AWS – EC2 Instance

Open the EC2 console and select Instances on the left panel to display the status of the newly created SwissPKI instance. It’s state should be either Starting or Running.


Security Group

From the same panel, click on the SwissPKI instance in order to display its description. Then locate the parameter Security Groups and click on the link to display the details of the group.

Select the tab Inbound, click on button Edit and define the following rules:

  • Allow SSH clients to connect from an external IP address to the SwissPKI instance
  • Allow load balancers to connect to the web application on port 9090 (HTTP)
  • Allow the web application to connect to the database on port 3306
  • Allow clients to connect to the load balancer through on port 443 (HTTPS)


These rules define that ports 22 and 443 should be accessible from anywhere while ports 9090 and 3306 should remain accessible only for applications inside the security group.


For the purpose of this guide, the first and last rules only allow a single external IP address to connect.

Load Balancer

From the left panel, select Load Balancers and click on button Create Load Balancer.

Step 1 – Type


Select the Application Load Balancer for HTTP HTTPS.

Step 2 – Configuration


Basic Configuration
  • Choose a unique name for your load balancer
  • Select scheme internet-facing
  • Select IP address type IPV4.


  • Add a HTTPS listener on port 443


Availability Zones
  • Select at least two availability zones
Step 3 – Security Settings


In order to use HTTPS for the listener, you must provide an SSL certificate. The load balancer uses the certificate to decrypt requests from clients before sending them in clear to the SwissPKI instance on the internal network. You can use a certificate from the AWS Certificate Manager (ACM) or import your own to the IAM profile.


For this example we import our own self-signed certificate. The private key, certificate and certificate chain must be specified in PEM format. Note that the private key must not be protected by a password.

Step 4 – Security Group


Choose the same security group you use for the SwissPKI instance.

Step 5 – Routing


Define how requests are routed from the load balancer to the SwissPKI instance.


Target Group
  • Define a new target group
  • Choose a name for the new group
  • Choose Instance as target type
  • Choose protocol HTTP
  • Choose port 9090


HTTP:9090 are the default protocol and port number the SwissPKI is listening on.


Health Checks

In order for the load balancer to check whether the application is responding or not, we specify the URL of the logout page.

  • Protolol HTTP
  • Path /logout


Advanced health check settings
  • Set Healthy threashold to 2
  • Keep default values for other parameters
Step 6 – Targets


The load balancer only send requests to registered targets. Under section Instances, select the SwissPKI instance and click on button Add to registered.

Step 7 – Review


Review the settings and click on button Create.