How to Move an EC2 Instance to a Different Region (us-east-1 → ap-northeast-2)
There is no "move" button for EC2 instances across AWS regions — regions are fully isolated fault domains, and AWS intentionally provides no direct instance migration API. The correct path is to capture your instance as an AMI, copy that AMI to the target region, and launch a new instance from it. This post walks you through every step, including the gotchas that trip up engineers the first time.
TL;DR
| Step | Action | Key Detail |
|---|---|---|
| 1 | Create AMI from source instance | Optionally stop instance first for filesystem consistency |
| 2 | Copy AMI to target region | aws ec2 copy-image --source-region us-east-1 --destination-region ap-northeast-2 |
| 3 | Prepare target region prerequisites | VPC, subnet, SG, key pair, instance profile |
| 4 | Launch new instance from copied AMI | Use aws ec2 run-instances in ap-northeast-2 |
| 5 | Validate & decommission source | Verify app health, then terminate old instance and deregister old AMI |
Why There Is No Direct Migration
AWS regions are physically separate infrastructure with independent control planes. An EC2 instance is bound to the Availability Zone it was launched in — its EBS volumes, ENIs, and placement groups are all region-local resources. The only portable artifact is an Amazon Machine Image (AMI), which encodes the root volume snapshot(s) and launch configuration metadata. Copying an AMI across regions replicates the underlying EBS snapshots to the target region's S3-backed snapshot store, making a fully independent copy.
Analogy: Think of your EC2 instance as a running application on a physical server in one data center. You cannot teleport the server. Instead, you take a disk image (AMI), ship that image to the new data center (copy-image), and boot a new server from it. The original server keeps running until you decide to shut it down.
Architecture: The Migration Flow
- Source Instance (us-east-1): Your running EC2 instance with attached EBS volumes.
- Create AMI: AWS snapshots all attached EBS volumes and registers an AMI in us-east-1. The instance can remain running (crash-consistent) or be stopped first (filesystem-consistent).
- Copy AMI: The copy-image API replicates the EBS snapshots to ap-northeast-2 and registers a new AMI there with a new AMI ID.
- Target Region Prerequisites: VPC, subnets, security groups, key pair, and instance profile must exist in ap-northeast-2 before launch.
- Launch New Instance: A new EC2 instance is launched from the copied AMI in ap-northeast-2.
- Decommission Source: After validation, terminate the old instance and clean up the source AMI and snapshots.
Step-by-Step Implementation
Step 1 — Create an AMI from the Source Instance
For the cleanest disk state, stop the instance before creating the AMI. If downtime is unacceptable, you can create a running-instance AMI (crash-consistent), but ensure your application handles this gracefully.
# Optional but recommended: stop the instance first
aws ec2 stop-instances \
--instance-ids i-0abcdef1234567890 \
--region us-east-1
# Wait until stopped
aws ec2 wait instance-stopped \
--instance-ids i-0abcdef1234567890 \
--region us-east-1
# Create the AMI
aws ec2 create-image \
--instance-id i-0abcdef1234567890 \
--name "migration-to-apne2-$(date +%Y%m%d)" \
--description "Pre-migration snapshot for ap-northeast-2" \
--no-reboot \
--region us-east-1
# Note the returned ImageId, e.g., ami-0source1234567890
Note on --no-reboot: If you already stopped the instance, --no-reboot is safe. If the instance is running and you pass --no-reboot, AWS will not reboot it before snapshotting — you get a crash-consistent image. Omitting --no-reboot on a running instance causes AWS to reboot it automatically for a cleaner snapshot.
Step 2 — Copy the AMI to ap-northeast-2
The copy-image call is made against the destination region's endpoint. The source region and source AMI ID are passed as parameters.
# Copy AMI from us-east-1 to ap-northeast-2
aws ec2 copy-image \
--source-region us-east-1 \
--source-image-id ami-0source1234567890 \
--name "migration-from-use1-$(date +%Y%m%d)" \
--description "Copied from us-east-1 for migration" \
--region ap-northeast-2
# Returns a new ImageId in ap-northeast-2, e.g., ami-0target9876543210
# Monitor copy progress (state must be 'available' before launch)
aws ec2 describe-images \
--image-ids ami-0target9876543210 \
--region ap-northeast-2 \
--query 'Images[0].State'
AMI copy duration depends on the total size of the EBS snapshots. Large volumes (hundreds of GBs) can take 30–60+ minutes. Poll describe-images until State is available.
Step 3 — Prepare Target Region Prerequisites
Resources are region-scoped. Nothing from us-east-1 automatically exists in ap-northeast-2. You must provision the following before launching:
| Resource | Action Required |
|---|---|
| VPC & Subnets | Create or use the default VPC in ap-northeast-2 |
| Security Groups | Recreate your SG rules in ap-northeast-2 (SGs are region-scoped) |
| Key Pair | Import or create a key pair in ap-northeast-2 (key pairs are region-scoped) |
| IAM Role & Instance Profile | IAM is a global service — your existing IAM role and its policies are available account-wide. However, you must ensure an instance profile referencing that role exists and is correctly associated when launching in ap-northeast-2. Instance profiles are IAM resources (global), but they must be explicitly specified at launch time in the target region. |
| Elastic IP (if needed) | EIPs are region-scoped; allocate a new one in ap-northeast-2 |
Step 4 — Launch the New Instance in ap-northeast-2
aws ec2 run-instances \
--image-id ami-0target9876543210 \
--instance-type t3.medium \
--key-name my-apne2-keypair \
--security-group-ids sg-0targetsg1234567 \
--subnet-id subnet-0targetsubnet123 \
--iam-instance-profile Name="MyExistingInstanceProfile" \
--tag-specifications \
'ResourceType=instance,Tags=[{Key=Name,Value=migrated-from-use1}]' \
--region ap-northeast-2
# Note: The instance profile (e.g., "MyExistingInstanceProfile") must already
# exist in your AWS account and reference the correct IAM role for EC2.
# IAM is global, so the same role/profile is accessible, but it must be
# explicitly specified here — it is NOT automatically attached.
Step 5 — Validate and Decommission
Before terminating anything in us-east-1, run a full validation checklist:
- ✅ Application health checks pass on the new instance's endpoint
- ✅ All expected processes are running (systemctl status, application logs)
- ✅ Data integrity verified (databases, file mounts, environment variables)
- ✅ DNS / load balancer updated to point to the new region endpoint
Once validated, clean up to avoid ongoing charges:
# Terminate source instance
aws ec2 terminate-instances \
--instance-ids i-0abcdef1234567890 \
--region us-east-1
# Deregister source AMI
aws ec2 deregister-image \
--image-id ami-0source1234567890 \
--region us-east-1
# Delete source snapshots (get snapshot IDs from describe-images first)
aws ec2 delete-snapshot \
--snapshot-id snap-0sourcesnap1234 \
--region us-east-1
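The cleanup order matters: the snapshot IDs have to be read from the source AMI before it is deregistered, and nothing in us-east-1 should be deleted while the copy is still pending. The following is an added example, not part of the original post; decommission_source_ami is a hypothetical helper name and the IDs in the usage comment are the post's placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. decommission_source_ami is a
# hypothetical helper. Returns 0 = cleaned up, 1 = target AMI not ready
# (nothing deleted), 2 = AWS call failed, 3 = some snapshots not deleted.
decommission_source_ami() {
    dsa_src_ami="$1"; dsa_src_region="$2"
    dsa_dst_ami="$3"; dsa_dst_region="$4"

    # Guard: never delete the source while the copy is unusable.
    dsa_state=$(aws ec2 describe-images --image-ids "$dsa_dst_ami" \
        --region "$dsa_dst_region" --output text \
        --query 'Images[0].State') || return 2
    if [ "$dsa_state" != "available" ]; then
        echo "target $dsa_dst_ami is '$dsa_state'; source left intact" >&2
        return 1
    fi

    # Capture snapshot IDs BEFORE deregistering; once the AMI is gone its
    # block device mappings can no longer be read from describe-images.
    dsa_snaps=$(aws ec2 describe-images --image-ids "$dsa_src_ami" \
        --region "$dsa_src_region" --output text \
        --query 'Images[0].BlockDeviceMappings[].Ebs.SnapshotId') || return 2

    aws ec2 deregister-image --image-id "$dsa_src_ami" \
        --region "$dsa_src_region" || return 2

    # Snapshots can only be deleted after the AMI that uses them is gone.
    dsa_rc=0
    for dsa_snap in $dsa_snaps; do
        aws ec2 delete-snapshot --snapshot-id "$dsa_snap" \
            --region "$dsa_src_region" || {
            echo "could not delete $dsa_snap" >&2; dsa_rc=3; }
    done
    return "$dsa_rc"
}

# Usage (IDs are the post's placeholders):
# decommission_source_ami ami-0source1234567890 us-east-1 \
#   ami-0target9876543210 ap-northeast-2
```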
Encryption Considerations
If your source EBS volumes are encrypted with an AWS KMS key, the copy-image operation requires that you specify a KMS key in the target region. KMS keys are region-scoped — your us-east-1 KMS key cannot be used directly in ap-northeast-2.
aws ec2 copy-image \
--source-region us-east-1 \
--source-image-id ami-0source1234567890 \
--name "encrypted-migration" \
--encrypted \
--kms-key-id arn:aws:kms:ap-northeast-2:123456789012:key/your-target-key-id \
--region ap-northeast-2
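Before launching from the copy, it is worth confirming that the AMI is available and that every snapshot behind it is actually encrypted with the target-region key you intended. The following is an added example, not part of the original post; verify_copied_ami is a hypothetical helper name, and it assumes you pass the full key ARN, which is the form describe-snapshots reports in KmsKeyId.

```shell
#!/bin/sh
# Added example, not from the original post. verify_copied_ami is a
# hypothetical helper; pass your copied AMI ID, region and full KMS key ARN.
# Returns 0 = all snapshots encrypted with that key, 1 = policy violation,
# 2 = AWS call failed or nothing to check.
verify_copied_ami() {
    vca_ami="$1"; vca_region="$2"; vca_key_arn="$3"

    # Block until the copy finishes (state 'available').
    aws ec2 wait image-available --image-ids "$vca_ami" \
        --region "$vca_region" || return 2

    # Snapshot IDs behind the AMI's EBS mappings (tab-separated text).
    vca_snaps=$(aws ec2 describe-images --image-ids "$vca_ami" \
        --region "$vca_region" --output text \
        --query 'Images[0].BlockDeviceMappings[].Ebs.SnapshotId') || return 2
    [ -n "$vca_snaps" ] || return 2

    # One row per snapshot: <SnapshotId> <True|False> <KmsKeyId|None>
    # $vca_snaps is intentionally unquoted so each ID becomes one argument.
    vca_rows=$(aws ec2 describe-snapshots --snapshot-ids $vca_snaps \
        --region "$vca_region" --output text \
        --query 'Snapshots[].[SnapshotId,Encrypted,KmsKeyId]') || return 2
    [ -n "$vca_rows" ] || return 2

    vca_bad=0
    while read -r vca_id vca_enc vca_key; do
        if [ "$vca_enc" != "True" ]; then
            echo "UNENCRYPTED: $vca_id" >&2; vca_bad=1
        elif [ "$vca_key" != "$vca_key_arn" ]; then
            echo "WRONG KEY: $vca_id uses $vca_key" >&2; vca_bad=1
        fi
    done <<EOF
$vca_rows
EOF
    return "$vca_bad"
}

# Usage (IDs are the post's placeholders):
# verify_copied_ami ami-0target9876543210 ap-northeast-2 \
#   arn:aws:kms:ap-northeast-2:123456789012:key/your-target-key-id
```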
IAM Permissions Required
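The IAM principal executing Steps 1 through 4 needs the following minimum permissions (least privilege). The policy below does not grant the Step 5 cleanup actions (ec2:TerminateInstances, ec2:DeregisterImage, ec2:DeleteSnapshot), and copying an encrypted AMI additionally requires permissions on the KMS keys involved; grant those separately, scoped as narrowly as possible: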
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateAMISource",
"Effect": "Allow",
"Action": [
"ec2:CreateImage",
"ec2:StopInstances",
"ec2:DescribeInstances",
"ec2:DescribeImages"
],
"Resource": "*",
"Condition": {
"StringEquals": {"aws:RequestedRegion": "us-east-1"}
}
},
{
"Sid": "CopyAMITarget",
"Effect": "Allow",
"Action": [
"ec2:CopyImage",
"ec2:DescribeImages",
"ec2:RunInstances",
"ec2:CreateTags"
],
"Resource": "*",
"Condition": {
"StringEquals": {"aws:RequestedRegion": "ap-northeast-2"}
}
},
{
"Sid": "PassInstanceProfile",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::123456789012:role/YourEC2InstanceRole"
}
]
}
Common Pitfalls
| Pitfall | Impact | Fix |
|---|---|---|
| Launching before AMI state is available | Launch fails | Poll describe-images or use aws ec2 wait image-available |
| Forgetting to recreate security groups | Instance unreachable | Export SG rules and recreate in ap-northeast-2 before launch |
| Key pair not imported to target region | Cannot SSH | Import public key to ap-northeast-2 via import-key-pair |
| KMS key not available in target region | copy-image fails for encrypted volumes | Create or use an existing KMS key in ap-northeast-2 |
| Not specifying instance profile at launch | Instance has no IAM role attached | Explicitly pass --iam-instance-profile in run-instances |
| Leaving source AMI/snapshots after migration | Ongoing EBS snapshot storage charges | Deregister AMI and delete snapshots post-validation |
Glossary
| Term | Definition |
|---|---|
| AMI (Amazon Machine Image) | A template containing the OS, application, and configuration used to launch EC2 instances. The only portable unit for cross-region EC2 migration. |
| EBS Snapshot | A point-in-time backup of an EBS volume stored in S3-backed infrastructure. AMIs reference one or more snapshots. |
| Instance Profile | An IAM container that passes an IAM role to an EC2 instance at launch. IAM is global, but the profile must be explicitly specified per launch. |
| copy-image | The EC2 API action that replicates an AMI (and its underlying snapshots) from one region to another. |
| KMS CMK (Customer Managed Key) | A region-scoped encryption key in AWS Key Management Service. Cross-region AMI copies of encrypted volumes require a KMS key in the target region. |
Next Steps
- 📖 AWS Docs: Copying an AMI
- 📖 AWS Docs: Create an AMI from an Amazon EBS-backed instance
- 🔁 For repeated cross-region deployments, consider codifying this process with AWS CloudFormation StackSets or HashiCorp Packer to build region-agnostic AMIs from the start.
- 🔒 If you manage many regions, evaluate AWS Image Builder for automated, multi-region AMI pipelines.