Move AWS EC2 instance to another subnet or availability zone

When we move an EC2 instance from one subnet to another or to another availability zone the EC2 Metadata Service stops working on the instance. We get the error message:

Unable to get IAM security credentials from EC2 Instance Metadata Service.

To enable the EC2 Metadata Service again, we need to update the routing configuration on the instance. Follow the steps at

As a summary:

Check the Gateway Address matches the IP address range of the subnet. In a PowerShell window execute:

route print

Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric      15

It should belong to the IPv4 CIDR of the subnet

If the Gateway Address does not belong to the IP address range of the subnet

  1. Confirm that the latest version of EC2Config (Windows Server 2012R2 and earlier) or EC2Launch (Windows Server 2016 or later) is installed on the instance.
  2. To apply the route to the instance, restart the EC2Config service (on Windows Server 2012R2 and earlier), or run the following command from an elevated PowerShell session (on Windows Server 2016 or later):
Import-Module c:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psm1 ; Add-Routes

Leave a comment

Your email address will not be published. Required fields are marked *