Setup Cloud Infrastructure in AWS Lightsail

Amazon Web Services (AWS) is one of the most popular cloud service providers in the world. It offers more than 200 cloud services and is used by organizations of all sizes. For our cloud deployment, we will use one of the compute services from AWS, called Lightsail, to build the server architecture and deploy our applications.

Amazon Lightsail is an easy-to-use and cost-effective service for deploying our applications. It is ideal for simple applications that need to be deployed to the cloud quickly. To start with AWS, we first need to create an account. If you are new to AWS, go to the following link, create an account and verify it.

https://aws.amazon.com/resources/create-account/

AWS Create Account

Once your account is verified and ready for use, log in to the AWS dashboard. You will be redirected to the dashboard if the login is successful.

AWS Dashboard

From the search console, search for the keyword Lightsail and click on the appropriate search result.

AWS Lightsail search result

Clicking on the Lightsail search result will take you to the following screen:

AWS Lightsail dashboard

Now that we are ready to create Lightsail server instances, let's go through our server architecture once again:

- Total of 4 server instances:
  - Server 1: NGINX web server
  - Server 2: Application server with Node.js and Docker
  - Server 3: OpenVPN server
  - Server 4: Database server with MySQL and Redis

Since we have not worked with any databases so far, let's skip that one and create the other 3 server instances.

Create Lightsail Server Instance

  • Click on Create Instance button
  • First choose the instance location. Let's choose us-west-2 as our preferred region (the location where the data center exists); you can choose any region that works for you. To change the AWS region, click on the Change AWS region and availability zone link button.
    Region: us-west-2
  • We can also change the Availability Zone. An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. You can choose any Availability Zone that works for you. To change the AZ, click on the Change your Availability Zone link button. Let's choose us-west-2a as our AZ.

AZ: us-west-2a

AWS Region and Availability Zone

  • Choose the operating system platform on which you want to run the application services. For this series, we will work on Linux distributions.
  • For the blueprint, let's choose the OS Only option. We will install all the necessary dependencies ourselves.
  • For the operating system, we have many options, and any of them is fine for us. Let's choose the Amazon Linux 2 image.
AWS instance OS image
  • Launch Script is optional. For Linux instances, it is the content of a bash script that can be used to automatically configure this server instance with all the dependencies needed to run our application server. We will look into bash scripts later in detail.
AWS instance launch script
  • For the SSH key pair, a default key pair is already provided. However, for this series, let's go ahead with 3 different custom SSH key pairs.

    > Web server and Application server - 1st SSH key pair
    > Database server - 2nd SSH key pair
    > OpenVPN server - 3rd SSH key pair

    If we have multiple people on the team with different roles and responsibilities, this helps us with fine-grained access control. Usually, database servers in a production system are accessible to very few select people. The OpenVPN server is also accessible to few people, usually from the DevOps and security teams. The web server and application server are usually accessible to most of the application developers.

Use the following table to create the 3 SSH key pairs. Assign each SSH key pair to the appropriate server instances.

| Server | SSH key pair name |
|---|---|
| Web & Application | travel-app |
| Database | travel-app-db |
| OpenVPN | travel-app-vpn |

To create an SSH key pair, click on the Change SSH key pair link button, then click on the Create New button to create a new SSH key pair.


After clicking on the Generate key pair button, a prompt screen asks us to download the key pair. This is the only time we are able to download this SSH key pair; once you close this prompt screen, it can no longer be downloaded.

Click on Download private key and save it in a safe place. Repeat the process for the other SSH key pairs as well.

  • Enable automatic snapshots for backup purposes. Pick the time of day for taking snapshots of the server instance.
AWS SSH key pair list
  • Time to choose the instance plans for our software deployment architecture. For this course, I will choose the minimum capacity instances that we can get away with. You can choose lower or higher capacity servers. For production systems, we want higher capacity servers.

At the time of writing this article, the following image shows the pricing plans:

AWS instance plan

Refer to the following table to create the 3 server instances:

| Server | Instance plan |
|---|---|
| Web & Application | $5 - 1 GB memory, 1 vCPU, 40 GB SSD and 2 TB data transfer |
| Database | $10 - 2 GB memory, 1 vCPU, 60 GB SSD and 3 TB data transfer |
| OpenVPN | $3.5 - 512 MB memory, 1 vCPU, 20 GB SSD and 1 TB data transfer |

  • Give descriptive names to the server instances. I will use the following names, from which we can easily identify the servers.

| Server | Name |
|---|---|
| Web | travel-app-web-server |
| Application | travel-app-application-server |
| Database | travel-app-db-server |
| OpenVPN | travel-app-vpn-server |

  • For tags as well, we can refer to the above table.
AWS instance tags

  • Finally, click on the Create Instance button to create the server. Follow the same process to create the remaining server instances.

It will take a few minutes for all the server instances to be up and running.

AWS instance up and running
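The same instance creation as a boto3 script, added here as an example (not code from the article). It assumes the key pairs were already created in the console as described above and are referenced by name, and that the bundle ids nano_2_0, micro_2_0 and small_2_0 and the blueprint id amazon_linux_2 correspond to the plans the article picks; confirm them with client.get_bundles() and client.get_blueprints() before running.

```python
"""Create the article's four Lightsail instances with boto3 instead of the console.
Added example, not code from the original article. Parameter names follow the boto3
Lightsail API; bundle and blueprint ids are assumed to match the article's plans (check
client.get_bundles() and client.get_blueprints()). Key pairs are created in the console
as the article describes and referenced here by name."""
import time

REGION, AZ, BLUEPRINT = "us-west-2", "us-west-2a", "amazon_linux_2"
SNAPSHOT_TIME = "06:00"  # daily automatic snapshot time (UTC); assumption, pick your own

# server name -> (SSH key pair, bundle id), following the article's three tables
SERVERS = {
    "travel-app-vpn-server":         ("travel-app-vpn", "nano_2_0"),   # $3.5 plan
    "travel-app-web-server":         ("travel-app",     "micro_2_0"),  # $5 plan
    "travel-app-application-server": ("travel-app",     "micro_2_0"),  # $5 plan
    "travel-app-db-server":          ("travel-app-db",  "small_2_0"),  # $10 plan
}
STATIC_IP_SERVERS = ("travel-app-vpn-server", "travel-app-web-server")

def create_request(name, servers=SERVERS):
    """Build the create_instances() keyword arguments for one server from the plan."""
    key_pair, bundle = servers[name]
    return dict(instanceNames=[name], availabilityZone=AZ, blueprintId=BLUEPRINT,
                bundleId=bundle, keyPairName=key_pair,
                tags=[{"key": "Name", "value": name}],
                addOns=[{"addOnType": "AutoSnapshot",
                         "autoSnapshotAddOnRequest": {"snapshotTimeOfDay": SNAPSHOT_TIME}}])

def wait_running(client, name, attempts=60, delay=5):
    """Poll get_instance() until the instance reports the 'running' state."""
    for _ in range(attempts):
        if client.get_instance(instanceName=name)["instance"]["state"]["name"] == "running":
            return True
        time.sleep(delay)
    return False

def provision(client):
    for name in SERVERS:
        client.create_instances(**create_request(name))
    for name in STATIC_IP_SERVERS:  # the VPN and web servers need a fixed public address
        if wait_running(client, name):
            client.allocate_static_ip(staticIpName=f"{name}-ip")
            client.attach_static_ip(staticIpName=f"{name}-ip", instanceName=name)

if __name__ == "__main__":
    import boto3  # imported here so the plan can be inspected without boto3 installed
    provision(boto3.client("lightsail", region_name=REGION))
```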

Now that we have all three server instances up and running, it's time to configure them according to our server deployment architecture.

Note: In AWS Lightsail, we cannot create a server instance with only a private IP attached to it. By default, both a public IP and a private IP address are attached. To create server instances with a private IP only, we can use the EC2 compute service. Even though a public IP address is attached to our application server and DB server, we will configure the firewall rules in such a way that those servers cannot be accessed from the internet.

Server 1 - travel-app-vpn-server

  • Click on travel-app-vpn-server instance
AWS instance vpn server

Navigate through all the tabs to learn more about Lightsail instance features.

  • Navigate to the Networking tab:

We will attach a static IP address to this server instance. The public IP address changes every time you stop and then start the server again, and that change can cause critical issues with the delivery of services. A static IP address resolves this issue.

AWS instance static ip address

Click on the Create Static IP link button.

- For location, the Region and Availability Zone are already assigned according to the instance configuration.
- The instance to attach the static IP address to is already selected.
- Provide an identifying name for this static IP; you can refer to the table above that we used for naming servers.

AWS instance static ip create

After you create your static IP, it will look like the image below. If you want to remove the static IP from the server instance, you can click on the Detach link button.

AWS instance static ip details

  • Again navigate to the Networking tab of the VPN server instance details:

    You will now see the static IP address replacing the public IP address. We will use that static IP address for SSH access to our web, application and DB servers.

    Now it's time to configure the security rules using the firewall. Refer to the following table for the IPv4 firewall rule configuration:

| Application | Protocol | Port or range/code | Restricted to |
|---|---|---|---|
| SSH | TCP | 22 | Any IPv4 address - 0.0.0.0/0, until the OpenVPN server is up and running; Lightsail browser SSH/RDP |
| HTTPS | TCP | 443 | Any IPv4 address - 0.0.0.0/0 |
| Custom | UDP | 1194 | Any IPv4 address - 0.0.0.0/0 |

We only need to open UDP port 1194 or TCP port 443, depending on our OpenVPN configuration.

AWS instance IPV4 firewall rules

  • Enable IPv6 networking if not already enabled (it is enabled by default).
  • Refer to the following table for the IPv6 firewall rule configuration:

    - Remove the SSH rule from the IPv6 firewall rules. We will not allow SSH access from IPv6 addresses.

| Application | Protocol | Port or range/code | Restricted to |
|---|---|---|---|
| HTTPS | TCP | 443 | Any IPv6 address |
| Custom | UDP | 1194 | Any IPv6 address |
AWS instance IPV6 firewall rules

Server 2 - travel-app-web-server

  • Create a static IP address for the web server
AWS instance web server details
  • Refer to the following table for the IPv4 firewall rule configuration:

| Application | Protocol | Port or range/code | Restricted to |
|---|---|---|---|
| SSH | TCP | 22 | Static IP address of the OpenVPN server instance; Lightsail browser SSH/RDP |
| HTTP | TCP | 80 | Any IPv4 address - 0.0.0.0/0 |
| HTTPS | TCP | 443 | Any IPv4 address - 0.0.0.0/0 |

AWS instance web server IPV4 firewall rules

To restrict access to a port to specific IP addresses, click on the edit icon in the firewall rules section and enable the Restrict to IP address checkbox. A source IP address textbox will appear. Enter the IP address in the textbox and click on the Save button. Only the specified IP addresses will now have access to that port.

AWS instance web server IPV4 firewall rules with ip restriction

  • Enable IPv6 networking if not already enabled (it is enabled by default).
  • Refer to the following table for the IPv6 firewall rule configuration:

    - Remove the SSH rule from the IPv6 firewall rules. We will not allow SSH access from IPv6 addresses.

| Application | Protocol | Port or range/code | Restricted to |
|---|---|---|---|
| HTTP | TCP | 80 | Any IPv6 address |
| HTTPS | TCP | 443 | Any IPv6 address |

AWS instance web server IPV6 firewall rules

Server 3 - travel-app-application-server

  • No need for a static IP address for the application server
AWS instance application server details
  • Refer to the following table for the IPv4 firewall rule configuration:

    Remove the already assigned HTTP firewall rule.

| Application | Protocol | Port or range/code | Restricted to |
|---|---|---|---|
| SSH | TCP | 22 | Static IP address of the OpenVPN server instance; Lightsail browser SSH/RDP |
| Custom | TCP | 3000 | Private IP address of the web server (NGINX) |

  • Disable IPv6 networking (it is enabled by default).
AWS instance application server networking details

Server 4 - travel-app-db-server

  • No need for a static IP address for the DB server
  • Refer to the following table for the IPv4 firewall rule configuration:

    Remove the already assigned HTTP firewall rule.

| Application | Protocol | Port or range/code | Restricted to |
|---|---|---|---|
| SSH | TCP | 22 | Static IP address of the OpenVPN server instance; Lightsail browser SSH/RDP |
| Custom | TCP | 6379 | Private IP address of the application server (Docker with Node.js) |
| Custom | TCP | 3306 | Private IP address of the application server (Docker with Node.js) |

  • Disable IPv6 networking (it is enabled by default).
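The firewall tables for all four servers as a single Python plan, with a drift check that compares an instance's live port states against it. This is an added example, not code from the article; the three IP addresses in it are constructed placeholders, and the port-state shape follows what the Lightsail get_instance_port_states API returns.

```python
"""Firewall plan for the four travel-app servers plus a drift check against it.
Added example, not from the original article; IP addresses are constructed placeholders."""

VPN_STATIC_IP = "203.0.113.10"    # static IP of travel-app-vpn-server (placeholder)
WEB_PRIVATE_IP = "172.26.0.20"    # private IP of travel-app-web-server (placeholder)
APP_PRIVATE_IP = "172.26.0.30"    # private IP of travel-app-application-server (placeholder)
CONSOLE_SSH = "lightsail-connect"  # alias behind the "Lightsail browser SSH/RDP" checkbox

def rule(port, protocol, cidrs=(), aliases=()):
    return {"fromPort": port, "toPort": port, "protocol": protocol,
            "cidrs": list(cidrs), "ipv6Cidrs": [], "cidrListAliases": list(aliases)}

def expected_rules(vpn_ip=VPN_STATIC_IP, web_ip=WEB_PRIVATE_IP, app_ip=APP_PRIVATE_IP):
    """IPv4 rules per server as in the article's tables: SSH only from the VPN static IP,
    backend ports only from the private IP of the server directly in front of them."""
    anywhere = ["0.0.0.0/0"]
    ssh_from_vpn = rule(22, "tcp", [f"{vpn_ip}/32"], [CONSOLE_SSH])
    return {
        # SSH on the VPN server stays world-open only until OpenVPN is up (per the article).
        "travel-app-vpn-server": [rule(22, "tcp", anywhere, [CONSOLE_SSH]),
                                  rule(443, "tcp", anywhere), rule(1194, "udp", anywhere)],
        "travel-app-web-server": [ssh_from_vpn, rule(80, "tcp", anywhere), rule(443, "tcp", anywhere)],
        "travel-app-application-server": [ssh_from_vpn, rule(3000, "tcp", [f"{web_ip}/32"])],
        "travel-app-db-server": [ssh_from_vpn, rule(6379, "tcp", [f"{app_ip}/32"]),
                                 rule(3306, "tcp", [f"{app_ip}/32"])],
    }

def audit(server, port_states, plan=None):
    """Diff get_instance_port_states()['portStates'] for `server` against the plan; [] means no drift."""
    want = {(r["fromPort"], r["protocol"]): r for r in (plan or expected_rules())[server]}
    seen, findings = set(), []
    for ps in port_states:
        key = (ps["fromPort"], ps["protocol"])
        seen.add(key)
        if key not in want:
            findings.append(f"{server}: unexpected open port {key[1]}/{key[0]}")
        elif set(ps.get("cidrs", [])) - set(want[key]["cidrs"]):
            findings.append(f"{server}: {key[1]}/{key[0]} open to {ps['cidrs']}")
        if key[0] == 22 and ps.get("ipv6Cidrs"):  # article: no SSH over IPv6 anywhere
            findings.append(f"{server}: SSH reachable over IPv6")
    for key in sorted(want.keys() - seen):
        findings.append(f"{server}: planned rule {key[1]}/{key[0]} is missing")
    return findings

# Constructed sample: a db server with SSH left world-open and the Redis rule never added.
SAMPLE_DB_PORT_STATES = [
    {"fromPort": 22, "toPort": 22, "protocol": "tcp", "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": [], "cidrListAliases": ["lightsail-connect"]},
    {"fromPort": 3306, "toPort": 3306, "protocol": "tcp", "cidrs": [f"{APP_PRIVATE_IP}/32"], "ipv6Cidrs": [], "cidrListAliases": []},
]
```

To apply the plan, pass each server's list from expected_rules() as portInfos to put_instance_public_ports(); to check drift, feed the portStates from get_instance_port_states() to audit().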

All of our servers are ready for installing the necessary software dependencies and then running our application services. Kudos to you for getting through this. In the upcoming chapters, we will gradually add enhancements to our current server deployment architecture; the current one is a very basic implementation.

One thing to consider with Lightsail instances is that there is no auto-scaling feature, and upgrading or downgrading a server instance is not straightforward: we have to create a snapshot of the running instance and then use that snapshot to create either a higher or a lower capacity server.

In the next chapter, we will discuss running the Node.js server in Docker containers on the cloud server.
