VM Image Import Process on AWS

Prerequisites 

• If you have not already installed the AWS CLI, please follow the following document - WS Command Line Interface User Guide 

• For Windows: Install AWS CLI Tools for Windows https://docs.aws.amazon.com/cli/latest/userguide/install-windows.html 

Preparing the Image for upload 

• Customization to OS as required such as disabling Firewall, set a Local Admin Account and Note the Password for future use. (Standard customizations need to be listed. TBD)  

• Once all the Customization are done and the Windows 10 VM is ready as a Template, Save the VM as VHD Image 

AWS side preparation

Amazon S3 Bucket: 

• VM Import requires an Amazon S3 bucket to store your disk images, in the Region where you want to import your VMs. 

• You can create a bucket as follows or use an existing bucket if you prefer. 

Creating a S3 Bucket: 

• Open the Amazon S3 console - https://console.aws.amazon.com/s3/.  

• Choose Create Bucket.  

• In the Create a Bucket dialog box, do the following:  

1. For Bucket Name, type a name for your bucket. This name must be unique across all existing bucket names in Amazon S3. In some Regions, there might be additional restrictions on bucket names. For more information, see Bucket Restrictions and Limitations in the Amazon Simple Storage Service Developer Guide.  

2. For Region, select the Region that you want for your AMI.  

3. Choose Create. 

VM Import Service Role: 

• VM Import requires a role to perform certain operations in your account, such as downloading disk images from an Amazon S3 bucket. 

• You must create a role named vmimport with a trust relationship policy document that allows VM Import to assume the role, and you must attach an IAM policy to the role. 

• To Create the Service Role, create a file named trust-policy.json with the following policy:  

2. {  

3.    "Version": "2012-10-17",  

4.    "Statement": [  

5.       {  

6.          "Effect": "Allow",  

7.          "Principal": { "Service": "vmie.amazonaws.com" },  

8.          "Action": "sts:AssumeRole",  

9.          "Condition": {  

10.             "StringEquals":{  

11.                "sts:Externalid": "vmimport"  

12.             }  

13.          }  

14.       }  

15.    ]  }  

• You can save the file anywhere on your computer. Take note of the location of the file because you'll specify the file in the next step. 

• Use the create-role command to create a role named vmimport and give VM Import/Export access to it. Ensure that you specify the full path to the location of the trust-policy.json , and that you prefix file:// to it: 

>> aws iam create-role --role-name vmimport --assume-role-policy-document file://C:\import\trust-policy.json

• Create a file named role-policy.json with the following policy, where disk-image-file-bucket is the bucket where the disk images are stored (make sure you edit the file and give your bucket name): 

19. {  

20.    "Version":"2012-10-17",  

21.    "Statement":[  

22.       {  

23.          "Effect":"Allow",  

24.          "Action":[  

25.             "s3:GetBucketLocation",  

26.             "s3:GetObject",  

27.             "s3:ListBucket"   

28.          ],  

29.          "Resource":[  

30.             "arn:aws:s3:::disk-image-file-bucket",  

31.             "arn:aws:s3:::disk-image-file-bucket/*"  

32.          ]  

33.       },  

34.       {  

35.          "Effect":"Allow",  

36.          "Action":[  

37.             "ec2:ModifySnapshotAttribute",  

38.             "ec2:CopySnapshot",  

39.             "ec2:RegisterImage",  

40.             "ec2:Describe*"  

41.          ],  

42.          "Resource":"*"  

43.       }  

44.    ]  

}  

• Use the following put-role-policy command to attach the policy to the role created above. Ensure that you specify the full path to the location of the  role-policy.json. 

>> aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://C:\import\role-policy.json"  

Uploading Image on S3 bucket and running the import process 

• Upload your VM image file to your Amazon S3 bucket using the upload tool of your choice. We can also upload the VHD file through the S3 console Upload Option. 

• Create a file – containers.json. The following is the format of this file: 

[ 

  { 

    "Description": "Win10Enterprise", 

    "Format": "vhd", 

    "Url": "s3://win10vhd-oregon/win10e.vhd" 

  } 

]

• Make sure you edit the file accordingly with Disk format and the S3 URL where you have stored your image. 

• Use the AWS CLI command import-image to create import tasks. 

>> aws ec2 import-image --description "Win10Enterprise" --disk-containers file:///home/cloudshell-user/containers.json 

• if you are uploading a UEFI boot enabled image, then make sure to specify boot-mode: 

>> aws ec2 import-image --description "Win10Enterprise" --disk-containers file:///home/cloudshell-user/containers.json --boot-mode uefi 

• Once the Import is Successful, we will find an AMI under EC2 service AMI Page. 

Creating an Instance with the imported Image 

• In AWS Management Console under services > search/select EC2  > On the EC2 Service Page Left Side Go to > Images > AMIs. This is where the custom Win10 Image will show after successful Import from S3 Bucket.  

• Select the AMI and Click on Launch > Choose an Instance Type. 

• Configure Instance with specific VPC, Subnet, Public IP  

• Add storage and configure security Group to create and Launch an Instance (VM).  

Creating AMI with the required customizations  

• Once the Custom Image VM is ready, connect to the Instance with the Local Admin Account details from earlier and install the recommended Drivers as mentioned Below on the Instance.  

• For some operating systems, the device drivers for enhanced networking and NVMe block devices that are required by Nitro-based instances, are not installed automatically during import. To install these drivers manually, use the directions in the following documentation. Next, create a new AMI from the customized instance.  

(Recommended) Installing the Latest Version of EC2Config or Installing the Latest Version of EC2Launch  

Enabling Enhanced Networking on Windows Instances  

AWS NVMe Drivers for Windows Instances

• Once the required Drivers installed on the Win 10 Instance, Go To EC2 Service Page > Under Instances > Select the Instance > Actions > Stop  

• Next > Instance > Select the Instance > Actions > Image > Create Image.  

• Give Image Name, Description, Select Image Disk Size and click on Create Image. 

• Once the Image is Created Successfully, we will be able to see the Image Under EC2 > Images > AMIs  

• This AMI is now Ready to be used for launching supported Instance types in AWS EC2. 

Workspot Template 

• Deploy a new VM Instance from the AMI you just created. 

• Please follow the regular steps to install the Workspot Template Agent and Configure it. 

• Along with it, please proceed with installing your applications and making the cusotm changes that this template is required to have. 

• Shutdown the Template VM and do not forget to Tag the Template VM with Instance Tag in AWS console for the EC2 instance. 

Next, please proceed to create AMI from the Template VM. 

• Select the Template VM and drop the Actions button. 

• Under Images and Templates > Choose Create Image 

Provide a name for the AMI and Click on Create Image leaving all the other settings as default. 

After this you can proceed with registering the image on Control.