CtrlK
BlogDocsLog inGet started
Tessl Logo

giuseppe-trisciuoglio/developer-kit

Comprehensive developer toolkit providing reusable skills for Java/Spring Boot, TypeScript/NestJS/React/Next.js, Python, PHP, AWS CloudFormation, AI/RAG, DevOps, and more.

89

Quality

89%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Risky

Do not use without reviewing

Overview
Quality
Evals
Security
Files

constraints.mdplugins/developer-kit-aws/skills/aws-cloudformation/aws-cloudformation-ec2/references/

CloudFormation EC2 Constraints and Warnings

Resource Limits

  • Instance Limits: Maximum number of EC2 instances per region varies by account
  • ENI Limits: Each instance type has maximum ENI limits
  • Security Groups: Maximum 500 security groups per VPC
  • EBS Volumes: Maximum number of EBS volumes per account is 20 by default

Instance Constraints

  • Instance Type Availability: Not all instance types available in all regions/AZs
  • Instance Replacement: Changing instance type requires instance replacement
  • Tenancy Changes: Changing between default and dedicated tenancy requires replacement
  • Host Resource Group: Dedicated Hosts have specific allocation and utilization constraints

Storage Constraints

  • EBS Volume Limits: EBS volume size varies by volume type (gp3 up to 16 TB)
  • IOPS Limits: Provisioned IOPS (io1/io2) has specific IOPS per GB limits
  • Snapshot Costs: EBS snapshots incur storage costs even after source volume deletion
  • Throughput: Volume throughput limits vary by volume type and size

Network Constraints

  • ENI Limits: Each instance type has maximum ENI and IP address per ENI limits
  • Public IP Assignment: Public IP addresses are released on instance stop
  • Elastic IP Limits: Each account has limited number of Elastic IPs
  • Security Group Rules: Maximum 60 inbound and 60 outbound rules per security group

Security Constraints

  • Key Pairs: Key pairs cannot be recovered if lost; instance access lost
  • IAM Roles: Instance profile roles cannot be changed after instance creation
  • Password Authentication: Password authentication for EC2 is disabled by default; use key pairs
  • Metadata Service: IMDSv2 should be enabled; IMDSv1 has security vulnerabilities

Cost Considerations

  • Instance Costs: Instances incur costs while running; stopped instances may still incur EBS costs
  • EBS Costs: EBS volumes incur costs per GB-month even if not attached
  • Data Transfer: Data transfer out to internet incurs significant costs
  • Load Balancer Costs: ALBs/ELBs/NLBs incur hourly and per-GB data processing costs
  • Elastic IP: Unattached Elastic IPs incur small hourly costs

Availability Constraints

  • Spot Instances: Spot instances can be terminated with 2-minute notice
  • Reserved Instances: Reserved instances require commitment and have specific term limits
  • Availability Zones: Not all instance types available in all AZs
  • Capacity Limits: On-Demand capacity limits may prevent launching instances during high demand

CloudFormation-Specific Constraints

  • Stack Size: Maximum 500 resources per stack
  • Template Size: Maximum 51,200 bytes for templates uploaded directly to CloudFormation
  • Parameter Limits: Maximum 200 parameters per template
  • Mapping Limits: Maximum 100 mappings per template
  • Output Limits: Maximum 60 outputs per template
  • Resource Naming: Some resources require unique names within an account/region

Troubleshooting Common Issues

Instance Launch Failures

  • Invalid AMI ID: Verify AMI exists in the target region
  • Insufficient Capacity: Try different instance type or AZ
  • Security Group Rules: Ensure necessary ports are open
  • Key Pair Missing: Verify key pair exists in the region
  • IAM Permissions: Check EC2 role has required permissions

Network Connectivity Issues

  • Subnet Configuration: Verify subnet has route to internet gateway
  • Security Group Ingress: Check inbound rules allow required traffic
  • Network ACLs: Ensure NACLs allow traffic
  • Public IP Assignment: Verify subnet has MapPublicIpOnLaunch enabled

Stack Update Failures

  • Resource Conflicts: Check for name collisions with existing resources
  • Dependency Issues: Verify all referenced resources exist
  • IAM Permissions: Ensure CloudFormation has necessary permissions
  • Rollback Configuration: Consider disabling rollback for debugging

Best Practices for Avoiding Constraints

Capacity Planning

# Use multiple instance types for Spot Fleet
LaunchSpecifications:
  - InstanceType: t3.micro
    ImageId: !Ref AmiId
    WeightedCapacity: 1
  - InstanceType: t3.small
    ImageId: !Ref AmiId
    WeightedCapacity: 2
  - InstanceType: t3a.micro
    ImageId: !Ref AmiId
    WeightedCapacity: 1

Multi-AZ Deployment

# Deploy instances across multiple AZs
Resources:
  Instance1:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      SubnetId: !Ref Subnet1

  Instance2:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: !Select [1, !GetAZs '']
      SubnetId: !Ref Subnet2

Cost Optimization

# Use Spot Instances for non-critical workloads
Parameters:
  UseSpotInstances:
    Type: String
    Default: false
    AllowedValues:
      - true
      - false

Conditions:
  UseSpot: !Equals [!Ref UseSpotInstances, true]

Resources:
  SpotInstance:
    Type: AWS::EC2::SpotFleet
    Condition: UseSpot
    Properties:
      SpotFleetRequestConfigData:
        AllocationStrategy: capacity-optimized

Security Hardening

# Enable IMDSv2 for enhanced security
Resources:
  Ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      MetadataOptions:
        HttpTokens: required
        HttpPutResponseHopLimit: 1
        HttpEndpoint: enabled

Monitoring and Alerts

Set up CloudWatch alarms for critical metrics:

# CPU Utilization Alarm
CPUAlarm:
  Type: AWS::CloudWatch::Alarm
  Properties:
    AlarmDescription: Alarm if CPU > 90%
    MetricName: CPUUtilization
    Namespace: AWS/EC2
    Statistic: Average
    Period: 300
    EvaluationPeriods: 2
    Threshold: 90
    ComparisonOperator: GreaterThanThreshold

# Status Check Alarm
StatusCheckAlarm:
  Type: AWS::CloudWatch::Alarm
  Properties:
    AlarmDescription: Alarm for instance status checks
    MetricName: StatusCheckFailed
    Namespace: AWS/EC2
    Statistic: Average
    Period: 300
    EvaluationPeriods: 1
    Threshold: 1
    ComparisonOperator: GreaterThanOrEqualToThreshold

plugins

developer-kit-aws

skills

aws-cloudformation

aws-cloudformation-ec2

references

best-practices.md

constraints.md

ec2-instances.md

examples.md

load-balancers.md

reference.md

security-iam.md

template-structure.md

SKILL.md

README.md

CHANGELOG.md

context7.json

CONTRIBUTING.md

README_CN.md

README_ES.md

README_IT.md

README.md

tessl.json

tile.json