AWS EC2 Guide
End-to-end guide for installing EderaON on an AWS EC2 instance.
Prerequisites
- An EderaON account with an active license
- AWS CLI installed and configured with permissions to launch EC2 instances
- An SSH key pair in your target region. If you don’t have one:
aws ec2 create-key-pair --key-name edera-key --query 'KeyMaterial' --output text > edera-key.pem
chmod 400 edera-key.pem
Run aws configure (or aws login for SSO) before proceeding. You’ll need your access key ID, secret, and default region.
Launch an EC2 instance
EderaON requires UEFI boot mode. The following OS and instance type combinations are supported:
| OS | Instance Types | Notes |
|---|---|---|
| Ubuntu 24.04 LTS | m5.large or larger | Default AMI boots UEFI |
| Amazon Linux 2023 | m5.large or larger | Default AMI boots UEFI |
| CentOS Stream 9 | t3.large or larger | Use UEFI AMI from AWS Marketplace |
| RHEL 10 | t3.large or larger | Use UEFI AMI from AWS Marketplace |
Get your key name
The --key-name flag takes the key pair name as registered in AWS, not the local .pem filename. To look it up:
aws ec2 describe-key-pairs --query 'KeyPairs[*].KeyName' --output text
Get your subnet ID
Any subnet in your VPC works for basic evaluation. To list available subnets:
aws ec2 describe-subnets --query 'Subnets[*].[SubnetId,AvailabilityZone]' --output table
Set up a security group
Your security group must allow inbound SSH (port 22) from your IP. To create one:
# Create the security group
aws ec2 create-security-group \
--group-name ederaon-sg \
--description "EderaON evaluation"
# Allow SSH from your current IP
aws ec2 authorize-security-group-ingress \
--group-name ederaon-sg \
--protocol tcp \
--port 22 \
--cidr "$(curl -s https://checkip.amazonaws.com)/32"
To check the rules on an existing security group:
aws ec2 describe-security-groups --group-ids <YOUR_SG_ID> \
--query 'SecurityGroups[*].IpPermissions'
Example: Ubuntu 24.04
aws ec2 run-instances \
--image-id ami-0d76b909de1a0595d \
--instance-type m5.large \
--key-name <YOUR_KEY_NAME> \
--security-group-ids <YOUR_SG_ID> \
--subnet-id <YOUR_SUBNET_ID> \
--associate-public-ip-address \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=ederaon-test}]'
The AMI ID above is for us-west-2. Find the latest Ubuntu 24.04 AMI for your region on Ubuntu Cloud Images.
Connect to your instance
Once the instance is running, get its public IP:
aws ec2 describe-instances --filters "Name=tag:Name,Values=ederaon-test" \
--query 'Reservations[*].Instances[*].PublicIpAddress' --output text
Then connect:
chmod 400 <YOUR_KEY_FILE>.pem
ssh -i <YOUR_KEY_FILE>.pem ubuntu@<INSTANCE_IP>
chmod 400 is required — SSH will refuse to use a key file that is readable by others.
For more SSH options, see the AWS guide to connecting via SSH.
Install Docker
SSH into your instance and install Docker:
sudo apt-get update && sudo apt-get install -y docker.io nftables
sudo systemctl start docker
Install EderaON
Follow Step 3: Install from the Getting Started guide to run edera-check, authenticate, install, verify, and launch your first zone.
Clean up
When you’re done evaluating, terminate the instance and delete the security group:
aws ec2 terminate-instances --instance-ids <INSTANCE_ID>
aws ec2 delete-security-group --group-id <YOUR_SG_ID>
Troubleshooting
Instance unreachable after reboot
If you can’t SSH after the installer reboots:
- Wait 2-3 minutes — Xen boot takes longer than a normal boot
- Check the EC2 serial console for boot errors
- Verify the instance is in UEFI boot mode (BIOS mode is not supported)
Daemon not starting
Check the daemon logs:
sudo journalctl -u protect-daemon -n 50
Common issues:
- “no viable machine identifiers” — The instance may be in BIOS boot mode. Terminate and relaunch with a UEFI-compatible AMI.
- Xen not present (/proc/xen missing) — GRUB booted into the stock kernel instead of Xen. Check sudo grub-editenv list and verify the saved entry matches a Xen menu entry.
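The two causes above can be told apart from a shell on the instance. The script below is an added example, not part of the EderaON documentation or tooling: it relies on the standard Linux behaviour that /sys/firmware/efi exists only after a UEFI boot, and it assumes (unverified) that a Xen GRUB entry has "xen" somewhere in its name. The function names, the root-prefix argument and the --live flag are hypothetical.

```shell
#!/bin/sh
# Added triage sketch for the "Daemon not starting" causes listed above.
# The optional root prefix lets the checks run against a fake filesystem
# tree; on a real instance it is left empty so the real /sys and /proc are used.

# Print "uefi" if the kernel exposes EFI runtime data, otherwise "bios".
boot_mode() {
    if [ -d "${1:-}/sys/firmware/efi" ]; then echo uefi; else echo bios; fi
}

# Succeed if /proc/xen exists under the given root prefix.
xen_present() {
    [ -e "${1:-}/proc/xen" ]
}

# Extract saved_entry from `grub-editenv list` output passed in as text.
saved_entry() {
    printf '%s\n' "$1" | sed -n 's/^saved_entry=//p' | head -n 1
}

# Print one verdict line: bios-boot, stock-kernel, or ok.
triage() {
    root="${1:-}"; grubenv="${2:-}"
    if [ "$(boot_mode "$root")" = bios ]; then
        echo "bios-boot: relaunch with a UEFI-compatible AMI"
    elif ! xen_present "$root"; then
        entry=$(saved_entry "$grubenv")
        case "$entry" in
            # Assumption: Xen menu entries contain "xen" in their name.
            *[Xx][Ee][Nn]*) echo "stock-kernel: saved entry '$entry' names Xen but Xen did not boot" ;;
            *) echo "stock-kernel: saved entry '${entry:-<unset>}' is not a Xen entry" ;;
        esac
    else
        echo "ok: UEFI boot with Xen present"
    fi
}

# Run against the live system only when asked to (use sudo if grubenv is not readable).
if [ "${1:-}" = "--live" ]; then
    triage "" "$(grub-editenv list 2>/dev/null)"
fi
```

A bios-boot verdict corresponds to the “no viable machine identifiers” case, and a stock-kernel verdict to the missing /proc/xen case.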
Need help?
- File an issue on GitHub