Overview
The EC2 Instance resource deploys a managed EC2 instance backed by an Auto Scaling Group, with security groups and optional SSH access. Use it for workloads that need direct server access or custom configuration. IMDSv2 is required by default, the root EBS volume is encrypted by default, and AZRebalance is suspended to keep instances pinned to their subnet.
Resource Class
Basic Usage
Configuration Options
Core Properties
| Property | Type | Description | Default |
|---|---|---|---|
| serviceName | string | Service identifier | Required |
| instanceType | string | EC2 instance type | Required |
| vpc | IVpc | VPC for deployment | Auto-created |
| accountId | string | AWS account ID | Current account |
Capacity Configuration
| Property | Type | Description | Default |
|---|---|---|---|
| minCapacity | number | Minimum instances (passed to the CDK ASG) | CDK default 1 |
| maxCapacity | number | Maximum instances (passed to the CDK ASG) | CDK default 1 |
| desiredCapacity | number | Initial instance count (passed to the CDK ASG) | CDK default |
| spotCapacityPercentage | number | Percentage of spot instances | 0 |
minCapacity and maxCapacity forward straight to the CDK Auto Scaling Group without a Fjall-supplied fallback. When both are omitted, CDK’s default of 1 applies to each.
Instance Configuration
| Property | Type | Description | Default |
|---|---|---|---|
| machineImage | IMachineImage | AMI to use | Latest Amazon Linux 2023 |
| userData | UserData | User data script | - |
| role | Role | IAM role for instance | - |
| blockDevices | BlockDevice[] | EBS volume configuration | - |
| enableSSH | boolean | Enable SSH access | false |
Network Configuration
| Property | Type | Description | Default |
|---|---|---|---|
| subnetConfiguration | SubnetConfiguration[] | Custom subnet configuration | Standard public/private |
Machine Images
When machineImage is omitted, the construct uses MachineImage.latestAmazonLinux2023().
Amazon Linux 2023 (default)
Ubuntu
Custom AMI
User Data Configuration
Basic Script
Complex Setup
Storage Configuration
Additional EBS Volumes
RAID Configuration
Security Configuration
SSH Access
Custom Security Rules
IAM Role Configuration
The role prop accepts a standard CDK IAM Role from aws-cdk-lib/aws-iam.
Auto Scaling Configuration
Scaling Across AZs
Spot Instances
Methods
Get Security Group
Get Connections
Get VPC
Get Auto Scaling Group
The underlying ASG is private. Read it through getAutoScalingGroup(), for example to register it as a load balancer target.
Advanced Patterns
Web Server Fleet
Bastion Host
GPU Instance
Complete Example
Best Practices
- Use Systems Manager instead of SSH for production
- Enable IMDSv2 (enabled by default in this construct)
- Encrypt EBS volumes for sensitive data
- Use Auto Scaling even for single instances
- Apply least privilege IAM policies
- Monitor with CloudWatch and set alarms
- Use user data for repeatable configuration
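The defaults stated in the overview (IMDSv2 required, encrypted root volume) and the SSH guidance above can be checked against the synthesized CloudFormation template before deployment. The following is an added example, not Fjall's own code; it assumes standard CloudFormation property names, and the function name `auditTemplate` and both sample templates are constructed for illustration.

```typescript
// Added example: audit a synthesized CloudFormation template (output of `cdk synth`).
type Resource = { Type: string; Properties?: any };
type Template = { Resources: { [id: string]: Resource } };
const LAUNCH_TYPES = ["AWS::EC2::LaunchTemplate", "AWS::AutoScaling::LaunchConfiguration"];

function auditTemplate(template: Template): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    const props: any = res.Properties ?? {};
    if (LAUNCH_TYPES.indexOf(res.Type) !== -1) {
      // Launch templates nest settings under LaunchTemplateData; launch configurations do not.
      const data: any = props.LaunchTemplateData ?? props;
      if (data.MetadataOptions?.HttpTokens !== "required") {
        findings.push(`${id}: IMDSv2 not enforced`);
      }
      const mappings: any[] = data.BlockDeviceMappings ?? [];
      // With no mapping, encryption depends on the AMI or the account-level EBS default.
      if (mappings.length === 0) findings.push(`${id}: no explicit EBS mapping`);
      for (const m of mappings) {
        if (m.Ebs && m.Ebs.Encrypted !== true) findings.push(`${id}: ${m.DeviceName} not encrypted`);
      }
    }
    if (res.Type === "AWS::EC2::SecurityGroup") {
      // Inline rules only; standalone AWS::EC2::SecurityGroupIngress resources are not checked.
      const rules: any[] = props.SecurityGroupIngress ?? [];
      for (const rule of rules) {
        const open = rule.CidrIp === "0.0.0.0/0" || rule.CidrIpv6 === "::/0";
        const coversSsh = String(rule.IpProtocol) === "-1" || (rule.FromPort <= 22 && rule.ToPort >= 22);
        if (open && coversSsh) findings.push(`${id}: port 22 open to any address`);
      }
    }
  }
  return findings;
}

// Constructed sample templates (not real synth output; logical IDs are made up).
const hardened: Template = { Resources: {
  Lt: { Type: "AWS::EC2::LaunchTemplate", Properties: { LaunchTemplateData: {
    MetadataOptions: { HttpTokens: "required" },
    BlockDeviceMappings: [{ DeviceName: "/dev/xvda", Ebs: { Encrypted: true } }] } } },
  Sg: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupIngress: [] } } } };
const weak: Template = { Resources: {
  Lt: { Type: "AWS::EC2::LaunchTemplate", Properties: { LaunchTemplateData: {
    BlockDeviceMappings: [{ DeviceName: "/dev/xvda", Ebs: { Encrypted: false } }] } } },
  Sg: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupIngress: [
    { IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "0.0.0.0/0" }] } } } };

console.log(auditTemplate(weak));
```

Running this in CI against the synth output catches a later override of `enableSSH`, `blockDevices` or the metadata options before it reaches an account.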
Cost Optimisation
- Use Spot instances for fault-tolerant workloads
- Right-size instances based on CloudWatch metrics
- Enable detailed monitoring only when needed
- Use GP3 volumes instead of GP2 for better price/performance
- Consider Savings Plans for predictable workloads
Next Steps
Compute Factory
Build EC2 and ECS compute through the Fjall compute factory pattern.
Security Group
Control inbound and outbound traffic for your instances.
VPC
Configure the network your EC2 instances run in.
IAM Role
Grant least-privilege AWS permissions to your instances.