Stuck with ‘can’t connect to EC2 Windows instance launched from custom AMI’? We can help you with this!
As a part of our AWS Support Services, we often receive similar requests from our AWS customers.
Today, let’s see the steps our Support Techs follow to help customers fix this connectivity issue with an EC2 Windows instance.
Can’t connect to EC2 Windows instance launched from custom AMI
For Amazon EC2 Windows instances launched from a public AMI, one of the following launch agents automatically generates the default Administrator account password at first boot and encrypts it with the instance’s key pair:
- EC2Config service – Windows Server 2012 R2 and earlier.
- EC2Launch service – Windows Server 2016 and later.
It is always better to change the default account password to a new password.
An instance launched from a custom AMI, however, inherits the Administrator password of the source instance. If we changed the default Administrator password on the source instance, every new instance launched from the AMI carries that same password.
Unless EC2Launch or EC2Config was configured to generate a new password on the next boot, the new instance never creates an encrypted password, so Get Windows Password (decrypting with the key pair file) has nothing to return.
We can regain access to the new instance by resetting its password, but any other instance launched from the same AMI will hit the same problem. The lasting fix is to run the EC2Launch or EC2Config initialization tasks on the source instance so that auto-generated passwords are enabled, and then create a fresh AMI.
1. Firstly, log in to the AWS Management Console and open the Amazon EC2 console.
2. Using RDP, connect to the original Windows EC2 instance (the source of the AMI).
3. From the Windows Start menu, open the launch agent settings:
For Windows Server 2016 or later, open EC2 Launch Settings.
For Windows Server 2012 R2 or earlier, open EC2ConfigService Settings, and then select the Image tab.
4. Under Administrator Password, select Random.
5. Select Shutdown without Sysprep *.
6. Select Yes to confirm.
7. Return to the Amazon EC2 console and select Instances.
8. Once the instance state changes to stopped, select the instance.
9. Select Actions, Image, Create image.
10. Enter an image name and click Create image.
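The same procedure, scripted instead of clicked through the GUI. This is an added example, not code from the original post or from AWS: part 1 runs on the source instance over RDP as Administrator, part 2 runs from a workstation with the AWS CLI. It assumes EC2Launch v1 (Windows Server 2016/2019, the agent the post names) whose settings file is LaunchConfig.json, with an alternative for EC2Config’s config.xml on 2012 R2; the instance ID, key pair name and AMI name are placeholders, and the claim that the Shutdown without Sysprep button is equivalent to scheduling InitializeInstance.ps1 and stopping is my reading of the agent’s behaviour, not something the post states.

```powershell
# ---------- Part 1: on the source instance, elevated PowerShell ----------
$launchCfg = 'C:\ProgramData\Amazon\EC2-Windows\Launch\Config\LaunchConfig.json'
$ec2Config = 'C:\Program Files\Amazon\Ec2ConfigService\Settings\config.xml'

if (Test-Path $launchCfg) {
    # EC2Launch (2016+): equivalent of choosing "Random" for Administrator Password.
    $cfg = Get-Content -Raw -Path $launchCfg | ConvertFrom-Json
    $cfg.adminPasswordType = 'Random'
    $cfg | ConvertTo-Json | Set-Content -Path $launchCfg -Encoding ascii

    # Re-arm first-boot initialization so a new password is generated and
    # encrypted with the key pair on the next boot (assumed: what the
    # "Shutdown without Sysprep" button schedules before it powers off).
    & 'C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1' -Schedule

    # Check before powering off: must print "Random".
    (Get-Content -Raw -Path $launchCfg | ConvertFrom-Json).adminPasswordType
}
elseif (Test-Path $ec2Config) {
    # EC2Config (2012 R2 and earlier): enable the Ec2SetPassword plugin, which is
    # the XML behind the Image tab's "Random" option.
    [xml]$x = Get-Content -Path $ec2Config
    $plugin = $x.Ec2ConfigurationSettings.Plugins.Plugin | Where-Object { $_.Name -eq 'Ec2SetPassword' }
    $plugin.State = 'Enabled'
    $x.Save($ec2Config)
}
else {
    throw 'Neither EC2Launch nor EC2Config found; this is not an AWS-provided Windows image.'
}

Stop-Computer -Force   # steps 5-6: shut down without Sysprep

# ---------- Part 2: from a workstation with the AWS CLI ----------
$instanceId = 'i-0123456789abcdef0'          # placeholder: the source instance
$keyName    = 'my-keypair'                   # placeholder: key pair used at launch
$keyFile    = '.\my-keypair.pem'             # placeholder: its private key file

aws ec2 wait instance-stopped --instance-ids $instanceId          # step 8
$amiId = aws ec2 create-image --instance-id $instanceId `         # steps 9-10
            --name 'win-base-randompw' --query 'ImageId' --output text
aws ec2 wait image-available --image-ids $amiId

# Prove the fix: launch a test instance from the new AMI and retrieve its
# password with the key pair, which is exactly what failed before.
$testId = aws ec2 run-instances --image-id $amiId --instance-type t3.medium `
            --key-name $keyName --query 'Instances[0].InstanceId' --output text
aws ec2 wait password-data-available --instance-ids $testId
aws ec2 get-password-data --instance-id $testId --priv-launch-key $keyFile `
            --query 'PasswordData' --output text
aws ec2 terminate-instances --instance-ids $testId | Out-Null
```

If get-password-data returns an empty string even after the wait, the agent did not run its password step on first boot; check C:\ProgramData\Amazon\EC2-Windows\Launch\Log\ (EC2Launch) or C:\Program Files\Amazon\Ec2ConfigService\Logs\ (EC2Config) on the test instance before re-imaging again. Treat the retrieved password as a bootstrap credential and change it at first login.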
From now on, every Amazon EC2 instance launched from this AMI generates its own Administrator password at first boot, and we can retrieve it with Get Windows Password and the key pair file.
* Shutting down with Sysprep instead would additionally standardize the AMI by removing instance-specific information such as the security identifier (SID), computer name and drivers. That is the option to use when we intend to launch multiple copies of the instance.
Important points to be noted:
- If the instance is instance store-backed or has instance store volumes holding data, that data is lost when the instance stops. Back up anything we want to keep from the instance store volumes first.
- Stopping and restarting the instance changes its public IP address. For external traffic routed to the instance, use an Elastic IP address rather than the public IP address.
- If the instance belongs to an Amazon EC2 Auto Scaling group, stopping it may cause the group to terminate it; the same applies to instances launched by services built on AWS Auto Scaling, such as Amazon EMR or AWS CloudFormation. Whether it is terminated depends on the group’s instance scale-in protection settings. So if the instance is part of an Auto Scaling group, remove it from the group temporarily before proceeding with the recovery.
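The three checks above as AWS CLI calls run from a workstation, so nothing is stopped before we know what it will cost. This is an added example, not code from the original post or from AWS. The instance ID is a placeholder; the instance store check relies on the AMI’s block device mappings (describe-instances lists only EBS volumes), and using Auto Scaling standby as the “remove temporarily” step is my choice, not something the post specifies.

```powershell
$instanceId = 'i-0123456789abcdef0'   # placeholder

$inst = aws ec2 describe-instances --instance-ids $instanceId `
          --query 'Reservations[0].Instances[0]' | ConvertFrom-Json

# 1. Instance store: root device and any ephemeral volumes mapped by the AMI.
if ($inst.RootDeviceType -ne 'ebs') {
    throw "Root device is $($inst.RootDeviceType): instance cannot be stopped, back up and rebuild instead."
}
$ephemeral = aws ec2 describe-images --image-ids $inst.ImageId `
               --query 'Images[0].BlockDeviceMappings[?VirtualName != null].DeviceName' --output text
if ($ephemeral) { Write-Warning "Instance store volumes $ephemeral will be wiped on stop; back them up first." }

# 2. Public IP: warn if external traffic may be pointing at an address that will change.
$eip = aws ec2 describe-addresses --filters "Name=instance-id,Values=$instanceId" `
         --query 'Addresses[0].PublicIp' --output text
if ($inst.PublicIpAddress -and $eip -eq 'None') {
    Write-Warning "Public IP $($inst.PublicIpAddress) is not an Elastic IP and will change after stop/start."
}

# 3. Auto Scaling: if the instance is in a group, park it in Standby so the group
#    neither replaces it nor terminates it while it is stopped.
$asgInst = aws autoscaling describe-auto-scaling-instances --instance-ids $instanceId `
             --query 'AutoScalingInstances[0]' | ConvertFrom-Json
if ($asgInst) {
    $asg = $asgInst.AutoScalingGroupName
    "In ASG $asg (scale-in protection: $($asgInst.ProtectedFromScaleIn)); entering Standby."
    aws autoscaling enter-standby --instance-ids $instanceId --auto-scaling-group-name $asg `
        --should-decrement-desired-capacity | Out-Null
    # After the recovery and restart:
    #   aws autoscaling exit-standby --instance-ids $instanceId --auto-scaling-group-name $asg
}

'Pre-flight checks done; safe to stop the instance.'
```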
[Need help with more AWS queries? We’d be happy to assist]
To conclude, today we discussed the steps our Support Engineers follow to help customers fix the ‘can’t connect to EC2 Windows instance launched from custom AMI’ issue.