Create Windows 10 VHD and Import as EC2 AMI
In needing to test client configuration and keep them in the same domain as our server we recently needed to add some Windows 10 machines to EC2. It was a bit of a surprise that there were no AMIs available for Windows 10. Instead we needed to create our own VHD and import it as an AMI in our EC2 isntance.
Prepare VM
- Download and install Oracle VM Virtualbox
- Download your Windows 10 ISO file.
- Create a new Windows 10 VM
- When creating the hard drive make sure to choose the VHD format.
- I chose Fixed size for the storage on the hard disk. I have not tried using Dynamic.
- Give the hard drive at least 25GB go bigger if you can.
- Attach the ISO to your Virtual Machine and start it up.
- Run through the windows setup
- When prompted to either enter a windows account or a domain account choose domain account. You will be promoted to create a new user and password, this new user will be a local administrator on the machine, make sure to save this information.
- After you have completed the setup enable Remote Access to the machine. If you fail to do this now then you won't be able to connect later when you create the EC2 machine instance.
- Restart the machine and run Windows Update.
- Close the Virtual Machine
Install the AWS Command Line Utility
Upload the VHD File to S3
Create JSON Documents
These documents will be used to a role, assign rights, and import the vhd as an AMI. It's helpful to have all these documents in the same folder.
- Create a trust policy document which will create a new role and give that role the correct actions it will need to do the import. The file can be called role-trust.json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "vmie.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals":{ "sts:Externalid": "vmimport" } } } ] }
- Create a role policy document which will provide the role the security permissions it need to do the import. You can name the new file role-security.json, make sure the two places where YOURBUCKET is mentioned that you replace them with the name of your bucket where the VHD is located.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::YOURBUCKET" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::YOURBUCKET/*" ] }, { "Effect": "Allow", "Action":[ "ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*" ], "Resource": "*" } ] }
- Create another document which will describe the VHD which is going to be imported. Make sure to replace YOURBUCKET with the name of your bucket where the VHD is located. You can name this file image-container.json
[{ "Description": "Windows 10 Base Install 1709", "Format": "vhd", "UserBucket": { "S3Bucket": "YOURBUCKET", "S3Key": "Windows 10.vhd" } }]
Run Commands
- Open a command prompt As Administrator
- Navigate to the folder where you have the json document you created in the last step.
- Run this first command which will create the role
aws iam create-role --role-name vmimport --assume-role-policy-document file://role-trust.json
- Run this command which assign permissions needed by the role
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-security.json
- Run this command which will import the VHD
aws ec2 import-image --description "Windows 10 (1709)" --disk-containers file://image-container.json --region us-east-1
- It can take a while to import the VHD as an AMI, in my case it took about 1.5 hours.
- To see the status of your import run this command.
aws ec2 describe-import-image-tasks --region us-east-1
- When the import is completed the status will look like this. Make note of the ImageId tag. You will need this to find the AMI later when you want to launch an instance of the AMI.
Create EC2 Instance
Now that our VHD is an AMI we can create a new EC2 instance from it.
- You can quickly launch an instance of the AMI from AWS -> EC2 -> AMIs
- Select the AMI you created and click the Launch button. You can located the AMI by the ImageId you got from the completed status you received earlier.
- Make sure when you set up the security group for the Instance you allow port 3389 for RDP.
- When you log into the machine use the local administrator account you created when you set up the VM.
Great work on the recent project. Your brilliant problem-solving skills helped us to reach our targets much more quickly
ReplyDeletewindows setup
Have you been able to start a AMI like these as spot instance, which is so much cheaper ? I get "Spot instance requests are not supported for this AMI."
ReplyDelete