How can I associate an Application Load Balancer with my Lightsail instance?

6 minute read

I want to use the features of an Amazon Application Load Balancer on my Amazon Lightsail instance. How do I do that?

Short description

You can use a Lightsail load balancer to add redundancy to your web application or to handle more web traffic. You can also use a Lightsail load balancer to install an Amazon provided SSL certificate for your website hosted in a Lightsail instance

However, the Lightsail load balancer has limitations when compared to the Amazon Application Load Balancer. Some of the areas Application Load Balancer provides increased flexibility include the following:

  • Flexibility in load balancer health checks.
  • End-to-end encryption of data in transit between the load balancer and the instance.
  • Use of firewall services such as AWS WAF, and so on.

If you want to use these features for your website in Lightsail, you can associate an Application Load Balancer with the Lightsail instance. To set up Application Load Balancer, do the following:

  1. Configure Amazon VPC peering in Lightsail to allow the instance to connect to AWS resources such as Application Load Balancer.
  2. (Optional) Generate an AWS Certificate Manager (ACM) SSL certificate if you want to associate it with your website.
  3. Configure the Load Balancer with the target in the target group set to the Lightsail instance's private IP address.
  4. Point your domain to the new load balancer in DNS.


Configure VPC peering in Lightsail

For instructions on configuring VPC peering, see Set up Amazon VPC peering to work with AWS resources outside of Lightsail.

You must to activate VPC peering for the Region where your Lightsail instance is located. To do this, you must have a default Amazon VPC in that Region and the necessary AWS Identity and Access Management (IAM) permissions. For more information, see What are the minimum IAM permissions needed to set up communication between Lightsail and other AWS services using VPC peering?

To check whether you have a default VPC, see View your default VPC and default subnets.

If you don’t have a default Amazon VPC, then you can create one. To learn more, see Create a default VPC.

(Optional) Generate an ACM certificate

To associate an ACM certificate with your domain and access websites using HTTPS, see Requesting a public certificate using the console.

It's a best practice to give two names to the certificate. For example, and * By doing this, the same certificate can be used for the main domain and for subdomains, such as or Keep in mind that this doesn't cover a Wildcard SSL certificate for two levels for the subdomain, for example

It's also a best practice to use DNS domain validation instead of email validation. DNS validation has multiple benefits over email validation.

If you have issues validating the ownership of the domain using either DNS or email, see the following:

Configure the target group for the load balancer and register the target

For instructions, see Configure a target group.

When configuring your target, keep the following in mind:

  • Make sure to choose IP as the target type.
  • Keep the protocol as HTTP and port as 80 if you don't have an SSL certificate installed inside your Lightsail instance. Make sure that there aren't any HTTPs redirections configured inside your instance. Otherwise, this might cause an infinite redirection loop error.
  • Keep the protocol as HTTPS and the port as 443. If you want to encrypt the data in transit from the Application Load Balancer to your Lightsail instance. Make sure that you have an SSL certificate installed in your instance for this.
  • Choose the default VPC in the VPC section
  • In the Register target section, choose Other Private IP addresses under Network and specify the private IP address of your Lightsail instance. For information on obtaining the private IP address of your Lightsail instance, see Private and public IPv4 addresses for instances.

Configure the load balancer

For instructions, see Configure a load balancer and a listener.

When configuring the load balancer, keep the following in mind:

  • Make sure that you choose the default VPC and at least two Availability Zones. You can choose any Availability Zones.
  • Choose a security group or create a new one. Make sure that the security group has port 80 open. Also, open port 443 if you're attaching an ACM certificate with the load balancer.
  • Add a new HTTPS listener if you want to access your website with HTTPS using an ACM certificate.
  • Point both the HTTP and the HTTPS listener to the target group created in the previous step.

Update the DNS entries of the domain to point to the ALB DNS name

It's a best practice to use Amazon name servers and Amazon Route 53 for the domains that use Application Load Balancer with the website. This is because AWS provides the DNS name for the load balancer, not the IP address. Most name servers don't support adding a hostname for apex domain, such as They only support this for subdomains such as or However, Route 53 provides the alias feature that allows you to directly point the apex domain,, to the load balancer DNS name.

Note: Even if you use Lightsail DNS for your domain, you must switch the DNS to Route 53. This is because it's not possible to point the apex domain to the Application Load balancer DNS name in Lightsail DNS.

To update the name servers of the domain to Amazon, if it's not already using Amazon, see Making Route 53 the DNS service for a domain that's in use.

To get the DNS name for a load balancer, see Getting the DNS name for an ELB load balancer.

To update your Route 53 hosted zone to point the domain to the load balancer DNS name, see Routing traffic to an ELB load balancer.

Note: If there are already DNS records for the domain in Route 53 that are pointing to an EC2 instance IP address, edit those records instead of adding new records.

Final check

Access the domain in your browser and confirm that the website is loading correctly. Now that you have connected an Application Load Balancer with your Lightsail instance, you can use its different features that aren't present with Lightsail Load Balancer. You can also set up firewall services such as AWS WAF.

AWS OFFICIALUpdated a year ago