI when creating a job to order a Snowball Edge](#add-ami-order)
+ [Adding an AMI from AWS Marketplace to a Snowball Edge](#add-marketplace-ami)
+ [Adding an AMI to a Snowball Edge after receiving the device](#add-ami-locally)
+ [Adding a Microsoft Windows AMI to a Snowball Edge](#windows-ami)
+ [Importing a VM Image to a Snowball Edge](#import-vm-image)
+ [Exporting the latest Amazon Linux 2 AMI for a Snowball Edge](#export-latest-al2-ami)
## Adding an AMI when creating a job to order a Snowball Edge
When you order your device, you can add AMIs to the device by choosing them in the **Compute using EC2 instances - optional** section in the AWS Snow Family Management Console. The **Compute using EC2 instances - optional** lists all of the AMIs that can be loaded onto your device. The AMIs fall into the following categories:
+ **AMIs from AWS Marketplace** — These are AMIs created from the list of supported AMIs. For information about creating an AMI from the supported AMIs from AWS Marketplace, see [Adding an AMI from AWS Marketplace to a Snowball Edge](#add-marketplace-ami).
+ **AMIs uploaded using VM Import/Export** — When you order your device, the AMIs that were uploaded using VM Import/Export are listed in the console. For more information, see [Importing a VM as an Image Using VM Import/Export](https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html) in the *VM Import/Export User Guide*. For information about supported virtualization environments, see [VM Import/Export Requirements](https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html).
## Adding an AMI from AWS Marketplace to a Snowball Edge
You can add many AMIs from AWS Marketplace to your Snowball Edge device by launching the AWS Marketplace instance, creating an AMI from it, and configuring the AMI in the same region from which you'll order the Snow device. Then, you can choose to include the AMI on the device when you create a job to order the device. When choosing an AMI from the Marketplace, make sure it has a supported product code and platform.
**Topics**
+ [Checking product codes and platform details of AWS Marketplace AMIs for Snowball Edge](#check-marketplace-ami-codes-snb)
+ [Determining the version of the Amazon Linux 2 AMI for Snowball Edge](#snow-al-version)
+ [Configure the AMI for the Snowball Edge device](#configure-ami-snow-device)
### Checking product codes and platform details of AWS Marketplace AMIs for Snowball Edge
Before you begin the process to add an AMI from AWS Marketplace to your Snowball Edge device, ensure the product code and platform details of the AMI are supported in your AWS Region.
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. From the navigation bar, select the Region in which to launch your instances and from which you will create the job to order the Snowball Edge device. You can select any Region that is available to you, regardless of your location.
1. In the navigation pane, choose **AMIs**.
1. Use the filter and search options to scope the list of displayed AMIs to see only the AMIs that match your criteria. For example, AMIs provided by the AWS Marketplace, choose **Public images**. Then use the search options to further scope the list of displayed AMIs:
+ (New console) Choose the **Search** bar and, from the menu, choose **Owner alias**, then the = operator, and then the value **amazon**.
+ (Old console) Choose the **Search** bar and, from the menu, choose **Owner** and then the value **Amazon images**.
**Note**
AMIs from AWS Marketplace include **aws-marketplace** in the **Source** column.
1. In the **AMI ID** column, choose the AMI ID of the AMI.
1. In the **Image summary** of the AMI, ensure the **Product codes** are supported by your Region. For more information, see the table below.
**Supported AWS Marketplace AMI product codes**
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/snowball/latest/developer-guide/using-ami.html)
1. Then, also ensure the **Platform details** contains one of entries from the list below.
+ Amazon Linux, Ubuntu, or Debian
+ Red Hat Linux bring-your-own-license
+ Amazon RDS for Oracle bring-your-own-license
+ Windows bring-your-own-license
### Determining the version of the Amazon Linux 2 AMI for Snowball Edge
Use the following procedure to determine the version of the Amazon Linux 2 AMI for Snowball Edge on the Snowball Edge. Install the latest version of the AWS CLI before continuing. For more information, see [Install or update to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the AWS Command Line Interface User Guide.
+ Use the `describe-images` AWS CLI command to see the description of the AMI. The version is contained in the description. Provide the public key certificate from the previous step. For more information, see [describe-images](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-images.html) in the AWS CLI Command Reference.
```
aws ec2 describe-images --endpoint http://snow-device-ip:8008 --region snow
```
**Example of output of the `describe-images` command**
```
{
"Images": [
{
"CreationDate": "2024-02-12T23:24:45.705Z",
"ImageId": "s.ami-02ba84cb87224e16e",
"Public": false,
"ProductCodes": [
{
"ProductCodeId": "avyfzznywektkgl5qv5f57ska",
"ProductCodeType": "marketplace"
}
],
"State": "AVAILABLE",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/xvda",
"Ebs": {
"DeleteOnTermination": true,
"Iops": 0,
"SnapshotId": "s.snap-0efb49f2f726fde63",
"VolumeSize": 8,
"VolumeType": "sbp1"
}
}
],
"Description": "Snow Family Amazon Linux 2 AMI 2.0.20240131.0 x86_64 HVM gp2",
"EnaSupport": false,
"Name": "amzn2-ami-snow-family-hvm-2.0.20240131.0-x86_64-gp2-b7e7f8d2-1b9e-4774-a374-120e0cd85d5a",
"RootDeviceName": "/dev/xvda"
}
]
}
```
In this example, the version of the Amazon Linux 2 AMI for Snowball Edge is `2.0.20240131.0`. It is found in the value of the `Description` name.
### Configure the AMI for the Snowball Edge device
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. Launch a new instance of a supported AMI in AWS Marketplace.
**Note**
When you launch your instance, make sure that the storage size you assign to the instance is appropriate for your use case. In the Amazon EC2 console, you do this in the **Add storage** step.
1. Install and configure the applications that you want to run on the Snowball Edge, and make sure that they work as expected.
**Important**
Only single volume AMIs are supported.
The EBS volume in your AMI should be 10 TB or less. We recommend that you provision the EBS volume size needed for the data in the AMI. This will help decrease the time it takes to export your AMI and load it into your device. You can resize or add more volumes to your instance after your device is deployed.
The EBS snapshot in your AMI must not be encrypted.
1. Make a copy of the PEM or PPK file that you used for the SSH key pair when you created this instance. Save this file to the server that you plan to use to communicate with the Snowball Edge device. Make a note of the path to this file because you will need it when you use SSH to connect to the EC2-compatible instance on your device.
**Important**
If you don't follow this procedure, you can't connect to your instances with SSH when you receive your Snowball Edge device.
1. Save the instance as an AMI. For more information, see [Amazon EC2 User Guide for Linux Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html) in the *Amazon EC2 User Guide.*
1. Repeat steps 1–4 for each of the instances that you want to connect to using SSH. Be sure to make copies of each of the SSH key pairs, and keep track of the AMIs that they're associated with.
1. Now, when you order your device, these AMIs are available to add to your device.
## Adding an AMI to a Snowball Edge after receiving the device
When the device arrives on your site, you can add new AMIs to it. For instructions, see [Importing a virtual machine image to a Snowball Edge device](ec2-ami-import-cli.md). Keep in mind that although all VMs are supported, only supported AMIs have been tested for full functionality.
**Note**
When you use VM Import/Export to add AMIs to your device or import a VM after your device is deployed, you can add VMs that use any operating system. However, only supported operating systems have been tested and validated on Snowball Edge. You are responsible for adhering to the terms and conditions of any operating system or software that is in the virtual image that you import onto your device.
For AWS services to function properly on a Snowball Edge, you must allow the ports for the services. For details, see [Port requirements for AWS services on a Snowball Edge](port-requirements.md).
## Adding a Microsoft Windows AMI to a Snowball Edge
For virtual machines (VMs) that use a supported Windows operating system, you can add the AMI by importing your Windows VM image into AWS using VM Import/Export, or by importing it into your device directly after it is deployed to your site.
**Bring Your Own License (BYOL)**
Snowball Edge supports importing Microsoft Windows AMIs onto your device with your own license. Bring Your Own License (BYOL) is the process of bringing an AMI that you own with its on-premises license to AWS. AWS provides both shared and dedicated deployment options for the BYOL option.
You can add your Windows VM image to your device by importing it into AWS using VM Import/Export or by importing it into your device directly after it is deployed to your site. You can't add Windows AMIs that originated in AWS. Therefore, you must create and import your own Windows VM image and bring your own license if you want to use the AMI on your Snowball Edge device. For more information about Windows licensing and BYOL, see [Amazon Web Services and Microsoft: Frequently Asked Questions](https://aws.amazon.com/windows/faq/).
### Creating a Windows VM image to import into a Snowball Edge
To create a Windows VM image, you need a virtualization environment, such as VirtualBox, which is supported for the Windows and macOS operating systems. When you create a VM for Snow devices, we recommend that you allocate at least two cores with at least 4 GB of RAM. When the VM is up and running, you must install your operating system (Windows Server 2012, 2016, or 2019). To install the required drivers for the Snowball Edge device, follow the instructions in this section.
For a Windows AMI to run on a Snow device, you must add the VirtIO, FLR, NetVCM, Vioinput, Viorng, Vioscsi, Vioserial, and VioStor drivers. You can [download a Microsoft Software Installer (virtio-win-guest-tools-installer)](https://github.com/virtio-win/virtio-win-pkg-scripts) for installing these drivers on Windows images from the virtio-win-pkg-scripts repository on GitHub.
**Note**
If you plan to import your VM image directly to your deployed Snow device, the VM image file must be in the RAW format.
**To create a Windows image**
1. On your Microsoft Windows computer, choose **Start** and enter **devmgmt.msc** to open **Device Manager**.
1. In the main menu, choose **Actions**, and then choose **Add legacy hardware**.
**Note**
For Windows 11, first select any device in the panel below before the **Add legacy hardware** option will appear in the **Actions** menu.
1. In the wizard, choose **Next**.
1. Choose **Install the hardware that I manually select from a list (advanced)**, and choose **Next**.
1. Choose **Show All Devices** and choose **Next**.
1. Choose **Have Disk**, open the **Copy manufacturer’s files from** list, and browse to the ISO file.
1. In the ISO file, browse to the `Driver\W2K8R2\amd64` directory, and then find the `.INF` file.
1. Choose the **.INF** file, choose **Open**, and then choose **OK**.
1. When you see the driver name, choose **Next**, and then choose **Next** two more times. Then choose **Finish**.
This installs a device using the new driver. The actual hardware doesn't exist, so you will see a yellow exclamation mark that indicates an issue on the device. You must fix this issue.
**To fix the hardware issue**
1. Open the context (right-click) menu for the device that has the exclamation mark.
1. Choose **Uninstall**, clear **Delete the driver software for this device**, and choose **OK**.
The driver is installed, and you are ready to launch the AMI on your device.
## Importing a VM Image to a Snowball Edge
After you prepare your VM image, you can use one of the options to import the image to your device.
+ **In the cloud using VM Import/Export** — When you import your VM image into AWS and register it as an AMI, you can add it to your device when you place an order from the AWS Snow Family Management Console. For more information, see [Importing a VM as an Image Using VM Import/Export](https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html) in the *VM Import/Export User Guide*.
+ **Locally on your device that is deployed at your site** — You can import your VM image directly into your device using AWS OpsHub or the AWS Command Line Interface (AWS CLI).
For information about using AWS OpsHub, see [Using Amazon EC2-compatible compute instances locally](https://docs.aws.amazon.com/snowball/latest/developer-guide/manage-ec2.html).
For information about using the AWS CLI, see [Importing a virtual machine image to a Snowball Edge device](ec2-ami-import-cli.md).
## Exporting the latest Amazon Linux 2 AMI for a Snowball Edge
To update your Amazon Linux 2 AMIs to the latest version, first export the latest Amazon Linux 2 VM image from AWS Marketplace, then import that VM image into the Snow device.
1. Use the `ssm get-parameters` AWS CLI command to find the latest image ID of the Amazon Linux 2 AMI in the AWS Marketplace.
```
aws ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 --query 'Parameters[0].[Value]' --region your-region
```
The command returns the latest image ID of the AMI. For example, `ami-0ccb473bada910e74`.
1. Export the latest Amazon Linux 2 image. See [Exporting a VM directly from an Amazon Machine Image (AMI)](https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport_image.html) in the Amazon EC2 User Guide. Use the latest image ID of the Amazon Linux 2 AMI as the value of the `image-id` parameter of the `ec2 export-image` command.
1. Import the VM image into the Snow device using the AWS CLI or AWS OpsHub.
+ For information about using AWS CLI, see [Importing a virtual machine image to a Snowball Edge device](ec2-ami-import-cli.md).
+ For information about using AWS OpsHub, see [Importing an image as an Amazon EC2-compatible AMI with AWS OpsHub](ec2-ami-import.md).
# Importing a virtual machine image to a Snowball Edge device
You can use the AWS CLI and the VM Import/Export service to import a virtual machine (VM) image to the Snowball Edge device as an Amazon Machine Image (AMI). After importing a VM image, register the image as an AMI and launch it as an Amazon EC2-compatible instance.
You can add AMIs from Amazon EC2 to the device when creating a job to order a Snowball Edge device. Use this procedure after you have received the Snowball Edge device. For more information, see [Choosing your compute and storage options](create-job-common.md#compute-storage).
You can also use AWS OpsHub to upload the VM image file. For more information, see [Importing an image into your device as an Amazon EC2-compatible AMI](https://docs.aws.amazon.com/snowball/latest/developer-guide/manage-ec2.html#ec2-ami-import) in this guide.
**Topics**
+ [Step 1: Prepare the VM image and upload it to the Snowball Edge device](#prepare-image-cli)
+ [Step 2: Set up required permissions on the Snowball Edge](#setup-permission-cli)
+ [Step 3: Import the VM image as a snapshot on the Snowball Edge](#import-snapshot-cli)
+ [Step 4: Register the snapshot as an AMI on the Snowball Edge](#register-snapshot-cli)
+ [Step 5: Launch an instance from the AMI on the Snowball Edge](#launch-ami-cli)
+ [Additional AMI actions for a Snowball Edge](#additional-ami-actions)
## Step 1: Prepare the VM image and upload it to the Snowball Edge device
Prepare the VM image by exporting a VM image from an Amazon EC2 AMI or instance in the AWS Cloud using VM Import/Export or by generating the VM image locally using your choice of virtualization platform.
To export an Amazon EC2 instance as a VM image using VM Import/Export, see [Exporting an instance as a VM using VM Import/Export](https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html) in the VM Import/Export User Guide. To export an Amazon EC2 AMI as a VM image using VM Import/Export, see [Exporting a VM directly from an Amazon Machine Image (AMI)](https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport_image.html) in the VM Import/Export User Guide.
If generating a VM image from your local environment, ensure the image is configured for use as an AMI on the Snowball Edge device. You may need to configure the following items, depending on your environment.
+ Configure and update the operating system.
+ Set a hostname.
+ Ensure network time protocol (NTP) is configured.
+ Include SSH public keys, if necessary. Make local copies of the key pairs. For more information, see [Using SSH to Connect to Your Compute Instances on a Snowball Edge](https://docs.aws.amazon.com/snowball/latest/developer-guide/ssh-ec2-edge.html).
+ Install and configure any software you will use on the Snowball Edge device.
**Note**
Be aware of the following limitations when preparing a disk snapshot for a Snowball Edge device.
Snowball Edge currently only support importing snapshots that are in the RAW image format.
Snowball Edge currently only support importing snapshots with sizes from 1 GB to 1 TB.
### Uploading a VM image to an Amazon S3 bucket on the Snowball Edge device
After preparing a VM image, upload it to an S3 bucket on the Snowball Edge device or cluster. You can use the S3 adapter or Amazon S3 compatible storage on Snowball Edge to upload the snapshot.
**To upload the virtual machine image using the S3 adapter**
+ Use the `cp` command to copy the VM image file to a bucket on the device.
```
aws s3 cp image-path s3://S3-bucket-name --endpoint http://S3-object-API-endpoint:443 --profile profile-name
```
For more information, see [Supported AWS CLI commands](https://docs.aws.amazon.com/snowball/latest/developer-guide/using-adapter-cli.html) in this guide.
**To upload the VM image using Amazon S3 compatible storage on Snowball Edge**
+ Use the `put-object` command to copy the snapshot file to a bucket on the device.
```
aws s3api put-object --bucket bucket-name --key path-to-snapshot-file --body snapshot-file --endpoint-url s3api-endpoint-ip --profile your-profile
```
For more information, see [Working with S3 objects on a Snowball Edge device](https://docs.aws.amazon.com/snowball/latest/developer-guide/objects-s3-snow.html).
## Step 2: Set up required permissions on the Snowball Edge
For the import to be successful, you must set up permissions for VM Import/Export on the Snowball Edge device, Amazon EC2, and the user.
**Note**
The service roles and policies that provide these permissions are located on the Snowball Edge device.
### Permissions required for VM Import/Export on a Snowball Edge
Before you can start the import process, you must create an IAM role with a trust policy that allows VM Import/Export on the Snowball Edge device to assume the role. Additional permissions are given to the role to allow VM Import/Export on the device to access the image stored in the S3 bucket on the device.
**Create a trust policy json file**
Following is an example trust policy required to be attached to the role so that VM Import/Export can access the snapshot that needs to be imported from the S3 bucket.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"vmie.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
```
------
**Create a role with the trust policy json file**
The role name can be vmimport. You can change it by using the --role-name option in the command:
```
aws iam create-role --role-name role-name --assume-role-policy-document file:///trust-policy-json-path --endpoint http://snowball-ip:6078 --region snow --profile profile-name
```
The following is an example output from the `create-role` command.
```
{
"Role":{
"AssumeRolePolicyDocument":{
"Version": "2012-10-17",
"Statement":[
{
"Action":"sts:AssumeRole",
"Effect":"Allow",
"Principal":{
"Service":"vmie.amazonaws.com"
}
}
]
},
"MaxSessionDuration":3600,
"RoleId":"AROACEMGEZDGNBVGY3TQOJQGEZAAAABQBB6NSGNAAAABPSVLTREPY3FPAFOLKJ3",
"CreateDate":"2022-04-19T22:17:19.823Z",
"RoleName":"vmimport",
"Path":"/",
"Arn":"arn:aws:iam::123456789012:role/vmimport"
}
}
```
**Create a policy for the role**
The following example policy has the minimum required permissions to access Amazon S3. Change the Amazon S3 bucket name to the one which has your images. For a standalone Snowball Edge device, change *snow-id* to your job ID. For a cluster of devices, change *snow-id* to the cluster ID. You also can use prefixes to further narrow down the location where VM Import/Export can import snapshots from. Create a policy json file like this.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket"
],
"Resource":[
"arn:aws:s3:::import-snapshot-bucket-name",
"arn:aws:s3:::import-snapshot-bucket-name/*"
]
}
]
}
```
------
**Create a policy with the policy file:**
```
aws iam create-policy --policy-name policy-name --policy-document file:///policy-json-file-path --endpoint http://snowball-ip:6078 --region snow --profile profile-name
```
The following is an output example from the create-policy command.
```
{
"Policy":{
"PolicyName":"vmimport-resource-policy",
"PolicyId":"ANPACEMGEZDGNBVGY3TQOJQGEZAAAABOOEE3IIHAAAABWZJPI2VW4UUTFEDBC2R",
"Arn":"arn:aws:iam::123456789012:policy/vmimport-resource-policy",
"Path":"/",
"DefaultVersionId":"v1",
"AttachmentCount":0,
"IsAttachable":true,
"CreateDate":"2020-07-25T23:27:35.690000+00:00",
"UpdateDate":"2020-07-25T23:27:35.690000+00:00"
}
}
```
****Attach the policy to the role****
Attach a policy to the preceding role and grant permissions to access the required resources. This allows the local VM Import/Export service to download the snapshot from Amazon S3 on the device.
```
aws iam attach-role-policy --role-name role-name --policy-arn arn:aws:iam::123456789012:policy/policy-name --endpoint http://snowball-ip:6078 --region snow --profile profile-name
```
### Permissions required by the caller on a Snowball Edge
In addition to the role for the Snowball Edge VM Import/Export to assume, you also must ensure that the user has the permissions that allow them to pass the role to VMIE. If you use the default root user to perform the import, the root user already has all the permissions required, so you can skip this step, and go to step 3.
Attach the following two IAM permissions to the user that is doing the import.
+ `pass-role`
+ `get-role`
**Create a policy for the role**
The following is an example policy that allows a user to perform the `get-role` and `pass-role` actions for the IAM role.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action": "iam:GetRole",
"Resource":"*"
},
{
"Sid": "iamPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/snowball*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "importexport.amazonaws.com"
}
}
}
]
}
```
------
****Create a policy with the policy file:****
```
aws iam create-policy --policy-name policy-name --policy-document file:///policy-json-file-path --endpoint http://snowball-ip:6078 --region snow --profile profile-name
```
The following is an output example from the create-policy command.
```
{
"Policy":{
"PolicyName":"caller-policy",
"PolicyId":"ANPACEMGEZDGNBVGY3TQOJQGEZAAAABOOOTUOE3AAAAAAPPBEUM7Q7ARPUE53C6R",
"Arn":"arn:aws:iam::123456789012:policy/caller-policy",
"Path":"/",
"DefaultVersionId":"v1",
"AttachmentCount":0,
"IsAttachable":true,
"CreateDate":"2020-07-30T00:58:25.309000+00:00",
"UpdateDate":"2020-07-30T00:58:25.309000+00:00"
}
}
```
After the policy has been generated, attach the policy to the IAM users that will call the Amazon EC2 API or CLI operation to import the snapshot.
```
aws iam attach-user-policy --user-name your-user-name --policy-arn arn:aws:iam::123456789012:policy/policy-name --endpoint http://snowball-ip:6078 --region snow --profile profile-name
```
### Permissions Required to call Amazon EC2 APIs on a Snowball Edge
To import a snapshot, the IAM user must have the `ec2:ImportSnapshot` permissions. If restricting access to the user is not required, you can use the `ec2:*` permissions to grant full Amazon EC2 access. The following are the permissions that can be granted or restricted for Amazon EC2 on your device. Create a policy file with the content shown:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"ec2:ImportSnapshot",
"ec2:DescribeImportSnapshotTasks",
"ec2:CancelImportTask",
"ec2:DescribeSnapshots",
"ec2:DeleteSnapshot",
"ec2:RegisterImage",
"ec2:DescribeImages",
"ec2:DeregisterImage"
],
"Resource":"*"
}
]
}
```
------
**Create a policy with the policy file:**
```
aws iam create-policy --policy-name policy-name --policy-document file:///policy-json-file-path --endpoint http://snowball-ip:6078 --region snow --profile profile-name
```
The following is an output example from the create-policy command.
```
{
"Policy":
{
"PolicyName": "ec2-import.json",
"PolicyId": "ANPACEMGEZDGNBVGY3TQOJQGEZAAAABQBGPDQC5AAAAATYN62UNBFYTF5WVCSCZS",
"Arn": "arn:aws:iam::123456789012:policy/ec2-import.json",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"IsAttachable": true,
"CreateDate": "2022-04-21T16:25:53.504000+00:00",
"UpdateDate": "2022-04-21T16:25:53.504000+00:00"
}
}
```
After the policy has been generated, attach the policy to the IAM users that will call the Amazon EC2 API or CLI operation to import the snapshot.
```
aws iam attach-user-policy --user-name your-user-name --policy-arn arn:aws:iam::123456789012:policy/policy-name --endpoint http://snowball-ip:6078 --region snow --profile profile-name
```
## Step 3: Import the VM image as a snapshot on the Snowball Edge
The next step is to import the VM image as a snapshot on the device. The value of the `S3Bucket` parameter is the name of the bucket which contains the VM image. The value of the `S3Key` parameter is the path to the VM image file in this bucket.
```
aws ec2 import-snapshot --disk-container "Format=RAW,UserBucket={S3Bucket=bucket-name,S3Key=image-file}" --endpoint http://snowball-ip:8008 --region snow --profile profile-name
```
For more information, see [import-snapshot](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/import-snapshot.html) in the AWS CLI Command Reference.
This command doesn't support the following switches.
+ [--client-data `value`]
+ [--client-token `value`]
+ [--dry-run]
+ [--no-dry-run]
+ [--encrypted]
+ [--no-encrypted]
+ [--kms-key-id `value`]
+ [--tag-specifications `value`]
**Example output of `import-snapshot` command**
```
{
"ImportTaskId":"s.import-snap-1234567890abc",
"SnapshotTaskDetail":{
"DiskImageSize":2.0,
"Encrypted":false,
"Format":"RAW",
"Progress":"3",
"Status":"active",
"StatusMessage":"pending",
"UserBucket":{
"S3Bucket":"bucket",
"S3Key":"vmimport/image01"
}
}
}
```
Snowball Edge currently only allow one active import job to run at a time, per device. To start a new import task, either wait for the current task to finish, or choose another available node in a cluster. You can also choose to cancel the current import if you want. To prevent delays, don't reboot the Snowball Edge device while the import is in progress. If you reboot the device, the import will fail, and progress will be deleted when the device becomes accessible. To check the status of your snapshot import task status, use the following command:
```
aws ec2 describe-import-snapshot-tasks --import-task-ids id --endpoint http://snowball-ip:8008 --region snow --profile profile-name
```
## Step 4: Register the snapshot as an AMI on the Snowball Edge
When the snapshot import to the device is successful, you can register it using the `register-image` command.
**Note**
You can only register an AMI when all of its snapshots are available.
For more information, see [register-image](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/register-image.html) in the AWS CLI Command Reference.
**Example of the `register-image` command**
```
aws ec2 register-image \
--name ami-01 \
--description my-ami-01 \
--block-device-mappings "[{\"DeviceName\": \"/dev/sda1\",\"Ebs\":{\"Encrypted\":false,\"DeleteOnTermination\":true,\"SnapshotId\":\"snapshot-id\",\"VolumeSize\":30}}]" \
--root-device-name /dev/sda1 \
--endpoint http://snowball-ip:8008 \
--region snow \
--profile profile-name
```
Following is an example of block device mapping JSON. For more information, see the [block-device-mapping parameter of register-image](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/register-image.html) in the AWS CLI Command Reference.
```
[
{
"DeviceName": "/dev/sda",
"Ebs":
{
"Encrypted": false,
"DeleteOnTermination": true,
"SnapshotId": "snapshot-id",
"VolumeSize": 30
}
}
]
```
**Example of the `register-image` command**
```
{
"ImageId": "s.ami-8de47d2e397937318"
}
```
## Step 5: Launch an instance from the AMI on the Snowball Edge
To launch an instance, see [run-instances](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/run-instances.html) in the AWS CLI Command Reference.
The value of the `image-id` parameter is the value of the `ImageId` name as the output of the `register-image` command.
```
aws ec2 run-instances --image-id image-id --instance-type instance-type --endpoint http://snowball-ip:8008 --region snow --profile profile-name
```
```
{
"Instances":[
{
"SourceDestCheck":false,
"CpuOptions":{
"CoreCount":1,
"ThreadsPerCore":2
},
"InstanceId":"s.i-12345a73123456d1",
"EnaSupport":false,
"ImageId":"s.ami-1234567890abcdefg",
"State":{
"Code":0,
"Name":"pending"
},
"EbsOptimized":false,
"SecurityGroups":[
{
"GroupName":"default",
"GroupId":"s.sg-1234567890abc"
}
],
"RootDeviceName":"/dev/sda1",
"AmiLaunchIndex":0,
"InstanceType":"sbe-c.large"
}
],
"ReservationId":"s.r-1234567890abc"
}
```
**Note**
You can also use AWS OpsHub to launch the instance. For more information, see [Launching an Amazon EC2-compatible instance](https://docs.aws.amazon.com/snowball/latest/developer-guide/manage-ec2.html#launch-instance) in this guide.
## Additional AMI actions for a Snowball Edge
You can use additional AWS CLI commands to monitor snapshot import status, get details on snapshots that have been imported, canceling importing a snapshot, and deleting or deregistering snapshots after they have been imported.
### Monitoring snapshot import status on a Snowball Edge
To see the current state of the import progress, you can run the Amazon EC2 `describe-import-snapshot-tasks` command. This command supports pagination and filtering on the `task-state`.
**Example of the `describe-import-snapshot-tasks` command**
```
aws ec2 describe-import-snapshot-tasks --import-task-ids id --endpoint http://snowball-ip:8008 --region snow --profile profile-name
```
**Example of `describe-import-snapshot-tasks` command output**
```
{
"ImportSnapshotTasks": [
{
"ImportTaskId": "s.import-snap-8f6bfd7fc9ead9aca",
"SnapshotTaskDetail": {
"Description": "Created by AWS-Snowball-VMImport service for s.import-snap-8f6bfd7fc9ead9aca",
"DiskImageSize": 8.0,
"Encrypted": false,
"Format": "RAW",
"Progress": "3",
"SnapshotId": "s.snap-848a22d7518ad442b",
"Status": "active",
"StatusMessage": "pending",
"UserBucket": {
"S3Bucket": "bucket1",
"S3Key": "image1"
}
}
}
]
}
```
**Note**
This command only shows output for tasks that have successfully completed or been marked as deleted within the last 7 days. Filtering only supports `Name=task-state`, `Values=active | deleting | deleted | completed`
This command doesn't support the following parameters.
+ [--dry-run]
+ [--no-dry-run]
### Canceling an import task on a Snowball Edge
To cancel an import task, run the `cancel-import-task` command.
**Example of the `cancel-import-task` command**
```
aws ec2 cancel-import-task --import-task-id import-task-id --endpoint http://snowball-ip:8008 --region snow --profile profile-name
```
**Example of `cancel-import-task` command output**
```
{
"ImportTaskId": "s.import-snap-8234ef2a01cc3b0c6",
"PreviousState": "active",
"State": "deleting"
}
```
Only tasks that are not in a completed state can be canceled.
This command doesn't support the following parameters.
+ [--dry-run]
+ [--no-dry-run]
### Describing snapshots on a Snowball Edge
After a snapshot is imported, you can use this command to describe it. To filter the snapshots, you can pass in `snapshot-ids` with the snapshot ID from the previous import task response. This command supports pagination and filter on `volume-id`, `status`, and `start-time`.
**Example of `describe-snapshots` command**
```
aws ec2 describe-snapshots --snapshot-ids snapshot-id --endpoint http://snowball-ip:8008 --region snow --profile profile-name
```
**Example of `describe-snapshots` command output**
```
{
"Snapshots": [
{
"Description": "Created by AWS-Snowball-VMImport service for s.import-snap-8f6bfd7fc9ead9aca",
"Encrypted": false,
"OwnerId": "123456789012",
"SnapshotId": "s.snap-848a22d7518ad442b",
"StartTime": "2020-07-30T04:31:05.032000+00:00",
"State": "completed",
"VolumeSize": 8
}
]
}
```
This command doesn't support the following parameters.
+ [--restorable-by-user-ids `value`]
+ [--dry-run]
+ [--no-dry-run]
### Deleting a snapshot from a Snowball Edge device
To remove snapshots that you own and you no longer need, you can use the `delete-snapshot` command.
**Example of the `delete-snapshot` command**
```
aws ec2 delete-snapshot --snapshot-id snapshot-id --endpoint http://snowball-ip:8008 --region snow --profile profile-name
```
**Note**
Snowball Edge does not support deleting snapshots that are in a **PENDING** state or if it is designated as a root device for an AMI.
This command doesn't support the following parameters.
+ [--dry-run]
+ [--no-dry-run]
### Deregistering an AMI on a Snowball Edge
To deregister AMIs that you no longer need, you can run the `deregister-image` command. Deregistering an AMI that is in the **Pending** state is not currently supported.
**Example of the `deregister-image` command**
```
aws ec2 deregister-image --image-id image-id --endpoint http://snowball-ip:8008 --region snow --profile profile-name
```
This command doesn't support the following parameters.
+ [--dry-run]
+ [--no-dry-run]
# Using the AWS CLI and API operations on Snowball Edge device
When using the AWS Command Line Interface (AWS CLI) or API operations to issue IAM, Amazon S3 and Amazon EC2 commands on Snowball Edge, you must specify the `region` as "`snow`." You can do this using `AWS configure` or within the command itself, as in the following examples.
```
aws configure --profile ProfileName
AWS Access Key ID [None]: defgh
AWS Secret Access Key [None]: 1234567
Default region name [None]: snow
Default output format [None]: json
```
Or
```
aws s3 ls --endpoint http://192.0.2.0:8080 --region snow --profile ProfileName
```
# Network configurations for compute instances on Snowball Edge
After you launch your compute instance on a Snowball Edge, you must provide it with an IP address by creating a network interface. Snowball Edges support two kinds of network interfaces, a virtual network interface and a direct network interface.
**Virtual network interface (VNI)** – A virtual network interface is the standard network interface for connecting to an EC2-compatible instance on your Snowball Edge. You must create a VNI for each of your EC2-compatible instances regardless of whether you also use a direct network interface or not. The traffic passing through a VNI is protected by the security groups that you set up. You can only associate VNIs with the physical network port you use to control your Snowball Edge.
**Note**
VNI will use the same physical interface (RJ45, SFP\$1, or QSFP) that is used to managed the Snowball Edge. Creating a VNI on a different physical interface than the one being used for device management could lead to unexpected results.
**Direct network interface (DNI)** – A direct network interface (DNI) is an advanced network feature that enables use cases like multicast streams, transitive routing, and load balancing. By providing instances with layer 2 network access without any intermediary translation or filtering, you can gain increased flexibility over the network configuration of your Snowball Edge and improved network performance. DNIs support VLAN tags and customizing the MAC address. Traffic on DNIs is not protected by security groups.
On Snowball Edge devices, DNIs can be associated with the RJ45, SFP, or QSFP ports. Each physical port supports a maximum of 63 DNIs. DNIs do not have to be associated to the same physical network port that you use to manage the Snowball Edge.
**Note**
Snowball Edge storage optimized (with EC2 compute functionality) devices don't support DNIs.
**Topics**
+ [Prerequisites for DNIs or VNIs on Snowball Edge](#snowcone-configuration-prerequisites)
+ [Setting up a Virtual Network Interface (VNI) on a Snowball Edge](#setup-vni)
+ [Setting Up a Direct Network Interface (DNI) on a Snowball Edge](#snowcone-setup-dni)
## Prerequisites for DNIs or VNIs on Snowball Edge
Before you configure a VNI or a DNI, be sure that you've done the following prerequisites.
****
1. Make sure there's power to your device and that one of your physical network interfaces, like the RJ45 port, is connected with an IP address.
1. Get the IP address associated with the physical network interface that you're using on the Snowball Edge.
1. Configure the Snowball Edge client. For more information, see [Configuring a profile for the Snowball Edge Client](using-client-commands.md#client-configuration).
1. Configure the AWS CLI. For more information, see [Getting started with the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) in the AWS Command Line Interface User Guide.
1. Unlock the device.
+ Use AWS OpsHub to unlock the device. For more information, see [Unlocking a Snowball Edge with AWS OpsHub](https://docs.aws.amazon.com/snowball/latest/developer-guide/connect-unlock-device.html).
+ Use the Snowball Edge Client to unlock the device. For more information, see [Unlocking the Snowball Edge](unlockdevice.md).
1. Launch an EC2-compatible instance on the device. You will associate the VNI with this instance.
1. Use the Snowball Edge Client to run the `describe-device` command. The output of the command will provide a list of physical network interface IDs. For more information, see [Viewing status of a Snowball Edge](using-client-commands.md#client-status).
1. Identify the ID for the physical network interface that you want to use, and make a note of it.
## Setting up a Virtual Network Interface (VNI) on a Snowball Edge
After you have identified the ID of the physical network interface, you can set up a virtual network interface (VNI) with that physical interface. Use the following procedure set up a VNI. Make sure that you perform the prerequisite tasks before you create a VNI.
**Create a VNI and associate an IP address**
1. Use the Snowball Edge Client to run the `create-virtual-network-interface` command. The following examples show running this command with the two different IP address assignment methods, either `DHCP` or `STATIC`. The `DHCP` method uses Dynamic Host Configuration Protocol (DHCP).
```
snowballEdge create-virtual-network-interface \
--physical-network-interface-id s.ni-abcd1234 \
--ip-address-assignment DHCP \
--profile profile-name
//OR//
snowballEdge create-virtual-network-interface \
--physical-network-interface-id s.ni-abcd1234 \
--ip-address-assignment STATIC \
--static-ip-address-configuration IpAddress=192.0.2.0,Netmask=255.255.255.0 \
--profile profile-name
```
The command returns a JSON structure that includes the IP address. Make a note of that IP address to use with the `ec2 associate-address` AWS CLI command later in the process.
Anytime you need this IP address, you can use the Snowball Edge Client command `describe-virtual-network-interfaces` Snowball Edge client command, or the AWS CLI command `aws ec2 describe-addresses` to get it.
1. Use the AWS CLI to associate the IP address with the EC2-compatible instance, replacing the red text with your values:
```
aws ec2 associate-address --public-ip 192.0.2.0 --instance-id s.i-01234567890123456 --endpoint http://Snowball Edge physical IP address:8008
```
## Setting Up a Direct Network Interface (DNI) on a Snowball Edge
**Note**
The direct network interface feature is available on or after January 12, 2021 and is available in all AWS Regions where Snowball Edges are available.
### Prerequisites for a DNI on a Snowball Edge
Before you set up a direct network interface (DNI), you must perform the tasks in the prerequisites section.
1. Perform the prerequisite tasks before setting up the DNI. For instructions, see [Prerequisites for DNIs or VNIs on Snowball Edge](#snowcone-configuration-prerequisites).
1. Additionally, you must launch an instance on your device, create a VNI, and associate it with the instance. For instructions, see [Setting up a Virtual Network Interface (VNI) on a Snowball Edge](#setup-vni).
**Note**
If you added direct networking to your existing device by performing an in-the-field software update, you must restart the device twice to fully enable the feature.
**Create a DNI and associate IP address**
1. Create a direct network interface and attach it to the Amazon EC2-compatible instance by running the following command. You will need the MAC address of the device for the next step.
```
create-direct-network-interface [--endpoint endpoint] [--instance-id instanceId] [--mac macAddress]
[--physical-network-interface-id physicalNetworkInterfaceId]
[--unlock-code unlockCode] [--vlan vlanId]
```
OPTIONS
** --endpoint ** The endpoint to send this request to. The endpoint for your devices will be a URL using the `https` scheme followed by an IP address. For example, if the IP address for your device is 123.0.1.2, the endpoint for your device would be https://123.0.1.2.
** --instance-id ** The EC2-compatible instance ID to attach the interface to (optional).
** --mac ** Sets the MAC address of the network interface (optional).
**--physical-network-interface-id ** The ID for the physical network interface on which to create a new virtual network interface. You can determine the physical network interfaces available on your Snowball Edge using the `describe-device` command.
**--vlan ** Set the assigned VLAN for the interface (optional). When specified, all traffic sent from the interface is tagged with the specified VLAN ID. Incoming traffic is filtered for the specified VLAN ID, and has all VLAN tags stripped before being passed to the instance.
1. After you create a DNI and associate it with your EC2-compatible instance, you must make two configuration changes inside your Amazon EC2-compatible instance.
+ The first is to change ensure that packets meant for the VNI associated with the EC2-compatible instance are sent through eth0.
+ The second change configures your direct network interface to use either DCHP or static IP when booting.
The following are examples of shell scripts for Amazon Linux 2 and CentOS Linux that make these configuration changes.
------
#### [ Amazon Linux 2 ]
```
# Mac address of the direct network interface.
# You got this when you created the direct network interface.
DNI_MAC=[MAC ADDRESS FROM CREATED DNI]
# Configure routing so that packets meant for the VNI always are sent through eth0.
PRIVATE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
PRIVATE_GATEWAY=$(ip route show to match 0/0 dev eth0 | awk '{print $3}')
ROUTE_TABLE=10001
echo "from $PRIVATE_IP table $ROUTE_TABLE" > /etc/sysconfig/network-scripts/rule-eth0
echo "default via $PRIVATE_GATEWAY dev eth0 table $ROUTE_TABLE" > /etc/sysconfig/network-scripts/route-eth0
echo "169.254.169.254 dev eth0" >> /etc/sysconfig/network-scripts/route-eth0
# Query the persistent DNI name, assigned by udev via ec2net helper.
# changable in /etc/udev/rules.d/70-persistent-net.rules
DNI=$(ip --oneline link | grep -i $DNI_MAC | awk -F ': ' '{ print $2 }')
# Configure DNI to use DHCP on boot.
cat << EOF > /etc/sysconfig/network-scripts/ifcfg-$DNI
DEVICE="$DNI"
NAME="$DNI"
HWADDR=$DNI_MAC
ONBOOT=yes
NOZEROCONF=yes
BOOTPROTO=dhcp
TYPE=Ethernet
MAINROUTETABLE=no
EOF
# Make all changes live.
systemctl restart network
```
------
#### [ CentOS Linux ]
```
# Mac address of the direct network interface. You got this when you created the direct network interface.
DNI_MAC=[MAC ADDRESS FROM CREATED DNI]
# The name to use for the direct network interface. You can pick any name that isn't already in use.
DNI=eth1
# Configure routing so that packets meant for the VNIC always are sent through eth0
PRIVATE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
PRIVATE_GATEWAY=$(ip route show to match 0/0 dev eth0 | awk '{print $3}')
ROUTE_TABLE=10001
echo from $PRIVATE_IP table $ROUTE_TABLE > /etc/sysconfig/network-scripts/rule-eth0
echo default via $PRIVATE_GATEWAY dev eth0 table $ROUTE_TABLE > /etc/sysconfig/network-scripts/route-eth0
# Configure your direct network interface to use DHCP on boot.
cat << EOF > /etc/sysconfig/network-scripts/ifcfg-$DNI
DEVICE="$DNI"
NAME="$DNI"
HWADDR="$DNI_MAC"
ONBOOT=yes
NOZEROCONF=yes
BOOTPROTO=dhcp
TYPE=Ethernet
EOF
# Rename DNI device if needed.
CURRENT_DEVICE_NAME=$(LANG=C ip -o link | awk -F ': ' -vIGNORECASE=1 '!/link\/ieee802\.11/ && /'"$DNI_MAC"'/ { print $2 }')
ip link set $CURRENT_DEVICE_NAME name $DNI
# Make all changes live.
systemctl restart network
```
------
# Using SSH to connect to compute instances on a Snowball Edge
To use Secure Shell (SSH) to connect to compute instances on a Snowball Edge, you have the following options for providing or creating an SSH key.
+ You can provide the SSH key for the Amazon Machine Image (AMI) when you create a job to order a device. For more information, see [Creating a job to order a Snowball Edge](https://docs.aws.amazon.com/snowball/latest/developer-guide/create-job-common.html).
+ You can provide the SSH key for the AMI when you create a virtual machine image to import to a Snowball Edge. For more information, see [Importing a virtual machine image to a Snowball Edge device](ec2-ami-import-cli.md).
+ You can create a key pair on the Snowball Edge and choose to launch an instance with that locally generated public key. For more information, see [Create a key pair using Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html#having-ec2-create-your-key-pair) in the Amazon EC2 User Guide.
**To connect to an instance through SSH**
1. Make sure that your device is powered on, connected to the network, and unlocked. For more information, see [Connecting a Snowball Edge to your local network](getting-started.md#getting-started-connect).
1. Make sure that you have your network settings configured for your compute instances. For more information, see [Network configurations for compute instances on Snowball Edge](network-config-ec2.md).
1. Check your notes to find the PEM or PPK key pair that you used for this specific instance. Make a copy of those files somewhere on your computer. Make a note of the path to the PEM file.
1. Connect to your instance through SSH as in the following example command. The IP address is the IP address of the virtual network interface (VNIC) that you set up in [Network configurations for compute instances on Snowball Edge](network-config-ec2.md).
```
ssh -i path/to/PEM/key/file instance-user-name@192.0.2.0
```
For more information, see [Connecting to Your Linux Instance Using SSH](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html) in the* Amazon EC2 User Guide.*
# Transferring data from EC2-compatible compute instances to S3 buckets on the same Snowball Edge
You can transfer data between compute instances and Amazon S3 buckets on the same Snowball Edge device. You do this by using the supported AWS CLI commands and the appropriate endpoints. For example, assume that you want to move data from a directory in my `sbe1.xlarge` instance into the Amazon S3 bucket, `amzn-s3-demo-bucket` on the same device. Assume that you're using the Amazon S3 compatible storage on Snowball Edge endpoint `https://S3-object-API-endpoint:443`. You use the following procedure.
**To transfer data between a compute instance and a bucket on the same Snowball Edge**
1. Use SSH to connect to your compute instance.
1. Download and install the AWS CLI. If your instance doesn't already have the AWS CLI, download and install it. For more information, see [Installing the AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/installing.html).
1. Configure the AWS CLI on your compute instance to work with the Amazon S3 endpoint on the Snowball Edge. For more information, see [Getting and using local Amazon S3 credentials on Snowball Edge](using-adapter.md#adapter-credentials).
1. Use the supported Amazon S3 compatible storage on Snowball Edge commands to transfer data. For example:
```
aws s3 cp ~/june2018/results s3://amzn-s3-demo-bucket/june2018/results --recursive --endpoint https://S3-object-API-endpoint:443
```
# Starting EC2-compatible instances automatically
The Snowball Edge Client is a standalone command line interface (CLI) application that you can run in your environment. You can use it to perform some administrative tasks on your Snowball Edge device or cluster of devices. For more information about how to use the Snowball Edge client, including how to start and stop services with it, see [Configuring and using the Snowball Edge Client](using-client-commands.md).
Following, you can find information about the Snowball Edge client commands that are specific to compute instances, including examples of use.
For a list of Amazon EC2-compatible commands you can use on your AWS Snowball Edge device, see [Supported Amazon EC2-compatible AWS CLI commands on a Snowball Edge](using-ec2-endpoint.md#cli-support-ec2-edge).
## Creating an EC2-compatible launch configuration on a Snowball Edge
To automatically start Amazon EC2-compatible compute instances on your AWS Snowball Edge device after it is unlocked, you can create a launch configuration. To do so, use the `snowballEdge create-autostart-configuration` command, as shown following.
**Usage**
```
snowballEdge create-autostart-configuration --physical-connector-type [SFP_PLUS or RJ45 or QSFP] --ip-address-assignment [DHCP or STATIC] [--static-ip-address-configuration IpAddress=[IP address],NetMask=[Netmask]] --launch-template-id [--launch-template-version]
```
## Updating an EC2-compatible launch configuration on a Snowball Edge
To update an existing launch configuration on your Snowball Edge, use the `snowballEdge update-autostart-configuration` command. You can find its usage following. To enable or disable a launch configuration, specify the `--enabled` parameter.
**Usage**
```
snowballEdge update-autostart-configuration --autostart-configuration-arn [--physical-connector-type [SFP_PLUS or RJ45 or QSFP]] [--ip-address-assignment [DHCP or STATIC]] [--static-ip-address-configuration IpAddress=[IP address],NetMask=[Netmask]][--launch-template-id] [--launch-template-version] [--enabled]
```
## Deleting an EC2-compatible launch configuration on a Snowball Edge
To delete a launch configuration that's no longer in use, use the `snowballEdge delete-autostart-configuration` command, as follows.
**Usage**
```
snowballEdge delete-autostart-configuration --autostart-configuration-arn
```
## Listing EC2-compatible launch configurations on a Snowball Edge
To list the launch configurations that you have created on your Snowball Edge, use the `describe-autostart-configurations` command, as follows.
**Usage**
```
snowballEdge describe-autostart-configurations
```
## Creating a Virtual Network Interface on a Snowball Edge
To run a compute instance or start the NFS interface on a Snowball Edge, first create a Virtual Network Interface (VNI). Each Snowball Edge has three network interfaces (NICs), the physical network interface controllers for the device. These are the RJ45, SFP, and QSFP ports on the back of the device.
Each VNI is based on a physical one, and you can have any number of VNI s associated with each NIC. To create a virtual network interface, use the `snowballEdge create-virtual-network-interface` command.
**Note**
The `--static-ip-address-configuration` parameter is valid only when using the `STATIC` option for the `--ip-address-assignment` parameter.
**Usage **
You can use this command in two ways: with the Snowball Edge client configured, or without the Snowball Edge client configured. The following usage example shows the method with the Snowball Edge client configured.
```
snowballEdge create-virtual-network-interface --ip-address-assignment [DHCP or STATIC] --physical-network-interface-id [physical network interface id] --static-ip-address-configuration IpAddress=[IP address],NetMask=[Netmask]
```
The following usage example shows the method without the Snowball Edge client configured.
```
snowballEdge create-virtual-network-interface --endpoint https://[ip address] --manifest-file /path/to/manifest --unlock-code [unlock code] --ip-address-assignment [DHCP or STATIC] --physical-network-interface-id [physical network interface id] --static-ip-address-configuration IpAddress=[IP address],NetMask=[Netmask]
```
**Example: Creating VNICs (Using DHCP)**
```
snowballEdge create-virtual-network-interface --ip-address-assignment dhcp --physical-network-interface-id s.ni-8EXAMPLEaEXAMPLEd
{
"VirtualNetworkInterface" : {
"VirtualNetworkInterfaceArn" : "arn:aws:snowball-device:::interface/s.ni-8EXAMPLE8EXAMPLEf",
"PhysicalNetworkInterfaceId" : "s.ni-8EXAMPLEaEXAMPLEd",
"IpAddressAssignment" : "DHCP",
"IpAddress" : "192.0.2.0",
"Netmask" : "255.255.255.0",
"DefaultGateway" : "192.0.2.1",
"MacAddress" : "EX:AM:PL:E1:23:45",
"MtuSize" : "1500"
}
}
```
## Describing Your Virtual Network Interfaces
To describe the VNICs that you previously created on your device, use the `snowballEdge describe-virtual-network-interfaces` command. You can find its usage following.
**Usage **
You can use this command in two ways: with the Snowball Edge client configured, or without the Snowball Edge client configured. The following usage example shows the method with the Snowball Edge client configured.
```
snowballEdge describe-virtual-network-interfaces
```
The following usage example shows the method without the Snowball Edge client configured.
```
snowballEdge describe-virtual-network-interfaces --endpoint https://[ip address] --manifest-file /path/to/manifest --unlock-code [unlock code]
```
**Example: Describing VNICs**
```
snowballEdge describe-virtual-network-interfaces
[
{
"VirtualNetworkInterfaceArn" : "arn:aws:snowball-device:::interface/s.ni-8EXAMPLE8EXAMPLE8",
"PhysicalNetworkInterfaceId" : "s.ni-8EXAMPLEaEXAMPLEd",
"IpAddressAssignment" : "DHCP",
"IpAddress" : "192.0.2.0",
"Netmask" : "255.255.255.0",
"DefaultGateway" : "192.0.2.1",
"MacAddress" : "EX:AM:PL:E1:23:45",
"MtuSize" : "1500"
},{
"VirtualNetworkInterfaceArn" : "arn:aws:snowball-device:::interface/s.ni-1EXAMPLE1EXAMPLE1",
"PhysicalNetworkInterfaceId" : "s.ni-8EXAMPLEaEXAMPLEd",
"IpAddressAssignment" : "DHCP",
"IpAddress" : "192.0.2.2",
"Netmask" : "255.255.255.0",
"DefaultGateway" : "192.0.2.1",
"MacAddress" : "12:34:5E:XA:MP:LE",
"MtuSize" : "1500"
}
]
```
## Updating a Virtual Network Interface on a Snowball Edge
After creating a virtual network interface (VNI), you can update its configuration using the `snowballEdge update-virtual-network-interface` command. After providing the Amazon Resource Name (ARN) for a particular VNI, you provide values only for whatever elements you are updating.
**Usage**
You can use this command in two ways: with the Snowball Edge client configured, or without the Snowball Edge client configured. The following usage example shows the method with the Snowball Edge client configured.
```
snowballEdge update-virtual-network-interface --virtual-network-interface-arn [virtual network-interface-arn] --ip-address-assignment [DHCP or STATIC] --physical-network-interface-id [physical network interface id] --static-ip-address-configuration IpAddress=[IP address],NetMask=[Netmask]
```
The following usage example shows the method without the Snowball Edge client configured.
```
snowballEdge update-virtual-network-interface --endpoint https://[ip address] --manifest-file /path/to/manifest --unlock-code [unlock code] --virtual-network-interface-arn [virtual network-interface-arn] --ip-address-assignment [DHCP or STATIC] --physical-network-interface-id [physical network interface id] --static-ip-address-configuration IpAddress=[IP address],NetMask=[Netmask]
```
**Example: Updating a VNIC (Using DHCP)**
```
snowballEdge update-virtual-network-interface --virtual-network-interface-arn arn:aws:snowball-device:::interface/s.ni-8EXAMPLEbEXAMPLEd --ip-address-assignment dhcp
```
## Deleting a Virtual Network Interface on a Snowball Edge
To delete a virtual network interface (VNI), you can use the` snowballEdge delete-virtual-network-interface` command.
**Usage**
You can use this command in two ways: with the Snowball Edge client configured, or without the Snowball Edge client configured. The following usage example shows the method with the Snowball Edge client configured.
```
snowballEdge delete-virtual-network-interface --virtual-network-interface-arn [virtual network-interface-arn]
```
The following usage example shows the method without the Snowball Edge client configured.
```
snowballEdge delete-virtual-network-interface --endpoint https://[ip address] --manifest-file /path/to/manifest --unlock-code [unlock code] --virtual-network-interface-arn [virtual network-interface-arn]
```
**Example: Deleting a VNIC**
```
snowballEdge delete-virtual-network-interface --virtual-network-interface-arn arn:aws:snowball-device:::interface/s.ni-8EXAMPLEbEXAMPLEd
```
# Using the Amazon EC2-compatible endpoint on a Snowball Edge
Following, you can find an overview of the Amazon EC2-compatible endpoint. Using this endpoint, you can manage your Amazon Machine Images (AMIs) and compute instances programmatically using Amazon EC2-compatible API operations.
## Specifying the EC2-compatible endpoint as the AWS CLI endpoint on a Snowball Edge
When you use the AWS CLI to issue a command to the AWS Snowball Edge device, you can specify that the endpoint is the Amazon EC2-compatible endpoint. You have the choice of using the HTTPS endpoint, or an unsecured HTTP endpoint, as shown following.
**HTTPS secured endpoint**
```
aws ec2 describe-instances --endpoint https://192.0.2.0:8243 --ca-bundle path/to/certificate
```
**HTTP unsecured endpoint**
```
aws ec2 describe-instances --endpoint http://192.0.2.0:8008
```
If you use the HTTPS endpoint of `8243`, your data in transit is encrypted. This encryption is ensured with a certificate that's generated by the Snowball Edge when it is unlocked. After you have your certificate, you can save it to a local `ca-bundle.pem` file. Then you can configure your AWS CLI profile to include the path to your certificate, as described following.
**To associate your certificate with the Amazon EC2-compatible endpoint**
1. Connect the Snowball Edge to power and network, and turn it on.
1. After the device has finished unlocking, make a note of its IP address on your local network.
1. From a terminal on your network, make sure you can ping the Snowball Edge.
1. Run the `snowballEdge get-certificate` command in your terminal. For more information on this command, see [Managing public key certificates on Snowball Edge](snowball-edge-certificates-cli.md).
1. Save the output of the `snowballEdge get-certificate` command to a file, for example `ca-bundle.pem`.
1. Run the following command from your terminal.
```
aws configure set profile.snowballEdge.ca_bundle /path/to/ca-bundle.pem
```
After you complete the procedure, you can run CLI commands with these local credentials, your certificate, and your specified endpoint.
## Supported Amazon EC2-compatible AWS CLI commands on a Snowball Edge
You can manage your compute instances on a Snowball Edge device through an Amazon EC2-compatible endpoint. This type of endpoint supports many of the Amazon EC2 CLI commands and actions of the AWS SDKs. For information about installing and setting up the AWS CLI, including specifying which AWS Regions you want to make AWS CLI calls against, see the [AWS Command Line Interface User Guide](https://docs.aws.amazon.com/cli/latest/userguide/).
### List of supported EC2-compatible AWS CLI commands on a Snowball Edge
Following, you can find a description of the subset of AWS CLI commands and options for Amazon EC2 that are supported on Snowball Edge devices. If a command or option isn't listed following, it's not supported. You can declare some unsupported options along with a command. However, these are ignored.
+ [associate-address](https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-address.html) – Associates a virtual IP address with an instance for use on one of the three physical network interfaces on the device:
+ --instance-id – The ID of a single `sbe` instance.
+ --public-ip – The virtual IP address that you want to use to access your instance.
+ [attach-volume](https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-volume.html) – Attaches an Amazon EBS volume to a stopped or running instance on your device and exposes it to the instance with the specified device name.
+ --device `value` – The device name.
+ --instance-id – The ID of a target Amazon EC2-compatible instance.
+ --volume-id `value` – The ID of the EBS volume.
+ [authorize-security-group-egress](https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-egress.html) – Adds one or more egress rules to a security group for use with a Snowball Edge device. Specifically, this action permits instances to send traffic to one or more destination IPv4 CIDR address ranges. For more information, see [Controlling network traffic with security groups on Snowball Edge](edge-security-groups.md).
+ --group-id `value` – The ID of the security group
+ [--ip-permissions `value`] – One or more sets of IP permissions.
+ [authorize-security-group-ingress](https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html) – Adds one or more ingress rules to a security group. When calling `authorize-security-group-ingress`, you must specify a value either for `group-name` or `group-id`.
+ [--group-name `value`] – The name of the security group.
+ [--group-id `value`] – The ID of the security group
+ [--ip-permissions `value`] – One or more sets of IP permissions.
+ [--protocol `value`] The IP protocol. Possible values are `tcp`, `udp`, and `icmp`. The `--port` argument is required unless the "all protocols" value is specified (-1).
+ [--port `value`] – For TCP or UDP, the range of ports to allow. This value can be a single integer or a range (minimum–maximum).
For ICMP, a single integer or a range (`type`-`code`) in which `type` represents the ICMP type number and `code` represents the ICMP code number. A value of -1 indicates all ICMP codes for all ICMP types. A value of -1 just for `type` indicates all ICMP codes for the specified ICMP type.
+ [--cidr `value`] – The CIDR IP range.
+ [create-launch-template](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-launch-template.html) – Creates a launch template. A *launch template *contains the parameters to launch an instance. When you launch an instance using `RunInstances`, you can specify a launch template instead of providing the launch parameters in the request. You can create up to 100 templates per device.
+ --launch-template-name `string` – A name for the launch template.
+ --launch-template-data `structure` – The information for the launch template. The following attributes are supported:
+ `ImageId`
+ `InstanceType`
+ `SecurityGroupIds`
+ `TagSpecifications`
+ `UserData`
JSON syntax:
```
{
"ImageId":"string",
"InstanceType":"sbe-c.large",
"SecurityGroupIds":["string", ...],
"TagSpecifications":[{"ResourceType":"instance","Tags":[{"Key":"Name","Value":"Test"},
{"Key":"Stack","Value":"Gamma"}]}],
"UserData":"this is my user data"
}
```
+ [--version-description `string`] – A description for the first version of the launch template.
+ --endpoint `snowballEndpoint` – A value that enables you to manage your compute instances programmatically using Amazon EC2-compatible API operations. For more information, see [Specifying the EC2-compatible endpoint as the AWS CLI endpoint on a Snowball Edge](#using-ec2-adapter-cli-endpoint).
+ [create-launch-template-version](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-launch-template-version.html) – Creates a new version for a launch template. You can specify an existing version of a launch template from which to base the new version. Launch template versions are numbered in the order in which they are created. You can't specify, change, or replace the numbering of launch template versions. You can create up to 100 versions of each launch template.
Specify either the launch template ID or launch template name in the request.
+ --launch-template-id `string` – The ID of the launch template.
+ --launch-template-name `string` – A name for the launch template.
+ --launch-template-data `structure` – The information for the launch template. The following attributes are supported:
+ `ImageId`
+ `InstanceType`
+ `SecurityGroupIds`
+ `TagSpecifications`
+ `UserData`
JSON syntax:
```
{
"ImageId":"string",
"InstanceType":"sbe-c.large",
"SecurityGroupIds":["string", ...],
"TagSpecifications":[{"ResourceType":"instance","Tags":[{"Key":"Name","Value":"Test"},
{"Key":"Stack","Value":"Gamma"}]}],
"UserData":"this is my user data"
}
```
+ [--source-version `string`] – The version number of the launch template on which to base the new version. The new version inherits the same launch parameters as the source version, except for parameters that you specify in `launch-template-data`.
+ [--version-description `string`] – A description for the first version of the launch template.
+ --endpoint `snowballEndpoint` – A value that enables you to manage your compute instances programmatically using Amazon EC2-compatible API operations. For more information, see [Specifying the EC2-compatible endpoint as the AWS CLI endpoint on a Snowball Edge](#using-ec2-adapter-cli-endpoint).
+ [create-tags](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-tags.html) – Adds or overwrites one or more tags for the specified resource. Each resource can have a maximum of 50 tags. Each tag consists of a key and optional value. Tag keys must be unique for a resource. The following resources are supported:
+ AMI
+ Instance
+ Launch template
+ Security group
+ Key pair
+ [create-security-group](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html) – Creates a security group on your Snowball Edge. You can create up to 50 security groups. When you create a security group, you specify a friendly name of your choice:
+ --group-name `value` – The name of the security group.
+ --description `value` – A description of the security group. This is informational only. This value can be up to 255 characters in length.
+ [create-volume](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-volume.html) – Creates an Amazon EBS volume that can be attached to an instance on your device.
+ [--size `value`] – The size of the volume in GiBs, which can be from 1 GiB to 1 TB (1000 GiBs).
+ [--snapshot-id `value`] – The snapshot from which to create the volume.
+ [--volume-type `value`] – The volume type. If no value is specified, the default is `sbg1`. Possible values include the following:
+ `sbg1` for magnetic volumes
+ `sbp1` for SSD volumes
+ [--tag-specification `value`] – A list of tags to apply to the volume during creation.
+ [delete-launch-template](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-launch-template.html) – Deletes a launch template. Deleting a launch template deletes all of its versions.
Specify either the launch template ID or launch template name in the request.
+ --launch-template-id `string` – The ID of the launch template.
+ --launch-template-name `string` – A name for the launch template.
+ --endpoint `snowballEndpoint` – A value that enables you to manage your compute instances programmatically using Amazon EC2-compatible API operations. For more information, see [Specifying the EC2-compatible endpoint as the AWS CLI endpoint on a Snowball Edge](#using-ec2-adapter-cli-endpoint).
+ [delete-launch-template-version](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-launch-template-version.html) – Deletes one or more versions of a launch template. You can't delete the default version of a launch template; you must first assign a different version as the default. If the default version is the only version for the launch template, delete the entire launch template by using the `delete-launch-template` command.
Specify either the launch template ID or launch template name in the request.
+ --launch-template-id `string` – The ID of the launch template.
+ --launch-template-name `string` – A name for the launch template.
+ --versions (list) `"string" "string"` – The version numbers of one or more launch template versions to delete.
+ --endpoint `snowballEndpoint` – A value that enables you to manage your compute instances programmatically using Amazon EC2-compatible API operations. For more information, see [Specifying the EC2-compatible endpoint as the AWS CLI endpoint on a Snowball Edge](#using-ec2-adapter-cli-endpoint).
+ [delete-security-group](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-security-group.html) – Deletes a security group.
If you attempt to delete a security group that is associated with an instance, or is referenced by another security group, the operation fails with `DependencyViolation`.
+ --group-name `value` – The name of the security group.
+ --description `value` – A description of the security group. This is informational only. This value can be up to 255 characters in length.
+ [delete-tags](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-tags.html) – Deletes the specified set of tags from the specified resource (AMI, compute instance, launch template, or security group).
+ [delete-volume](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-volume.html) – Deletes the specified Amazon EBS volume. The volume must be in the `available` state (not attached to an instance).
+ --volume-id `value` – The ID of the volume.
+ [describe-addresses](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-addresses.html) – Describes one or more of your virtual IP addresses associated with the same number of `sbe` instances on your device.
+ --public-ips – One or more of the virtual IP addresses associated with your instances.
+ [describe-images](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-images.html) – Describes one or more of the images (AMIs) available to you. Images available to you are added to the Snowball Edge device during job creation.
+ --image-id – The Snowball AMI ID of the AMI.
+ [describe-instance-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instance-attribute.html) – Describes the specified attribute of the specified instance. You can specify only one attribute at a time. The following attributes are supported:
+ `instanceInitiatedShutdownBehavior`
+ `instanceType`
+ `userData`
+ [describe-instances](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html) – Describes one or more of your instances. The response returns any security groups that are assigned to the instances.
+ --instance-ids – The IDs of one or more `sbe` instances that were stopped on the device.
+ --page-size – The size of each page to get in the call. This value doesn't affect the number of items returned in the command's output. Setting a smaller page size results in more calls to the device, retrieving fewer items in each call. Doing this can help prevent the calls from timing out.
+ --max-items – The total number of items to return in the command's output. If the total number of items available is more than the value specified, `NextToken` is provided in the command's output. To resume pagination, provide the `NextToken` value in the `starting-token` argument of a subsequent command.
+ --starting-token – A token to specify where to start paginating. This token is the `NextToken` value from a previously truncated response.
+ [describe-instance-status](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instance-status.html) – Describes the status of the specified instances or all of your instances. By default, only running instances are described, unless you specifically indicate to return the status of all instances. Instance status includes the following components:
+ **Status checks** – Snow device performs status checks on running Amazon EC2-compatible instances to identify hardware and software issues.
+ **Instance state** – You can manage your instances from the moment you launch them through their termination.
With this command following filters are supported.
+ `[--filters]` (list)
The filters.
+ `instance-state-code` – The code for the instance state, as a 16-bit unsigned integer. The high byte is used for internal service reporting purposes and should be ignored. The low byte is set based on the state represented. The valid values are 0 (pending), 16 (running), 32 (shutting-down), 48 (terminated), 64 (stopping), and 80 (stopped).
+ `instance-state-name` – The state of the instance (`pending` \$1 `running` \$1 `shutting-down` \$1 `terminated` \$1 `stopping` \$1 `stopped` ).
+ `instance-status.reachability` – Filters on instance status where the name is `reachability` (`passed` \$1 `failed` \$1 `initializing` \$1 `insufficient-data` ).
+ `instance-status.status` – The status of the instance (`ok` \$1 `impaired` \$1 `initializing` \$1 `insufficient-data` \$1 `not-applicable` ).
+ `system-status.reachability` – Filters on system status where the name is reachability (`passed` \$1 `failed` \$1 `initializing` \$1 `insufficient-data` ).
+ `system-status.status` – The system status of the instance (`ok` \$1 `impaired` \$1 `initializing` \$1 `insufficient-data` \$1 `not-applicable` ).
+ JSON Syntax:
```
[
{
"Name": "string",
"Values": ["string", ...]
}
...
]
```
+ `[--instance-ids]` (list)
The instance IDs.
Default: Describes all of your instances.
+ `[--dry-run|--no-dry-run]` (boolean)
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is `DryRunOperation`.
Otherwise, it is `UnauthorizedOperation`.
+ `[--include-all-instances | --no-include-all-instances]` (boolean)
When `true`, includes the health status for all instances. When `false`, includes the health status for running instances only.
Default: `false`
+ `[--page-size]` (integer) – The size of each page to get in the call. This value doesn't affect the number of items returned in the command's output. Setting a smaller page size results in more calls to the device, retrieving fewer items in each call. Doing this can help prevent the calls from timing out.
+ `[--max-items]` (integer) – The total number of items to return in the command's output. If the total number of items available is more than the value specified, `NextToken` is provided in the command's output. To resume pagination, provide the `NextToken` value in the `starting-token` argument of a subsequent command.
+ `[--starting-token]` (string) – A token to specify where to start paginating. This token is the `NextToken` value from a previously truncated response.
+ [describe-launch-templates](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-launch-templates.html) – Describes one or more launch templates. The `describe-launch-templates` command is a paginated operation. You can make multiple calls to retrieve the entire dataset of results.
Specify either the launch template IDs or launch template names in the request.
+ --launch-template-ids (list) `"string" "string"` – A list of IDs of the launch templates.
+ --launch-template-names (list) `"string" "string"` – A list of names for the launch templates.
+ --page-size – The size of each page to get in the call. This value doesn't affect the number of items returned in the command's output. Setting a smaller page size results in more calls to the device, retrieving fewer items in each call. Doing this can help prevent the calls from timing out.
+ --max-items – The total number of items to return in the command's output. If the total number of items available is more than the value specified, `NextToken` is provided in the command's output. To resume pagination, provide the `NextToken` value in the `starting-token` argument of a subsequent command.
+ --starting-token – A token to specify where to start paginating. This token is the `NextToken` value from a previously truncated response.
+ --endpoint `snowballEndpoint` – A value that enables you to manage your compute instances programmatically using Amazon EC2-compatible API operations. For more information, see [Specifying the EC2-compatible endpoint as the AWS CLI endpoint on a Snowball Edge](#using-ec2-adapter-cli-endpoint).
+ [describe-launch-template-versions](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-launch-template-versions.html) – Describes one or more versions of a specified launch template. You can describe all versions, individual versions, or a range of versions. The `describe-launch-template-versions` command is a paginated operation. You can make multiple calls to retrieve the entire dataset of results.
Specify either the launch template IDs or launch template names in the request.
+ --launch-template-id `string` – The ID of the launch template.
+ --launch-template-name `string` – A name for the launch template.
+ [--versions (list) `"string" "string"`] – The version numbers of one or more launch template versions to delete.
+ [--min-version `string`] – The version number after which to describe launch template versions.
+ [--max-version `string`] – The version number up to which to describe launch template versions.
+ --page-size – The size of each page to get in the call. This value doesn't affect the number of items returned in the command's output. Setting a smaller page size results in more calls to the device, retrieving fewer items in each call. Doing this can help prevent the calls from timing out.
+ --max-items – The total number of items to return in the command's output. If the total number of items available is more than the value specified, `NextToken` is provided in the command's output. To resume pagination, provide the `NextToken` value in the `starting-token` argument of a subsequent command.
+ --starting-token – A token to specify where to start paginating. This token is the `NextToken` value from a previously truncated response.
+ --endpoint `snowballEndpoint` – A value that enables you to manage your compute instances programmatically using Amazon EC2-compatible API operations. For more information, see [Specifying the EC2-compatible endpoint as the AWS CLI endpoint on a Snowball Edge](#using-ec2-adapter-cli-endpoint).
+ [describe-security-groups](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html) – Describes one or more of your security groups.
The `describe-security-groups` command is a paginated operation. You can issue multiple API calls to retrieve the entire dataset of results.
+ [--group-name `value`] – The name of the security group.
+ [--group-id `value`] – The ID of the security group.
+ [--page-size `value`] – The size of each page to get in the AWS service call. This size doesn't affect the number of items returned in the command's output. Setting a smaller page size results in more calls to the AWS service, retrieving fewer items in each call. This approach can help prevent the AWS service calls from timing out. For usage examples, see [Pagination](https://docs.aws.amazon.com/cli/latest/userguide/pagination.html) in the *AWS Command Line Interface User Guide*.
+ [--max-items `value`] – The total number of items to return in the command's output. If the total number of items available is more than the value specified, `NextToken` is provided in the command's output. To resume pagination, provide the `NextToken` value in the `starting-token` argument of a subsequent command. Don't use the `NextToken` response element directly outside of the AWS CLI. For usage examples, see [Pagination](https://docs.aws.amazon.com/cli/latest/userguide/pagination.html) in the *AWS Command Line Interface User Guide*.
+ [--starting-token `value`] – A token to specify where to start paginating. This token is the `NextToken` value from a previously truncated response. For usage examples, see [Pagination](https://docs.aws.amazon.com/cli/latest/userguide/pagination.html) in the *AWS Command Line Interface User Guide*.
+ [describe-tags](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-tags.html) – Describes one or more of the tags for specified resource (`image`, `instance`, or security group). With this command, the following filters are supported:
+ launch-template
+ resource-id
+ resource-type – `image` or `instance`
+ key
+ value
+ [describe-volumes](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-volumes.html) – Describes the specified Amazon EBS volumes.
+ [--max-items `value`] – The total number of items to return in the command's output. If the total number of items available is more than the value specified, `NextToken` is provided in the command's output. To resume pagination, provide the `NextToken` value in the `starting-token` argument of a subsequent command.
+ [--starting-token `value`] – A token to specify where to start paginating. This token is the `NextToken` value from a previously truncated response.
+ [--volume-ids `value`] – One or more volume IDs.
+ [detach-volume](https://docs.aws.amazon.com/cli/latest/reference/ec2/detach-volume.html) – Detaches an Amazon EBS volume from a stopped or running instance.
+ [--device `value`] – The device name.
+ [--instance-id] – The ID of a target Amazon EC2 instance.
+ --volume-id `value` – The ID of the volume.
+ [disassociate-address](https://docs.aws.amazon.com/cli/latest/reference/ec2/disassociate-address.html) – Disassociates a virtual IP address from the instance it's associated with.
+ --public-ip – The virtual IP address that you want to disassociate from your instance.
+ [get-launch-template-data](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-launch-template-data.html) – Retrieves the configuration data of the specified instance. You can use this data to create a launch template.
+ --instance-id – The ID of a single `sbe` instance.
+ --endpoint `snowballEndpoint` – A value that enables you to manage your compute instances programmatically using Amazon EC2-compatible API operations. For more information, see [Specifying the EC2-compatible endpoint as the AWS CLI endpoint on a Snowball Edge](#using-ec2-adapter-cli-endpoint).
+ [modify-launch-template](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-launch-template.html) – Modifies a launch template. You can specify which version of the launch template to set as the default version. When you launch an instance without specifying a launch template version, the default version of the launch template applies.
Specify either the launch template ID or launch template name in the request.
+ --launch-template-id `string` – The ID of the launch template.
+ --launch-template-name `string` – A name for the launch template.
+ --default-version `string` – The version number of the launch template to set as the default version.
+ --endpoint `snowballEndpoint` – A value that enables you to manage your compute instances programmatically using Amazon EC2-compatible API operations. For more information, see [Specifying the EC2-compatible endpoint as the AWS CLI endpoint on a Snowball Edge](#using-ec2-adapter-cli-endpoint).
+ [modify-instance-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-attribute.html) – Modifies an attribute of the specified instance. The following attributes are supported:
+ `instanceInitiatedShutdownBehavior`
+ `userData`
+ [revoke-security-group-egress](https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-egress.html) – Removes one or more egress rules from a security group:
+ [--group-id `value`] – The ID of the security group
+ [--ip-permissions `value`] – One or more sets of IP permissions.
+ [revoke-security-group-ingress](https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html) – Revokes one or more ingress rules to a security group. When calling `revoke-security-group-ingress`, you must specify a value for either `group-name` or `group-id`.
+ [--group-name `value`] – The name of the security group.
+ [--group-id `value`] – The ID of the security group.
+ [--ip-permissions `value`] – One or more sets of IP permissions.
+ [--protocol `value`] The IP protocol. Possible values are `tcp`, `udp`, and `icmp`. The `--port` argument is required unless the "all protocols" value is specified (-1).
+ [--port `value`] – For TCP or UDP, the range of ports to allow. A single integer or a range (minimum–maximum).
For ICMP, a single integer or a range (`type`-`code`) in which `type` represents the ICMP type number and `code` represents the ICMP code number. A value of -1 indicates all ICMP codes for all ICMP types. A value of -1 just for `type` indicates all ICMP codes for the specified ICMP type.
+ [--cidr `value`] – The CIDR IP range.
+ [run-instances](https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html) – Launches a number of compute instances by using a Snowball AMI ID for an AMI.
**Note**
It can take up to an hour and a half to launch a compute instance on a Snowball Edge, depending on the size and type of the instance.
+ [--block-device-mappings `(list)]` – The block device mapping entries. The parameters `DeleteOnTermination`, `VolumeSize`, and `VolumeType` are supported. Boot volumes must be type `sbg1`.
The JSON syntax for this command is as follows.
```
{
"DeviceName": "/dev/sdh",
"Ebs":
{
"DeleteOnTermination": true|false,
"VolumeSize": 100,
"VolumeType": "sbp1"|"sbg1"
}
}
```
+ --count – Number of instances to launch. If a single number is provided, it is assumed to be the minimum to launch (defaults to 1). If a range is provided in the form `min:max`, then the first number is interpreted as the minimum number of instances to launch and the second is interpreted as the maximum number of instances to launch.
+ --image-id – The Snowball AMI ID of the AMI, which you can get by calling `describe-images`. An AMI is required to launch an instance.
+ --InstanceInitiatedShutdownBehavior – By default, when you initiate a shutdown from your instance (using a command such as shutdown or poweroff), the instance stops. You can change this behavior so that it terminates instead. The parameters `stop` and `terminate` are supported. The default is `stop`. For more information, see [Changing the instance initiated shutdown behavior](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#Using_ChangingInstanceInitiatedShutdownBehavior) in the *Amazon EC2 User Guide for Linux Instances*.
+ --instance-type – The `sbe` instance type.
+ --launch-template `structure` – The launch template to use to launch the instances. Any parameters that you specify in the `run-instances` command override the same parameters in the launch template. You can specify either the name or ID of a launch template, but not both.
```
{
"LaunchTemplateId": "string",
"LaunchTemplateName": "string",
"Version": "string"
}
```
+ --security-group-ids – One or more security group IDs. You can create a security group using [CreateSecurityGroup](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html). If no value is provided, the ID for the default security group is assigned to created instances.
+ --tag-specifications – The tags to apply to the resources during launch. You can only tag instances on launch. The specified tags are applied to all instances that are created during launch. To tag a resource after it has been created, use `create-tags`.
+ --user-data – The user data to make available to the instance. If you are using the AWS CLI, base64-encoding is performed for you, and you can load the text from a file. Otherwise, you must provide base64-encoded text.
+ --key-name (string) – The name of the key pair. You can create a key pair using `CreateKeyPair` or `ImportKeyPair`.
**Warning**
If you don't specify a key pair, you can't connect to the instance unless you choose an AMI that is configured to allow users another way to log in.
+ [start-instances](https://docs.aws.amazon.com/cli/latest/reference/ec2/start-instances.html) – Starts an `sbe` instance that you've previously stopped. All resources attached to the instance persist through starts and stops, but are erased if the instance is terminated.
+ --instance-ids – The IDs of one or more `sbe` instances that were stopped on the device.
+ [stop-instances](https://docs.aws.amazon.com/cli/latest/reference/ec2/stop-instances.html) – Stops an `sbe` instance that is running. All resources attached to the instance persist through starts and stops, but are erased if the instance is terminated.
+ --instance-ids – The IDs of one or more `sbe` instances to be stopped on the device.
+ [terminate-instances](https://docs.aws.amazon.com/cli/latest/reference/ec2/terminate-instances.html) – Shuts down one or more instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds. All resources attached to the instance persist through starts and stops, but data is erased if the instance is terminated.
**Note**
By default, when you use a command like `shutdown` or `poweroff` to initiate a shutdown from your instance, the instance stops. However, you can use the `InstanceInitiatedShutdownBehavior` attribute to change this behavior so that these commands terminate your instance. For more information, see [Changing the instance initiated shutdown behavior](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#Using_ChangingInstanceInitiatedShutdownBehavior) in the *Amazon EC2 User Guide for Linux Instances*.
+ --instance-ids – The IDs of one or more `sbe` instances to be terminated on the device. All associated data stored for those instances will be lost.
+ [create-key-pair](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-key-pair.html) – Creates a 2048-bit RSA key pair with the specified name. Amazon EC2 stores the public key and displays the private key for you to save to a file. The private key is returned as an unencrypted PEM-encoded PKCS\$11 private key. If a key with the specified name already exists, Amazon EC2 returns an error.
+ --key-name (string) – A unique name for the key pair.
Constraints: Up to 255 ASCII characters.
+ [--tag-specifications] (list) – The tags to apply to the new key pair.
```
{
"ResourceType": "image"|"instance"|"key-pair"|"launch-template"|"security-group",
"Tags": [
{
"Key": "string",
"Value": "string"
}
...
]
}
...
```
+ [import-key-pair](https://docs.aws.amazon.com/cli/latest/reference/ec2/import-key-pair.html) –
+ --key-name (string) – A unique name for the key pair.
Constraints: Up to 255 ASCII characters.
+ --public-key-material (blob) – The public key. For API calls, the text must be base64-encoded. For command line tools, base64-encoding is performed for you.
+ [--tag-specifications] (list) – The tags to apply to the new key pair.
```
{
"ResourceType": "image"|"instance"|"key-pair"|"launch-template"|"security-group",
"Tags": [
{
"Key": "string",
"Value": "string"
}
...
]
}
```
+ [describe-key-pairs](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-key-pairs.html) –
[--filters] (list) – The filters.
+ key-pair-id – The ID of the key pair.
+ key-name – The name of the key pair.
+ tag-key – The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
+ [--tag-specifications] (list) – The tags to apply to the new key pair.
+ tag :key – The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key `Owner` and the value `Team A`, specify `tag:Owner` for the filter name and `Team A` for the filter value.
```
{
"Name": "string",
"Values": ["string", ...]
}
...
```
+ [--key-names] (list) – The key pair names.
Default: Describes all your key pairs.
+ [--key-pair-ids] (list) – The IDs of the key pairs.
+ [delete-key-pair](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-key-pair.html) –
+ [--key-name] (string) – The name of the key pair.
+ [--key-pair-id] (string) – The ID of the key pair.
## Supported Amazon EC2-compatible API operations on a Snowball Edge
Following, you can find Amazon EC2-compatible API operations that you can use with a Snowball Edge, with links to their descriptions in the *Amazon EC2 API Reference. *Amazon EC2-compatible API calls require Signature Version 4 (SigV4) signing. If you're using the AWS CLI or an AWS SDK to make these API calls, the SigV4 signing is handled for you. Otherwise, you need to implement your own SigV4 signing solution. For more information, see [Getting and using local Amazon S3 credentials on Snowball Edge](using-adapter.md#adapter-credentials).
+ [AssociateAddress](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateAddress.html) – Associates an Elastic IP address with an instance or a network interface.
+ [AttachVolume](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachVolume.html) – The following request parameters are supported:
+ `Device`
+ `InstanceId`
+ `VolumeId`
+ [AuthorizeSecurityGroupEgress](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html) – Adds one or more egress rules to a security group for use with a Snowball Edge device. Specifically, this action permits instances to send traffic to one or more destination IPv4 CIDR address ranges.
+ [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html) – Adds one or more ingress rules to a security group. When calling AuthorizeSecurityGroupIngress, you must specify a value either for `GroupName` or `GroupId`.
+ [CreateVolume](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) – The following request parameters are supported:
+ `SnapshotId`
+ `Size`
+ `VolumeType`
+ `TagSpecification.N`
+ [CreateLaunchTemplate](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLaunchTemplate.html) – The following request parameters are supported:
+ `ImageId`
+ `InstanceType`
+ `SecurityGroupIds`
+ `TagSpecifications`
+ `UserData`
+ [CreateLaunchTemplateVersion](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLaunchTemplateVersion.html)
+ [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) – The following request parameters are supported:
+ `AMI`
+ `Instance`
+ `Launch template`
+ `Security group`
+ [CreateSecurityGroup](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html) – Creates a security group on your Snowball Edge. You can create up to 50 security groups. When you create a security group, you specify a friendly name of your choice.
+ [DeleteLaunchTemplate](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteLaunchTemplate.html)
+ [DeleteLaunchTemplateVersions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteLaunchTemplateVersions.html)
+ [DeleteSecurityGroup](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html) – Deletes a security group. If you attempt to delete a security group that is associated with an instance, or is referenced by another security group, the operation fails with `DependencyViolation`.
+ [DeleteTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTags.html) – Deletes the specified set of tags from the specified set of resources.
+ [DeleteVolume](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVolume.html) – The following request parameters are supported:
+ `VolumeId`
+ [DescribeAddresses](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAddresses.html)
+ [DescribeImages](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImages.html)
+ [DescribeInstanceAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceAttribute.html) – The following attributes are supported:
+ `instanceType`
+ `userData`
+ [DescribeInstanceStatus](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceStatus.html)
+ [DescribeLaunchTemplates](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLaunchTemplates.html)
+ [DescribeLaunchTemplateVersions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLaunchTemplateVersions.html)
+ [DescribeInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html)
+ [DescribeSecurityGroups](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) – Describes one or more of your security groups. `DescribeSecurityGroups` is a paginated operation. You can issue multiple API calls to retrieve the entire dataset of results.
+ [DescribeTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTags.html) – With this command, the following filters are supported:
+ `resource-id`
+ `resource-type` – AMI or compute instance only
+ `key`
+ `value`
+ [DescribeVolume](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVolumes.html) – The following request parameters are supported:
+ `MaxResults`
+ `NextToken`
+ `VolumeId.N`
+ [DetachVolume](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachVolumes.html) – The following request parameters are supported:
+ `Device`
+ `InstanceId`
+ `VolumeId`
+ [DisassociateAddress](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateAddress.html)
+ [GetLaunchTemplateData](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetLaunchTemplateData.html)
+ [ModifyLaunchTemplate](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyLaunchTemplate.html)
+ [ModifyInstanceAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html) – Only the `userData` attribute is supported.
+ [RevokeSecurityGroupEgress](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html) – Removes one or more egress rules from a security group.
+ [RevokeSecurityGroupIngress](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html) – Revokes one or more ingress rules to a security group. When calling RevokeSecurityGroupIngress, you must specify a value either for `group-name` or `group-id`.
+ [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) –
**Note**
It can take up to an hour and a half to launch a compute instance on a Snowball Edge, depending on the size and type of the instance.
+ [StartInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html)
+ [StopInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html) – Resources associated with a stopped instance persist. You can terminate the instance to free up these resources. However, any associated data is deleted.
+ [TerminateInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TerminateInstances.html)
# Autostarting EC2-compatible instances with launch templates on a Snowball Edge
You can automatically start your Amazon EC2-compatible instances on your AWS Snowball Edge device using launch templates and Snowball Edge client launch configuration commands.
A *launch template* contains the configuration information necessary to create an Amazon EC2-compatible instance on your Snowball Edge. You can use a launch template to store launch parameters so you don't have to specify them every time that you start an EC2-compatible instance on your Snowball Edge.
When you use autostart configurations on your Snowball Edge, you configure the parameters that you want your Amazon EC2-compatible instance to start with. After your Snowball Edge is configured, when you reboot and unlock it, it uses your autostart configuration to launch an instance with the parameters that you specified. If an instance that you launched using an autostart configuration is stopped, the instance starts running when you unlock your device.
**Note**
After you first configure an autostart configuration, restart your device to launch it. All subsequent instance launches (after planned or unplanned reboots) happen automatically after your device is unlocked.
A launch template can specify the Amazon Machine Image (AMI) ID, instance type, user data, security groups, and tags for an Amazon EC2-compatible instance when you launch that instance. For a list of supported instance types, see [Quotas for compute instances on a Snowball Edge device](ec2-edge-limits.md).
To automatically launch EC2-compatible instances on your Snowball Edge, take the following steps:
1. When you order your AWS Snowball Edge device, create a job to order a Snowball Edge device with compute instances. For more information, see [Creating a job to order a Snowball Edge](https://docs.aws.amazon.com/snowball/latest/developer-guide/create-job-common.html).
1. After receiving your Snowball Edge, unlock it.
1. Use the EC2-compatible API command `aws ec2 create-launch-template` to create a launch template.
1. Use the Snowball Edge client command `snowballEdge create-autostart-configuration` to bind your EC2-compatible instance launch template to your network configuration. For more information, see [Creating an EC2-compatible launch configuration on a Snowball Edge](using-ec2-edge-client.md#ec2-edge-create-autostart-config).
1. Reboot, then unlock your device. Your EC2-compatible instances are automatically started using the attributes specified in your launch template and your Snowball Edge client command `create-autostart-configuration`.
To view the status of your running instances, use the EC2-compatible API command `describe-autostart-configurations`.
**Note**
There is no console or job management API for AWS Snowball Edge support for launch templates. You use EC2-compatible and Snowball Edge client CLI commands to automatically start EC2-compatible instances on your AWS Snowball Edge device.
# Using Instance Metadata Service for Snow with Amazon EC2-compatible instances on a Snowball Edge
IMDS for Snow provides Instance Metadata Service (IMDS) for Amazon EC2-compatible instances on Snow. Instance metadata is categories of information about instances. It includes categories such as *host name*, *events*, and *security groups*. Using IMDS for Snow, you can use instance metadata to access user data that you specified when launching your Amazon EC2-compatible instance. For example, you can use IMDS for Snow to specify parameters for configuring your instance, or include these parameters in a simple script. You can build generic AMIs and use user data to modify the configuration files supplied at launch time.
To learn about instance metadata and user data and Snow EC2-compatible instances, see [Supported Instance Metadata and User Data](https://docs.aws.amazon.com/snowball/latest/developer-guide/edge-compute-instance-metadata.html) in this guide.
**Important**
Although you can only access instance metadata and user data from within the instance itself, the data is not protected by authentication or cryptographic methods. Anyone who has direct access to the instance, and potentially any software running on the instance, can view its metadata. Therefore, you should not store sensitive data, such as passwords or long-lived encryption keys, as user data.
**Note**
The examples in this section use the IPv4 address of the instance metadata service: 169.254.169.254. We do not support the retrieval of instance metadata using the link-local IPv6 address.
**Topics**
+ [IMDS versions on a Snowball Edge](imds-versions.md)
+ [Examples of retrieving instance metadata using IMDSv1 and IMDSv2 on a Snowball Edge](imds-code-examples.md)
# IMDS versions on a Snowball Edge
You can access instance metadata from a running instance using IMDS version 2 or IMDS version 1:
+ Instance Metadata Service version 2 (IMDSv2), a session‐oriented method
+ Instance Metadata Service version 1 (IMDSv1), a request‐response method
Depending on the version of your Snow software, you can use IMDSv1, IMDSv2, or both. This also depends on the type of AMI running in the EC2-compatible instance. Some AMIs, such as those running Ubuntu 20.04, require IMDSv2. The instance metadata service distinguishes between IMDSv1 and IMDSv2 requests based on the presence of `PUT` or `GET` headers. IMDSv2 uses both of these headers. IMDSv1 uses only the `GET` header.
AWS encourages the use of IMDSv2 rather than IMDSv1 because IMDSv2 includes higher security. For more information, see [Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/).
## IMDSv2 on a Snowball Edge
When you use IMDSv2 to request instance metadata, the request must follow these rules:
1. Use a `PUT` request to initiate a session to the instance metadata service. The `PUT` request returns a session token that must be included in subsequent `GET` requests to the instance metadata service. The session token that defines the session duration. Session duration can be a minimum of one second and a maximum of six hours. During this duration, you can use the same session token for subsequent requests. After this duration expires, you must create a new session token for future requests. The token is required to access metadata using IMDSv2.
1. Include the token in all `GET` requests to the instance metadata service.
1. The token is an instance‐specific key. The token is not valid on other EC2-compatible instances and will be rejected if you attempt to use it outside of the instance on which it was generated.
1. The `PUT` request must include a header that specifies the time to live (TTL) for the token, in seconds, up to a maximum of six hours (21,600 seconds). The token represents a logical session. The TTL specifies the length of time that the token is valid and, therefore, the duration of the session.
1. After a token expires, to continue accessing instance metadata, you must create a new session using another `PUT` request.
1. You can choose to reuse a token or create a new token with every request. For a small number of requests, it might be easier to generate and immediately use a token each time you need to access the instance metadata service. But for efficiency, you can specify a longer duration for the token and reuse it rather than having to write a `PUT` request every time you need to request instance metadata. There is no practical limit on the number of concurrent tokens, each representing its own session.
HTTP `GET` and `HEAD` methods are allowed in IMDSv2 instance metadata requests. `PUT` requests are rejected if they contain an `X-Forwarded-For` header.
By default, the response to `PUT` requests has a response hop limit (time to live) of 1 at the IP protocol level. IMDS for Snow does not have ability to modify the hop limit on `PUT` responses.
The following example uses a Linux shell script and IMDSv2 to retrieve the top‐level instance metadata items. This example:
1. Creates a session token lasting six hours (21,600 seconds) using the `PUT` request.
1. Stores the session token header in a variable named `TOKEN`.
1. Requests the top‐level metadata items using the token.
Use two commands to generate the EC2-compatible token. You can run the commands seperately or as one command.
First, generate a token using the following command.
**Note**
`X-aws-ec2-metadata-token-ttl-seconds` is a required header. If this header is not included, you will receive an **400 - Missing or Invalid Parameters** error code.
```
[ec2-user ~]$ TOKEN=curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
```
Then, use the token to generate top‐level metadata items using the following command.
```
[ec2-user ~]$ curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/
```
**Note**
If there is an error in creating the token, an error message is stored in the variable instead of a valid token and the command will not work.
You can store the token and combine the commands. The following example combines the above two commands and stores the session token header in a variable named `TOKEN`.
**Example of combined commands**
```
[ec2-user ~]$ TOKEN=curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/
```
After you've created a token, you can reuse it until it expires. The following example command gets the ID of the AMI used to launch the instance and stores it in the `$TOKEN` created in the previous example.
**Example of reusing a token**
```
[ec2-user ~]$ curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/ami-id
```
## IMDSv1 on a Snowball Edge
IMDSv1 uses the request‐response model. To request instance metadata, you send a `GET` request to the instance metadata service.
```
[ec2-user ~]$ curl http://169.254.169.254/latest/meta-data/
```
Your instance metadata is available from your running instance, so you do not need to use Amazon EC2 console or the AWS CLI to access it. This can be helpful when you're writing scripts to run from your instance. For example, you can access the local IP address of your instance from instance metadata to manage a connection to an external application. Instance metadata is divided into categories. For a description of each instance metadata category, see [Supported Instance Metadata and User Data](https://docs.aws.amazon.com/snowball/latest/developer-guide/edge-compute-instance-metadata.html) in this guide.
To view all categories of instance metadata from within a running instance, use the following IPv4 URI:
```
http://169.254.169.254/latest/meta-data/
```
The IP addresses are link-local addresses and are valid only from the instance. For more information, see [Link-local address](https://en.wikipedia.org/wiki/Link-local_address) on Wikipedia.
All instance metadata is returned as text (HTTP content type `text/plain`).
A request for a specific metadata resource returns the appropriate value, or an **404 - Not Found** HTTP error code, if the resource is not available.
A request for a general metadata resource (when the URI ends with a `/` character) returns a list of available resources, or an **404 - Not Found** HTTP error code if there is no such resource. The list items are on separate lines, terminated by line feeds (ASCII character code 10).
For requests made using IMDSv1, the following HTTP error codes can be returned:
+ **400 ‐ Missing or Invalid Parameters** — The `PUT` request is not valid.
+ **401 ‐ Unauthorized** — The `GET` request uses an invalid token. The recommended action is to generate a new token.
+ **403 ‐ Forbidden** — The request is not allowed or the instance metadata service is turned off.
# Examples of retrieving instance metadata using IMDSv1 and IMDSv2 on a Snowball Edge
The following examples provide commands that you can use on a Linux instance.
**Example of getting the available versions of the instance metadata**
This example gets the available versions of the instance metadata. Each version refers to an instance metadata build when new instance metadata categories were released. The earlier versions are available to you in case you have scripts that rely on the structure and information present in a previous version.
IMDSv2
```
[ec2-user ~]$ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed
100 56 100 56 0 0 3733 0 --:--:-- --:--:-- --:--:-- 3733
* Trying 169.254.169.254...
* TCP_NODELAY set
* Connected to 169.254.169.254 (169.254.169.254) port 80 (#0)
> GET / HTTP/1.1
> Host: 169.254.169.254
> User-Agent: curl/7.61.1
> Accept: */*
> X-aws-ec2-metadata-token: MDAXcxNFLbAwJIYx8KzgNckcHTdxT4Tt69TzpKExlXKTULHIQnjEtXvD
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Date: Mon, 12 Sep 2022 21:58:03 GMT
< Content-Length: 274
< Content-Type: text/plain
< Server: EC2ws
<
1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2008-09-01
2009-04-04
2011-01-01
2011-05-01
2012-01-12
2014-02-25
2014-11-05
2015-10-20
2016-04-19
2016-06-30
2016-09-02
2018-03-28
2018-08-17
2018-09-24
2019-10-01
2020-10-27
2021-01-03
2021-03-23
* Closing connection 0
```
IMDSv1
```
[ec2-user ~]$ curl http://169.254.169.254/
1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2008-09-01
2009-04-04
2011-01-01
2011-05-01
2012-01-12
2014-02-25
2014-11-05
2015-10-20
2016-04-19
2016-06-30
2016-09-02
2018-03-28
2018-08-17
2018-09-24
2019-10-01
2020-10-27
2021-01-03
2021-03-23
latest
```
**Example of getting the top‐level metadata items**
This example gets the top‐level metadata items. For information on top‐level metadata items, see [Supported Instance Metadata and User Data](https://docs.aws.amazon.com/snowball/latest/developer-guide/edge-compute-instance-metadata.html) in this guide.
IMDSv2
```
[ec2-user ~]$ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/
ami-id
hostname
instance-id
instance-type
local-hostname
local-ipv4
mac
network/
reservation-id
security-groups
```
IMDSv1
```
[ec2-user ~]$ curl http://169.254.169.254/latest/meta-data/
ami-id
hostname
instance-id
instance-type
local-hostname
local-ipv4
mac
network/
reservation-id
security-groups
```
**Example of getting values of top‐level metadata**
The following examples get the values of some of the top‐level metadata items that were obtained in the preceding example. The IMDSv2 requests use the stored token that was created in the preceding example command, assuming it has not expired.
`ami‐id` IMDSv2
```
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/ami-id ami-0abcdef1234567890
```
`ami-id` IMDSv1
```
curl http://169.254.169.254/latest/meta-data/ami-id ami-0abcdef1234567890
```
`reservation-id` IMDSv2
```
[ec2-user ~]$ curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/reservation-id r-0efghijk987654321
```
`reservation-id` IMDSv1
```
[ec2-user ~]$ curl http://169.254.169.254/latest/meta-data/reservation-id \
r-0efghijk987654321
```
`local-hostname` IMDSv2
```
[ec2-user ~]$ curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/local-hostname ip-00-000-00-00
```
`local-hostname` IMDSv1
```
[ec2-user ~]$ curl http://169.254.169.254/latest/meta-data/local-hostname ip-00-000-00-00
```
# Using block storage with Amazon EC2-compatible instances on Snowball Edge
With block storage on Snowball Edge, you can add or remove block storage based on the needs of your applications. Volumes that are attached to an Amazon EC2-compatible instance are exposed as storage volumes that persist independently from the life of the instance. You can manage block storage using the familiar Amazon EBS API.
Certain Amazon EBS commands are supported by using the EC2-compatible endpoint. Supported commands include `attach-volume`, `create-volume`, `delete-volume`, `detach-volume`, and `describe-volumes`. For more information about these commands, see [List of supported EC2-compatible AWS CLI commands on a Snowball Edge](using-ec2-endpoint.md#list-cli-commands-ec2-edge).
**Important**
Be sure to unmount any file systems on the device within your operating system before detaching the volume. Failure to do so can potentially result in data loss.
Following, you can find Amazon EBS volume quotas and differences between Amazon EBS volumes on your device and Amazon EBS volumes in the cloud:
+ Amazon EBS volumes are only available to EC2-compatible instances running on the device hosting the volumes.
+ Volume types are limited to either capacity-optimized HDD (`sbg1`) or performance-optimized SSD (`sbp1`). The default volume type is `sbg1`.
+ Snowball Edge shares HDD memory between Amazon S3 objects and Amazon EBS. If you use HDD-based block storage on AWS Snowball Edge, it reduces the amount of memory available for Amazon S3 objects. Likewise, Amazon S3 objects reduce the amount of memory available for Amazon EBS block storage on HDD volumes.
+ Amazon EC2-compatible root volumes always use the IDE driver. Additional Amazon EBS volumes will preferentially use the Virtio driver if available. If the Virtio driver isn't available, SBE defaults to the IDE driver. The Virtio driver allows for better performance and is recommended.
+ When creating Amazon EBS volumes, the `encrypted` parameter isn't supported. However, all data on your device is encrypted by default. .
+ Volumes can be from 1 GB to 10 TB in size.
+ Up to 10 Amazon EBS volumes can be attached to a single EC2-compatible instance.
+ There is no formal limit to the number of Amazon EBS volumes you can have on your AWS Snowball Edge device. However, total Amazon EBS volume capacity is limited by the available space on your device.
# Controlling network traffic with security groups on Snowball Edge
A *security group* acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You can add rules to each security group to allow traffic to or from its associated instances. For more information, see [Amazon EC2 security groups for Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html) in the Amazon EC2 User Guide.
Security groups on Snowball Edge devices are similar to security groups in the AWS Cloud. Virtual private clouds (VPCs) aren't supported on Snowball Edge devices.
Following, you can find the other differences between Snowball Edge security groups and EC2 VPC security groups:
+ Each Snowball Edge device has a limit of 50 security groups.
+ The default security group allows all inbound and outbound traffic.
+ Traffic between local instances can use either the private instance IP address or a public IP address. For example, suppose that you want to connect using SSH from instance A to instance B. In this case, your target IP address can be either the public IP or private IP address of instance B, if the security group rule allows the traffic.
+ Only the parameters listed for AWS CLI actions and API calls are supported. These typically are a subset of those supported in EC2 VPC instances.
For more information about supported AWS CLI actions, see [List of supported EC2-compatible AWS CLI commands on a Snowball Edge](using-ec2-endpoint.md#list-cli-commands-ec2-edge). For more information on supported API operations, see [Supported Amazon EC2-compatible API operations on a Snowball Edge](using-ec2-endpoint.md#using-ec2-adapter-supported-api).
# Supported EC2-compatible instance metadata and user data on Snowball Edge
*Instance metadata* is data about your instance that you can use to configure or manage the running instance. Snowball Edge supports a subset of instance metadata categories for your compute instances. For more information, see [Instance metadata and user data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) in the Amazon EC2 User Guide.
The following categories are supported. Using any other categories returns a `404` error message.
**Supported instance metadata categories on a Snowball Edge device**
| Data | Description |
| --- | --- |
| ami-id | The AMI ID used to launch the instance. |
| hostname | The private IPv4 DNS hostname of the instance. |
| instance-id | The ID of this instance. |
| instance-type | The type of instance. |
| local-hostname | The private IPv4 DNS hostname of the instance. |
| local-ipv4 | The private IPv4 address of the instance. |
| mac | The instance's media access control (MAC) address. |
| network/interfaces/macs/mac/local-hostname | The interface's local hostname. |
| network/interfaces/macs/mac/local-ipv4s | The private IPv4 addresses associated with the interface. |
| network/interfaces/macs/mac/mac | The instance's MAC address. |
| network/interfaces/macs/mac/public-ipv4s | The Elastic IP addresses associated with the interface. |
| public-ipv4 | The public IPv4 address. |
| public-keys/0/openssh-key | Public key. Only available if supplied at instance launch time. |
| reservation-id | The ID of the reservation. |
| userData | Shell scripts to send instructions to an instance at launch. |
**Supported instance dynamic data categories on a Snowball Edge device**
| Data | Description |
| --- | --- |
| instance-identity/document | JSON containing instance attributes. Only instanceId, imageId, privateIp, and instanceType have values, and the other returned attributes are null. For more information, see [Instance Identity Documents](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html) in the Amazon EC2 User Guide. |
## Computer instance user data on Snowball Edge
Use shell scripts to access compute instance user data on a Snowball Edge device. Using shell scripts, you can send instructions to an instance at launch. You can change user data with the `modify-instance-attribute` AWS CLI command, or the `ModifyInstanceAttribute` API action.
**To change user data**
1. Stop your compute instance with the `stop-instances` AWS CLI command.
1. Using the `modify-instance-attribute` AWS CLI command, modify the `userData` attribute.
1. Restart your compute instance with the `start-instances` AWS CLI command.
Only shell scripts are supported for compute instances. There is no support for `cloud-init` package directives on compute instances running on a Snowball Edge device. For more information about working with AWS CLI commands, see the *[AWS CLI Command Reference](https://docs.aws.amazon.com/cli/latest/reference/).*
## Stopping EC2-compatible instances running on Snowball Edge
To avoid accidentally deleting the Amazon EC2-compatible instances that you create on a device, don't shut down your instances from the operating system. For example, don't use the `shutdown` or `reboot` commands. Shutting down an instance from within the operating system has the same effect as calling the [terminate-instances](https://docs.aws.amazon.com/cli/latest/reference/ec2/terminate-instances.html) command.
Instead, use the [stop-instances](https://docs.aws.amazon.com/cli/latest/reference/ec2/stop-instances.html) command to suspend Amazon EC2-compatible instances that you want to preserve.