AWS Snowball Edge is no longer available to new customers. New customers should explore [AWS DataSync](https://aws.amazon.com/datasync/) for online transfers, [AWS Data Transfer Terminal](https://aws.amazon.com/data-transfer-terminal/) for secure physical transfers, or AWS Partner solutions. For edge computing, explore [AWS Outposts](https://aws.amazon.com/outposts/). # Using Amazon EKS Anywhere on AWS Snow Using Amazon EKS Anywhere on Snowball Edge Amazon EKS Anywhere on AWS Snow helps you to create and operate Kubernetes clusters on Snowball Edge. Kubernetes is open-source software that's used for automating deployment, scaling, and management of containerized applications. You can use Amazon EKS Anywhere on a Snowball Edge device with or without an external network connection. To use Amazon EKS Anywhere on a device without an external network connection, provide a container registry to run on the Snowball Edge device. For general information about Amazon EKS Anywhere, see the [Amazon EKS Anywhere documentation](https://anywhere.eks.amazonaws.com/docs/). Using Amazon EKS Anywhere on AWS Snow provides you with these capabilities: + Provision a Kubernetes (K8s) cluster with Amazon EKS Anywhere CLI (eksctl anywhere) on Snowball Edge compute-optimized devices. You can provision Amazon EKS Anywhere on a single Snowball Edge device or three or more devices for high availability. + Support for Cilium Container Network Interface (CNI). + Support for Ubuntu 20.04 as the node operating system. This diagram illustrates an Amazon EKS Anywhere cluster deployed on a Snowball Edge device. ![\[Diagram depicting Amazon EKS Anywhere on AWS Snow cluster deployed on a Snowball Edge device and relationships between components.\]](http://docs.aws.amazon.com/snowball/latest/developer-guide/images/eskaarch.jpg) We recommend that you create your Kubernetes cluster with the latest available Kubernetes version supported by Amazon EKS Anywhere. For more information, see [Amazon EKS-Anywhere Versioning](https://anywhere.eks.amazonaws.com/docs/concepts/support-versions/). If your application requires a specific version of Kubernetes, use any version of Kubernetes offered in standard or extended support by Amazon EKS. Consider the release and support dates of Kubernetes versions when planning the lifecycle of your deployment. This will help you avoid the potential loss of support for the version of Kubernetes you intend to use. For more information, see [Amazon EKS Kubernetes release calendar](https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar). For more information about Amazon EKS Anywhere on AWS Snow, see the [Amazon EKS Anywhere documentation](https://anywhere.eks.amazonaws.com/docs/). **Topics** + [ # Actions to complete before ordering a Snowball Edge device for Amazon EKS Anywhere on AWS Snow ](eksa-gettingstarted.md) + [ # Ordering a Snowball Edge device for use with Amazon EKS Anywhere on AWS Snow ](order-sbe.md) + [ # Configuring and running Amazon EKS Anywhere on Snowball Edge devices ](eksa-configuration.md) + [ # Configuring Amazon EKS Anywhere on AWS Snow for disconnected operation ](configure-disconnected.md) + [ # Creating and maintaining clusters on Snowball Edge devices ](maintain-eks-a-clusters-snow.md) # Actions to complete before ordering a Snowball Edge device for Amazon EKS Anywhere on AWS Snow At this time, Amazon EKS Anywhere is compatible with Snowball Edge compute-optimized devices. Before you order a Snowball Edge device, there are a few things you should do to prepare. + Build and supply an operating system image to use to create virtual machines on the device. + Your network must have a static IP address available for the K8s control plane endpoint and allow Address Resolution Protocol (ARP). + Your Snowball Edge device must have specific ports open. For more information about ports, see [Ports and protocols](https://anywhere.eks.amazonaws.com/docs/reference/ports/) in the Amazon EKS Anywhere documentation. **Topics** + [ ## Create an Ubuntu EKS Distro AMI for the Snowball Edge ](#create-eksd-ami) + [ ## Build a Harbor AMI for the Snowball Edge ](#existing-private-registry) ## Create an Ubuntu EKS Distro AMI for the Snowball Edge Create an Ubuntu EKS Distro AMI To create the Ubuntu EKS Distro AMI, see [Build Snow node images](https://anywhere.eks.amazonaws.com/docs/reference/artifacts/#build-snow-node-images). The name of the generated AMI will follow the pattern `capa-ami-ubuntu-20.04-version-timestamp`. For example, `capa-ami-ubuntu-20.04-v1.24-1672424524`. ## Build a Harbor AMI for the Snowball Edge Build a Harbor AMI Set up a Harbor private registry AMI to include on the Snowball Edge device so you can use Amazon EKS Anywhere on the device without an external network connection. If you won't be using Amazon EKS Anywhere while the Snowball Edge device is disconnected from the external network, or if you have a private Kubernetes registry in an AMI to use on the device, you can skip this section. To create the Harbor local registry AMI, see [Build a Harbor AMI](https://github.com/aws-samples/aws-snow-tools-for-eks-anywhere/tree/main/container-registry-ami-builder#build-harbor-ami). # Ordering a Snowball Edge device for use with Amazon EKS Anywhere on AWS Snow To order your Snowball Edge compute optimized, see [Creating a job to order a Snowball Edge device](create-job-common.md) in this guide and keep these items in mind during the ordering process: + In step 1, choose the **Local compute and storage only** job type. + In step 2, choose the **Snowball Edge Compute Optimized** device type. + In step 3, choose **Amazon EKS Anywhere on AWS Snow**, then choose the Kubernetes version that you need. **Note** In order to deliver the latest software, we may configure the device with a version of ESK Anywhere newer than the one that is currently available. For more info, [Versioning](https://anywhere.eks.amazonaws.com/docs/concepts/support-versions/) in the *Amazon EKS User Guide*. We recommend that you create your Kubernetes cluster with the latest available Kubernetes version supported by Amazon EKS Anywhere. For more information, see [Amazon EKS-Anywhere Versioning](https://anywhere.eks.amazonaws.com/docs/concepts/support-versions/). If your application requires a specific version of Kubernetes, use any version of Kubernetes offered in standard or extended support by Amazon EKS. Consider the release and support dates of Kubernetes versions when planning the lifecycle of your deployment. This will help you avoid the potential loss of support for the version of Kubernetes you intend to use. For more information, see [Amazon EKS Kubernetes release calendar](https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar). + Choose AMIs to include on your device, including the EKS Distro AMI (see [Create an Ubuntu EKS Distro AMI for the Snowball Edge](eksa-gettingstarted.md#create-eksd-ami)) and, optionally, the Harbor AMI that you built (see [Build a Harbor AMI for the Snowball Edge](eksa-gettingstarted.md#existing-private-registry)). + If you need multiple Snowball Edge devices for high availability, choose the number of devices that you need from **High Availability**. After you receive your Snowball Edge device or devices, configure Amazon EKS Anywhere according to [Configuring and running Amazon EKS Anywhere on Snowball Edge devices](eksa-configuration.md). # Configuring and running Amazon EKS Anywhere on Snowball Edge devices Follow these procedures to configure and start Amazon EKS Anywhere on your Snowball Edge devices. Then, to configure Amazon EKS Anywhere to operate on disconnected devices, complete additional procedures before disconnecting those devices from the external network. For more information, see [Configuring Amazon EKS Anywhere on AWS Snow for disconnected operation](configure-disconnected.md). **Topics** + [ ## Initial setup for Amazon EKS Anywhere on Snowball Edge ](#initial-setup) + [ ## Configuring and running Amazon EKS Anywhere on Snowball Edge devices automatically ](#auto-eksa-configuration) + [ ## Configuring and running Amazon EKS Anywhere on Snowball Edge devices manually ](#manual-eksa-configuration) ## Initial setup for Amazon EKS Anywhere on Snowball Edge Initial setup Perform the initial setup on each Snowball Edge device by connecting the device to your local network, downloading the Snowball Edge client, getting credentials, and unlocking the device. **Perform initial setup** 1. Download and install the Snowball Edge client. For more information, see [Downloading and installing the Snowball Edge Client](using-client-commands.md#download-the-client). 1. Connect the device to your local network. For more information, see [Connecting a Snowball Edge to your local network](getting-started.md#getting-started-connect). 1. Get credentials to unlock your device. For more information, see [Getting credentials to access a Snowball Edge](getting-started.md#get-credentials). 1. Unlock the device. For more information, see [Unlocking the Snowball Edge](unlockdevice.md). You can also use a script tool instead of unlocking devices manually. See [Unlock devices](https://github.com/aws-samples/aws-snow-tools-for-eks-anywhere/tree/main/setup-tools#Unlock-devices). ## Configuring and running Amazon EKS Anywhere on Snowball Edge devices automatically Configuring and running Amazon EKS Anywhere automatically You can use sample script tools to set up the environment and run an Amazon EKS Anywhere admin instance or you can do so manually. To use the script tools, see [Unlock devices and setup environment for Amazon EKS Anywhere](https://github.com/aws-samples/aws-snow-tools-for-eks-anywhere/tree/main/setup-tools#Unlock-devices-and-setup-envorinment-for-EKS-Anywhere). After the environment is set up and the Amazon EKS Anywhere admin instance is running, if you need to configure Amazon EKS Anywhere to operate on the Snowball Edge device while disconnected from a network, see [Configuring Amazon EKS Anywhere on AWS Snow for disconnected operation](configure-disconnected.md). Otherwise, see [Creating and maintaining clusters on Snowball Edge devices](maintain-eks-a-clusters-snow.md). To manually set up the environment and run an Amazon EKS Anywhere admin instance, see [Configuring and running Amazon EKS Anywhere on Snowball Edge devices manually](#manual-eksa-configuration). ## Configuring and running Amazon EKS Anywhere on Snowball Edge devices manually Configuring and running Amazon EKS Anywhere manually Before configuring Amazon EKS Anywhere on a Snowball Edge device, set up a profile for the Snowball Edge Client. For more information, see [Configuring and using the Snowball Edge Client](using-client-commands.md). **Topics** + [ ### Create an Amazon EKS Anywhere IAM local user ](#create-role) + [ ### (Optional) Create and import a Secure Shell key on a Snowball Edge ](#create-ssh-key) + [ ### Run an Amazon EKS Anywhere admin instance on a Snowball Edge and transfer credential and certificate files to it ](#start-config-eksa-admin-instance) ### Create an Amazon EKS Anywhere IAM local user For best security practices, create a local IAM user for Amazon EKS Anywhere on the Snowball Edge device. You can do this by manually using the following procedures. **Note** Do this for each Snowball Edge device that you use. #### Create a local user on the Snowball Edge Use the `create-user` command to create the Amazon EKS Anywhere IAM user. ``` aws iam create-user --user-name user-name --endpoint http://snowball-ip:6078 --profile profile-name { "User": { "Path": "/", "UserName": "eks-a-user", "UserId": "AIDACKCEVSQ6C2EXAMPLE", "Arn": "arn:aws:iam::123456789012:user/eks-a-user", "CreateDate": "2022-04-06T00:13:35.665000+00:00" } } ``` #### Create a policy for the local user on the Snowball Edge Create a policy document, use it to create an IAM policy, and attach that policy to the Amazon EKS Anywhere local user. **To create a policy document and attach it to the Amazon EKS Anywhere local user** 1. Create a policy document and save it to your computer. Copy the policy below to the document. 1. Use the `create-policy` command to create an IAM policy based on the policy document. The value of the `--policy-document` parameter should use the absolute path to the policy file. For example, `file:///home/user/policy-name.json` ``` aws iam create-policy --policy-name policy-name --policy-document file:///home/user/policy-name.json --endpoint http://snowball-ip:6078 --profile profile-name { "Policy": { "PolicyName": "policy-name", "PolicyId": "ANPACEMGEZDGNBVGY3TQOJQGEZAAAABP76TE5MKAAAABCCOTR2IJ43NBTJRZBU", "Arn": "arn:aws:iam::123456789012:policy/policy-name", "Path": "/", "DefaultVersionId": "v1", "AttachmentCount": 0, "IsAttachable": true, "CreateDate": "2022-04-06T04:46:56.907000+00:00", "UpdateDate": "2022-04-06T04:46:56.907000+00:00" } } ``` 1. Use the `attach-user-policy` command to attach the IAM policy to the Amazon EKS Anywhere local user. ``` aws iam attach-user-policy --policy-arn policy-arn --user-name user-name --endpoint http://snowball-ip:6078 --profile profile-name ``` #### Create an access key and a credential file on the Snowball Edge Create an access key for the Amazon EKS Anywhere IAM local user. Then, create a credential file and include in it the values of `AccessKeyId` and `SecretAccessKey` generated for the local user. The credential file will be used by the Amazon EKS Anywhere admin instance later. 1. Use the `create-access-key` command to create an access key for the Amazon EKS Anywhere local user. ``` aws iam create-access-key --user-name user-name --endpoint http://snowball-ip:6078 --profile profile-name { "AccessKey": { "UserName": "eks-a-user", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active", "SecretAccessKey": "RTT/wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "CreateDate": "2022-04-06T04:23:46.139000+00:00" } } ``` 1. Create a credential file. In it, save the `AccessKeyId` and `SecretAccessKey` values in the following format. ``` [snowball-ip] aws_access_key_id = ABCDEFGHIJKLMNOPQR2T aws_secret_access_key = AfSD7sYz/TBZtzkReBl6PuuISzJ2WtNkeePw+nNzJ region = snow ``` **Note** If you're working with multiple Snowball Edge devices, the order of the credentials in the file doesn’t matter, but the credentials for all devices do need to be in one file. #### Create a certificates file for the admin instance on the Snowball Edge The Amazon EKS Anywhere admin instance needs the certificates of the Snowball Edge devices in order to run on them. Create a certificates file holding the certificate to access Snowball Edge devices for use later by the Amazon EKS Anywhere admin instance. **To create a certificates file** 1. Use the `list-certificates` command to get certificates for each Snowball Edge device that you plan to use. ``` PATH_TO_Snowball_Edge_CLIENT/bin/snowballEdge list-certificates --endpoint https://snowball-ip --manifest-file path-to-manifest-file --unlock-code unlock-code { "Certificates" : [ { "CertificateArn" : "arn:aws:snowball-device:::certificate/xxx", "SubjectAlternativeNames" : [ "ID:JID-xxx" ] } ] } ``` 1. Use the value of `CertificateArn` as the value for the `--certificate-arn` parameter of the `get-certificate` command. ``` PATH_TO_Snowball_Edge_CLIENT/bin/snowballEdge get-certificate --certificate-arn ARN --endpoint https://snowball-ip --manifest-file path-to-manifest-file --unlock-code unlock-code ``` 1. Create a device certificate file. Put the output of `get-certificate` into the certificate file. Following is an example of how to save the output. **Note** If you're working with multiple Snowball Edge devices, the order of the credentials in the file doesn’t matter, but the credentials for all devices do need to be in one file. ``` -----BEGIN CERTIFICATE----- ZWtzYSBzbm93IHRlc3QgY2VydGlmaWNhdGUgZWtzYSBzbm93IHRlc3QgY2VydGlm aWNhdGVla3NhIHNub3cgdGVzdCBjZXJ0aWZpY2F0ZWVrc2Egc25vdyB0ZXN0IGNl cnRpZmljYXRlZWtzYSBzbm93IHRlc3QgY2VydGlmaWNhdGVla3NhIHNub3cgdGVz dCBjZXJ0aWZpY2F0ZQMIIDXDCCAkSgAwIBAgIJAISM0nTVmbj+MA0GCSqGSIb3DQ ... -----END CERTIFICATE----- ``` 1. Repeat [Create an Amazon EKS Anywhere IAM local user](#create-role) to create an IAM local user for Amazon EKS Anywhere on all Snowball Edge devices. ### (Optional) Create and import a Secure Shell key on a Snowball Edge Use this optional procedure to create a Secure Shell (SSH) key to access all Amazon EKS Anywhere node instances and to import the public key to all Snowball Edge devices. Keep and secure this key file. If you skip this procedure, Amazon EKS Anywhere will create and import an SSH key automatically when necessary. This key will be stored on the admin instance in `${PWD}/${CLUSTER_NAME}/eks-a-id_rsa`. **Create an SSH key and import it to the Amazon EKS Anywhere instance** 1. Use the `ssh-keygen` command to generate a SSH key. ``` ssh-keygen -t rsa -C "key-name" -f path-to-key-file ``` 1. Use the `import-key-pair` command to import the key from your computer to the Snowball Edge device. **Note** The value of the `key-name` parameter must be the same when you import the key to all devices. ``` aws ec2 import-key-pair --key-name key-name --public-key-material fileb:///path/to/key-file --endpoint http://snowball-ip:8008 --profile profile-name { "KeyFingerprint": "5b:0c:fd:e1:a0:69:05:4c:aa:43:f3:3b:3e:04:7f:51", "KeyName": "default", "KeyPairId": "s.key-85edb5d820c92a6f8" } ``` ### Run an Amazon EKS Anywhere admin instance on a Snowball Edge and transfer credential and certificate files to it #### Run an Amazon EKS Anywhere admin instance on a Snowball Edge Follow this procedure to manually run an Amazon EKS Anywhere admin instance, configure a Virtual Network Interface (VNI) for the admin instance, check the status of the instance, create an SSH key, and connect to the admin instance with it. You can use a sample script tool to automate creating an Amazon EKS Anywhere admin instance and transferring credential and certificate files to this instance. See [Create Amazon EKS Anywhere admin instance](https://github.com/aws-samples/aws-snow-tools-for-eks-anywhere/tree/main/setup-tools#Create-EKS-Anywhere-admin-instance). After the script tool completes, you can ssh into the instance and create clusters by referring to [Creating and maintaining clusters on Snowball Edge devices](maintain-eks-a-clusters-snow.md). If you want to set up the Amazon EKS Anywhere instance manually, use the following steps.. **Note** If you're using more than one Snowball Edge devices to provision the cluster, you can launch an Amazon EKS Anywhere admin instance on any of the Snowball Edge devices. **To run an Amazon EKS Anywhere admin instance** 1. Use the `create-key-pair` command to create a SSH key for the Amazon EKS Anywhere admin instance. The command saves the key to `$PWD/key-file-name`. ``` aws ec2 create-key-pair --key-name key-name --query 'KeyMaterial' --output text --endpoint http://snowball ip:8008 > key-file-name --profile profile-name ``` 1. Use the `describe-images` command to find the image name that begins with `eks-anywhere-admin` from the output. ``` aws ec2 describe-images --endpoint http://snowball-ip:8008 --profile profile-name ``` 1. Use the `run-instance` command to start an eks-a admin instance with the Amazon EKS Anywhere admin image. ``` aws ec2 run-instances --image-id eks-a-admin-image-id --key-name key-name --instance-type sbe-c.xlarge --endpoint http://snowball-ip:8008 --profile profile-name ``` 1. Use the `describe-instances` command to check the status of the Amazon EKS Anywhere instance. Wait until the command indicates the instances state is `running` before continuing. ``` aws ec2 describe-instances --instance-id instance-id --endpoint http://snowball-ip:8008 --profile profile-name ``` 1. From the output of the `describe-device` command, note the value of `PhysicalNetworkInterfaceId` for the physical network interface that is connected to your network. You will use this to create a VNI. ``` PATH_TO_Snowball_Edge_CLIENT/bin/snowballEdge describe-device --endpoint https://snowball-ip --manifest-file path-to-manifest-file --unlock-code unlock-code ``` 1. Create a VNI for the Amazon EKS Anywhere admin instance. Use the value of `PhysicalNetworkInterfaceId` as the value of the `physical-network-interface-id` parameter. ``` PATH_TO_Snowball_Edge_CLIENT/bin/snowballEdge create-virtual-network-interface --ip-address-assignment dhcp --physical-network-interface-id PNI --endpoint https://snowball-ip --manifest-file path-to-manifest-file --unlock-code unlock-code ``` 1. Use the value of `IpAddress` as the value of the `public-ip` parameter of the `associate-address` command to associate the public address to the Amazon EKS Anywhere admin instance. ``` aws ec2 associate-address --instance-id instance-id --public-ip VNI-IP --endpoint http://snowball-ip:8008 --profile profile-name ``` 1. Connect to the Amazon EKS Anywhere admin instance by SSH. ``` ssh -i path-to-key ec2-user@VNI-IP ``` #### Transfer certificate and credential files to the admin instance on the Snowball Edge After the Amazon EKS Anywhere admin instance is running, transfer the credentials and certificates of your Snowball Edge devices to the admin instance. Run the following command from the same directory where you saved the credentials and certificates files in [Create an access key and a credential file on the Snowball Edge](#create-eksa-iam-user-access-key) and [Create a certificates file for the admin instance on the Snowball Edge](#create-credentials-for-admin-instance). ``` scp -i path-to-key path-to-credentials-file path-to-certificates-file ec2-user@eks-admin-instance-ip:~ ``` Verify the contents of the files on the Amazon EKS Anywhere admin instance. Following are examples of the credential and certificate files. ``` [192.168.1.1] aws_access_key_id = EMGEZDGNBVGY3TQOJQGEZB5ULEAAIWHWUJDXEXAMPLE aws_secret_access_key = AUHpqjO0GZQHEYXDbN0neLNlfR0gEXAMPLE region = snow [192.168.1.2] aws_access_key_id = EMGEZDGNBVGY3TQOJQGEZG5O7F3FJUCMYRMI4KPIEXAMPLE aws_secret_access_key = kY4Cl8+RJAwq/bu28Y8fUJepwqhDEXAMPLE region = snow ``` ``` -----BEGIN CERTIFICATE----- ZWtzYSBzbm93IHRlc3QgY2VydGlmaWNhdGUgZWtzYSBzbm93IHRlc3QgY2VydGlm aWNhdGVla3NhIHNub3cgdGVzdCBjZXJ0aWZpY2F0ZWVrc2Egc25vdyB0ZXN0IGNl cnRpZmljYXRlZWtzYSBzbm93IHRlc3QgY2VydGlmaWNhdGVla3NhIHNub3cgdGVz dCBjZXJ0aWZpY2F0ZQMIIDXDCCAkSgAwIBAgIJAISM0nTVmbj+MA0GCSqGSIb3DQ ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- KJ0FPl2PAYPEjxr81/PoCXfZeARBzN9WLUH5yz1ta+sYUJouzhzWuLJYA1xqcCPY mhVlkRsN4hVdlBNRnCCpRF766yjdJeibKVzXQxoXoZBjrOkuGwqRy3d3ndjK77h4 OR5Fv9mjGf7CjcaSjk/4iwmZvRSaQacb0YG5GVeb4mfUAuVtuFoMeYfnAgMBAAGj azBpMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFL/bRcnBRuSM5+FcYFa8HfIBomdF ... -----END CERTIFICATE----- ``` # Configuring Amazon EKS Anywhere on AWS Snow for disconnected operation Complete this additional configuration of Amazon EKS Anywhere on the Snowball Edge device while it's connected to a network to prepare Amazon EKS Anywhere to run in an environment without an external network connection. To configure Amazon EKS Anywhere for disconnected use with your own local, private Kubernetes registry, see [Registry Mirror configuration](https://anywhere.eks.amazonaws.com/docs/reference/clusterspec/optional/registrymirror/) in the EKS Anywhere documentation. If you created a Harbor private registry AMI, follow the procedures in this section. **Topics** + [ ## Configure the Harbor registry on a Snowball Edge device ](#configure-harbor-snow) + [ ## Use the Harbor registry on the Amazon EKS Anywhere admin instance on a Snowball Edge ](#use-local-registry-eksa-instance) ## Configure the Harbor registry on a Snowball Edge device See [Configure Harbor on a Snowball Edge device](https://github.com/aws-samples/aws-snow-tools-for-eks-anywhere/tree/main/container-registry-ami-builder#configure-harbor-on-a-snowball-edge-device). ## Use the Harbor registry on the Amazon EKS Anywhere admin instance on a Snowball Edge See [Import Amazon EKS Anywhere container images to the local Harbor registry on a Snowball Edge device](https://github.com/aws-samples/aws-snow-tools-for-eks-anywhere/tree/main/container-registry-ami-builder#import-eks-anywhere-container-images-to-the-local-harbor-registry-on-a-snowball-device). # Creating and maintaining clusters on Snowball Edge devices Creating and maintaining clusters ## Best practices for creating clusters on a Snowball Edge To create an Amazon EKS Anywhere cluster, refer to [Create Snow clusters](https://anywhere.eks.amazonaws.com/docs/getting-started/production-environment/snow-getstarted/). Keep the following best practices in mind when creating Amazon EKS Anywhere clusters on Snowball Edge devices: + Before creating a cluster in a static IP address range, ensure that there are no other clusters on your Snowball Edge device using the same IP address range. + Before creating a cluster with DHCP addressing on your Snowball Edge device, ensure that all static IP address ranges in use for clusters are not in the DHCP pool subnet. + When creating more than one cluster, wait until one cluster is successfully provisioned and running before you create another one. ## Upgrading clusters on a Snowball Edge To upgrade an Amazon EKS Anywhere admin AMI or EKS Distro AMI, contact AWS Support. Support will provide a Snowball Edge update containing the upgraded AMI. Then, download and install the Snowball Edge update. See [Downloading updates to Snowball Edge devices](download-updates.md) and [Installing updates to Snowball Edge devices](install-updates.md). After you upgrade your Amazon EKS Anywhere AMI, you need to start a new Amazon EKS Anywhere admin instance. See [Run an Amazon EKS Anywhere admin instance on a Snowball Edge](eksa-configuration.md#start-admin-instance). Then, copy key files, the cluster folder, credentials, and certificates from the previous admin instance to the upgraded instance. These are in a folder that's named for the cluster. ## Cleaning up cluster resources on a Snowball Edge If you create multiple clusters on your Snowball Edge devices and don't delete them correctly or if there is a problem in the cluster and the cluster creates replacement nodes after resuming, there will be resource leak. A sample script tool is available for you to modify and use to clean your Amazon EKS Anywhere admin instance and your Snowball Edge devices. See [Amazon EKS Anywhere on AWS Snow cleanup tools](https://github.com/aws-samples/aws-snow-tools-for-eks-anywhere/tree/main/cleanup-tools#eks-anywhere-on-snow-cleanup-tools).