██FR█████ █INTELL███████████

EC2 patching best practice


This content originally appeared on DEV Community and was authored by Wakeup Flower

1 — Use AWS Systems Manager Automation with AWSEC2-PatchLoadBalancerInstance

  • This is a specific automation document provided by AWS.

  • It contains the exact workflow needed:

    • Remove instance from ALB
    • Wait for in-flight requests
    • Apply patches
    • Reboot if needed
    • Re-register instance

  • It solves the core problem of traffic disruption during patching.

💡 This is the mechanism for safe patching.

** 2 — Configure Systems Manager Maintenance Windows**

  • This is about scheduling.

  • Maintenance Windows allow you to:

    • Pick specific times for patching
    • Run automation documents (like AWSEC2-PatchLoadBalancerInstance)
    • Control which instances are patched, when, and in what order

  • It solves the problem of coordinating and controlling when patching happens.

💡 This is the orchestration layer that runs the automation in Option 1 at a controlled time.

Analogy

Think of it like baking a cake:

  • Option 1 = the recipe (exact steps to make the cake)
  • Option 2 = the oven timer (when to start baking and how long)

They work best together:

  • Option 1 does the actual patching work.
  • Option 2 decides when that work should run.
Option Purpose Key Role
1 Automates patching process Execution mechanism
2 Schedules and orchestrates automation Timing control

💡 Best practice:

+------------------------------------------------------+
| Systems Manager Maintenance Window (Option 2)      |
| - Defines when patching happens                     |
| - Defines which instances are targeted              |
+------------------------------------------------------+
                          |
                          v
+------------------------------------------------------+
| Run Automation Document                             |
| AWSEC2-PatchLoadBalancerInstance (Option 1)        |
+------------------------------------------------------+
                          |
                          v
+------------------------+
| Remove EC2 Instance   |
| from ALB Target Group |
+------------------------+
                          |
                          v
+------------------------+
| Wait for In-flight    |
| Requests to Complete  |
+------------------------+
                          |
                          v
+------------------------+
| Apply Patches to EC2  |
| Instance               |
+------------------------+
                          |
                          v
+------------------------+
| Reboot Instance if    |
| Needed                 |
+------------------------+
                          |
                          v
+------------------------+
| Re-register EC2       |
| Instance to ALB       |
+------------------------+
                          |
                          v
+------------------------+
| End Maintenance       |
+------------------------+


This content originally appeared on DEV Community and was authored by Wakeup Flower