Create AWS EC2 Launch Templates Without Public IP Access

Learn how to create AWS EC2 launch templates and block public access by configuring your launch template settings.

Patrick Londa
Author
Jan 4, 2023
 • 
4
 min read
Share this post

Launch templates guide how your AWS EC2 Auto Scaling groups launch new instances. By default, the network interface settings on launch templates signals to the Auto Scaling group to auto-assign a public IP address to new instances. 

Depending on your use case, having public IP addresses assigned to your instances may pose an unacceptable security risk.

In this guide, we’ll show you how you can create launch templates that disable public IP address assignment using the AWS Console and the AWS CLI tool.

Setting a Launch Template to Never Assign Public IP Addresses

Before we start, if you are still using launch configurations currently instead of launch templates, you should migrate to launch templates. AWS is encouraging all customers to make this change because, unlike launch configurations, launch templates can be versioned and will support new instance types.

Now, let’s walk through the steps for creating a new launch template with public IP address assignment disabled. 

Using the AWS Console:

1. Open the EC2 console.

2. Go to the navigation pane, look for the Instances option, then choose Launch Templates.

3. Select Create launch template, then enter a name and description for the initial launch template version.

4. Go to Auto Scaling guidance. Select the checkbox there to let Amazon EC2 guide you in creating an Amazon EC2 Auto Scaling template.

5. Go to Launch template contents and fill out all required or optional fields as needed.

  • Application and OS Images (Amazon Machine Image)
  • Instance Type
  • Key pair (login)
  • Resource tags

6. Next, you’ll need to change the default network interface settings. Under Network settings, expand Advanced network configuration. Click Add network interface.

7. You’ll see settings like Device index, Network interface, Description, Subnet, and more. You will probably want to keep most of these set to their defaults. You can also specify Security groups here that are already configured for the VPCs where your Auto Scaling group will launch new instances.

8. For the Auto-assign public IP option, select Disable to override the subnet’s default setting of assigning public IPv4 addresses to new instances.

9. If you need to make other modifications, you can configure the following options under the advanced configuration settings.

10. Now that you’ve filled out your template details, select Create Launch template.

You’ve created your launch template successfully. To put it into practice, you can either select Create Auto Scaling group from the confirmation page, or update an existing Auto Scaling group to use your new launch template or new template version. We’ll show how to update an existing Auto Scaling group later in this post.

Using the AWS CLI:

To do this same task with the AWS CLI, you can use the create-launch-template command. You’ll be able to specify the same settings as if you used the console.

You can block public IP address assignment by specifying the AssociatePublicIpAddress parameter as false.

Here’s an example of using this command to create a launch template that does not assign a public IP address:

aws ec2 create-launch-template \
   --launch-template-name DemoTemplate \
   --version-description AutoScalingVersion1 \
   --launch-template-data '{"NetworkInterfaces":[{"DeviceIndex":0,"AssociatePublicIpAddress":false,"Groups":["sg-7c701922,sg-400309f8"],"DeleteOnTermination":true}],"ImageId":"ami-b49902de","InstanceType":"m4.large","TagSpecifications":[{"ResourceType":"instance","Tags":[{"Key":"environment","Value":"development"},{"Key":"purpose","Value":"webserver"}]},{"ResourceType":"volume","Tags":[{"Key":"environment","Value":"development"},{"Key":"cost-center","Value":"cc345"}]}],"BlockDeviceMappings":[{"DeviceName":"/dev/sda22","Ebs":{"VolumeSize":200}}]}' --region us-east-4

This command also uses the Groups parameter to specify that your Auto Scaling group launches new instances into VPCs related to that security group.

You’ll get an output that looks like this:

{
    "LaunchTemplate": {
        "LatestVersionNumber": 1,
        "LaunchTemplateId": "lt-0123c71c33a84e0akc",
        "LaunchTemplateName": "DemoTemplate",
        "DefaultVersionNumber": 1,
        "CreatedBy": "arn:aws:iam::123456789012:user/Jimmy",
        "CreateTime": "2021-04-30T18:16:06.000Z"
    }
}

Now that you have a new launch template version with public IP address assignment disabled, you can use the update-auto-scaling-group command to assign the new launch template version to the Auto Scaling group.

Here’s an example of that command:

aws autoscaling update-auto-scaling-group \
    --auto-scaling-group-name demo-asg \
    --launch-template LaunchTemplateId=lt-0123c71c33a84e0akc,Version='$Latest'

Checking Whether Launch Templates Assign Public IP Addresses with Blink

If you want to see which of your launch templates have public IP address assignment enabled, you can manually check the details of each, make updates one-by-one, and then update their related Auto Scaling group to use the new secured version. It’s very manual, time-intensive, and you’ll need to do it over and over again to ensure compliance.

With Blink, you can publish a no-code automation to regularly check if your launch templates have public IP assignment enabled. You can send a report with all the relevant launch templates to Slack, approve an action step to make network setting updates to the template, then update the related Auto Scaling group to reference the new version.

Get started with Blink and run security checks automatically today.