DEV Community

Wakeup Flower

EC2 patching best practice

1 — Use AWS Systems Manager Automation with AWSEC2-PatchLoadBalancerInstance

  • AWSEC2-PatchLoadBalancerInstance is an Automation runbook (a Systems Manager document) that AWS publishes and maintains.
  • It encodes the workflow you would otherwise have to script by hand:

    • Deregister the instance from its load balancer so it stops receiving new connections
    • Wait for in-flight requests to drain
    • Apply patches
    • Reboot if a patch requires it
    • Re-register the instance
  • It solves the core problem of traffic disruption during patching: no request is routed to a host while that host is being patched or rebooted.
  • Before adopting it, open the runbook's content in the Systems Manager console and confirm that its parameters match the load balancer type your instances sit behind; if they do not, a custom Automation document with the same steps is the fallback.

💡 This is the mechanism for safe patching.
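
The five steps above, written out as a custom Systems Manager Automation document for an instance registered in an ALB target group. This is an added example, not the content of AWS's AWSEC2-PatchLoadBalancerInstance runbook; the document name PatchAlbTargetInstance, the parameter names and the timeouts are assumptions. It shows what any load-balancer-aware patch runbook has to do, and it is the fallback if the AWS runbook's parameters do not fit your load balancer.

```yaml
# Added example (not the AWS-owned runbook): drain an EC2 instance from an ALB
# target group, patch it, reboot only if required, and put it back.
# Assumed: document name PatchAlbTargetInstance and the parameter names below.
description: Drain an EC2 instance from an ALB target group, patch it, reboot if needed, re-register it.
schemaVersion: '0.3'
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  InstanceId:
    type: String
    description: The EC2 instance to patch.
  TargetGroupArn:
    type: String
    description: ARN of the ALB target group the instance is registered in.
  AutomationAssumeRole:
    type: String
    description: >-
      Role Automation assumes. Scope it to elasticloadbalancing:DescribeTargetHealth,
      RegisterTargets and DeregisterTargets on this target group plus ssm:SendCommand.
mainSteps:
  # Step 1: stop new connections. The target group's deregistration delay then
  # drains in-flight requests before the target leaves the group.
  - name: DeregisterTarget
    action: aws:executeAwsApi
    inputs:
      Service: elbv2
      Api: DeregisterTargets
      TargetGroupArn: '{{ TargetGroupArn }}'
      Targets:
        - Id: '{{ InstanceId }}'
  # Step 2: wait until draining has finished. While draining the target reports
  # State "draining"; once fully deregistered it reports "unused".
  - name: WaitForDrain
    action: aws:waitForAwsResourceProperty
    timeoutSeconds: 900
    inputs:
      Service: elbv2
      Api: DescribeTargetHealth
      TargetGroupArn: '{{ TargetGroupArn }}'
      Targets:
        - Id: '{{ InstanceId }}'
      PropertySelector: '$.TargetHealthDescriptions[0].TargetHealth.State'
      DesiredValues:
        - unused
  # Steps 3 and 4: install from the instance's patch baseline. RebootIfNeeded
  # reboots only when an installed patch requires it.
  - name: InstallPatches
    action: aws:runCommand
    timeoutSeconds: 3600
    inputs:
      DocumentName: AWS-RunPatchBaseline
      InstanceIds:
        - '{{ InstanceId }}'
      Parameters:
        Operation:
          - Install
        RebootOption:
          - RebootIfNeeded
  # Step 5: re-register, and only finish once the target passes the health check
  # so the maintenance window does not move on while this host is still unhealthy.
  - name: RegisterTarget
    action: aws:executeAwsApi
    inputs:
      Service: elbv2
      Api: RegisterTargets
      TargetGroupArn: '{{ TargetGroupArn }}'
      Targets:
        - Id: '{{ InstanceId }}'
  - name: WaitForHealthy
    action: aws:waitForAwsResourceProperty
    timeoutSeconds: 600
    inputs:
      Service: elbv2
      Api: DescribeTargetHealth
      TargetGroupArn: '{{ TargetGroupArn }}'
      Targets:
        - Id: '{{ InstanceId }}'
      PropertySelector: '$.TargetHealthDescriptions[0].TargetHealth.State'
      DesiredValues:
        - healthy
```

Register it with `aws ssm create-document --name PatchAlbTargetInstance --document-type Automation --document-format YAML --content file://patch-alb-target.yaml` (file name assumed). The two wait steps are what make the drain real: the target group's deregistration delay (300 seconds by default) decides how long in-flight requests get, and WaitForDrain does not return until DescribeTargetHealth reports the target as unused. If InstallPatches fails the automation aborts with the instance still deregistered, so a failed task in the maintenance window history points straight at a host that is both out of service and unpatched; whether to re-register on failure instead (an onFailure jump to RegisterTarget) is a capacity-versus-consistency decision worth making explicitly rather than by default.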


2 — Configure Systems Manager Maintenance Windows

  • This is the scheduling layer.
  • Maintenance Windows let you:

    • Pick a recurring slot (cron or rate expression) with a duration and a cutoff after which no new tasks start
    • Run Automation documents (such as AWSEC2-PatchLoadBalancerInstance) as tasks
    • Control which instances are targeted (by instance ID or tag), the priority of each task, and how many instances are patched at the same time
  • It solves the problem of coordinating and controlling when patching happens, and of keeping enough instances in service while it does.

💡 This is the orchestration layer that runs the automation in Option 1 at a controlled time.


Analogy

Think of it like baking a cake:

  • Option 1 = the recipe (exact steps to make the cake)
  • Option 2 = the oven timer (when to start baking and how long)

They work best together:

  • Option 1 does the actual patching work.
  • Option 2 decides when that work should run.

Option | Purpose                                   | Key Role
-------|-------------------------------------------|--------------------
1      | Automates the patching process            | Execution mechanism
2      | Schedules and orchestrates the automation | Timing control

💡 Best practice:

+------------------------------------------------------+
| Systems Manager Maintenance Window (Option 2)        |
| - Defines when patching happens                      |
| - Defines which instances are targeted               |
| - Limits how many are patched at once                |
+------------------------------------------------------+
                           |
                           v
+------------------------------------------------------+
| Run Automation Document                              |
| AWSEC2-PatchLoadBalancerInstance (Option 1)          |
+------------------------------------------------------+
             |
             v
+--------------------------+
| Remove EC2 Instance      |
| from ALB Target Group    |
+--------------------------+
             |
             v
+--------------------------+
| Wait for In-flight       |
| Requests to Complete     |
+--------------------------+
             |
             v
+--------------------------+
| Apply Patches to EC2     |
| Instance                 |
+--------------------------+
             |
             v
+--------------------------+
| Reboot Instance if       |
| Needed                   |
+--------------------------+
             |
             v
+--------------------------+
| Re-register EC2          |
| Instance to ALB          |
+--------------------------+
             |
             v
+--------------------------+
| End Maintenance          |
+--------------------------+
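
The diagram as infrastructure: a CloudFormation template (added example, not from the original post) that creates the maintenance window, a tag-based target set and the Automation task that runs the runbook once per instance. It assumes an Automation document named PatchAlbTargetInstance that takes InstanceId, TargetGroupArn and AutomationAssumeRole parameters; the window name, schedule, tag key and role parameters are assumptions as well. If you run AWS's AWSEC2-PatchLoadBalancerInstance instead, set TaskArn to that name and pass the parameters that runbook declares.

```yaml
# Added example (not from the original post): the scheduling layer for the
# load-balancer-aware patch runbook. Assumed: an Automation document named
# PatchAlbTargetInstance taking InstanceId, TargetGroupArn, AutomationAssumeRole.
AWSTemplateFormatVersion: '2010-09-09'
Description: Weekly patch window that patches ALB-attached instances one at a time.
Parameters:
  TargetGroupArn:
    Type: String
    Description: ALB target group that every targeted instance is registered in.
  MaintenanceWindowRoleArn:
    Type: String
    Description: >-
      Service role Systems Manager assumes to start the task (AmazonSSMMaintenanceWindowRole
      or a custom equivalent). It must be allowed to iam:PassRole the automation role below.
  AutomationAssumeRoleArn:
    Type: String
    Description: Role the Automation document itself assumes while patching.
Resources:
  PatchWindow:
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      Name: weekly-alb-instance-patching
      # Sundays at 02:00 UTC (cron is evaluated in UTC unless ScheduleTimezone is set).
      # Duration is the whole slot in hours; Cutoff stops new tasks this many hours before it ends.
      Schedule: cron(0 2 ? * SUN *)
      Duration: 4
      Cutoff: 1
      AllowUnassociatedTargets: false
  PatchTargets:
    Type: AWS::SSM::MaintenanceWindowTarget
    Properties:
      WindowId: !Ref PatchWindow
      ResourceType: INSTANCE
      # Tag-based targeting: only instances tagged PatchGroup=web-alb are touched.
      Targets:
        - Key: tag:PatchGroup
          Values:
            - web-alb
  PatchTask:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      WindowId: !Ref PatchWindow
      TaskType: AUTOMATION
      TaskArn: PatchAlbTargetInstance
      ServiceRoleArn: !Ref MaintenanceWindowRoleArn
      Priority: 1
      # One instance out of the target group at a time; stop the run on the first failure.
      MaxConcurrency: '1'
      MaxErrors: '1'
      Targets:
        - Key: WindowTargetIds
          Values:
            - !Ref PatchTargets
      TaskInvocationParameters:
        MaintenanceWindowAutomationParameters:
          DocumentVersion: '$DEFAULT'
          Parameters:
            # {{RESOURCE_ID}} is the instance ID of the target currently being processed,
            # so each targeted instance gets its own automation execution.
            InstanceId:
              - '{{RESOURCE_ID}}'
            TargetGroupArn:
              - !Ref TargetGroupArn
            AutomationAssumeRole:
              - !Ref AutomationAssumeRoleArn
```

The two settings the prose above does not spell out are MaxConcurrency and MaxErrors. Because {{RESOURCE_ID}} makes Systems Manager start one automation execution per targeted instance, MaxConcurrency: '1' is what guarantees that only one instance is out of the target group at any moment; raise it only if the target group can lose more than one host without breaching capacity. MaxErrors: '1' stops the window after the first failed execution rather than working through the fleet with a bad patch. Cutoff keeps new executions from starting in the last hour, so the window does not close with an instance freshly deregistered and mid-patch.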