Mount EBS volume

extend increase disk size


Create the EFS file system, but use a new nfs-security-group (you can see it later on the Network tab) and allow incoming connections for NFS (port 2049) from your instances.

Click on Attach to see the command to mount using the EFS mount helper. Install the helper:

sudo apt-get update
sudo apt-get -y install git binutils
git clone
cd efs-utils
sudo apt-get -y install ./build/amazon-efs-utils*deb


sudo mount -t efs fs-b95a6d4c:/ efs

If the mount times out, it means that nfs-security-group needs an inbound rule of type NFS (port 2049) for the source that the EC2 instance belongs to.

Permanently mount automatically on reboot

# /etc/fstab
fs-b95a6d4c:/ /home/ubuntu/efs efs defaults,_netdev,tls 0 0

Elastic load balancer

The Classic load balancer looks at the IP address and port (OSI Layer 4).

The Application Load Balancer (ALB) looks at the URL (OSI Layer 7).

# list instances
cap production elbas:ssh

It could be that new instances are started from an old image, and that prevents capistrano from deploying code to all instances. You can go to the auto scaling group, set the maximum capacity to 1 and then deploy.

Static IP address on load balancer

It can be done on a Network Load Balancer.

Q: How does Network Load Balancer compare to what I get with the TCP listener on a Classic Load Balancer?

A: Network Load Balancer preserves the source IP of the client which in the Classic Load Balancer is not preserved. Customers can use proxy protocol with Classic Load Balancer to get the source IP. Network Load Balancer automatically provides a static IP per Availability Zone to the load balancer and also enables assigning an Elastic IP to the load balancer per Availability Zone. This is not supported with Classic Load Balancer.

Auto scaling groups (ASG)

AWS Autoscaling Autoscaling and Load Balancing in AWS AWS Training Edureka What are AWS Load Balancer, Auto Scaling and Route 53 | AWS Tutorial | Edureka | AWS Rewind - 4

A launch configuration includes:

  • AMI (Amazon Machine Image, it is a bootable copy of a snapshot: only a copy) + instance type (t2.micro)
  • EC2 user data
  • EBS volumes
  • Security groups
  • SSH Key Pair

Scaling policies use CloudWatch alarms or EC2 managed rules: average CPU usage, number of requests on the ELB per instance, average network in, or a custom metric (number of connected users, using the PutMetric API from our app to CloudWatch).


When we use an ELB (ALB/NLB) and enable an HTTPS/TLS listener on port 443, then we have to keep the certificates on the load balancer, i.e. we need to copy and paste them or use AWS Certificate Manager (ACM) to keep the certs.

There is a post about using passthrough so that SSL is terminated on the server (lsyncd and restarting services when we update certs), but that is for Digital Ocean. Does it also depend on the http-01 or dns-01 challenge (lexicon)? Renewing should happen on one instance (the LB should forward the check path to it).

API to upload to iam import acm Amazon Certificate Manager import to iam script to generate and upload cert

sudo snap install --classic aws-cli

To import (upload) a certificate to ACM we need AWSCertificateManagerFullAccess permissions.

# list certificates
AWS_CONFIG_FILE=~/efs/.dns_keys aws acm list-certificates

# uploading certificate
cd /etc/letsencrypt/live/
sudo su
AWS_CONFIG_FILE=/home/ubuntu/efs/.dns_keys aws acm import-certificate --certificate fileb://cert.pem --certificate-chain fileb://chain.pem --private-key fileb://privkey.pem
# this command returns the ARN, which we have to use to set up the ELB certificate
    "CertificateArn": "arn:aws:acm:us-east-1:219232999684:certificate/369b84d6-4527-49ed-8fc1-27004561f4da"
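
After a Let's Encrypt renewal the same files can be re-imported under the ARN returned by the first import, so the ARN already set on the listener keeps working. The script below is an added example, not part of the original notes; `LIVE_DIR`, `CERT_ARN` and `AWS_CMD` are assumed names, and it relies on the real `--certificate-arn` option of `aws acm import-certificate`.

```shell
#!/bin/sh
# Added example, not from the original notes. LIVE_DIR, CERT_ARN and AWS_CMD are
# assumed names; set AWS_CMD=echo for a dry run that only prints the aws call.
# AWS_CONFIG_FILE is inherited from the environment, as in the commands above.
set -eu
AWS_CMD="${AWS_CMD:-aws}"

# True when the key (symlinks followed) has no group/other permission bits.
key_is_private() {
  [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Import cert.pem, chain.pem and privkey.pem from directory $1 into ACM.
# With an ARN in $2 the certificate is re-imported in place, so the ARN
# already set on the load balancer listener stays valid after a renewal.
import_cert() {
  dir=$1
  arn=${2:-}
  for f in cert.pem chain.pem privkey.pem; do
    if [ ! -r "$dir/$f" ]; then
      echo "missing or unreadable: $dir/$f" >&2
      return 1
    fi
  done
  if ! key_is_private "$dir/privkey.pem"; then
    echo "refusing: $dir/privkey.pem is accessible to group or others" >&2
    return 1
  fi
  set -- acm import-certificate \
    --certificate "fileb://$dir/cert.pem" \
    --certificate-chain "fileb://$dir/chain.pem" \
    --private-key "fileb://$dir/privkey.pem"
  if [ -n "$arn" ]; then
    set -- "$@" --certificate-arn "$arn"
  fi
  $AWS_CMD "$@"
}

# Runs only when LIVE_DIR is set, e.g.
#   LIVE_DIR=/etc/letsencrypt/live/<your-domain> CERT_ARN=<arn from first import> sh import.sh
if [ -n "${LIVE_DIR:-}" ]; then
  import_cert "$LIVE_DIR" "${CERT_ARN:-}"
fi
```

Run it once without `CERT_ARN` to get the ARN, then pass that ARN on every renewal.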

Set the certificate on the ELB (we need AmazonEC2FullAccess):

aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-load-balancer --load-balancer-port 443 --ssl-certificate-id arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

For Network Load Balancers use elbv2 instead of elb:

AWS_CONFIG_FILE=/home/ubuntu/efs/.dule_keys aws elbv2 add-listener-certificates --listener-arn arn:aws:elasticloadbalancing:us-east-1:219232999684:listener/net/elb-trk/0b0c954a93bd6917/7cdcf7185ab7a1ec --certificates CertificateArn=arn:aws:acm:us-east-1:219232999684:certificate/369b84d6-4527-49ed-8fc1-27004561f4df

# I got an error when I tried to set IsDefault=true
An error occurred (ValidationError) when calling the AddListenerCertificates operation: You cannot set the isDefault parameter for a certificate.