I would like to auto-assign an EIP to an instance when it is started. I know I can write a script to stop/start the instance and assign the EIP I want using the EC2 tools, but that depends on me stopping/starting the server. In the case of an EC2 outage or hardware failure where Amazon stops/starts my instance, the EIP would not be reassigned.

I asked someone this question before and they cryptically mentioned that it could be done via script from inside the box after boot. Then they went offline so I could not follow up.

Is there any way to tie an EIP to an instance at boot time?


3 Answers


You can do it with something like this, in the /etc/rc.local on the server in question:

ec2-associate-address --private-key /root/private_key.pem --cert /root/public_key.pem <eip-address> -i `curl
  • Beauty, thanks. I am new to EC2 and just becoming aware of the meta data repository. Very useful stuff. – jdw Sep 28 '11 at 22:21
  • The above is only an option if you are willing to put AWS credentials on the instance itself (often considered a security risk). – Eric Hammond Sep 29 '11 at 00:34
  • For a solution to the credentials issue, see http://serverfault.com/a/368537/2111 – timday Mar 11 '12 at 17:27

Use a VPC, then you won't have to worry about that problem.

Here is a bash function I wrote to change the EIP on any VPC instance by using the friendly Name tag. You can also specify a default region, or add it to the command.

#change vpc instance public IP address (EIP -> NIC|INSTANCE)
#usage "changeip [instance friendly tag=Name] [region]"
#example "changeip my.instance us-west-1"
#default region is us-west-1 (you must include --region for $region default)
#for VPC instances only
function changeip {
    if [[ ! $1 ]]; then
        echo 'Error : You must provide tag name for instance'
        echo 'Example:  changeip [friendly name]'
        return 1
    fi
    name=$1
    if [[ $2 ]]; then
        region='--region '$2
        echo 'Using region '$2
    else
        region='--region us-west-1' #sets default region
        echo 'Using default '$region
    fi
    #look up the instance id from its Name tag (TAG line, third column)
    instance=$(ec2-describe-instances $region | grep Name | grep "$name" | cut -f3)
    if [[ ! $instance =~ ^('i-'[A-Za-z0-9]*)$ ]]; then
        echo 'Error : Getting the instance id'
        echo $instance
        return 1
    fi
    echo 'Applying to '$1 '=> '$instance
    echo 'Please wait....'
    #allocate a new VPC EIP
    ip_new=$(ec2-allocate-address $region -d vpc | cut -f2)
    if [[ ! $ip_new =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        echo 'Error : Getting a new IP address'
        echo $ip_new
        return 1
    fi
    #allocation id (eipalloc-) of the new address
    new_idas=$(ec2-describe-addresses $region $ip_new | cut -f 5)
    if [[ ! $new_idas =~ ^('eipalloc-'[A-Za-z0-9]*)$ ]]; then
        echo 'Error : Getting New IP allocation id eipalloc'
        echo $new_idas
        return 1
    fi
    #address currently attached to the instance
    ip_old=$(ec2-describe-addresses $region | grep $instance | cut -f2)
    if [[ ! $ip_old =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        echo 'Error : Getting old IP address'
        echo $ip_old
        return 1
    fi
    #association id (eipassoc-) needed to disassociate the old address
    id_dis=$(ec2-describe-addresses $region $ip_old | cut -f 6)
    if [[ ! $id_dis =~ ^('eipassoc-'[A-Za-z0-9]*)$ ]]; then
        echo 'Error : Disassociating Old IP'
        echo $id_dis
        return 1
    fi
    #allocation id (eipalloc-) needed to release the old address
    id_release=$(ec2-describe-addresses $region $ip_old | cut -f 5)
    if [[ ! $id_release =~ ^('eipalloc-'[A-Za-z0-9]*)$ ]]; then
        echo 'Error : Release Old IP'
        echo $id_release
        return 1
    fi
    ec2-disassociate-address $region -a $id_dis >> /dev/null
    sleep 8
    ec2-release-address $region -a $id_release >> /dev/null
    ec2-associate-address $region -i $instance -a $new_idas >> /dev/null
    echo 'SUCCESS!'
    echo 'Old = '$ip_old
    echo 'New = '$ip_new
}

Agree with Eric, that option is not wise in terms of security. Another option would be to have another machine, with credentials in it, in charge of responding to requests from other machines. E.g.: Machine with my credential is EC2-1. You launch perhaps 2 machines to run your web servers, EC2-2 and EC2-3. When they bootstrap, they can "signal" this to EC2-1, which in turn will run the API call to associate EC2-2 and EC2-3 to two Elastic IPs. This way, you have to make EC2-1 VERY secure, and you are not at risk with the other machines.



  • I thought about what @Eric Hammond mentioned last night and decided that putting my certs/keys on the servers in question was not acceptable because they are public web servers. However, this solution of having my servers call home to initiate an EIP association request fits very nicely with my infrastructure. I currently have a management server doing all sorts of tasks like this, so it makes perfect sense for it to also do the EIP association. Thanks. – jdw Sep 29 '11 at 13:20
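A sketch of the management-host side of the "call home" design above, added here as an example and not code from the answer or the commenter: EC2-1 receives only an instance id from a web server, checks it against its own allowlist of instance-to-allocation pairs, and only then runs ec2-associate-address, so a web server cannot steer an EIP anywhere it likes. The region, instance ids and eipalloc ids are constructed, and the transport that delivers the id (ssh, HTTP, a queue) is assumed and not shown.

```shell
#!/bin/sh
# Runs on the management host EC2-1, which is the only machine holding AWS
# credentials. DRY_RUN=1 prints the command instead of calling the EC2 tools.
REGION="us-west-1"                 # constructed default
DRY_RUN="${DRY_RUN:-1}"            # set to 0 on the real management host

# Allowlist, kept on EC2-1 only: instance id -> EIP allocation id (constructed).
EIP_MAP="i-0123abcd=eipalloc-aaaa1111
i-0456ef01=eipalloc-bbbb2222"

# Print the allocation id for an instance id; fail for anything not allowed.
lookup_alloc() {
    inst="$1"
    # Reject before any lookup: a valid id is 'i-' plus 8 to 17 hex digits,
    # so shell metacharacters or stray text from the caller never get further.
    printf '%s' "$inst" | grep -Eq '^i-[0-9a-f]{8,17}$' || return 1
    # Exact match on the allowlist line for this instance.
    alloc=$(printf '%s\n' "$EIP_MAP" | grep -E "^$inst=" | cut -d= -f2)
    [ -n "$alloc" ] || return 1
    printf '%s\n' "$alloc"
}

# Handle one call-home request: associate the instance's own EIP, nothing else.
handle_request() {
    inst="$1"
    alloc=$(lookup_alloc "$inst") || { echo "refused: $inst" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "ec2-associate-address --region $REGION -i $inst -a $alloc"
    else
        ec2-associate-address --region "$REGION" -i "$inst" -a "$alloc"
    fi
}
```

Any id that is malformed, or well-formed but not in the allowlist, is logged as refused and never reaches the EC2 tools.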