How can I associate an Application Load Balancer with my Lightsail instance?

6 minute read

I want to use the features of an Amazon Application Load Balancer on my Amazon Lightsail instance.

Short description

Use a Lightsail load balancer to add redundancy to your web application or to handle more web traffic. You can also use a Lightsail load balancer to install an Amazon provided SSL certificate for your website hosted in a Lightsail instance

A Lightsail load balancer has some limitations. An Application Load Balancer provides increased flexibility in these areas:

  • Load balancer health checks
  • End-to-end encryption of data in transit between the load balancer and the instance
  • Use of firewall services such as AWS WAF

To use these features for your website in Lightsail, you must associate an Application Load Balancer with the Lightsail instance. Use the following steps to set up Application Load Balancer.


Configure VPC peering in Lightsail

For instructions on how to configure VPC peering, see Set up Amazon VPC peering to work with AWS resources outside of Lightsail.

You must to activate VPC peering for the Region where your Lightsail instance is located. To do this, you must have a default Amazon VPC in that Region and the necessary AWS Identity and Access Management (IAM) permissions. For more information, see What are the minimum IAM permissions needed to set up communication between Amazon Lightsail and other AWS services using VPC peering?

To check whether you have a default VPC, see View your default VPC and default subnets.

If you don't have a default Amazon VPC, then create one. To learn more, see Create a default VPC.

(Optional) Generate an ACM certificate

To associate an ACM certificate with your domain and access websites that use HTTPS, see Requesting a public certificate using the console.

It's a best practice to give two names to the certificate. For example, and * This way, the same certificate can be used for both the main domain and for the subdomains, such as or Note that this solution doesn't cover a wildcard SSL certificate for two levels for the subdomain. For example:

It's a best practice to use DNS domain validation instead of email validation.

If you have issues with ownership validation of the domain with either DNS or email, see the following:

Configure the target group for the load balancer and register the target

For instructions, see Configure a target group.

When you configure your target, note the following:

  • Make sure to choose IP as the target type.
  • Keep the protocol as HTTP and port as 80 if you don't have an SSL certificate installed inside your Lightsail instance. Make sure that there aren't any HTTPs redirections configured inside your instance. Otherwise, you might get an infinite redirection loop error.
  • To encrypt the data in transit from the Application Load Balancer to your Lightsail instance, keep the protocol as HTTPS and the port as 443. Make sure that you have an SSL certificate installed in your instance to do this.
  • Choose the default VPC in the VPC section
  • In the Register target section, choose Other Private IP addresses under Network, and then specify the private IP address of your Lightsail instance. For information on how to find the private IP address of your Lightsail instance, see Private and public IPv4 addresses for instances.

Configure the load balancer

For instructions, see Configure a load balancer and a listener.

When you configure the load balancer, note the following:

  • Make sure that you choose the default VPC and at least two Availability Zones. You can choose any Availability Zones.
  • Choose a security group or create a new one. Make sure that the security group has port 80 open. Also, if you attach an ACM certificate with the load balancer, then open port 443.
  • Add a new HTTPS listener if you want to access your website with HTTPS through an ACM certificate.
  • Point both the HTTP and the HTTPS listener to the target group created in the previous step.

Update the DNS entries of the domain to point to the ALB DNS name

It's a best practice to use Amazon name servers and Amazon Route 53 for the domains that use Application Load Balancer with the website. AWS provides the DNS name for the load balancer, not the IP address. Most name servers don't support a hostname for apex domain, such as They only support this for subdomains such as or However, Route 53 provides the alias feature that allows you to directly point the apex domain,, to the load balancer DNS name.

Note: Even if you use Lightsail DNS for your domain, you must switch the DNS to Route 53. It's not possible to point the apex domain to the Application Load Balancer DNS name in Lightsail DNS.

To update the name servers of the domain to Amazon, if it doesn't use Amazon, see Making Route 53 the DNS service for a domain that's in use.

To get the DNS name for a load balancer, see Getting the DNS name for an Elastic Load Balancing load balancer.

To update your Route 53 hosted zone to point the domain to the load balancer DNS name, see Routing traffic to an Elastic Load Balancing load balancer.

Note: If there are already DNS records for the domain in Route 53 that point to an EC2 instance IP address, edit those records. Don't create new records.

Confirm the website loads correctly

Access the domain in your browser and confirm that the website loads correctly. Now that you have connected an Application Load Balancer with your Lightsail instance, you can use the features not present with Lightsail Load Balancer.

AWS OFFICIALUpdated 3 months ago