Setup Cloud Infrastructure in AWS Lightsail
Amazon Web Services (AWS) is one of the most popular cloud service providers in the world. It offers more than 200 cloud services to its customers and is used by organizations of all sizes. For our cloud deployment, we will use one of the computing services from AWS, called Lightsail, to build the server architecture and deploy our applications.
Amazon Lightsail is an easy-to-use and cost-effective service that can be used to deploy our applications. It's ideal for simple applications that need to be deployed to the cloud quickly. To start with AWS, we first need to create an account. If you are new to AWS, go to the following link, create an account and verify it.
https://aws.amazon.com/resources/create-account/

Once your account is verified and ready for use, log in to the AWS dashboard. You will be redirected to the dashboard if the login is successful.

From the search console, search for the Lightsail keyword and click on the appropriate search result.

Clicking on the Lightsail search result will take you to the following screen:

Now that we are ready to create Lightsail server instances, let's go through our server architecture once again:
- Total 4 server instances
- Server 1: NGINX web server
- Server 2: Application server with Node.js and docker
- Server 3: OpenVPN server
- Server 4: Database server with MySQL and redis
Since we have not worked with any databases till now, let's skip that and create the other 3 server instances.
Create Lightsail Server Instance
- Click on Create Instance button
- First choose the instance location (the location where the data center exists). Let's choose us-west-2 as our preferred region. You can choose any region that works for you. To change the AWS region, click on the Change AWS region and availability zone link button.
Region: us-west-2
- We can also change the Availability Zone to one that works for us. An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. You can choose any Availability Zone that works for you. To change the AZ, click on the Change your Availability Zone link button. Let's choose us-west-2a as our AZ.
AZ: us-west-2a

- Choose the Operating System platform on which you want to run the application services. For this series, we will work on Linux distributions.
- For selecting a blueprint, let's choose the OS Only option. We will install all the necessary dependencies ourselves.
- For the Operating System, we have many options. Any one of the available options is good for us. Let's choose the Amazon Linux 2 image for the OS.

- The Launch Script is optional. For Linux instances, it is a bash script that can be used to automatically configure the server instance with all the dependencies needed to run our application server. We will look into bash scripts in detail later.

- For the SSH key pair, a default key pair is already provided. However, for this series, let's go ahead with 3 different custom SSH key pairs.
> Web server and Application server - 1st SSH key pair
> Database server - 2nd SSH key pair
> OpenVPN server - 3rd SSH key pair
If we have multiple people in the team with different roles and responsibilities, this will help us with fine-grained access control. Usually, database servers in a production system are accessible to only a select few people. The OpenVPN server is also accessible to only a few people, usually from the DevOps and security teams. The web server and application server are usually accessible to most of the application developers.
Use the following table to create 3 sets of SSH key pairs. Assign the SSH key pairs to the appropriate server instances.
Server | SSH key pair Name |
---|---|
Web & Application | travel-app |
Database | travel-app-db |
OpenVPN | travel-app-vpn |
To create an SSH key pair, click on the Change SSH key pair link button. Click on the Create New button to create a new SSH key pair.

After we click on the Generate key pair button, a prompt screen notifies us to download the key pair. This is the only time we are able to download this SSH key pair. Once the prompt screen is closed, the SSH key pair cannot be downloaded again.
Click on Download private key and save it in a safe place. Repeat the process for the other SSH key pairs as well.

- Enable automatic snapshots for backup purposes. Pick the time for taking snapshots of the server instance.

- Time to choose the server instances for our software deployment architecture. For this course, I will choose the minimum capacity instances that we can get away with. You can choose lower or higher capacity servers. For production systems, we want higher capacity servers.
At the time of writing this article, the following image shows the pricing plan:

Refer to the following table to create 3 server instances:
Server | Instance plan |
---|---|
Web & Application | $5 - 1 GB memory, 1vCPU, 40 GB SSD and 2TB data transfer |
Database | $10 - 2 GB memory, 1vCPU, 60 GB SSD and 3TB data transfer |
OpenVPN | $3.5 - 512 MB memory, 1vCPU, 20 GB SSD and 1TB data transfer |
- Give descriptive names to identify the server instances. I will use the following names, from which we can easily identify the servers.
Server | Name |
---|---|
Web | travel-app-web-server |
Application | travel-app-application-server |
Database | travel-app-db-server |
OpenVPN | travel-app-vpn-server |
- For tags also, we can refer to the above table

- Finally, click on the Create Instance button to create the server. Follow the same process to create all the other server instances as well.
It will take a few minutes to get all the server instances up and running.

Now that we have all the three server instances up and running, it's time to configure all three according to our server deployment architecture.
Note: In AWS Lightsail, we cannot create a server instance with only a private IP attached to it. By default, both a public IP and a private IP address are attached to it. To create server instances with a private IP only, we can use the EC2 computing service. Even though a public IP address is attached to our application server and db server, we will configure the security rules in such a way that the servers cannot be accessed from the internet.
Server 1 - travel-app-vpn-server
- Click on travel-app-vpn-server instance

Navigate through all the tabs to learn more about the Lightsail instance features.
- Navigate to the Networking tab:
We will attach a static IP address to this server instance. The public IP address changes every time you stop and then start the server again, and that change in public IP address can cause critical issues with the delivery of services. A static IP address resolves this issue.

Click on the Create Static IP link button.
- For the location, the Region and Availability Zone are already assigned according to the instance configuration.
- The instance for attaching the static IP address is already selected.
- Provide an identifying name for this static IP. You can refer to the table above that we used for naming the servers.

After you create your static IP, it will look like the image below. If you want to remove the static IP from the server instance, you can click on the Detach link button.

- Navigate again to the Networking tab of the VPN server instance details:
You will now see the static IP address replacing the public IP address. We will use that static IP address for SSH access to our web, application and db servers.
Now, it's time to configure the security rules using the firewall. Refer to the following table for the IPv4 firewall rules configuration:
Application | Protocol | Port or range/code | Restricted to |
---|---|---|---|
SSH | TCP | 22 | Any IPv4 address - 0.0.0.0/0, until OpenVPN server is up and running; Lightsail browser SSH/RDP |
HTTPS | TCP | 443 | Any IPv4 address - 0.0.0.0/0 |
Custom | UDP | 1194 | Any IPv4 address - 0.0.0.0/0 |
We only need to open UDP port 1194 or TCP port 443, based on our OpenVPN configuration.

- Enable IPv6 networking if not already enabled. IPv6 networking is enabled by default.
- Remove SSH rules from the IPv6 firewall rules. We will not allow SSH access to IPv6 addresses.
- Refer to the following table for the IPv6 firewall rules configuration:
Application | Protocol | Port or range/code | Restricted to |
---|---|---|---|
HTTPS | TCP | 443 | Any IPv6 address |
Custom | UDP | 1194 | Any IPv6 address |

Server 2 - travel-app-web-server
- Create a static IP address for the web server

- Refer to the following table for the IPv4 firewall rules configuration:
Application | Protocol | Port or range/code | Restricted to |
---|---|---|---|
SSH | TCP | 22 | Static IP address of OpenVPN server instance; Lightsail browser SSH/RDP |
HTTP | TCP | 80 | Any IPv4 address - 0.0.0.0/0 |
HTTPS | TCP | 443 | Any IPv4 address - 0.0.0.0/0 |

To restrict port access to specific IP addresses, click on the edit icon in the firewall rules section and then enable the Restrict to IP address checkbox. A source IP address textbox will appear. Enter the IP address in the textbox and click on the Save button. Only the specified IP addresses will now have access to that configured port.

- Enable IPv6 networking if not already enabled. IPv6 networking is enabled by default.
- Remove SSH rules from the IPv6 firewall rules. We will not allow SSH access to IPv6 addresses.
- Refer to the following table for the IPv6 firewall rules configuration:
Application | Protocol | Port or range/code | Restricted to |
---|---|---|---|
HTTP | TCP | 80 | Any IPv6 address |
HTTPS | TCP | 443 | Any IPv6 address |

Server 3 - travel-app-application-server
- No static IP address is needed for the application server

- Remove the already assigned HTTP firewall rule.
- Refer to the following table for the IPv4 firewall rules configuration:
Application | Protocol | Port or range/code | Restricted to |
---|---|---|---|
SSH | TCP | 22 | Static IP address of OpenVPN server instance; Lightsail browser SSH/RDP |
Custom | TCP | 3000 | Private IP address of web server (Nginx) |
- Disable IPv6 networking. IPv6 networking is enabled by default.

Server 4 - travel-app-db-server
- No static IP address is needed for the db server
- Remove the already assigned HTTP firewall rule.
- Refer to the following table for the IPv4 firewall rules configuration:
Application | Protocol | Port or range/code | Restricted to |
---|---|---|---|
SSH | TCP | 22 | Static IP address of OpenVPN server instance; Lightsail browser SSH/RDP |
Custom | TCP | 6379 | Private IP address of application server (Docker with Node.js) |
Custom | TCP | 3306 | Private IP address of application server (Docker with Node.js) |
- Disable IPv6 networking. IPv6 networking is enabled by default.
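
As an added example (not part of the original tutorial), the following Python check compares an instance's firewall rules against the tables above and flags any port that is open to all addresses but is not listed as public for that server. The rule fields follow the JSON printed by `aws lightsail get-instance-port-states`; the sample rules and the private address in them are constructed.

```python
import ipaddress

# Ports the tables above allow from any address, per instance.
PUBLIC_OK = {
    "travel-app-vpn-server": {("tcp", 443), ("udp", 1194)},
    "travel-app-web-server": {("tcp", 80), ("tcp", 443)},
    "travel-app-application-server": set(),
    "travel-app-db-server": set(),
}

def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (a zero-length prefix)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit(instance, port_states):
    """List open rules reachable from any address that the tables do not allow."""
    findings = []
    for ps in port_states:
        # ICMP entries carry type/code rather than ports, so they are skipped here.
        if ps.get("state", "open") != "open" or ps["protocol"].startswith("icmp"):
            continue
        world = [c for c in ps.get("cidrs", []) + ps.get("ipv6Cidrs", []) if is_world(c)]
        ports = range(ps["fromPort"], ps["toPort"] + 1)
        if world and any((ps["protocol"], p) not in PUBLIC_OK[instance] for p in ports):
            span = str(ps["fromPort"]) if ps["fromPort"] == ps["toPort"] else f"{ps['fromPort']}-{ps['toPort']}"
            findings.append(f"{instance}: {ps['protocol']}/{span} open to {', '.join(world)}")
    return findings

def rule(proto, port, cidrs, ipv6=()):
    """Build one constructed port-state entry for the sample below."""
    return {"fromPort": port, "toPort": port, "protocol": proto, "state": "open",
            "cidrs": list(cidrs), "ipv6Cidrs": list(ipv6)}

# Constructed sample: SSH on the VPN server is still world-open (the temporary
# state from the table), and Redis on the db server was left unrestricted.
SAMPLE = {
    "travel-app-vpn-server": [rule("tcp", 22, ["0.0.0.0/0"]),
                              rule("udp", 1194, ["0.0.0.0/0"], ["::/0"])],
    "travel-app-db-server": [rule("tcp", 3306, ["172.26.0.10/32"]),
                             rule("tcp", 6379, ["0.0.0.0/0"])],
}

if __name__ == "__main__":
    for name, states in SAMPLE.items():
        for finding in audit(name, states):
            print(finding)
```

The SSH finding on the VPN server is expected while OpenVPN is being set up and should disappear once port 22 is restricted.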
All of our servers are now ready for us to install the necessary software dependencies and then run our application services. Kudos to you for getting through this. In our upcoming chapters, we will gradually add enhancements to our current server deployment architecture. The current one is a very basic implementation.
One thing to consider with Lightsail instances is that there is no auto scale feature available, and upgrading or downgrading a server instance is not straightforward. We have to create a snapshot of the running instance and then use that snapshot to either upgrade to higher capacity servers or downgrade to lower capacity servers.
In our next chapter, we will discuss running a Node.js server using Docker containers on the cloud server.