

# Virtual private server instances in Lightsail
<a name="understanding-instances-virtual-private-servers-in-amazon-lightsail"></a>

Your Lightsail instance is a virtual private server (also called a *virtual machine*). When you create your instance, you choose an image that has an operating system (OS) on it. You can also choose an instance image that has an application or development stack on it, including the base OS.

For a complete list of operating systems, applications, and development frameworks, see [Choose a Lightsail instance image](compare-options-choose-lightsail-instance-image.md).

See the following topics for more information about instances:

**Topics**
+ [Create an instance](how-to-create-amazon-lightsail-instance-virtual-private-server-vps.md)
+ [Blueprints](compare-options-choose-lightsail-instance-image.md)
+ [Bundles](amazon-lightsail-bundles.md)
+ [Instance firewalls](understanding-firewall-and-port-mappings-in-amazon-lightsail.md)
+ [Burst capacity and performance](amazon-lightsail-viewing-instance-burst-capacity.md)
+ [Instance management](managing-your-instance-using-lightsail.md)
+ [Delete instances](delete-an-amazon-lightsail-instance.md)
+ [SSH and connecting to instances](understanding-ssh-in-amazon-lightsail.md)
+ [Instance Metadata Service](amazon-lightsail-instance-metadata.md)

# Create a Lightsail instance
<a name="how-to-create-amazon-lightsail-instance-virtual-private-server-vps"></a>

This section covers the following topics related to creating instances in Amazon Lightsail:

**Topics**
+ [Create Linux/Unix instances with apps on Lightsail](getting-started-with-amazon-lightsail.md)
+ [Create Windows Server instances in Lightsail](get-started-with-windows-based-instances-in-lightsail.md)

# Create Linux/Unix instances with apps on Lightsail
<a name="getting-started-with-amazon-lightsail"></a>

**Did you know?**  
Lightsail stores seven daily snapshots and automatically replaces the oldest with the newest when you enable automatic snapshots for your instance. For more information, see [Configure automatic snapshots for Lightsail instances and disks](https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-configuring-automatic-snapshots.html).

Create a Linux/Unix-based Amazon Lightsail instance (a virtual private server) running an application like WordPress or a development stack like LAMP. After your instance starts running, you can connect to it via SSH without leaving Lightsail. Here's how.

To create a Windows-based instance, see [Get started with Windows-based instances in Amazon Lightsail](get-started-with-windows-based-instances-in-lightsail.md).

## Create a Linux-based instance
<a name="getting-started-create-an-instance"></a>

1. On the home page, choose **Create instance**.

1. Select a location for your instance (an AWS Region and Availability Zone).

   Choose **Change AWS Region and Availability Zone** to create your instance in another location.

1. Optionally, you can change the Availability Zone.

   Choose **Change your Availability Zone**.

1. Choose the Linux platform.

1. Pick an application (**Apps + OS**) or an operating system (**OS Only**).

   To learn more about Lightsail instance images, see [Choose an Amazon Lightsail instance image](compare-options-choose-lightsail-instance-image.md).

1. Choose your instance plan.

   Choose whether your instance uses dual-stack (IPv4 and IPv6) or IPv6-only networking. Some Lightsail blueprints don't support IPv6-only networking at this time. To see which blueprints support IPv6-only networking, see [Review the Lightsail instance blueprint offerings](compare-options-choose-lightsail-instance-image.md).

   You can try the \$15 USD Lightsail plan free for one month (up to 750 hours). We will credit one free month to your account. Learn more on our [Lightsail pricing page](http://www.amazonlightsail.com/pricing/).
**Note**  
As part of the AWS Free Tier, you can get started with Amazon Lightsail for free on select instance bundles. For more information, see **AWS Free Tier** on the [Amazon Lightsail Pricing page](https://aws.amazon.com/lightsail/pricing).

1. Enter a name for your instance.

   Resource names:
   + Must be unique within each AWS Region in your Lightsail account.
   + Must contain 2 to 255 characters.
   + Must start and end with an alphanumeric character or number.
   + Can include alphanumeric characters, numbers, periods, dashes, and underscores.

1. (Optional) Choose **Add new tag** to add a tag to your instance. Repeat this step as needed to add additional tags. For more information on tag usage, see [Tags](amazon-lightsail-tags.md).

   1. For **Key**, enter a tag key.  
![\[A tag with only the tag key specified in the Lightsail create instance workflow.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-instance-key-name-only-tags.png)

   1. (Optional) For **Value**, enter a tag value.  
![\[A tag with the tag key and tag value specified in the Lightsail create instance workflow.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-instance-key-name-and-value-tags.png)

1. Choose **Create instance**.

   For advanced creation options, see [Use a launch script to configure your Amazon Lightsail instance when it starts up](lightsail-how-to-configure-server-additional-data-shell-script.md) or [Set up SSH for your Linux/Unix-based Lightsail instances](lightsail-how-to-set-up-ssh.md).

Within minutes, your Lightsail instance is ready and you can connect to it via SSH, without leaving Lightsail!

## Connect to your instance
<a name="getting-started-connect-to-your-instance"></a>

1. On the Lightsail home page, choose the menu on the right of your instance's name, and then choose **Connect**.  
![\[Instance connect.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-connect-to-your-instance.png)

   Alternately, you can open your instance management page, choose the **Connect** tab, then choose **Connect using SSH**.  
![\[Instance connect.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-connect-to-your-instance-from-instance-management-page.png)
**Note**  
To connect to your instance using an SSH client such as PuTTY, you can follow this procedure: [Set up PuTTY to connect to your Lightsail instance](lightsail-how-to-set-up-putty-to-connect-using-ssh.md).

1. Now you can type commands into the terminal and manage your Lightsail instance without setting up an SSH client.  
![\[Browser-based SSH terminal.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-bitnami-terminal-window.png)

## Next steps
<a name="linux-unix-next-steps"></a>

Now that you can connect to your instance, what you do next depends on how you plan to use it. For example:
+ [Configure and manage Lightsail WordPress instances](wordpress-tutorials.md) if you're creating a blog.
+ [Create a static IP address](lightsail-create-static-ip.md) for your instance to keep the same IP address each time you restart your Lightsail instance.
+ [Create a snapshot of your instance](lightsail-how-to-create-a-snapshot-of-your-instance.md) as a backup.

# Create Windows Server instances in Lightsail
<a name="get-started-with-windows-based-instances-in-lightsail"></a>

**Did you know?**  
Lightsail stores seven daily snapshots and automatically replaces the oldest with the newest when you enable automatic snapshots for your instance. For more information, see [Configure automatic snapshots for Lightsail instances and disks](https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-configuring-automatic-snapshots.html).

Create Lightsail instances that run the Windows Server operating system (OS). We have three OS blueprints available: Windows Server 2022, Windows Server 2019, and Windows Server 2016. In addition, we have blueprints that come preconfigured with SQL Server 2022, 2019, and 2016 Express.

This topic provides information about choosing your software, creating your Windows Server-based instance, and connecting to it.

Learn more about [Windows Server on AWS](https://aws.amazon.com/windows/)

## Choose a Windows Server-based instance
<a name="choose-windows-based-instance-lightsail"></a>

There are three options for creating a Windows Server-based instance in Lightsail.

**Windows Server 2022**  
Lightsail running Windows Server is a fast and dependable environment for deploying applications using the Microsoft Web Platform. With Lightsail, you can run any compatible Windows-based solution on the high-performance, reliable, cost-effective AWS Cloud computing platform. Common Windows use cases include Enterprise Windows-based application hosting, website and web service hosting, data processing, distributed testing, ASP.NET application hosting, and any other application requiring Windows software.  
 [Learn more about the Windows Server 2022 image](https://aws.amazon.com/marketplace/pp/prodview-dq4sxno5vuy7m) 

 **Windows Server 2019**   
Unless you need to run Windows Server 2016 or Windows Server 2019 for some reason, we recommend using the latest version of Windows Server 2022.  
Lightsail running Windows Server is a fast and dependable environment for deploying applications using the Microsoft Web Platform. Lightsail enables you to run any compatible Windows-based solution on AWS' high-performance, reliable, cost-effective, cloud computing platform. Common Windows use cases include Enterprise Windows-based application hosting, website and web-service hosting, data processing, distributed testing, ASP.NET application hosting, and any other application requiring Windows software.  
 [Learn more about the Windows Server 2019 image](https://aws.amazon.com/marketplace/pp/B07QZ4XZ8F) 

 **Windows Server 2016**   
Unless you need to run Windows Server 2016 or Windows Server 2019 for some reason, we recommend using the latest version of Windows Server 2022.  
Lightsail running Windows Server is a fast and dependable environment for deploying applications using the Microsoft Web Platform. Lightsail enables you to run any compatible Windows-based solution on AWS' high-performance, reliable, cost-effective, cloud computing platform. Common Windows use cases include Enterprise Windows-based application hosting, website and web-service hosting, data processing, distributed testing, ASP.NET application hosting, and any other application requiring Windows software.  
 [Learn more about the Windows Server 2016 image](https://aws.amazon.com/marketplace/pp/B01M7SJEU7) 

 **SQL Server Express 2022**   
SQL Server Express is a relational database management system that is free to download, distribute, and use. It comprises a database specifically targeted for embedded and smaller-scale applications. This Lightsail image runs on a base OS of Windows Server 2022.  
 [Learn more about the SQL Server Express 2022 image](https://aws.amazon.com/marketplace/pp/prodview-c2jz4lr4h2yc6) 

 **SQL Server Express 2019**   
SQL Server Express is a relational database management system that is free to download, distribute, and use. It comprises a database specifically targeted for embedded and smaller-scale applications. This Lightsail image runs on a base OS of Windows Server 2022.  
 [Learn more about the SQL Server Express 2019 image](https://aws.amazon.com/marketplace/pp/prodview-xbikutlmywslu) 

 **SQL Server Express 2016**   
SQL Server Express is a relational database management system that is free to download, distribute, and use. It comprises a database specifically targeted for embedded and smaller-scale applications. This Lightsail image runs on a base OS of Windows Server 2016.  
 [Learn more about the SQL Server Express image](https://aws.amazon.com/marketplace/pp/B01MAZHH98) 

## Create a Windows Server-based instance
<a name="create-windows-based-instance-lightsail"></a>

You can create a Windows Server-based instance using the Lightsail console or by using the AWS Command Line Interface (AWS CLI).

**To create an instance using the console**

1. Sign in to Lightsail, and then go to the home page.

1. Choose **Create instance**.

1. Select an AWS Region where you want to create your Windows Server-based Lightsail instance.

   For example, `Ohio (us-east-2)`.

1. Select the **Microsoft Windows** platform.

1. To choose the Windows Server 2022, Windows Server 2019, or Windows Server 2016 blueprint, choose **OS Only**.

   To choose the SQL Server Express blueprint, choose **Apps + OS**.

1. Choose your instance plan.

   Choose whether your instance uses dual-stack (IPv4 and IPv6) or IPv6-only networking. Some Lightsail blueprints don't support IPv6-only networking at this time. To see which blueprints support IPv6-only networking, see [Review the Lightsail instance blueprint offerings](compare-options-choose-lightsail-instance-image.md).

   A plan also includes a low, predictable cost and a machine configuration (RAM, SSD, vCPU), as well as data transfer.
**Note**  
Some instance plans aren't available for some blueprints. For example, the SQL Server Express blueprint requires that you use a plan with at least 4 GB of memory and 80 GB of SSD storage.

1. Enter a name for your instance.

   Resource names:
   + Must be unique within each AWS Region in your Lightsail account.
   + Must contain 2 to 255 characters.
   + Must start and end with an alphanumeric character or number.
   + Can include alphanumeric characters, numbers, periods, dashes, and underscores.

1. (Optional) Choose **Add new tag** to add a tag to your instance. Repeat this step as needed to add additional tags. For more information on tag usage, see [Tags](amazon-lightsail-tags.md).

   1. For **Key**, enter a tag key.  
![\[A tag with only the tag key specified in the Lightsail create instance workflow.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-instance-key-name-only-tags.png)

   1. (Optional) For **Value**, enter a tag value.  
![\[A tag with the tag key and tag value specified in the Lightsail create instance workflow.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-instance-key-name-and-value-tags.png)

1. Choose **Create instance**.

**To create an instance using the AWS CLI**

1. If you haven't done so already, install and configure the AWS CLI.

   For more information, see [Configure the AWS Command Line Interface to work with Amazon Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).

1. Open a command prompt or a terminal window.

1. If you haven't done so already, configure the AWS CLI using `aws configure` and select the AWS Region where you want to create your Lightsail resources.

1. Type the following AWS CLI command to create a \$144 USD per month Windows Server 2022 instance running in the Ohio region:

   ```
   aws lightsail create-instances --instance-names InstanceName --availability-zone us-east-2a --blueprint-id windows_server_2022 --bundle-id medium_win_3_0
   ```

   In the command, replace *InstanceName* with the name of your new instance.

   If successful, you will see the following output from the AWS CLI.

   ```
   {
       "operations": [
           {
               "status": "Started",
               "resourceType": "Instance",
               "isTerminal": false,
               "statusChangedAt": 1508086226.4,
               "location": {
                   "availabilityZone": "us-east-2a",
                   "regionName": "us-east-2"
               },
               "operationType": "CreateInstance",
               "resourceName": "my-windows-instance",
               "id": "344acdc8-f9c4-4eda-8232-12345EXAMPLE",
               "createdAt": 1508086225.467
           }
       ]
   }
   ```
**Note**  
To get a list of available blueprints, use the [get-blueprints](http://docs.aws.amazon.com/cli/latest/reference/lightsail/get-blueprints.html) command. To get a list of available bundles, use the [get-bundles](http://docs.aws.amazon.com/cli/latest/reference/lightsail/get-bundles.html) command. Learn more about getting the password for your instance using the [get-instance-access-details](http://docs.aws.amazon.com/cli/latest/reference/lightsail/get-instance-access-details.html) command.

## Connect to your instance
<a name="connect-to-windows-based-instance-lightsail"></a>

Once you create your Windows Server-based Lightsail instance, you can connect to it using either the browser-based RDP client or the remote desktop client of your choice.

**Note**  
After you create your instance, you may need to wait up to 15 minutes before you can connect to it.

**To connect using the Lightsail browser-based RDP client**

1. On the home page, choose the **Connect using RDP** icon next to your instance.  
![\[Lightsail connect.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/connect-to-windows-instance-using-rdp-connection-shortcut.png)

1. Alternately, you can connect to your instance from the shortcut menu or the instance management page.

**To connect using your own RDP client**

1. To get your IP address, go to the Lightsail home page.

1. Copy the IP address to the clipboard.

1. Open an RDP client such as **Remote Desktop Connection** in Windows.

1. Paste the IP address into the **Computer** field.

1. Choose **Show Options**, and then type `Administrator` for your **User name**.  
![\[Remote Desktop Connection application.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/remote-desktop-connection-windows-server-based-instance-lightsail.png)

1. Choose **Connect**.

1. To get your password, go to the instance management page in Lightsail.

   You can get to the instance management page by choosing the name of your instance (or choosing **Manage** from the shortcut menu) on the Lightsail home page.

1. Choose **Show default password**.

1. Copy the default password to the clipboard.

1. Paste your password into **Remote Desktop Connection**, and then choose **Remember me** to prevent this dialog box from appearing in the future.  
![\[Remote Desktop Connection settings.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/remote-desktop-connection-enter-credentials-lightsail-windows.png)

1. Choose **OK**.

1. Choose **Don't ask me again for connections to this computer**, and then choose **Yes**.

## Next steps
<a name="windows-next-steps"></a>

Now that you can connect to your instance, what you do next depends on how you plan to use it. For example:
+ [Create a static IP address](lightsail-create-static-ip.md) for your instance to keep the same IP address each time you restart your Lightsail instance.
+ [Create a snapshot of your Lightsail Windows Server instance](prepare-windows-based-instance-and-create-snapshot.md).

Follow the step-by-step instructions to create instances running Linux and Unix distributions like Amazon Linux, Ubuntu, Debian, or Windows Server operating systems like Windows Server 2022, 2019, and 2016.

For Linux and Unix instances, you can choose from various application blueprints like WordPress, LAMP, LEMP, or select an operating system only. For Windows Server instances, you can choose from Windows Server blueprints or SQL Server Express blueprints. 

The guide covers selecting the AWS Region and Availability Zone, choosing the instance plan (bundle) with the desired compute and storage resources, configuring networking options like IPv4 and IPv6, naming the instance, and adding tags. After creating the instance, you can connect to it using the Lightsail browser-based SSH or RDP clients, or use your own SSH or RDP client with the provided connection details. By following this guide, you can quickly launch and access Linux and Unix or Windows Server instances in Lightsail, tailored to your specific requirements.

# Review the Lightsail instance blueprint offerings
<a name="compare-options-choose-lightsail-instance-image"></a>

Lightsail provides several options for you to create your virtual private server. This topic helps you decide which operating system (OS), application, or development stack is right for your project. We organized the applications by functional area (such as CMS and ecommerce).

## Operating systems
<a name="compare-operating-systems"></a>

Lightsail has several Linux/Unix-based or Windows-based operating systems to choose from.

**Windows Server 2022**  
Lightsail running Windows Server is a fast and dependable environment for deploying applications using the Microsoft Web Platform. With Lightsail, you can run any compatible Windows-based solution on the high-performance, reliable, cost-effective AWS Cloud computing platform. Common Windows use cases include Enterprise Windows-based application hosting, website and web service hosting, data processing, distributed testing, ASP.NET application hosting, and any other application requiring Windows software. For end of support information, see the [https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2022](https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2022) website.  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more about [Windows Server 2022](https://aws.amazon.com/marketplace/pp/prodview-dq4sxno5vuy7m). 

**Windows Server 2019**  
Lightsail running Windows Server is a fast and dependable environment for deploying applications using the Microsoft Web Platform. Lightsail enables you to run any compatible Windows-based solution on the high-performance, reliable, cost-effective AWS cloud computing platform. Common Windows use cases include Enterprise Windows-based application hosting, website and web service hosting, data processing, distributed testing, ASP.NET application hosting, and any other application requiring Windows software. For end of support information, see the [https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2019](https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2019) website.  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more about [Windows Server 2019](https://aws.amazon.com/marketplace/pp/B07QZ4XZ8F). 

**Windows Server 2016**  
Lightsail running Windows Server is a fast and dependable environment for deploying applications using the Microsoft Web Platform. Lightsail enables you to run any compatible Windows-based solution on the high-performance, reliable, cost-effective AWS cloud computing platform. Common Windows use cases include Enterprise Windows-based application hosting, website and web service hosting, data processing, distributed testing, ASP.NET application hosting, and any other application requiring Windows software. For end of support information, see the [https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2016](https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2016) website.  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more about [Windows Server 2016](https://aws.amazon.com/marketplace/pp/B01M7SJEU7). 

**Amazon Linux 2023**  
Amazon Linux 2023 (AL2023) is the next generation of Amazon Linux, ideal for general purpose workloads on AWS. AL2023 will be supported for five years after it is generally available. AL2023 locks to a specific version of the Amazon Linux package repository, giving you control over how and when you absorb updates. AL2023 also provides the ability to get frequent updates and comes with features to help you meet your compliance needs.  
Lightsail instances launched from AL2023 will have Instance Metadata Service Version 2 (IMDSv2) enforced by default. For more information, see [How Instance Metadata Service Version 2 works](amazon-lightsail-configuring-instance-metadata-service.md).  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more about [Amazon Linux 2023](https://aws.amazon.com/linux/amazon-linux-2023/).

**Amazon Linux 2**  
Amazon Linux 2 will reach End of Long Term Support on June 30, 2026. You will not be able to create new Lightsail instances with this blueprint on or after June 30, 2026. For more information, see the [Amazon Linux 2 website](https://aws.amazon.com/amazon-linux-2/faqs/).  
Amazon Linux 2 is the previous generation of Amazon Linux, a Linux server operating system from AWS. It provides a secure, stable, and high performance execution environment to develop and run cloud and enterprise applications. With Amazon Linux 2, you get an application environment that offers long term support with access to the latest innovations in Linux. Amazon Linux 2 is provided at no additional charge. For end of support information, see [Amazon Linux 2 FAQs](https://aws.amazon.com/amazon-linux-2/faqs/).  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more about [Amazon Linux 2](https://aws.amazon.com/amazon-linux-2).

**AlmaLinux OS 9**  
AlmaLinux OS 9 is an open source, community owned and governed, forever-free enterprise Linux distribution, focused on long-term stability, providing a robust production-grade platform. AlmaLinux is compatible with RHEL® and pre-Stream CentOS. For end of support information, see the [https://almalinux.org](https://almalinux.org) website.  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more about [AlmaLinux OS 9](https://aws.amazon.com/marketplace/pp/prodview-ykmb6re2rcouy).

**CentOS Stream 9**  
CentOS Stream 9 is the next major release of the CentOS Stream distribution. CentOS Stream 9 is a continuously delivered distribution that tracks just ahead of Red Hat Enterprise Linux (RHEL) development, positioned as a midstream between Fedora Linux and RHEL. It's designed to be functionally compatible with RHEL and provides a stable, predictable, manageable and reproducible Linux environment. For end of support information, see the [CentOS](https://www.centos.org/) website.  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more at the [https://www.centos.org/centos-stream/](https://www.centos.org/centos-stream/) website.

**Debian 11, 12, and 13**  
Debian 11 will reach End of Long Term Support on August 31, 2026. You will not be able to create new Lightsail instances with this blueprint on or after August 31, 2026. For more information, see the [Debian website](https://wiki.debian.org/LTS).  
Debian is a free operating system, developed by thousands of volunteers from all over the world who collaborate over the internet. The Debian project's key strengths are its volunteer base, its dedication to the Debian Social Contract and Free Software, and its commitment to provide the best operating system possible. This new release is another important step in that direction. For end of support information, see the [Debian website](https://wiki.debian.org/DebianReleases).  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more at the [https://www.debian.org/doc/](https://www.debian.org/doc/) website.

**FreeBSD 13, 14, and 15**  
FreeBSD 13 will reach End of Life on April 30, 2026. You will not be able to create new Lightsail instances with this blueprint on or after April 30, 2026. For more information, see the [FreeBSD website](https://www.freebsd.org/releases/13.5R/announce/).  
FreeBSD is an operating system used to power servers, desktops, and embedded systems. Derived from BSD, the version of UNIX developed at the University of California, Berkeley, FreeBSD has been continually developed by a large community for more than 30 years. FreeBSD's networking, security, storage, and monitoring features, including the pf firewall, the Capsicum and CloudABI capability frameworks, the ZFS file system, and the DTrace dynamic tracing framework, make FreeBSD the platform of choice for many of the busiest websites and most pervasive embedded networking and storage systems. For end of support information, see the [https://www.freebsd.org/security/#sup](https://www.freebsd.org/security/#sup) website.  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more at the [https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/](https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/) website.

**openSUSE 15**  
The openSUSE distribution is a stable, easy to use and complete multipurpose Linux distribution. It is aimed towards users and developers working on the desktop or server. It is great for beginners, experienced users and ultra geeks alike, in short, it is perfect for everybody! For end of support information, see the [https://en.opensuse.org/](https://en.opensuse.org/) website.  
Password authentication is disabled by default for this operating system. This means that even if you create an instance from a snapshot of an instance with password authentication enabled, the new instance will have password authentication disabled. For more information about password authentication in SUSE Linux, see [document 3404214](https://www.suse.com/support/kb/doc/?id=000016192) in the SUSE documentation.  
To log in to your instance with password authentication disabled, you can use the browser-based SSH client on the Lightsail console or a key pair. For more information about logging in, see [Connect to Linux or Unix instances on Lightsail](lightsail-how-to-connect-to-your-instance-virtual-private-server.md) or [Connect to Lightsail Linux or Unix instances with the SSH command](amazon-lightsail-ssh-using-terminal.md).  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more at the [https://www.opensuse.org/](https://www.opensuse.org/) website.

**Ubuntu 22 and 24**  
Ubuntu Server is a Debian-based Linux operating system used for virtual servers. A default installation of Ubuntu contains a wide range of software that includes LibreOffice, Firefox, Thunderbird, and Transmission. You can install many additional software packages, such as Evolution, GIMP, Pidgin, and Synaptic by using the APT-based package management tool (`apt-get`). For end of support information, see the [https://wiki.ubuntu.com/Releases](https://wiki.ubuntu.com/Releases) website.  
Lightsail instances created with the Ubuntu 24 blueprint will have Instance Metadata Service Version 2 (IMDSv2) enforced by default. For more information, see [How Instance Metadata Service Version 2 works](amazon-lightsail-configuring-instance-metadata-service.md).  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more at the [https://help.ubuntu.com/community/CommunityHelpWiki](https://help.ubuntu.com/community/CommunityHelpWiki) website.

## Database applications
<a name="compare-database-applications"></a>

The following database applications are available in Lightsail:

**SQL Server 2022 Express**  
SQL Server Express is a relational database management system that is free to download, distribute, and use. It comprises a database specifically targeted for embedded and smaller-scale applications. This Lightsail image runs on a base OS of Windows Server 2022.  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more about [SQL Server 2022 Express](https://aws.amazon.com/marketplace/pp/prodview-c2jz4lr4h2yc6).

**SQL Server 2019 Express**  
SQL Server Express is a relational database management system that is free to download, distribute, and use. It comprises a database specifically targeted for embedded and smaller-scale applications. This Lightsail image runs on a base OS of Windows Server 2022.  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more about [SQL Server 2019 Express](https://aws.amazon.com/marketplace/pp/prodview-xbikutlmywslu).

**SQL Server 2016 Express**  
SQL Server 2016 Express will reach End of Extended Support on July 14, 2026. You will not be able to create new Lightsail instances with this blueprint on or after July 14, 2026. For more information, see the [Microsoft website](https://learn.microsoft.com/en-us/lifecycle/products/sql-server-2016).  
SQL Server Express is a relational database management system that is free to download, distribute, and use. It comprises a database specifically targeted for embedded and smaller-scale applications. This Lightsail image runs on a base OS of Windows Server 2016.  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
 Learn more about [SQL Server 2016 Express](https://aws.amazon.com/marketplace/pp/B01MAZHH98).

## CMS applications
<a name="compare-cms-applications"></a>

The following content management system (CMS) applications are available in Lightsail:

**WordPress**  
 The WordPress blueprint provides a complete production environment with PHP, MariaDB, phpMyAdmin, and WordPress. Lightsail packages blueprints to be secure and up-to-date using industry best practices.   
Lightsail instances launched from WordPress will have Instance Metadata Service Version 2 (IMDSv2) enforced by default. For more information, see [How Instance Metadata Service Version 2 works](amazon-lightsail-configuring-instance-metadata-service.md).  
[Deploy and manage WordPress on Lightsail](amazon-lightsail-quick-start-guide-wordpress.md)  
Learn more about the [WordPress stack](https://wordpress.org/) at the *WordPress* website.

**WordPress certified by Bitnami**  
Bitnami WordPress is a preconfigured, ready-to-use image for running WordPress on Lightsail. WordPress is a popular web publishing platform for building blogs and websites. You can customize it by using a wide selection of themes, extensions, plugins, and widgets.  
WordPress features a full theme system, which enables you to change the look and feel of your site with a few clicks. You can also use existing free or commercial WordPress themes. WordPress is in full compliance with the standards of the [W3C](https://www.w3.org/).  
[Deploy and manage WordPress on Lightsail](amazon-lightsail-quick-start-guide-wordpress.md)  
Learn more about [WordPress](https://bitnami.com/stack/wordpress) at the *Bitnami* website.

**WordPress Multisite**  
 The WordPress Multisite blueprint provides a complete production environment with PHP, MariaDB, phpMyAdmin, and WordPress. Lightsail packages blueprints to be secure and up-to-date using industry best practices.   
Lightsail instances launched from WordPress Multisite will have Instance Metadata Service Version 2 (IMDSv2) enforced by default. For more information, see [How Instance Metadata Service Version 2 works](amazon-lightsail-configuring-instance-metadata-service.md).  
[Set up WordPress Multisite on Lightsail](amazon-lightsail-quick-start-guide-wordpress-multisite.md)  
Learn more about [WordPress Multisite](https://developer.wordpress.org/advanced-administration/multisite/) at the *WordPress* website.

**WordPress Multisite certified by Bitnami**  
WordPress Multisite enables administrators to host and manage multiple websites from the same WordPress instance. These websites can all have unique domain names and can be customized by their owners, while sharing assets such as themes and plugins that are made available by the server admin. Updates to all sites can be pushed at once, ensuring that they are always kept safe and secure.  
WordPress Multisite is great for organizations such as universities, corporations, and agencies that need to enable many people to host their own websites while giving overall control to a central administrator.  
[Set up WordPress Multisite on Lightsail](amazon-lightsail-quick-start-guide-wordpress-multisite.md)  
Learn more about [WordPress Multisite](https://bitnami.com/stack/wordpress-multisite) at the *Bitnami* website.

**cPanel & WebHost Manager (WHM)**  
cPanel & WHM is a suite of tools built for Linux OS that gives you the ability to automate web hosting tasks by using a simple graphical user interface. Its goal is to make managing servers easier for you and managing websites easier for your customers.  
[Host websites, email, and services with cPanel & WHM on Lightsail](amazon-lightsail-quick-start-guide-cpanel.md)  
Learn more about [cPanel & WHM](https://cpanel.net/products/cpanel-whm-features/) at the *cPanel* website.

**PrestaShop packaged by Bitnami**  
PrestaShop is one of the most prolific ecommerce solutions in the world. It is free and open source software, with a community of over 1 million active members. It is designed to get your online store up and running quickly, with a preconfigured theme so that you can start selling almost immediately along with a Live Configurator for easily customizing the look of your site. PrestaShop features multi-store support, customizable URLs, multiple payment gateway options (including PayPal and Stripe), and marketplace integration with Amazon, eBay, Facebook and more.  
[Set up a PrestaShop website on Lightsail](amazon-lightsail-quick-start-guide-prestashop.md)  
Learn more about [PrestaShop](https://prestashop.com) at the *PrestaShop* website.

**Ghost packaged by Bitnami**  
Ghost is a publishing platform that is suitable for everything from personal blogs to major news websites. Built on Node.js, its modern technology stack makes it versatile and flexible for developers seeking to integrate with other applications and tools, while maintaining ease of use for content creators.  
[Deploy a Ghost website on Lightsail](amazon-lightsail-quick-start-guide-ghost.md)  
Learn more about [Bitnami Ghost](https://bitnami.com/stack/ghost) at the *Bitnami* website.

**Joomla! packaged by Bitnami**  
Bitnami Joomla! is a preconfigured, ready-to-use image for running Joomla! on Lightsail. Joomla! is a CMS that you can use to build a variety of websites or portals. These include personal, corporate, small business, nonprofit, and other organizational websites.  
Joomla! also features a registration system that enables users to configure personal options. Authentication is an important part of user management, and Joomla! supports multiple protocols, including LDAP, OpenID, and others. Joomla! supports many different languages and offers guidance for using them for the website and the administration panel. Also, the **Banner Manager** makes it easy to set up and manage banners on your site. You can track metrics, including setting impression numbers, special URLs, and more.  
[Get started with Joomla! on Lightsail](amazon-lightsail-quick-start-guide-joomla.md)  
Learn more about [Joomla!](https://bitnami.com/stack/joomla) at the *Bitnami* website.

**Drupal packaged by Bitnami**  
Bitnami Drupal is a preconfigured, ready-to-use image for running Drupal on Lightsail. Drupal is a content management platform that helps users easily publish, manage, and organize content. It's used for community web portals, discussion sites, corporate websites, and more. You can easily extend Drupal by plugging in modules. Drupal is built for high performance, is scalable to many servers, and has easy integration with REST, JSON, SOAP, and other formats.  
There are thousands of add-on modules and designs available for Drupal free of charge. Drupal is also available in multiple languages.  
[Set up and customize your Drupal website on Lightsail](amazon-lightsail-quick-start-guide-drupal.md)  
Learn more about [Drupal](https://bitnami.com/stack/drupal) at the *Bitnami* website.

## Application stacks and servers
<a name="compare-application-stacks-servers"></a>

Lightsail has multiple application stacks and servers for a wide variety of development projects. Each image uses Linux/Unix as the base operating system.

**OpenClaw**  
OpenClaw is an open-source autonomous AI agent (formerly Clawdbot/Moltbot). It runs continuously in the background on your own server, connecting to messaging platforms like Slack, Telegram, WhatsApp, and Discord as its primary interface. OpenClaw features proactive task execution, multi-channel integration, and the ability to run code, manage files, and browse the web.  
Lightsail instances launched from OpenClaw will have Instance Metadata Service Version 2 (IMDSv2) enforced by default. For more information, see [How Instance Metadata Service Version 2 works](amazon-lightsail-configuring-instance-metadata-service.md).  
[Get started with OpenClaw on Lightsail](amazon-lightsail-quick-start-guide-openclaw.md)  
Learn more about [OpenClaw](https://openclaw.ai) at the *OpenClaw* website.

**LAMP stack (PHP 8) packaged by Bitnami**  
The Bitnami LAMP stack simplifies the development and deployment of PHP applications. It includes ready-to-run versions of Apache, MySQL, PHP, and phpMyAdmin, and also the other software required to run each of those components. Bitnami LAMP stack is completely integrated and configured, so you will be ready to start developing your application as soon as you create your instance in Lightsail. Bitnami LAMP stack is regularly updated to ensure that you always have access to the latest stable releases for each bundled component.  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
[Deploy and manage a LAMP stack on Lightsail](amazon-lightsail-quick-start-guide-lamp.md)  
Learn more about the [Bitnami LAMP stack](https://bitnami.com/stack/lamp) at the *Bitnami* website.

**LAMP**  
 The LAMP blueprint provides a complete production environment with PHP, Apache, and MariaDB on Linux. This blueprint also includes phpMyAdmin, PHP core modules, and Composer.   
Lightsail instances launched from LAMP will have Instance Metadata Service Version 2 (IMDSv2) enforced by default. For more information, see [How Instance Metadata Service Version 2 works](amazon-lightsail-configuring-instance-metadata-service.md).  
[Deploy and manage a LAMP stack on Lightsail](amazon-lightsail-quick-start-guide-lamp.md)

**Django packaged by Bitnami**  
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Python is a dynamic object-oriented programming language that can be used for many kinds of software development. The Bitnami Django Stack greatly simplifies the deployment of Django and its runtime dependencies and includes ready-to-run versions of Python, Django, MySQL, and Apache.  
Learn more about the [Bitnami Django stack](https://bitnami.com/stack/django) at the *Bitnami* website.

**Node.js packaged by Bitnami**  
Bitnami Node.js is a preconfigured, ready-to-use image for running Node.js on Lightsail. Node.js is a platform built on Chrome's JavaScript runtime for easily creating fast, scalable network applications. It uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. Node.js is well suited for data-intensive, real-time applications.  
[Deploy and manage a Node.js stack on Lightsail](amazon-lightsail-quick-start-guide-nodejs.md)  
Learn more about the [Node.js stack](https://bitnami.com/stack/nodejs) at the *Bitnami* website.

**Node.js**  
 The Node.js blueprint provides a complete production environment with MariaDB and Node.js. Lightsail packages blueprints to be secure and up-to-date using industry best practices.   
Lightsail instances launched from Node.js will have Instance Metadata Service Version 2 (IMDSv2) enforced by default. For more information, see [How Instance Metadata Service Version 2 works](amazon-lightsail-configuring-instance-metadata-service.md).  
[Deploy and manage a Node.js stack on Lightsail](amazon-lightsail-quick-start-guide-nodejs.md)  
Learn more about the [Node.js stack](https://nodejs.org/en/learn/getting-started/introduction-to-nodejs) at the *Node.js* website.

**MEAN stack packaged by Bitnami**  
Bitnami MEAN stack provides a complete development environment for MongoDB and Node.js that you can deploy in one click. It includes the latest stable release of MongoDB, Express, Angular, Node.js, Git, PHP, and RockMongo.  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
Learn more about the [MEAN stack](https://bitnami.com/stack/mean) at the *Bitnami* website.

**GitLab CE Packaged by Bitnami**  
Bitnami GitLab Community Edition (CE) is a preconfigured, ready-to-use image for running GitLab on Lightsail. GitLab is self-hosted Git management software that is fast, secure, and based on Ruby on Rails. GitLab CI (also included) is an open source Continuous Integration (CI) server closely integrated with Git and GitLab.  
 With GitLab, you keep your code secure on your own server, manage repositories, users, and access permissions. It's self-contained, so you can duplicate or move the installation to different servers easily.   
[Set up and configure a GitLab CE instance on Lightsail](amazon-lightsail-quick-start-guide-gitlab.md)  
Learn more about the [GitLab stack](https://bitnami.com/stack/gitlab) at the *Bitnami* website.

**Nginx (LEMP stack) packaged by Bitnami**  
Bitnami NGINX Stack provides a complete PHP, MySQL, and NGINX development environment that you can launch in one click. It also bundles phpMyAdmin, SQLite, ImageMagick, FastCGI, Memcache, GD, CURL, PEAR, PECL, and other components.  
 NGINX is an asynchronous server and its main advantage is scalability. The NGINX stack is also known as LEMP (Linux, NGINX, MySQL, and PHP).   
[Deploy and manage an Nginx web server on Lightsail](amazon-lightsail-quick-start-guide-nginx.md)  
Learn more about the [NGINX stack](https://bitnami.com/stack/nginx) at the *Bitnami* website.

**Nginx**  
 The Nginx blueprint provides a complete production environment with PHP, MariaDB, phpMyAdmin, and NGINX. Lightsail packages blueprints to be secure and up-to-date using industry best practices.   
Lightsail instances launched from Nginx will have Instance Metadata Service Version 2 (IMDSv2) enforced by default. For more information, see [How Instance Metadata Service Version 2 works](amazon-lightsail-configuring-instance-metadata-service.md).  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
[Deploy and manage an Nginx web server on Lightsail](amazon-lightsail-quick-start-guide-nginx.md)  
Learn more about the [NGINX stack](https://nginx.org/en/) at the *NGINX* website.

**Plesk Hosting Stack on Ubuntu**, **Plesk Hosting Stack on Ubuntu (BYOL)**  
On August 1, 2024, Plesk transitioned to a paid license model. The following licensing behaviors apply to Lightsail instances running Plesk:  
+ Starting on February 1, 2025, a paid license is required for any instance that uses the older **Plesk Hosting Stack on Ubuntu** blueprint.
+ Instances launched with the **Plesk Hosting Stack on Ubuntu (BYOL)** blueprint have a 30-day trial license. After 30 days, you must purchase a license from Plesk to continue using the Plesk application.
For more information, see [Purchase a Plesk license](https://docs.aws.amazon.com/lightsail/latest/userguide/set-up-and-configure-plesk-stack-on-lightsail.html#amazon-lightsail-purchase-plesk-license).
Build, secure, and run websites and applications on Lightsail and AWS using the Hosting Stack powered by Plesk. This includes all your web-based server management and security tools, plus WordPress automation in a graphical user interface. It simplifies the work of web professionals and provides the scalability, security, and performance that your customers need.  
 [Set up and configure Plesk](set-up-and-configure-plesk-stack-on-lightsail.md).   
Learn more about the [Plesk stack](https://docs.plesk.com/en-US/current/administrator-guide/about-plesk.70559/) at the *Plesk* website.

**Ruby on Rails**  
The Ruby on Rails blueprint comes pre-configured with Rails on Amazon Linux 2023, eliminating the need for manual framework installation and setup. The Ruby on Rails blueprint enables you to deploy a robust, scalable, and cost-effective solution for building modern web applications on Lightsail.  
[Set up Ruby on Rails on Lightsail](amazon-lightsail-quick-start-guide-rubyonrails.md)  
Learn more about [Ruby on Rails](https://guides.rubyonrails.org/getting_started.html) and [Amazon Linux 2023](https://aws.amazon.com/linux/amazon-linux-2023/).

## Ecommerce applications
<a name="compare-ecommerce-applications-in-lightsail"></a>

Lightsail currently has one ecommerce application image: Magento. This Magento image uses Linux/Unix (Ubuntu) as the base operating system.

 **Magento packaged by Bitnami**   
Bitnami Magento is a preconfigured, ready-to-use image for running Magento on Lightsail. You can build engaging, responsive, and secure sites using Magento. Magento is a feature-rich, flexible ecommerce solution that includes transaction options, multistore functionality, loyalty programs, product categorization, shopper filtering, promotion rules, and more.  
You can use Magento to create a highly customized ecommerce site that reflects your brand. Magento integrates with your business operations, so you can manage your ecommerce site as your business needs.   
[Set up and configure Magento on Lightsail](amazon-lightsail-quick-start-guide-magento.md)  
Learn more about the [Magento stack](https://bitnami.com/stack/magento) at the *Bitnami* website.

## Project management applications
<a name="compare-project-management-applications-in-lightsail"></a>

Lightsail currently has one project management application image, Redmine. This image uses Linux/Unix (Ubuntu) as the base operating system.

 **Redmine packaged by Bitnami**   
Bitnami Redmine is a preconfigured, ready-to-use image for running Redmine on Lightsail. Redmine is a flexible project management web application. It includes support for multiple projects, role-based access control, Gantt charts and calendars, management of news, documents, and files, per-project wikis and forums, SCM integration, and more.  
This blueprint is compatible with a Lightsail IPv6-only instance plan.  
[Configure and secure a Redmine instance on Lightsail](amazon-lightsail-quick-start-guide-redmine.md)  
Learn more about the [Redmine stack](https://bitnami.com/stack/redmine) at the *Bitnami* website.

# Lightsail instance bundles
<a name="amazon-lightsail-bundles"></a>

Lightsail offers a variety of instance bundles (also known as instance plans) to meet different workload requirements. Each bundle provides compute power (vCPUs), memory (RAM), storage, and a data transfer allowance. Bundles are billed at an on-demand hourly rate, so you pay only for what you use. For every bundle you use, we charge you the fixed hourly price, up to the maximum monthly plan cost.

 General purpose plans provide a balanced mix of compute, memory, and networking resources suitable for the majority of applications, such as web and application servers, virtual desktops, microservices, databases, and batch processing. Memory optimized plans provide a higher memory-to-CPU ratio that benefits workloads such as in-memory caching, real-time big data analytics, or high-performance databases. Compute optimized plans provide a higher CPU-to-memory ratio that benefits compute-intensive workloads such as batch processing, video encoding, and dedicated game servers. 

Each bundle will include public IP addressing. It will provide either a public IPv4 address, a public IPv4 address with an IPv6 address (known as dual-stack), or just an IPv6 address (known as IPv6 only). The bundle price varies depending on whether it includes a public IPv4 address.

**Topics**
+ [Linux/Unix bundles (with public IPv4 addressing)](#linux-unix-bundles)
+ [Linux/Unix bundles (IPv6-only)](#linux-unix-ipv6-bundles)
+ [Windows bundles (with public IPv4 addressing)](#windows-bundles)
+ [Windows bundles (IPv6-only)](#windows-ipv6-bundles)

## Linux/Unix bundles (with public IPv4 addressing)
<a name="linux-unix-bundles"></a>

The following table lists the specifications for Linux/Unix instance bundles that include an IPv4 address.


|  Bundle name  |  Price (USD/month)  |  vCPUs  |  Memory  |  Storage  |  Data transfer \*  | 
| --- | --- | --- | --- | --- | --- | 
| Nano-0.5GB Linux with public IPv4 |  $5.00  |  2  |  0.5 GB  |  20 GB  |  1 TB  | 
| Micro-1GB Linux with public IPv4 |  $7.00  |  2  |  1 GB  |  40 GB  |  2 TB  | 
| Small-2GB Linux with public IPv4 |  $12.00  |  2  |  2 GB  |  60 GB  |  3 TB  | 
| Medium-4GB Linux with public IPv4 |  $24.00  |  2  |  4 GB  |  80 GB  |  4 TB  | 
| Large-8GB Linux with public IPv4 |  $44.00  |  2  |  8 GB  |  160 GB  |  5 TB  | 
| Xlarge-16GB Linux with public IPv4 |  $84.00  |  4  |  16 GB  |  320 GB  |  6 TB  | 
| 2Xlarge-32GB Linux with public IPv4 |  $164.00  |  8  |  32 GB  |  640 GB  |  7 TB  | 
| 4Xlarge-64GB Linux with public IPv4 |  $384.00  |  16  |  64 GB  |  1,280 GB  |  8 TB  | 
| 8Xlarge-128GB Linux with public IPv4 |  $884.00  |  32  |  128 GB  |  1,280 GB  |  9 TB  | 
| 12Xlarge-192GB Linux with public IPv4 |  $1,324.00  |  48  |  192 GB  |  1,280 GB  |  10 TB  | 
| 16Xlarge-256GB Linux with public IPv4 |  $1,764.00  |  64  |  256 GB  |  1,280 GB  |  10 TB  | 
| Memory-optimized Large-16GB Linux with public IPv4 |  $74.00  |  2  |  16 GB  |  160 GB  |  5 TB  | 
| Memory-optimized Xlarge-32GB Linux with public IPv4 |  $144.00  |  4  |  32 GB  |  320 GB  |  6 TB  | 
| Memory-optimized 2Xlarge-64GB Linux with public IPv4 |  $294.00  |  8  |  64 GB  |  640 GB  |  7 TB  | 
| Memory-optimized 4Xlarge-128GB Linux with public IPv4 |  $584.00  |  16  |  128 GB  |  1,280 GB  |  8 TB  | 
| Memory-optimized 8Xlarge-256GB Linux with public IPv4 |  $1,174.00  |  32  |  256 GB  |  1,280 GB  |  9 TB  | 
| Memory-optimized 12Xlarge-384GB Linux with public IPv4 |  $1,764.00  |  48  |  384 GB  |  1,280 GB  |  10 TB  | 
| Memory-optimized 16Xlarge-512GB Linux with public IPv4 |  $2,344.00  |  64  |  512 GB  |  1,280 GB  |  10 TB  | 
| Compute-optimized Large-4GB Linux with public IPv4 |  $42.00  |  2  |  4 GB  |  160 GB  |  5 TB  | 
| Compute-optimized Xlarge-8GB Linux with public IPv4 |  $84.00  |  4  |  8 GB  |  320 GB  |  6 TB  | 
| Compute-optimized 2Xlarge-16GB Linux with public IPv4 |  $168.00  |  8  |  16 GB  |  640 GB  |  7 TB  | 
| Compute-optimized 4Xlarge-32GB Linux with public IPv4 |  $336.00  |  16  |  32 GB  |  1,280 GB  |  8 TB  | 
| Compute-optimized 9Xlarge-72GB Linux with public IPv4 |  $844.00  |  36  |  72 GB  |  1,280 GB  |  9 TB  | 
| Compute-optimized 12Xlarge-96GB Linux with public IPv4 |  $1,126.00  |  48  |  96 GB  |  1,280 GB  |  10 TB  | 
| Compute-optimized 18Xlarge-144GB Linux with public IPv4 |  $1,688.00  |  72  |  144 GB  |  1,280 GB  |  10 TB  | 

\* The data transfer allowance can vary by Region. For more information, see [How does my data transfer allowance for instances vary by AWS Region?](amazon-lightsail-faq-data-transfer-allowance.md#data-transfer-allowance-how-do-data-transfer-allowances-vary-by-region).

## Linux/Unix bundles (IPv6-only)
<a name="linux-unix-ipv6-bundles"></a>

The following table lists the specifications for Linux/Unix instance bundles with only an IPv6 address.


|  Bundle name  |  Price (USD/month)  |  vCPUs  |  Memory  |  Storage  |  Data transfer \*  | 
| --- | --- | --- | --- | --- | --- | 
| Nano-0.5GB Linux IPv6-only |  $3.50  |  2  |  0.5 GB  |  20 GB  |  1 TB  | 
| Micro-1GB Linux IPv6-only |  $5.00  |  2  |  1 GB  |  40 GB  |  2 TB  | 
| Small-2GB Linux IPv6-only |  $10.00  |  2  |  2 GB  |  60 GB  |  3 TB  | 
| Medium-4GB Linux IPv6-only |  $20.00  |  2  |  4 GB  |  80 GB  |  4 TB  | 
| Large-8GB Linux IPv6-only |  $40.00  |  2  |  8 GB  |  160 GB  |  5 TB  | 
| Xlarge-16GB Linux IPv6-only |  $80.00  |  4  |  16 GB  |  320 GB  |  6 TB  | 
| 2Xlarge-32GB Linux IPv6-only |  $160.00  |  8  |  32 GB  |  640 GB  |  7 TB  | 
| 4Xlarge-64GB Linux IPv6-only |  $380.00  |  16  |  64 GB  |  1,280 GB  |  8 TB  | 
| 8Xlarge-128GB Linux IPv6-only |  $880.00  |  32  |  128 GB  |  1,280 GB  |  9 TB  | 
| 12Xlarge-192GB Linux IPv6-only |  $1,320.00  |  48  |  192 GB  |  1,280 GB  |  10 TB  | 
| 16Xlarge-256GB Linux IPv6-only |  $1,760.00  |  64  |  256 GB  |  1,280 GB  |  10 TB  | 
| Memory-optimized Large-16GB Linux IPv6-only |  $70.00  |  2  |  16 GB  |  160 GB  |  5 TB  | 
| Memory-optimized Xlarge-32GB Linux IPv6-only |  $140.00  |  4  |  32 GB  |  320 GB  |  6 TB  | 
| Memory-optimized 2Xlarge-64GB Linux IPv6-only |  $290.00  |  8  |  64 GB  |  640 GB  |  7 TB  | 
| Memory-optimized 4Xlarge-128GB Linux IPv6-only |  $580.00  |  16  |  128 GB  |  1,280 GB  |  8 TB  | 
| Memory-optimized 8Xlarge-256GB Linux IPv6-only |  $1,170.00  |  32  |  256 GB  |  1,280 GB  |  9 TB  | 
| Memory-optimized 12Xlarge-384GB Linux IPv6-only |  $1,760.00  |  48  |  384 GB  |  1,280 GB  |  10 TB  | 
| Memory-optimized 16Xlarge-512GB Linux IPv6-only |  $2,340.00  |  64  |  512 GB  |  1,280 GB  |  10 TB  | 
| Compute-optimized Large-4GB Linux IPv6-only |  $38.00  |  2  |  4 GB  |  160 GB  |  5 TB  | 
| Compute-optimized Xlarge-8GB Linux IPv6-only |  $80.00  |  4  |  8 GB  |  320 GB  |  6 TB  | 
| Compute-optimized 2Xlarge-16GB Linux IPv6-only |  $164.00  |  8  |  16 GB  |  640 GB  |  7 TB  | 
| Compute-optimized 4Xlarge-32GB Linux IPv6-only |  $332.00  |  16  |  32 GB  |  1,280 GB  |  8 TB  | 
| Compute-optimized 9Xlarge-72GB Linux IPv6-only |  $840.00  |  36  |  72 GB  |  1,280 GB  |  9 TB  | 
| Compute-optimized 12Xlarge-96GB Linux IPv6-only |  $1,122.00  |  48  |  96 GB  |  1,280 GB  |  10 TB  | 
| Compute-optimized 18Xlarge-144GB Linux IPv6-only |  $1,684.00  |  72  |  144 GB  |  1,280 GB  |  10 TB  | 

\* The data transfer allowance can vary by Region. For more information, see [How does my data transfer allowance for instances vary by AWS Region?](amazon-lightsail-faq-data-transfer-allowance.md#data-transfer-allowance-how-do-data-transfer-allowances-vary-by-region).

## Windows bundles (with public IPv4 addressing)
<a name="windows-bundles"></a>

The following table lists the specifications for Windows instance bundles that include an IPv4 address.


|  Bundle name  |  Price (USD/month)  |  vCPUs  |  Memory  |  Storage  |  Data transfer \*  | 
| --- | --- | --- | --- | --- | --- | 
| Nano-0.5GB Windows with public IPv4 |  $9.50  |  2  |  0.5 GB  |  30 GB  |  1 TB  | 
| Micro-1GB Windows with public IPv4 |  $14.00  |  2  |  1 GB  |  40 GB  |  2 TB  | 
| Small-2GB Windows with public IPv4 |  $22.00  |  2  |  2 GB  |  60 GB  |  3 TB  | 
| Medium-4GB Windows with public IPv4 |  $44.00  |  2  |  4 GB  |  80 GB  |  4 TB  | 
| Large-8GB Windows with public IPv4 |  $74.00  |  2  |  8 GB  |  160 GB  |  5 TB  | 
| Xlarge-16GB Windows with public IPv4 |  $124.00  |  4  |  16 GB  |  320 GB  |  6 TB  | 
| 2Xlarge-32GB Windows with public IPv4 |  $244.00  |  8  |  32 GB  |  640 GB  |  7 TB  | 
| 4Xlarge-64GB Windows with public IPv4 |  $574.00  |  16  |  64 GB  |  1,280 GB  |  8 TB  | 
| 8Xlarge-128GB Windows with public IPv4 |  $1,254.00  |  32  |  128 GB  |  1,280 GB  |  9 TB  | 
| 12Xlarge-192GB Windows with public IPv4 |  $1,884.00  |  48  |  192 GB  |  1,280 GB  |  10 TB  | 
| 16Xlarge-256GB Windows with public IPv4 |  $2,504.00  |  64  |  256 GB  |  1,280 GB  |  10 TB  | 
| Memory-optimized Large-16GB Windows with public IPv4 |  $134.00  |  2  |  16 GB  |  160 GB  |  5 TB  | 
| Memory-optimized Xlarge-32GB Windows with public IPv4 |  $264.00  |  4  |  32 GB  |  320 GB  |  6 TB  | 
| Memory-optimized 2Xlarge-64GB Windows with public IPv4 |  $524.00  |  8  |  64 GB  |  640 GB  |  7 TB  | 
| Memory-optimized 4Xlarge-128GB Windows with public IPv4 |  $1,044.00  |  16  |  128 GB  |  1,280 GB  |  8 TB  | 
| Memory-optimized 8Xlarge-256GB Windows with public IPv4 |  $2,104.00  |  32  |  256 GB  |  1,280 GB  |  9 TB  | 
| Memory-optimized 12Xlarge-384GB Windows with public IPv4 |  $3,164.00  |  48  |  384 GB  |  1,280 GB  |  10 TB  | 
| Memory-optimized 16Xlarge-512GB Windows with public IPv4 |  $4,204.00  |  64  |  512 GB  |  1,280 GB  |  10 TB  | 
| Compute-optimized Large-4GB Windows with public IPv4 |  $100.00  |  2  |  4 GB  |  160 GB  |  5 TB  | 
| Compute-optimized Xlarge-8GB Windows with public IPv4 |  $200.00  |  4  |  8 GB  |  320 GB  |  6 TB  | 
| Compute-optimized 2Xlarge-16GB Windows with public IPv4 |  $400.00  |  8  |  16 GB  |  640 GB  |  7 TB  | 
| Compute-optimized 4Xlarge-32GB Windows with public IPv4 |  $800.00  |  16  |  32 GB  |  1,280 GB  |  8 TB  | 
| Compute-optimized 9Xlarge-72GB Windows with public IPv4 |  $1,888.00  |  36  |  72 GB  |  1,280 GB  |  9 TB  | 
| Compute-optimized 12Xlarge-96GB Windows with public IPv4 |  $2,518.00  |  48  |  96 GB  |  1,280 GB  |  10 TB  | 
| Compute-optimized 18Xlarge-144GB Windows with public IPv4 |  $3,776.00  |  72  |  144 GB  |  1,280 GB  |  10 TB  | 

\* The data transfer allowance can vary by Region. For more information, see [How does my data transfer allowance for instances vary by AWS Region?](amazon-lightsail-faq-data-transfer-allowance.md#data-transfer-allowance-how-do-data-transfer-allowances-vary-by-region).

## Windows bundles (IPv6-only)
<a name="windows-ipv6-bundles"></a>

The following table lists the specifications for Windows instance bundles with only an IPv6 address.


|  Bundle name  |  Price (USD/month)  |  vCPUs  |  Memory  |  Storage  |  Data transfer \*  | 
| --- | --- | --- | --- | --- | --- | 
| Nano-0.5GB Windows IPv6-only |  $8.00  |  2  |  0.5 GB  |  30 GB  |  1 TB  | 
| Micro-1GB Windows IPv6-only |  $12.00  |  2  |  1 GB  |  40 GB  |  2 TB  | 
| Small-2GB Windows IPv6-only |  $20.00  |  2  |  2 GB  |  60 GB  |  3 TB  | 
| Medium-4GB Windows IPv6-only |  $40.00  |  2  |  4 GB  |  80 GB  |  4 TB  | 
| Large-8GB Windows IPv6-only |  $70.00  |  2  |  8 GB  |  160 GB  |  5 TB  | 
| Xlarge-16GB Windows IPv6-only |  $120.00  |  4  |  16 GB  |  320 GB  |  6 TB  | 
| 2Xlarge-32GB Windows IPv6-only |  $240.00  |  8  |  32 GB  |  640 GB  |  7 TB  | 
| 4Xlarge-64GB Windows IPv6-only |  $570.00  |  16  |  64 GB  |  1,280 GB  |  8 TB  | 
| 8Xlarge-128GB Windows IPv6-only |  $1,250.00  |  32  |  128 GB  |  1,280 GB  |  9 TB  | 
| 12Xlarge-192GB Windows IPv6-only |  $1,880.00  |  48  |  192 GB  |  1,280 GB  |  10 TB  | 
| 16Xlarge-256GB Windows IPv6-only |  $2,500.00  |  64  |  256 GB  |  1,280 GB  |  10 TB  | 
| Memory-optimized Large-16GB Windows IPv6-only |  $130.00  |  2  |  16 GB  |  160 GB  |  5 TB  | 
| Memory-optimized Xlarge-32GB Windows IPv6-only |  $260.00  |  4  |  32 GB  |  320 GB  |  6 TB  | 
| Memory-optimized 2Xlarge-64GB Windows IPv6-only |  $520.00  |  8  |  64 GB  |  640 GB  |  7 TB  | 
| Memory-optimized 4Xlarge-128GB Windows IPv6-only |  $1,040.00  |  16  |  128 GB  |  1,280 GB  |  8 TB  | 
| Memory-optimized 8Xlarge-256GB Windows IPv6-only |  $2,100.00  |  32  |  256 GB  |  1,280 GB  |  9 TB  | 
| Memory-optimized 12Xlarge-384GB Windows IPv6-only |  $3,160.00  |  48  |  384 GB  |  1,280 GB  |  10 TB  | 
| Memory-optimized 16Xlarge-512GB Windows IPv6-only |  $4,200.00  |  64  |  512 GB  |  1,280 GB  |  10 TB  | 
| Compute-optimized Large-4GB Windows IPv6-only |  $96.00  |  2  |  4 GB  |  160 GB  |  5 TB  | 
| Compute-optimized Xlarge-8GB Windows IPv6-only |  $196.00  |  4  |  8 GB  |  320 GB  |  6 TB  | 
| Compute-optimized 2Xlarge-16GB Windows IPv6-only |  $396.00  |  8  |  16 GB  |  640 GB  |  7 TB  | 
| Compute-optimized 4Xlarge-32GB Windows IPv6-only |  $796.00  |  16  |  32 GB  |  1,280 GB  |  8 TB  | 
| Compute-optimized 9Xlarge-72GB Windows IPv6-only |  $1,884.00  |  36  |  72 GB  |  1,280 GB  |  9 TB  | 
| Compute-optimized 12Xlarge-96GB Windows IPv6-only |  $2,514.00  |  48  |  96 GB  |  1,280 GB  |  10 TB  | 
| Compute-optimized 18Xlarge-144GB Windows IPv6-only |  $3,772.00  |  72  |  144 GB  |  1,280 GB  |  10 TB  | 

\* The data transfer allowance can vary by Region. For more information, see [How does my data transfer allowance for instances vary by AWS Region?](amazon-lightsail-faq-data-transfer-allowance.md#data-transfer-allowance-how-do-data-transfer-allowances-vary-by-region).

# Control instance traffic with firewalls in Lightsail
<a name="understanding-firewall-and-port-mappings-in-amazon-lightsail"></a>

The firewall in the Amazon Lightsail console acts as a virtual firewall that controls the traffic allowed to connect to your instance through its public IP address. Each instance that you create in Lightsail has two firewalls: one for IPv4 addresses and another for IPv6 addresses. Each firewall contains a set of rules that filter traffic coming into the instance. The two firewalls are independent of each other, so you must configure firewall rules separately for IPv4 and IPv6. You can edit your instance's firewalls at any time by adding and deleting rules to allow or restrict traffic.

## Lightsail firewalls
<a name="understanding-firewalls"></a>

Each Lightsail instance has two firewalls: one for IPv4 addresses and another for IPv6 addresses. All internet traffic into and out of your Lightsail instance passes through its firewalls. An instance's firewalls control the internet traffic that is allowed to flow into your instance. However, they don't control the traffic that flows out of it; the firewalls allow all outbound traffic. You can edit your instance's firewalls at any time by adding and deleting rules to allow or restrict incoming traffic. Note that the two firewalls are independent of each other, so you must configure firewall rules separately for IPv4 and IPv6.

Firewall rules are always permissive; you can't create rules that deny access. You add rules to your instance's firewalls to allow traffic to reach your instance. When you add a rule to your instance's firewall, you specify the protocol to use, the port to open, and the IPv4 and IPv6 addresses that are allowed to connect to your instance, as shown in the following example (for IPv4). You can also specify an application layer protocol type, which is a preset that specifies the protocol and port range for you based on the service that you plan to use on your instance.

![\[IPv4 firewall in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/firewall-rule-example.png)


**Important**  
Firewall rules affect only traffic that flows in through the public IP address of an instance. They do not affect traffic that flows in through the private IP address of an instance, which can originate from Lightsail resources in your account, in the same AWS Region, or resources in a peered virtual private cloud (VPC), in the same AWS Region.

Firewall rules and their configurable parameters are explained in the next few sections of this guide.

## Create firewall rules
<a name="creating-firewall-rules"></a>

Create a firewall rule to enable a client to establish a connection with your instance, or with an application running on your instance. For example, to enable all web browsers to connect to the WordPress application on your instance, you configure a firewall rule that enables the Transmission Control Protocol (TCP) over port 80 from any IP address. If this rule is already configured on your instance's firewall, then you can delete it to block web browsers from being able to connect to the WordPress application on your instance.

**Important**  
You can use the Lightsail console to add up to 30 source IP addresses at a time. To add up to 60 IP addresses at a time, use the Lightsail API, AWS Command Line Interface (AWS CLI), or an AWS SDK. This quota is enforced separately for IPv4 rules and IPv6 rules. For example, a firewall can have 60 inbound rules for IPv4 traffic and 60 inbound rules for IPv6 traffic. We recommend you consolidate individual IP addresses into CIDR ranges. For more information, see the [Specify source IP addresses](#specifying-source-ip-addresses) section of this guide.

You can also enable an SSH client to connect to your instance, to perform administrative tasks on the server, by configuring a firewall rule that enables TCP over port 22 only from the IP address of the computer that needs to establish a connection. In this case, you would not want to allow any IP address to establish an SSH connection to your instance, because doing so could lead to a security risk on your instance.

**Note**  
The firewall rule examples described in this section may exist in your instance's firewall by default. For more information, see [Default firewall rules](#default-lightsail-firewall-rules) later in this guide.

If there is more than one rule for a specific port, we apply the most permissive rule. For example, suppose you add a rule that allows access to TCP port 22 (SSH) from IP address 192.0.2.1, and then you add another rule that allows access to TCP port 22 from everyone. As a result, everyone has access to TCP port 22.

## Specify protocols
<a name="specifying-protocols"></a>

A protocol is the format in which data is transmitted between two computers. Lightsail allows you to specify the following protocols in a firewall rule:
+ **Transmission Control Protocol (TCP)** is primarily used for establishing and maintaining a connection between clients and the application running on your instance, until the exchange of data is complete. It is a widely used protocol, and one which you might often specify in your firewall rules. TCP guarantees that no transmitted data is missing, and that all of the data that's sent makes it to the intended recipient. Its ideal use is for network applications that need high reliability, and for which transmission time is relatively less critical, such as web browsing, financial transactions, and text messaging. These use cases lose significant value if parts of the data are lost.
+ **User Datagram Protocol (UDP)** is primarily used for establishing low-latency and loss-tolerating connections between clients and the application running on your instance. Its ideal use is for network applications in which perceived latency is critical, such as gaming, voice, and video communications. These use cases can suffer some data loss without adversely affecting perceived quality.
+ **Internet Control Message Protocol (ICMP)** is primarily used to diagnose network communication issues, such as to determine if data is reaching its intended destination in a timely manner. Its ideal use is for the Ping utility, which you can use to test the speed of the connection between your local computer and your instance. It reports how long it takes data to reach your instance and come back to your local computer.
**Note**  
When you add an ICMP rule to the IPv6 firewall of your instance using the Lightsail console, the rule is automatically configured to use ICMPv6. For more information, see [Internet Control Message Protocol for IPv6](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6) on *Wikipedia*.
+ **All** is used to allow all protocol traffic to flow into your instance. Specify this protocol when you're unsure which protocol to specify. This includes all internet protocols; not just the ones specified above. For more information, see [Protocol Numbers](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) on the *Internet Assigned Numbers Authority website*.

## Specifying ports
<a name="specifying-ports"></a>

Similar to physical ports on your computer, which allow your computer to communicate with peripherals like your keyboard and mouse, network ports serve as internet communications endpoints for your instance. When a computer seeks to connect with your instance, it will expose a port to establish the communication.

The ports that you can specify in a firewall rule can range from 0 to 65535. When you create a firewall rule to enable a client to establish a connection with your instance, you specify the protocol that will be used (covered earlier in this guide), and the port numbers through which the connection can be established. You can also specify the IP addresses that are allowed to establish a connection using the protocol and port; this is covered in the next section of this guide.

Here are some of the commonly used ports along with the services that use them:
+ Data transfer over File Transfer Protocol (FTP) uses port 20.
+ Command control over FTP uses port 21.
+ Secure Shell (SSH) uses port 22.
+ Telnet remote login service and unencrypted text messaging use port 23.
+ Simple Mail Transfer Protocol (SMTP) email routing uses port 25.
**Important**  
To enable SMTP on your instance, you must also configure reverse DNS for your instance. Otherwise, your email might be limited over TCP port 25. For more information, see [Configuring reverse DNS for an email server on your Amazon Lightsail instance](amazon-lightsail-configuring-reverse-dns.md).
+ Domain Name System (DNS) service uses port 53.
+ Hypertext Transfer Protocol (HTTP) used by web browsers to connect to websites uses port 80.
+ Post Office Protocol (POP3) used by email clients to retrieve email from a server uses port 110.
+ Network News Transfer Protocol (NNTP) uses port 119.
+ Network Time Protocol (NTP) uses port 123.
+ Internet Message Access Protocol (IMAP) used to manage digital mail uses port 143.
+ Simple Network Management Protocol (SNMP) uses port 161.
+ HTTP Secure (HTTPS) HTTP over TLS/SSL used by web browsers to establish an encrypted connection to websites uses port 443.

For more information, see [Service Name and Transport Protocol Port Number Registry](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml) on the *Internet Assigned Numbers Authority website*.

## Specify application layer protocol types
<a name="specifying-application-layer-protocol-types"></a>

You can specify an application layer protocol type when you create a firewall rule. Application layer protocol types are presets that specify the rule's protocol and port range for you based on the service that you want to enable on your instance. This way, you don't have to search for the common protocol and ports to use for services like SSH, RDP, HTTP, and others. You can simply choose one of those application layer protocol types, and the protocol and port are specified for you. If you prefer to specify your own protocol and port, then you can choose the **Custom rule** application layer protocol type, which gives you control of those parameters.

**Note**  
You can specify the application layer protocol type only by using the Lightsail console. You cannot specify the application layer protocol type using the Lightsail API, AWS Command Line Interface (AWS CLI), or SDKs.

The following application layer protocol types are available in the Lightsail console:
+ **Custom** – Choose this option to specify your own protocol and ports.
+ **All protocols** – Choose this option to specify all protocols, and specify your own ports.
+ **All TCP** – Choose this option if you want to use the TCP protocol but you're unsure of which port to open. This enables TCP over all ports (0-65535).
+ **All UDP** – Choose this option if you want to use the UDP protocol but you're unsure of which port to open. This enables UDP over all ports (0-65535).
+ **All ICMP** – Choose this option to specify all ICMP types and codes.
+ **Custom ICMP** – Choose this option to use the ICMP protocol and define an ICMP type and code. For more information about ICMP types and codes, see [Control Messages](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Control_messages) on *Wikipedia*.
+ **DNS** – Choose this option when you want to enable DNS on your instance. This enables TCP and UDP over port 53.
+ **HTTP** – Choose this option when you want to enable web browsers to connect to a website that is hosted on your instance. This enables TCP over port 80.
+ **HTTPS** – Choose this option when you want to enable web browsers to establish an encrypted connection to a website that is hosted on your instance. This enables TCP over port 443.
+ **MySQL/Aurora** – Choose this option to enable a client to connect to a MySQL or Aurora database hosted on your instance. This enables TCP over port 3306. 
+ **Oracle-RDS** – Choose this option to enable a client to connect to an Oracle or RDS database hosted on your instance. This enables TCP over port 1521.
+ **Ping (ICMP)** – Choose this option to enable your instance to respond to requests using the Ping utility. On the IPv4 firewall, this enables ICMP type 8 (echo) and code -1 (all codes). On the IPv6 firewall, this enables ICMP type 129 (echo reply) and code 0.
+ **RDP** – Choose this option to enable an RDP client to connect to your instance. This enables TCP over port 3389.
+ **SSH** – Choose this option to enable an SSH client to connect to your instance. This enables TCP over port 22.

## Specify source IP addresses
<a name="specifying-source-ip-addresses"></a>

By default, firewall rules allow all IP addresses to connect to your instance through the specified protocol and port. This is ideal for traffic such as web browsers over HTTP and HTTPS. However, this poses a security risk for traffic such as SSH and RDP, since you would not want to allow all IP addresses to be able to connect to your instance using those applications. For that reason, you can choose to restrict a firewall rule to an IPv4 or IPv6 address or range of IP addresses.
+ **For the IPv4 firewall** - You can specify a single IPv4 address (for example, 203.0.113.1), or a range of IPv4 addresses. In the Lightsail console, the range can be specified using a dash (for example, 192.0.2.0-192.0.2.255) or in CIDR block notation (for example, 192.0.2.0/24). For more information about CIDR block notation, see [Classless Inter-Domain Routing](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) on *Wikipedia*.
+ **For the IPv6 firewall** - You can specify a single IPv6 address (for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334), or a range of IPv6 addresses. In the Lightsail console, the IPv6 range can be specified using only CIDR block notation (for example, 2001:db8::/32). For more information about IPv6 CIDR block notation, see [IPv6 CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv6_CIDR_blocks) on *Wikipedia*.
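The recommendation above to consolidate individual IP addresses into CIDR ranges can be automated before a rule is created. The following Python sketch is an added example, not code from AWS or from this guide; the function names and the sample addresses are constructed for illustration. It accepts single addresses, CIDR blocks, and IPv4 dash ranges, merges them per address family without ever widening the allowed set, and enforces the quota of 60 sources per family that this guide states.

```python
import ipaddress

# Quota stated in this guide; enforced separately for IPv4 and IPv6.
MAX_SOURCES_PER_FAMILY = 60


def parse_source(text):
    """Turn one source entry into a list of ip_network objects.

    Accepts a single address, a CIDR block, or an IPv4 dash range such as
    192.0.2.0-192.0.2.255 (the console's dash form is IPv4-only).
    """
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if first.version != 4 or last.version != 4:
            raise ValueError(f"dash ranges are IPv4-only: {text!r}")
        if first > last:
            raise ValueError(f"range start is after range end: {text!r}")
        return list(ipaddress.summarize_address_range(first, last))
    # strict=True rejects entries with host bits set (for example 192.0.2.5/24),
    # a common typo that would otherwise open a whole /24 instead of one host.
    return [ipaddress.ip_network(text, strict=True)]


def consolidate(sources):
    """Return (ipv4_cidrs, ipv6_cidrs) as minimal, sorted lists of CIDR strings.

    collapse_addresses only merges networks that the inputs cover exactly, so
    the result never admits an address that was not already listed.
    """
    by_family = {4: [], 6: []}
    for entry in sources:
        for net in parse_source(entry):
            by_family[net.version].append(net)

    result = []
    for family in (4, 6):
        merged = [str(n) for n in ipaddress.collapse_addresses(by_family[family])]
        if len(merged) > MAX_SOURCES_PER_FAMILY:
            raise ValueError(
                f"IPv{family}: {len(merged)} sources after consolidation, "
                f"quota is {MAX_SOURCES_PER_FAMILY}"
            )
        result.append(merged)
    return tuple(result)


# Constructed sample input using documentation address ranges.
SAMPLE_SOURCES = [
    "203.0.113.1",                      # single admin workstation
    "192.0.2.0-192.0.2.127",            # dash range, lower half of a /24
    "192.0.2.128/25",                   # upper half of the same /24
    "198.51.100.4", "198.51.100.5",     # four consecutive hosts
    "198.51.100.6", "198.51.100.7",
    "198.51.100.4",                     # duplicate entry
    "2001:db8::/33", "2001:db8:8000::/33",
    "2001:0db8:85a3:0000:0000:8a2e:0370:7334",  # already inside 2001:db8::/32
]

if __name__ == "__main__":
    ipv4, ipv6 = consolidate(SAMPLE_SOURCES)
    print("IPv4 sources:", ipv4)
    print("IPv6 sources:", ipv6)
```

Eleven entries reduce to three IPv4 CIDR blocks and one IPv6 CIDR block, which keeps the rule list short enough to review by eye.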

## Default Lightsail firewall rules
<a name="default-lightsail-firewall-rules"></a>

When you create a new instance, its IPv4 and IPv6 firewalls are preconfigured with the following set of default rules that allow basic access to your instance. The default rules are different depending on the type of instance that you create. These rules are listed as application, protocol, port, and source IP address (for example, application - protocol - port - source IP address).

**AlmaLinux, Amazon Linux 2, Amazon Linux 2023, CentOS, Debian, FreeBSD, openSUSE, and Ubuntu (base operating systems)**  
SSH - TCP - 22 - all IP addresses  
HTTP - TCP - 80 - all IP addresses

**WordPress, Ghost, Joomla!, PrestaShop, and Drupal (CMS applications)**  
SSH - TCP - 22 - all IP addresses  
HTTP - TCP - 80 - all IP addresses  
HTTPS - TCP - 443 - all IP addresses

**cPanel & WHM (CMS application)**  
SSH - TCP - 22 - all IP addresses  
DNS (UDP) - UDP - 53 - all IP addresses  
DNS (TCP) - TCP - 53 - all IP addresses  
HTTP - TCP - 80 - all IP addresses  
HTTPS - TCP - 443 - all IP addresses  
Custom - TCP - 2078 - all IP addresses  
Custom - TCP - 2083 - all IP addresses  
Custom - TCP - 2087 - all IP addresses  
Custom - TCP - 2089 - all IP addresses

**LAMP, Django, Node.js, MEAN, GitLab, and Nginx (development stacks)**  
SSH - TCP - 22 - all IP addresses  
HTTP - TCP - 80 - all IP addresses  
HTTPS - TCP - 443 - all IP addresses

**Magento (eCommerce application)**  
SSH - TCP - 22 - all IP addresses  
HTTP - TCP - 80 - all IP addresses  
HTTPS - TCP - 443 - all IP addresses

**Redmine (project management application)**  
SSH - TCP - 22 - all IP addresses  
HTTP - TCP - 80 - all IP addresses  
HTTPS - TCP - 443 - all IP addresses

**Plesk (hosting stack)**  
SSH - TCP - 22 - all IP addresses  
HTTP - TCP - 80 - all IP addresses  
HTTPS - TCP - 443 - all IP addresses  
Custom - TCP - 53 - all IP addresses  
Custom - UDP - 53 - all IP addresses  
Custom - TCP - 8443 - all IP addresses  
Custom - TCP - 8447 - all IP addresses

**Windows Server 2022, Windows Server 2019, and Windows Server 2016**  
SSH - TCP - 22 - all IP addresses  
HTTP - TCP - 80 - all IP addresses  
RDP - TCP - 3389 - all IP addresses

**SQL Server Express 2022, SQL Server Express 2019, and SQL Server Express 2016**  
SSH - TCP - 22 - all IP addresses  
HTTP - TCP - 80 - all IP addresses  
RDP - TCP - 3389 - all IP addresses
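Because rules are allow-only and the most permissive rule for a port wins, the effective exposure of a port is the union of every rule that covers it, and the default rules above leave SSH or RDP open to all IP addresses. The following Python audit is an added example, not code from AWS or from this guide. It assumes rule dictionaries shaped like the `portStates` list returned by the Lightsail `GetInstancePortStates` API; the function names and the sample rules are constructed for illustration.

```python
import ipaddress

# Administrative and database ports named in this guide's rule reference.
SENSITIVE_TCP_PORTS = {
    22: "SSH", 3389: "RDP", 1433: "SQL Server", 3306: "MySQL/Aurora",
    5432: "PostgreSQL", 1521: "Oracle-RDS", 5439: "Amazon Redshift",
}

ANY = {4: ipaddress.ip_network("0.0.0.0/0"), 6: ipaddress.ip_network("::/0")}


def effective_sources(port_states, port):
    """Union of the sources allowed to reach a TCP port, per address family."""
    allowed = {4: [], 6: []}
    for rule in port_states:
        if rule.get("state", "open") != "open":
            continue
        if rule["protocol"] not in ("tcp", "all"):
            # For icmp rules, fromPort/toPort carry the ICMP type and code,
            # so they must not be compared against port numbers.
            continue
        if not rule["fromPort"] <= port <= rule["toPort"]:
            continue
        allowed[4] += [ipaddress.ip_network(c) for c in rule.get("cidrs", [])]
        allowed[6] += [ipaddress.ip_network(c) for c in rule.get("ipv6Cidrs", [])]
    # Collapsing detects "everyone" even when it is spelled as several blocks.
    return {fam: list(ipaddress.collapse_addresses(nets))
            for fam, nets in allowed.items()}


def audit(port_states):
    """Return (port, service, family) for sensitive ports open to everyone."""
    findings = []
    for port, service in sorted(SENSITIVE_TCP_PORTS.items()):
        for family, nets in effective_sources(port_states, port).items():
            if ANY[family] in nets:
                findings.append((port, service, f"IPv{family}"))
    return findings


# Constructed sample rules using documentation address ranges.
SAMPLE_PORT_STATES = [
    # SSH restricted to one admin address, as this guide recommends.
    {"fromPort": 22, "toPort": 22, "protocol": "tcp", "state": "open",
     "cidrs": ["192.0.2.1/32"], "ipv6Cidrs": []},
    # A second rule for the same port from everyone overrides the restriction.
    {"fromPort": 22, "toPort": 22, "protocol": "tcp", "state": "open",
     "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": []},
    # Public web traffic: expected, and not a sensitive port.
    {"fromPort": 80, "toPort": 80, "protocol": "tcp", "state": "open",
     "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"]},
    # A port range that covers 3306; the two halves add up to every address.
    {"fromPort": 3300, "toPort": 3310, "protocol": "tcp", "state": "open",
     "cidrs": ["0.0.0.0/1", "128.0.0.0/1"], "ipv6Cidrs": []},
    # Ping preset: ICMP type 8, code -1. Not a rule for TCP port 8.
    {"fromPort": 8, "toPort": -1, "protocol": "icmp", "state": "open",
     "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": []},
    # RDP restricted on both firewalls.
    {"fromPort": 3389, "toPort": 3389, "protocol": "tcp", "state": "open",
     "cidrs": ["203.0.113.0/24"], "ipv6Cidrs": ["2001:db8::/32"]},
]

if __name__ == "__main__":
    for port, service, family in audit(SAMPLE_PORT_STATES):
        print(f"{service} (TCP {port}) is open to all {family} addresses")
```

The audit covers only the public-IP firewalls; as noted earlier, traffic arriving through the private IP address is not filtered by these rules.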

# Add firewall rules to Lightsail instances
<a name="amazon-lightsail-editing-firewall-rules"></a>

You can add rules to the IPv4 and IPv6 firewalls of your Amazon Lightsail instance to control the traffic that is allowed to connect to it. When you add a firewall rule, you can specify the application layer protocol type, protocol, ports, and the source IPv4 or IPv6 addresses that are allowed to connect to your instance. For more information about firewalls, see [Firewalls and ports](understanding-firewall-and-port-mappings-in-amazon-lightsail.md).

## Add and edit instance firewall rules
<a name="firewall-adding-rules"></a>

Complete the following steps to add or edit firewall rules in the Lightsail console.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Instances**.

1. Choose the name of the instance for which you want to add or edit a firewall rule.

1. Choose the **Networking** tab on your instance's management page.

   The **Networking** tab displays your instance's public and private IP addresses, and the configured IPv4 or IPv6 firewalls for your instance.
**Note**  
The IPv6 firewall is displayed only if you have enabled IPv6 for the instance. For more information, see [Enable or disable IPv6](amazon-lightsail-enable-disable-ipv6.md).

1. Complete one of the following steps depending on whether the source IP for the rule is an IPv4 or IPv6 address:
   + To add an IPv4 firewall rule, scroll down to the **IPv4 Firewall** section of the page, and choose **Add rule**.
   + To add an IPv6 firewall rule, scroll down to the **IPv6 Firewall** section of the page and choose **Add rule**.

   You can also choose **Edit** (pencil icon) next to an existing rule on either of the firewalls to edit it.

1. Choose an application layer protocol type in the **Application** drop-down menu.

   When you choose an application layer protocol type, a set of protocol and port presets are specified for you. Example values are **Custom**, **All TCP**, **All UDP**, **Custom ICMP**, **SSH**, and **RDP**.

   You can configure the following optional settings depending on the application layer protocol type you select:
   + (Optional) If you choose the **Custom** option, then you can select a value in the **Protocol** drop-down menu. The available protocol values are **TCP** and **UDP**.

     You can also enter a single port number or range of port numbers (for example, 7000-8000) in the **Port** field.
   + (Optional) If you choose the **Custom ICMP** option, then you can specify an ICMP type in the **Type** field, and an ICMP code in the **Code** field. For more information about ICMP types and codes, see [Control Messages](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Control_messages) on *Wikipedia*.
**Note**  
When you add an ICMP rule to the IPv6 firewall of your instance using the Lightsail console, the rule is automatically configured to use ICMPv6. For more information, see [Internet Control Message Protocol for IPv6](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6) on *Wikipedia*.
   + (Optional) Select **Restrict to IP address** to restrict access for the specified protocol and port to a specific IP address or range of IP addresses. Leave this option unselected to allow all IP addresses for the specified protocol and port.

     You can enter a single IPv4 address (for example, `203.0.113.1`), or a range of IPv4 addresses. The range can be specified using a dash (for example, `192.0.2.0-192.0.2.255`) or in CIDR block notation (for example, `192.0.2.0/24`). For more information about CIDR block notation, see [Classless Inter-Domain Routing](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation) on *Wikipedia*.
   + (Optional) If you choose the **SSH** or **RDP** application layer protocol type, and then choose **Restrict to IP address**, you can choose **Allow Lightsail browser SSH/RDP** to allow connection to your instance using the browser-based SSH and RDP clients available in the Lightsail console. Leave this option unselected to block access through those browser-based clients.

1. Choose **Create** to add the rule to the firewall.

   The firewall rule is added after a few moments.

# Delete firewall rules
<a name="firewall-deleting-rules"></a>

In addition to adding and editing firewall rules, you might also want to delete existing rules for your Amazon Lightsail instances. Removing firewall rules can be necessary if you no longer require certain inbound traffic to be allowed to your instance. The process for deleting IPv4 and IPv6 firewall rules is straightforward and can be done directly through the Lightsail console. Complete the following steps to delete instance firewall rules in the Lightsail console.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Instances**.

1. Choose the name of the instance for which you want to delete a firewall rule.

1. Choose the **Networking** tab on your instance's management page.

1. Complete one of the following steps depending on whether the source IP for the rule is an IPv4 or IPv6 address:
   + To delete an IPv4 firewall rule, scroll down to the **IPv4 Firewall** section of the page, and choose **Delete** (the trash icon) next to an existing rule to delete it.
   + To delete an IPv6 firewall rule, scroll down to the **IPv6 Firewall** section of the page, and choose **Delete** (the trash icon) next to an existing rule to delete it.
**Important**  
Firewall rules affect only traffic that flows in through the public IP address of an instance. They do not affect traffic that flows in through the private IP address of an instance, which can originate from Lightsail resources in your account, in the same AWS Region, or resources in a peered virtual private cloud (VPC), in the same AWS Region. For example, if you delete the SSH rule (TCP port 22) from the instance firewall, other instances in the same Lightsail account, and in the same AWS Region, can continue to connect to it using SSH by specifying the private IP address of the instance.

   The firewall rule is deleted after a few moments.

# Firewall rules reference for Lightsail instances
<a name="amazon-lightsail-firewall-rules-reference"></a>

You can add rules to an Amazon Lightsail instance's firewall that reflect the role of the instance. For example, an instance that's configured as a web server needs firewall rules that allow inbound HTTP and HTTPS access. A database instance needs rules that allow access for the type of database, such as access over port 3306 for MySQL. For more information about firewalls, see [Instance firewalls in Lightsail](understanding-firewall-and-port-mappings-in-amazon-lightsail.md).

This guide provides examples of the kinds of firewall rules that you can add to an instance firewall for specific kinds of access. The rules are listed as application, protocol, port, and source IP address (for example, application - protocol - port - source IP address), unless otherwise stated.

**Contents**
+ [Web server rules](#firewall-web-server-rules)
+ [Rules to connect to your instance from your computer](#firewall-connect-to-instance)
+ [Database server rules](#firewall-database-server-rules)
+ [DNS server rules](#firewall-dns-server)
+ [SMTP email](#firewall-smtp)

## Web server rules
<a name="firewall-web-server-rules"></a>

The following inbound rules allow HTTP and HTTPS access.

**Note**  
Some Lightsail instances have the following firewall rules configured by default. For more information, see [Firewalls and ports](understanding-firewall-and-port-mappings-in-amazon-lightsail.md).

**HTTP**  
HTTP - TCP - 80 - all IP addresses

**HTTPS**  
HTTPS - TCP - 443 - all IP addresses

## Rules to connect to your instance from your computer
<a name="firewall-connect-to-instance"></a>

To connect to your instance, you add a rule that allows SSH access (for Linux instances) or RDP access (for Windows instances).

**Note**  
All Lightsail instances have either of the following firewall rules configured by default. For more information, see [Firewalls and ports](understanding-firewall-and-port-mappings-in-amazon-lightsail.md).

**SSH**  
SSH - TCP - 22 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

**RDP**  
RDP - TCP - 3389 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

## Database server rules
<a name="firewall-database-server-rules"></a>

The following inbound rules are examples of rules that you might add for database access, depending on what type of database you're running on your instance.

**SQL Server**  
Custom - TCP - 1433 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

**MySQL/Aurora**  
MySQL/Aurora - TCP - 3306 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

**PostgreSQL**  
PostgreSQL - TCP - 5432 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

**Oracle-RDS**  
Oracle-RDS - TCP - 1521 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

**Amazon Redshift**  
Custom - TCP - 5439 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

## DNS server rules
<a name="firewall-dns-server"></a>

If you've set up your instance as a DNS server, you must ensure that TCP and UDP traffic can reach your DNS server over port 53.

**DNS (TCP)**  
DNS (TCP) - TCP - 53 - The IP address of a computer, or a range of IP addresses (in CIDR block notation) in your local network

**DNS (UDP)**  
DNS (UDP) - UDP - 53 - The IP address of a computer, or a range of IP addresses (in CIDR block notation) in your local network

## SMTP email
<a name="firewall-smtp"></a>

To enable SMTP on your instance, you must configure the following firewall rule.

**Important**  
After configuring the following rule, you must also configure reverse DNS for your instance. Otherwise, your email may be limited over TCP port 25. For more information, see [Configure reverse DNS for an email server](amazon-lightsail-configuring-reverse-dns.md).

**SMTP**  
Custom - TCP - 25 - The IP addresses of the hosts that communicate with your instance

# Detect Lightsail instance bursting for optimal performance
<a name="amazon-lightsail-viewing-instance-burst-capacity"></a>

**Did you know?**  
You can change your instance bundle to a larger size when you create an instance from an instance snapshot. For more information, see [Upsize a Lightsail instance, storage, or database from snapshots](https://docs.aws.amazon.com/lightsail/latest/userguide/how-to-create-larger-instance-from-snapshot-using-console.html).

Amazon Lightsail instances provide a baseline amount of CPU performance, but also have the ability to temporarily provide additional CPU performance above the baseline as needed. This is referred to as bursting. The baseline performance and ability to burst are governed by the following instance metrics:
+ **CPU utilization** – The percentage of allocated compute units that are in use on your instance. This metric identifies the processing power used to run applications on your instance.
+ **CPU burst capacity percentage** – The percentage of CPU performance available to your instance.
+ **CPU burst capacity minutes** – The amount of time available for your instance to burst at 100% CPU utilization.

With the following topics, you will learn how to monitor these metrics to maximize the availability of your instance.

**Topics**
+ [CPU performance](baseline-cpu-performance.md)
+ [Burst capacity accrual](cpu-burst-capacity-accrual.md)
+ [Identify instance bursts](identifying-instance-burst.md)
+ [Monitor burst capacity](monitoring-cpu-burst-capacity.md)
+ [View burst capacity](viewing-instance-burst-capacity.md)
+ [Troubleshoot high CPU](troubleshooting-high-cpu-utilization.md)

# Understand baseline CPU performance and burst capacity accrual for Lightsail instances
<a name="baseline-cpu-performance"></a>

Lightsail instances continuously earn (at a millisecond-level resolution) a set rate of CPU burst capacity per hour, which is also consumed when your instance's CPU utilization is greater than 0%. The accounting process for whether burst capacity is accrued or consumed also happens at a millisecond-level resolution, so you don't have to worry about overspending CPU burst capacity; a short burst of CPU uses a small fraction of burst capacity.

If your instance uses fewer CPU resources than is required for baseline performance (such as when it is idle), the unspent CPU burst capacity is accrued in the form of CPU burst capacity percentage and minutes. If your instance needs to burst above the baseline performance level, it spends the accrued CPU burst capacity. The more CPU burst capacity that your instance has accrued, the more time it can burst beyond its baseline when more performance is needed.

## Baseline CPU performance
<a name="baseline-cpu-instance-plans"></a>

The following table outlines the performance baselines for dual-stack instance plans in Lightsail. While the price for an IPv6-only plan is different, the performance baselines are the same.


|  Instance plan  |  vCPUs  |  Memory  |  Storage  |  Performance baseline  | 
| --- | --- | --- | --- | --- | 
| Linux or Unix \$5 and Windows \$9.50 |  2  |  512 MB  |  20 GB  |  5%  | 
| Linux or Unix \$7 and Windows \$14 |  2  |  1 GB  |  40 GB  |  10%  | 
| Linux or Unix \$12 and Windows \$22 |  2  |  2 GB  |  60 GB  |  20%  | 
| Linux or Unix \$24 and Windows \$44 |  2  |  4 GB  |  80 GB  |  20%  | 
| Linux or Unix \$44 and Windows \$74 |  2  |  8 GB  |  160 GB  |  30%  | 
| Linux or Unix \$84 and Windows \$124 |  4  |  16 GB  |  320 GB  |  40%  | 
| Linux or Unix \$164 and Windows \$244 |  8  |  32 GB  |  640 GB  |  40%  | 
| \* Linux or Unix \$384 and Windows \$574 |  16  |  64 GB  |  1,280 GB  |  40%  | 
| \* Linux or Unix \$884 and Windows \$1,254 |  32  |  128 GB  |  1,280 GB  |  40%  | 
| \* Linux or Unix \$1,324 and Windows \$1,884 |  48  |  192 GB  |  1,280 GB  |  40%  | 
| \* Linux or Unix \$1,764 and Windows \$2,504 |  64  |  256 GB  |  1,280 GB  |  40%  | 

\* These instance plans burst automatically as needed and don't utilize burst capacity.

These performance baselines are per vCPU. The CPU utilization metric graph in the Lightsail console averages the CPU utilization and baseline for instances with more than one vCPU. For example, a Linux or Unix-based \$44 USD/month instance has two vCPUs and an averaged CPU utilization baseline of 30%. Therefore, if:
+ One vCPU operates at 50% and the other at 0%, a 25% averaged CPU utilization is displayed on the graph. This puts the instance's CPU utilization below its 30% baseline, and in the sustainable zone.
+ One vCPU operates at 30%, and the other at 20%, a 25% averaged CPU utilization is displayed on the graph. This puts the instance's CPU utilization below its 30% baseline, and in the sustainable zone.
+ One vCPU operates at 35% and the other at 25%, a 30% averaged CPU utilization is displayed on the graph. This puts the instance's CPU utilization at the 30% baseline.
+ One vCPU operates at 100% and the other at 90%, a 95% averaged CPU utilization is displayed on the graph. This puts the instance's CPU utilization above its 30% baseline, and in the burstable zone.

For more information about the sustainable and burstable zones, see [Identify when your instance bursts](identifying-instance-burst.md) later in this guide.

## Previous generation CPU performance
<a name="baseline-previous-instance-plans"></a>

The following table outlines the performance baselines for Lightsail instances that were created prior to **June 29, 2023**. These performance baselines are per vCPU.


|  Instance plan  |  vCPUs  |  Memory  |  Storage  |  Performance baseline  | 
| --- | --- | --- | --- | --- | 
| Linux or Unix \$15 and Windows \$19.50 |  1  |  512 MB  |  20 GB  |  5%  | 
| Linux or Unix \$17 and Windows \$114 |  1  |  1 GB  |  40 GB  |  10%  | 
| Linux or Unix \$112 and Windows \$122 |  1  |  2 GB  |  60 GB  |  20%  | 
| Linux or Unix \$124 and Windows \$144 |  2  |  4 GB  |  80 GB  |  20%  | 
| Linux or Unix \$144 and Windows \$174 |  2  |  8 GB  |  160 GB  |  30%  | 
| Linux or Unix \$184 and Windows \$1124 |  4  |  16 GB  |  320 GB  |  22.5%  | 
| Linux or Unix \$1164 and Windows \$1244 |  8  |  32 GB  |  640 GB  |  17%  | 

# View CPU burst capacity accrual for Lightsail instances
<a name="cpu-burst-capacity-accrual"></a>

**Did you know?**  
 You can change your instance bundle to a larger size when you create an instance from an instance snapshot. For more information, see [ Upsize a Lightsail instance, storage, or database from snapshots ](https://docs.aws.amazon.com/lightsail/latest/userguide/how-to-create-larger-instance-from-snapshot-using-console.html) . 

Amazon Lightsail instance plans accrue 4.17% of CPU burst capacity per hour, except for Linux or Unix \$1380 and larger plans, and Windows \$1570 and larger plans. The maximum CPU burst capacity that can be accrued is equivalent to the amount of CPU burst capacity percentage that can be earned in a 24-hour period. Your instance stops accruing CPU burst capacity when the CPU burst capacity percentage reaches 100%.

**Important**  
**Linux or Unix \$1380** and **Windows \$1570** and larger instance plans – These plans don't accrue CPU burst capacity. They will burst automatically, as needed.
**Instances created before June 29, 2023** – CPU burst capacity does not persist if your instance is stopped. If you stop your instance, it loses all accrued burst capacity.
**Instances created on or after June 29, 2023** – CPU burst capacity persists for seven days between instance stops and starts.
Accrued CPU burst capacity on a running instance does not expire.

![\[CPU burst capacity accrual and consumption\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-cpu-burst-capacity-consumption.png)


Lightsail instances receive additional CPU burst capacity at launch. This is called launch CPU burst capacity. Launch CPU burst capacity allows instances to burst immediately after launch, before they have accrued additional burst capacity. Launch CPU burst capacity does not count towards the burst capacity limit. If your instance has not spent its launch CPU burst capacity, and remains idle over a 24-hour period while accruing more burst capacity, its CPU burst capacity (percentage) metric graph will appear as over 100%.

Additionally, some Lightsail instances start in launch mode, which temporarily removes some of the performance limitations that are typically present on burstable instances. Launch mode allows you to run resource-intensive scripts at launch without affecting the overall performance of your instance.

# Identify when your Lightsail instance bursts
<a name="identifying-instance-burst"></a>

On the CPU utilization metric graph for your instances, you will see a sustainable zone, and a burstable zone. In the following CPU utilization metric graph example, the performance baseline is 10% because the instance uses the Linux or Unix-based \$17 USD/month instance plan.

![\[Sustainable and burstable zones on the CPU utilization graph\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/cpu-utilization-burstable-zone.png)


Your Lightsail instance can operate in the sustainable zone indefinitely with no impact to the operation of your system. Your instance may begin operating in the burstable zone when under heavy load, such as when compiling code, installing new software, running a batch job, or serving peak load requests. While operating in the burstable zone, your instance is consuming a higher amount of CPU cycles. Therefore, it can only operate in this zone for a limited period of time.

The period of time your instance can operate in the burstable zone is dependent on how far into the burstable zone it is. An instance operating in the lower end of the burstable zone can burst for a longer period of time than an instance operating in the higher end of the burstable zone. However, an instance that is anywhere in the burstable zone for a sustained period of time will eventually use up all the CPU capacity until it operates in the sustainable zone again. Therefore, it is important to also monitor the remaining CPU burst capacity, which is described in the following section of this guide.

# Monitor CPU burst capacity for your Lightsail instance
<a name="monitoring-cpu-burst-capacity"></a>

The CPU overview page in the Lightsail console displays your instance's CPU utilization in comparison to its available CPU burst capacity. In the following CPU overview example, the CPU burst capacity percentage has increased because the instance has continuously operated below its baseline in the sustainable zone.

![\[CPU overview page in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/cpu-overview-page.png)


The remaining CPU burst capacity graph view can be switched between CPU burst capacity percentage and minutes. Your instance consumes more CPU burst capacity when operating in the burstable zone. The CPU burst capacity minutes metric is the amount of time available for your instance to burst at 100% CPU utilization. It is consumed at the same rate as your instance's current CPU utilization percentage when operating in the burstable zone. For example, a Linux or Unix-based \$17 USD/month instance has a CPU utilization baseline of 10%, and accrues 6 CPU burst capacity minutes per hour. Therefore, if the instance operates at:
+ 100% CPU utilization in the burstable zone for a 60-minute period, then it consumes CPU burst capacity minutes at a 100% rate in that period. The instance consumes 60 minutes of CPU burst capacity, and accrues 6 minutes, for a net consumption of 54 minutes.
+ 50% CPU utilization in the burstable zone for a 60-minute period, then it consumes CPU burst capacity minutes at a 50% rate in that period. The instance consumes 30 minutes of CPU burst capacity, and accrues 6 minutes, for a net consumption of 24 minutes.
+ 10% CPU utilization at the instance's baseline for a 60-minute period, then it consumes CPU burst capacity minutes at a 10% rate in that period. The instance consumes 6 minutes of CPU burst capacity, and accrues 6 minutes. When an instance operates at its baseline, the CPU burst capacity minutes doesn't increase or decrease.
+ 5% CPU utilization in the sustainable zone for a 60-minute period, then it consumes CPU burst capacity minutes at a 5% rate in that period. The instance consumes 3 minutes of CPU burst capacity, and accrues 6 minutes, for a net accrual of 3 minutes.

Alternatively, if the instance has accrued 60 minutes of CPU burst capacity, then it can operate at 100% CPU utilization for 60 minutes, at 50% for 120 minutes, or at 25% for 150 minutes.
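The per-hour accounting in the list above can be replayed over a series of utilization samples to see how quickly sustained load drains an instance. This is an added example, not code from the Lightsail documentation: the function name `simulate_burst` and the sample values are constructed, it applies the 24-hour accrual cap stated earlier in this guide, and it ignores launch CPU burst capacity.

```shell
#!/bin/sh
# Added example: replay the page's burst-minute accounting over CPU samples.
# The function name and all sample values are constructed for illustration.

# simulate_burst BASELINE_PCT START_MINUTES SAMPLE_MINUTES UTIL_PCT...
# Prints "<remaining burst minutes> <elapsed minutes at first depletion, or ->".
simulate_burst() {
    [ "$#" -ge 4 ] || { echo "usage: simulate_burst BASELINE START STEP UTIL..." >&2; return 2; }
    sb_base=$1; sb_start=$2; sb_step=$3
    shift 3
    printf '%s\n' "$@" | awk -v b="$sb_base" -v bal="$sb_start" -v step="$sb_step" '
        BEGIN {
            # Accrual stops at what 24 hours at the baseline rate would earn.
            cap = b * 60 * 24 / 100
            depleted = "-"
        }
        {
            # Each sample earns baseline% and spends utilization% of its length.
            bal += step * (b - $1) / 100
            elapsed += step
            if (bal > cap) bal = cap
            if (bal <= 0) {
                bal = 0                      # no burst minutes left to spend
                if (depleted == "-") depleted = elapsed
            }
        }
        END { printf "%.1f %s\n", bal, depleted }'
}

# Constructed scenario: the 10% baseline plan holds 45 burst minutes, then a
# process pins the CPU at 100% for ten 5-minute samples.
simulate_burst 10 45 5 100 100 100 100 100 100 100 100 100 100
```

Feeding it the 5-minute averages exported from the CPU utilization graph shows how long a runaway or unexpected process can run before the burst balance reaches zero, which is a useful input when choosing alarm thresholds.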

# View CPU utilization and burst capacity for Lightsail instances
<a name="viewing-instance-burst-capacity"></a>

Complete the following steps to access the CPU overview page, and view your instance's CPU utilization and remaining CPU burst capacity.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. On the Lightsail home page, choose the name of the instance for which you want to view CPU utilization and burst capacity.

1. Choose the **Metrics** tab on the instance management page.  
![\[Metrics tab in the instance management page\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/cpu-utilization-metrics-tab.png)

1. Choose **CPU overview** in the drop-down menu under the **Metrics graphs** heading.  
![\[CPU overview option in the metrics tab\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/cpu-utilization-cpu-overview.png)

   The page displays **Average CPU utilization per 5 minutes** and **Remaining CPU burst capacity** graphs.
**Note**  
The **Remaining CPU burst capacity** graph might display a **Launch mode** zone for a short period of time after you create an instance. Some Lightsail instances start in launch mode, which temporarily removes some of the performance limitations that are typically present on burstable instances. Launch mode allows you to run resource-intensive scripts at launch without affecting the overall performance of your instance.  
![\[CPU overview page in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/cpu-overview-page.png)

1. You can perform the following actions on the metric graphs:
   + For the burst capacity graph, select **Show capacity as percentage of total** to change the view from burst capacity minutes available to burst capacity percentage available.
   + Change the view of the graph to show data for 1 hour, 6 hours, 1 day, 1 week, and 2 weeks.
   + Pause your cursor on a data point to view detailed information about that data point.
   + Add an alarm to be notified when CPU utilization or burst capacity crosses a threshold you specify. Alarms cannot be added in the CPU overview page. You must add them in the individual CPU utilization, CPU burst capacity percentage, and CPU burst capacity minutes metric graph pages. For more information, see [Alarms](amazon-lightsail-alarms.md) and [Create instance metric alarms](amazon-lightsail-adding-instance-health-metric-alarms.md).

# Troubleshoot high CPU utilization for your Lightsail instance
<a name="troubleshooting-high-cpu-utilization"></a>

Your instance will use all of its burst capacity if it operates in the bursting zone frequently, or for extended periods of time. This can signify that your instance is under-provisioned. It could also be that a service is running too frequently, or your instance is running unnecessary software.

Investigate what is causing your instance to burst using tools like `top` on Linux/Unix instances, and Task Manager on Windows Server instances. These tools show you the services that are consuming resources on your instance. Determine which services are consuming the most resources, and identify if they can be disabled without impacting the workload of your instance. By disabling services, or uninstalling software, you should be able to lower the bursting of your instance, and avoid having to up-size your instance.

If your instance is truly under-provisioned, and you cannot lower its CPU utilization, then you can mitigate burst capacity consumption by adding more processing power. You do this by creating a snapshot of your instance, and then creating a new instance from the snapshot using a larger Lightsail instance plan. For example, use the Linux or Unix-based \$124 USD per month plan on your new instance instead of the Linux or Unix-based \$112 USD per month plan used on the previous instance. When your new instance is up and running, make changes to your workload's DNS as necessary to swap the old instance with the new one. Delete your old under-provisioned instance after traffic starts routing to your new instance. For more information, see [Snapshots](understanding-snapshots-in-amazon-lightsail.md).

# Connect to and manage your Lightsail instance
<a name="managing-your-instance-using-lightsail"></a>

This guide covers the following topics related to managing and connecting to your Amazon Lightsail instances:

**Topics**
+ [Start, stop, or reboot your Lightsail instance](lightsail-how-to-start-stop-or-restart-your-instance-virtual-private-server.md)
+ [Force stop stuck Lightsail instances](amazon-lightsail-force-stop-instance.md)
+ [Enable enhanced networking for Amazon EC2 instances](amazon-lightsail-updating-ec2-instances.md)
+ [Extend the file system of your Windows Server instance in Lightsail](extending-windows-server-storage-space-in-amazon-lightsail.md)
+ [Configure Linux/Unix instances with launch scripts in Lightsail](lightsail-how-to-configure-server-additional-data-shell-script.md)
+ [Configure Windows Lightsail instances with PowerShell and batch scripts](create-powershell-script-that-runs-when-you-create-windows-based-instance-in-lightsail.md)
+ [Secure Windows Server instances on Lightsail](best-practices-for-securing-windows-based-lightsail-instances.md)

# Start, stop, or reboot your Lightsail instance
<a name="lightsail-how-to-start-stop-or-restart-your-instance-virtual-private-server"></a>

When Amazon Lightsail creates your instance, your machine goes into a **Pending** state before it starts **Running**. After your instance is running, you can reboot it or stop and then start it. The cycle looks like this:

![\[Instance states\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-instance-state-cycle.png)


You can see the instance state when you manage your instance or view your instance on the home page.

**Important**  
The default public IPv4 address that is assigned to your instance when you create it will change when you stop and start your instance. You can optionally create and attach a static IPv4 address to your instance. The static IPv4 address replaces the default public IPv4 address of your instance, and it stays the same when you stop and start your instance. For more information, see [Create a static IP and attach it to an instance](lightsail-create-static-ip.md).

## Reboot your instance while it's running
<a name="lightsail-instance-restart"></a>
+ On the home page, choose the instance you want to reboot, or choose **Reboot** from the manage instance menu.  
![\[Reboot your instance from the manage instance menu\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-restart-instance-from-manage-instance-menu.png)

  If you're viewing your instance from the instance management page, choose **Reboot**, and then choose **Confirm** when prompted.
**Note**  
To **Reboot** your instance, it must be in a **Running** state.

## Stop a running instance
<a name="lightsail-instance-stop"></a>
+ On the home page, choose the instance you want to stop, or choose **Stop** from the manage instance menu.  
![\[Stop your instance from the manage instance menu\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-stop-instance-from-manage-instance-menu.png)

  If you're viewing your instance from the instance management page, choose **Stop**, and then choose **Confirm** when prompted.
**Note**  
To **Stop** your instance, it must be in a **Running** state.

## Start your instance after it's stopped
<a name="lightsail-instance-start"></a>
+ On the home page, choose the instance you want to start, or choose **Start** from the manage instance menu.  
![\[Start your instance from the manage instance menu\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-start-instance-from-manage-instance-menu.png)

  If you're viewing your instance from the instance management page, choose **Start**.
**Note**  
To **Start** your instance, it must be in a **Stopped** state.

# Force stop stuck Lightsail instances
<a name="amazon-lightsail-force-stop-instance"></a>

Rarely, an instance can get stuck in the `Stopping` state. If this happens, there might be an issue with the underlying hardware that hosts your Amazon Lightsail instance. In this guide, you’ll learn how to force stop an instance that's stuck in the `stopping` state. For more information about instance states, see [Start, Stop, or Restart your Lightsail instance](lightsail-how-to-start-stop-or-restart-your-instance-virtual-private-server.md). 

## How to force stop an instance
<a name="force-stop"></a>

You can use the Lightsail console to force stop your instance, but only while the instance is in the `stopping` state. Alternatively, you can use the AWS Command Line Interface (AWS CLI) to force stop an instance while the instance is in any state except `shutting-down` and `terminated`. A force stop can take a few minutes to complete. If the instance hasn’t stopped after 10 minutes, force stop it again.

When an instance is forced to stop, it doesn't have an opportunity to flush file system caches or file system metadata. After you force stop an instance, you should perform file system checks and repair procedures.

The following procedure explains the different ways that you can force stop a Lightsail instance.

**Force stop an instance in the Lightsail console**

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. Choose the **Instances** tab.

1. Locate the instance that's stuck in the `Stopping` state. Then, choose the actions menu icon (⋮) displayed next to the instance name.  
![\[Lightsail instance actions menu.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-force-stop-actions-menu.png)

1. Choose **Force stop** in the dropdown list that appears.  
![\[Lightsail instance actions menu force stop option.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-force-stop-choose-am-option.png)

   Alternatively, you can choose the instance name to access the instance management page. Then, choose the **Force stop** button.  
![\[Lightsail instance management page force stop button.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-force-stop-button-instance.png)

1. Review the considerations for this operation. To proceed, choose **Force stop**.  
![\[Lightsail instance management page force stop button.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-force-stop-considerations-modal.png)

**Force stop an instance with the AWS CLI**

1. Before you begin, you need to install the AWS CLI. To learn more, see [Installing the AWS Command Line Interface](http://docs.aws.amazon.com/cli/latest/userguide/installing.html). Be sure to [configure the AWS CLI](lightsail-how-to-set-up-and-configure-aws-cli.md) after you install it.

1. Use the [stop-instance](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lightsail/stop-instance.html) command and the `--force` parameter as follows:

   `aws lightsail stop-instance --instance-name Wordpress-1 --force`

# Enable enhanced networking for Amazon EC2 instances
<a name="amazon-lightsail-updating-ec2-instances"></a>

Some Lightsail instances are incompatible with the current generation EC2 instance types (T3, M5, C5, or R5) because they are not enabled for enhanced networking. If your source Lightsail instance is incompatible, you will need to choose a previous generation instance type (T2, M4, C4, or R4) when creating an EC2 instance from your exported snapshot. These instance type options are presented to you when creating an EC2 instance using the **Create an Amazon EC2 instance** page in the Lightsail console.

**Note**  
For more information about enhanced networking, see [Enhanced Networking on Linux](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html) or [Enhanced Networking on Windows](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/enhanced-networking.html) in the Amazon EC2 documentation.

To use the latest generation EC2 instance types when the source Lightsail instance is incompatible, you need to create the new EC2 instance using a previous generation instance type (T2, M4, C4, or R4), update the networking driver on your instance, and then upgrade the instance to the desired current generation instance type.

## Prerequisites
<a name="updating-ec2-instances-prerequisites"></a>

You must create an Amazon EC2 instance from an exported Lightsail snapshot. If your Lightsail instance is incompatible, you’ll choose a previous generation instance type (T2, M4, C4, or R4) when creating the Amazon EC2 instance. To learn more, see [Creating Amazon EC2 instances from exported snapshots in Lightsail](amazon-lightsail-creating-ec2-instances-from-exported-snapshots.md).

After your new EC2 instance is up and running, continue to the [Enable Enhanced Networking with the Elastic Network Adapter](#enabling-enhanced-networking-with-elastic-network-adapter) section of this guide to learn how to enable enhanced networking.

## Enable Enhanced Networking with the Elastic Network Adapter
<a name="enabling-enhanced-networking-with-elastic-network-adapter"></a>

After your new instance is up and running, see one of the following guides in the Amazon EC2 documentation to enable enhanced networking with the Elastic Network Adapter (ENA):
+ [Enabling Enhanced Networking with the ENA on Linux Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking-ena.html)
+ [Enabling Enhanced Networking with the ENA on Windows Instances](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/enhanced-networking-ena.html)

## Upgrade your instance type
<a name="upgrade-your-instance-type"></a>

After you have enabled enhanced networking, you can upgrade the instance type by following the instructions in one of the following guides:
+ For Windows Server instances — [Migrating to Latest Generation Instance Types](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/migrating-latest-types.html)
+ For Linux or Unix instances — [Changing the Instance Type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html)

# Extend the file system of your Windows Server instance in Lightsail
<a name="extending-windows-server-storage-space-in-amazon-lightsail"></a>

After you use a snapshot to create a new Windows Server instance with a larger plan, you may see that the available storage space is lower than that specified by the plan. This is typically because the additional storage space provided by the larger plan has not been allocated; therefore, it’s not being used by the active volume. The steps in this topic show you how to extend the file system of your Windows Server instance to use the maximum storage space available.

**Note**  
This scenario happens only when you create a Windows Server instance using a snapshot that was created before running the System Preparation (Sysprep) utility. For more information, see [Create a snapshot of your Windows Server instance](prepare-windows-based-instance-and-create-snapshot.md).

**To extend the file system for a Windows Server instance**

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. On the Lightsail home page, choose the RDP client icon for the instance you want to connect to.  
![\[Open the browser-based RDP client with quick connect.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/connect-to-windows-instance-using-rdp-connection-shortcut.png)

   The browser-based RDP client window opens, as shown in the following example:  
![\[Browser-based RDP client in Lightsail.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-web-based-rdp-client.png)

1. On the taskbar, choose the Windows icon, then choose one of the following options:

   1. On Windows Server 2022, Windows Server 2019 and Windows Server 2016 instances, choose **Start**, then choose **Windows Administrative Tools**.

1. Choose **Computer Management**.

1. In the left pane of the Computer Management console, choose **Disk Management**.

1. On the **Actions** menu, choose **Rescan Disks**.

   You may see unallocated space associated with a disk. Extend the active volume on the disk to use the unallocated space.  
![\[Unallocated disk space in Windows Disk Management\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-windows-unallocated-space.png)

1. Right-click the active volume on the same disk as the unallocated space, then choose **Extend Volume**.  
![\[Extend volume in Windows Disk Management\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-windows-extend-volume.png)

1. When the Extend Volume wizard opens, choose **Next**.

1. In the **Select the amount of space in MB** field, enter the number of megabytes by which to extend the volume. Normally, you set this to the maximum unallocated space. The value you enter is the amount of space that you are adding, not the final size of the volume.  
![\[Select unallocated space in the Windows Extend Volume wizard\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-windows-select-unallocated-space.png)

1. Complete the Extend Volume wizard.

   The active volume is extended to use the unallocated space that you specified. The following example shows all of the unallocated space chosen.  
![\[Allocated disk space in Windows Disk Management\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-windows-allocated-space.png)

# Configure Linux/Unix instances with launch scripts in Lightsail
<a name="lightsail-how-to-configure-server-additional-data-shell-script"></a>

When you create a Linux or Unix-based instance, you can add a launch script to add or update software, or configure your instance in some other way. To configure a Windows-based instance with additional data, see [Configure your new Lightsail instance using Windows PowerShell](create-powershell-script-that-runs-when-you-create-windows-based-instance-in-lightsail.md).

**Note**  
Depending on the machine image you choose, the command to get software on your instance varies. Amazon Linux uses `yum`, while Debian and Ubuntu both use `apt-get`. WordPress and other application images use `apt-get` because they run Debian as their operating system. FreeBSD and openSUSE require additional user configuration to use custom tools such as `freebsd-update` or `zypper` (openSUSE).

## Example: Configure an Ubuntu server to install Node.js
<a name="example-configure-ubuntu-using-apt-get-install-node-js"></a>

The following example updates the package list and then installs Node.js through the `apt-get` command.

1. On the **Create an instance** page, choose **Ubuntu** on the **OS Only** tab.

1. Scroll down and choose **Add launch script**.

1. Type the following:

   ```
   # update package list
   apt-get update -y
   # install some of my favorite tools
   apt-get install nodejs -y
   ```
**Note**  
Commands you send to configure your server are run as root, so you don't need to include `sudo` before your commands.

1. Choose **Create instance**.

## Example: Configure a WordPress server to download and install a plugin
<a name="example-configure-wordpress-install-plugins"></a>

The following example updates the package list, and then downloads and installs the [BuddyPress plugin](https://wordpress.org/plugins/buddypress/) for WordPress.

1. On the **Create an instance** page, choose **WordPress**.

1. Choose **Add launch script**.

1. Type the following:

   ```
   # update package list
   apt-get update
   # download wordpress plugin
   wget "https://downloads.wordpress.org/plugin/buddypress.14.0.0.zip"
   # install unzip without prompting (a launch script has no terminal to answer prompts)
   apt-get install -y unzip
   # unzip into wordpress plugin directory
   unzip buddypress.14.0.0.zip -d /bitnami/wordpress/wp-content/plugins
   ```

1. Choose **Create instance**.
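Because launch scripts run as root, whatever the download returns is unpacked with root privileges. The following variant of the WordPress script checks the archive against a pinned SHA-256 digest before unpacking it. It is an added example, not AWS's script: the function names and the `RUN_INSTALL` guard are hypothetical, and the digest is a placeholder that you replace with the value you recorded from a copy of the archive you reviewed.

```shell
#!/bin/sh
# Added example (not from the Lightsail documentation): the WordPress plugin
# launch script with a pinned-digest check before anything is unpacked.
set -eu

PLUGIN_URL="https://downloads.wordpress.org/plugin/buddypress.14.0.0.zip"
# Placeholder, not the real digest: record it from an archive you reviewed.
PLUGIN_SHA256="<sha256-of-the-archive-you-reviewed>"
PLUGIN_DIR="/bitnami/wordpress/wp-content/plugins"

# verify_sha256 FILE EXPECTED_HEX: succeed only on an exact digest match.
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# install_verified ARCHIVE EXPECTED_HEX DEST: unpack only after the check passes.
install_verified() {
    if ! verify_sha256 "$1" "$2"; then
        echo "digest mismatch for $1; not installing" >&2
        return 1
    fi
    unzip -q -o "$1" -d "$3"
}

launch() {
    export DEBIAN_FRONTEND=noninteractive
    apt-get update -y
    apt-get install -y unzip
    tmp=$(mktemp -d)
    # Download to a private temp directory, never straight into the web root.
    wget -q -O "$tmp/plugin.zip" "$PLUGIN_URL"
    install_verified "$tmp/plugin.zip" "$PLUGIN_SHA256" "$PLUGIN_DIR"
    rm -rf "$tmp"
}

# Hypothetical guard so the file can be checked without touching the system.
# In the Add launch script box, replace this block with a bare: launch
if [ "${RUN_INSTALL:-0}" = 1 ]; then
    launch
fi
```

With `set -e`, a digest mismatch stops the script before `unzip` runs, so the instance comes up without the plugin instead of with an unverified one.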

# Configure Windows Lightsail instances with PowerShell and batch scripts
<a name="create-powershell-script-that-runs-when-you-create-windows-based-instance-in-lightsail"></a>

When you create a Windows-based instance, you can configure it using a Windows PowerShell script or any other batch script. This is a one-time script that runs right after your instance launches. This topic shows the syntax of the scripts and provides an example to get you started. We also show you how to test your script to see if it ran successfully.

## Create an instance that launches and runs a PowerShell script
<a name="windows-powershell-create-instance"></a>

The following procedure installs a tool called *chocolatey* on a new instance, right after the instance launches.

1. In the left navigation pane, choose **Create instance**.

1. Choose the AWS Region and Availability Zone where you want to create your instance.

1. Under **Select a platform**, choose **Microsoft Windows**.

1. Choose **OS Only**, and then choose **Windows Server 2022**, **Windows Server 2019**, or **Windows Server 2016**.

1. Choose **Add launch script**.

1. Type the following:

   ```
   <powershell>
   iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
   </powershell>
   ```
**Note**  
You must always wrap your PowerShell scripts in `<powershell></powershell>` tags. You can enter non-PowerShell commands or batch scripts using `<script></script>` tags or without any tags at all.

1. Enter a name for your instance.

   Resource names:
   + Must be unique within each AWS Region in your Lightsail account.
   + Must contain 2 to 255 characters.
   + Must start and end with an alphanumeric character or number.
   + Can include alphanumeric characters, numbers, periods, dashes, and underscores.

1. (Optional) Choose **Add new tag** to add a tag to your instance. Repeat this step as needed to add additional tags. For more information on tag usage, see [Tags](amazon-lightsail-tags.md).

   1. For **Key**, enter a tag key.  
![\[A tag with only the tag key specified in the Lightsail create instance workflow.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-instance-key-name-only-tags.png)

   1. (Optional) For **Value**, enter a tag value.  
![\[A tag with the tag key and tag value specified in the Lightsail create instance workflow.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-instance-key-name-and-value-tags.png)

1. Choose **Create instance**.
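
The launch script in the procedure above executes whatever the URL returns at first boot, with administrative privileges and without review. The following added example (not part of the Lightsail guide) downloads the installer to disk and runs it only if its SHA-256 matches a value you pinned after reviewing it; the hash placeholder and the transcript path are assumptions to replace with your own.

```powershell
<powershell>
# Added example, not from the Lightsail guide: verify the installer before running it.
$ErrorActionPreference = 'Stop'

# Assumed transcript location (hypothetical path); a record in addition to UserdataExecution.log.
Start-Transcript -Path 'C:\ProgramData\launch-script-transcript.log' -Append

$installerUrl   = 'https://chocolatey.org/install.ps1'
# PLACEHOLDER: SHA-256 of the copy of install.ps1 that you reviewed. Replace before use.
$expectedSha256 = 'REPLACE_WITH_SHA256_OF_REVIEWED_INSTALL_PS1'
$installerPath  = Join-Path $env:TEMP 'choco-install.ps1'

try {
    # Require TLS 1.2 for the download; older .NET Framework defaults may not offer it.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Download to a file instead of piping the response straight into iex.
    (New-Object System.Net.WebClient).DownloadFile($installerUrl, $installerPath)

    # Get-FileHash returns upper-case hex; -ne compares strings case-insensitively.
    $actualSha256 = (Get-FileHash -Path $installerPath -Algorithm SHA256).Hash
    if ($actualSha256 -ne $expectedSha256) {
        throw "SHA-256 mismatch for $installerUrl (got $actualSha256). Installer was not run."
    }

    # Process scope only: the machine-wide execution policy is left unchanged.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
    & $installerPath

    # Fail loudly if the install did not produce a usable choco executable.
    $choco = Join-Path $env:ProgramData 'chocolatey\bin\choco.exe'
    if (-not (Test-Path $choco)) { throw "Install finished but $choco is missing." }
    Write-Output "Chocolatey installed: $(& $choco --version)"
}
catch {
    # Surface the reason in the transcript and in the launch log output.
    Write-Output "LAUNCH SCRIPT FAILED: $($_.Exception.Message)"
}
finally {
    Remove-Item -Path $installerPath -ErrorAction SilentlyContinue
    Stop-Transcript
}
</powershell>
```

A pinned hash stops matching whenever the upstream script changes, so a mismatch means the new version needs review before you update the pin.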

## Verify that your script ran successfully
<a name="windows-powershell-verify-script-ran-successfully"></a>

You can log in to your instance to verify that the script ran successfully. It can take up to 15 minutes for a Windows-based instance to be ready to accept RDP connections. Once it's ready, log in using the browser-based RDP client or configure your own RDP client. For more information, see [Connect to your Windows-based instance](connect-to-your-windows-based-instance-using-amazon-lightsail.md).

1. Once you can connect to your Lightsail instance, open a command prompt (or open Windows Explorer).

1. Change to the `Log` directory by typing the following:

   ```
   cd C:\ProgramData\Amazon\EC2-Windows\Launch\Log
   ```

1. Open `UserdataExecution.log` in a text editor, or type the following: `type UserdataExecution.log`.

   You should see the following in your log file.

   ```
   2017/10/11 20:32:12Z: <powershell> tag was provided.. running powershell content
   2017/10/11 20:32:13Z: Message: The output from user scripts: iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
   
   2017/10/11 20:32:13Z: Userdata execution done
   ```

# Secure Windows Server instances on Lightsail
<a name="best-practices-for-securing-windows-based-lightsail-instances"></a>

In this article, we provide tips and tricks to help you avoid security risks when using your Lightsail instance running Windows Server.

## About Lightsail passwords
<a name="best-practices-windows-security-about-passwords"></a>

When you create a Windows Server-based instance, Lightsail randomly generates a long password that is hard to guess. This password is unique to your new instance. You can use the default password to connect quickly to your instance using remote desktop (RDP). You are always logged in as the **Administrator** on your Lightsail instance.

## Manage your password
<a name="best-practices-windows-security-password-management"></a>

You can change the password on your Windows Server-based instance. This might be useful if you want to use a remote desktop client to access your Lightsail instance. Lightsail never stores a password you generate.

**Note**  
You can use either the Lightsail-generated password or your own custom password with the browser-based RDP client in Lightsail. If you use a custom password, you will be prompted for your password every time you log in. It's easier to use the Lightsail-generated default password with the browser-based RDP client if you want quick access to your instance. 

Use the Windows Server password manager to change your password securely. Press `Ctrl` + `Alt` + `Del`, and then choose **Change a password**. Be sure to keep a record of your password, because Lightsail doesn't store your password. If you need to retrieve your password, see the following: [Change the Administrator password for a Windows-based instance](use-non-default-key-with-windows-based-instance-in-lightsail.md).

If you change your password from the unique, default password, be sure to use a strong password. You should avoid passwords that are based on names or dictionary words, or repeating sequences of characters.

## Security patching
<a name="best-practices-windows-security-security-patching"></a>

We recommend keeping your Windows Server-based Lightsail instances updated with the latest security patches. Be sure your server is configured to download and install updates. The following procedure tells you how to do this directly on your Lightsail instance running Windows Server.

1. On your Windows Server-based instance, open a command prompt.

1. Type `sconfig`, and then press `Enter`.

   Windows Update Settings (number 5) are at `Automatic` by default.  
![\[Server configuration in Windows Server 2016\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/configure-server-windows-based-lightsail.png)

1. To download and install new updates, type `6`, and then press `Enter`.

1. Type `A` to search for **(A)ll updates** in the new command window, and then press `Enter`.

1. Type `A` again to install **(A)ll updates**, and then press `Enter`.

   When finished, you see a message with the installation results and more instructions (if those apply).  
![\[Successfully downloaded and updated Windows Server 2016 security patch\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/download-install-updates-configure-server-windows-based-lightsail.png)

## Enable the Account Lockout Policy in Windows Server
<a name="best-practices-windows-security-enable-lockout"></a>

You can configure Windows Server to temporarily or indefinitely disable accounts after a certain number of unsuccessful login attempts. For example, you can lock out someone who makes three unsuccessful attempts to log in to your instance.

For more information, see [Account Lockout Policy](https://technet.microsoft.com/en-us/library/hh994563(v=ws.11).aspx) in the *Windows Server documentation*.

## Ports and firewall settings
<a name="best-practices-windows-security-ports-firewall"></a>

By default, we open the following ports on your Windows Server-based instances.

![\[Firewall settings\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/windows-ports-firewall-open-by-default.png)


The ports you enable are exposed to the world and can't be restricted by source IP. To restrict access to your instance, you can turn off these ports and only enable them when you need to access your instance. Here's how:

1. Find the instance you want to manage in Lightsail, and then choose **Manage**.

1. Choose **Networking**.

1. On the **Networking** page for your instance, choose **Edit rules**.

1. Delete the RDP/TCP/3389 rule by choosing the orange "x" next to the rule.  
![\[Close your RDP port by deleting this rule\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/windows-ports-firewall-delete-rdp-port.png)

1. Choose **Save**.
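
The same close-when-idle routine can be scripted. This added example (not part of the Lightsail guide) calls the AWS CLI operations `get-instance-port-states`, `open-instance-public-ports`, and `close-instance-public-ports` from PowerShell and confirms the resulting rule state; it assumes a configured AWS CLI, and `MyWindowsInstance` is a hypothetical instance name.

```powershell
# Added example, not from the Lightsail guide: expose RDP only while you need it.
# Assumes the AWS CLI is installed and configured for the instance's AWS Region.

function Invoke-Lightsail {
    # Run one "aws lightsail" operation and return its parsed JSON reply.
    param([Parameter(Mandatory)][string[]]$CliArgs)
    $raw = & aws lightsail @CliArgs --output json
    if ($LASTEXITCODE -ne 0) { throw "aws lightsail $($CliArgs[0]) failed (exit code $LASTEXITCODE)." }
    if ($raw) { $raw | Out-String | ConvertFrom-Json }
}

function Get-RdpExposure {
    # Returns 'Open' if any open firewall rule on the instance covers TCP 3389, else 'Closed'.
    param([Parameter(Mandatory)][string]$InstanceName)
    $reply = Invoke-Lightsail -CliArgs @('get-instance-port-states', '--instance-name', $InstanceName)
    $covering = @($reply.portStates | Where-Object {
        $_.state -eq 'open' -and
        $_.protocol -in @('tcp', 'all') -and
        $_.fromPort -le 3389 -and $_.toPort -ge 3389
    })
    if ($covering.Count -gt 0) { 'Open' } else { 'Closed' }
}

function Set-RdpExposure {
    # Opens or closes the RDP/TCP/3389 rule, then verifies the result.
    param(
        [Parameter(Mandatory)][string]$InstanceName,
        [Parameter(Mandatory)][ValidateSet('Open', 'Closed')][string]$State
    )
    $operation = if ($State -eq 'Open') { 'open-instance-public-ports' } else { 'close-instance-public-ports' }

    # Kept as one quoted string: PowerShell splits an unquoted a=1,b=2 token into an array.
    $portInfo = 'fromPort=3389,toPort=3389,protocol=TCP'
    Invoke-Lightsail -CliArgs @($operation, '--instance-name', $InstanceName, '--port-info', $portInfo) | Out-Null

    # Verify instead of trusting the API reply. A broader rule that also covers 3389
    # (for example an all-ports rule) keeps the port reachable and ends in the throw below.
    foreach ($attempt in 1..10) {
        if ((Get-RdpExposure -InstanceName $InstanceName) -eq $State) { return $State }
        Start-Sleep -Seconds 3
    }
    throw "RDP rule on '$InstanceName' is not '$State' after 30 seconds. Review the instance firewall rules."
}

# Typical session (MyWindowsInstance is a hypothetical name):
#   Set-RdpExposure -InstanceName MyWindowsInstance -State Open
#   ... connect with your RDP client, do the work, sign out ...
#   Set-RdpExposure -InstanceName MyWindowsInstance -State Closed
```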

Follow the step-by-step instructions to learn how to control the state of your instances, force stop instances that are stuck, update instances for enhanced networking, extend the file system of Windows Server instances, configure instances at launch using scripts, and secure your Windows Server instances.

The guide covers both Linux or Unix and Windows Server instances, providing tips and best practices for tasks such as installing software, updating configurations, managing passwords, enabling security patches, and configuring firewall settings. By following this guide, you can effectively manage and secure your Lightsail instances, ensuring optimal performance, security, and customization for your specific use case.

# Delete Lightsail instances
<a name="delete-an-amazon-lightsail-instance"></a>

If you no longer need an instance, you can delete it using the Amazon Lightsail console or the AWS Command Line Interface (AWS CLI). You stop incurring charges for the instance as soon as it’s deleted. However, resources that were attached to the deleted instance will continue to incur charges until you delete them as well. For more information on these resources and how to delete them after deleting your instance, see [Next steps](#delete-instance-next-steps).

**Warning**  
When you delete an instance, it can't be recovered. Any automatic snapshots of the instance will also be deleted as part of this operation. If you want to retain your data for later use, you must first create a snapshot of your instance or choose to keep an existing automatic snapshot. For more information, see the following documentation:  
+ [Keep automatic snapshots from being replaced in Lightsail](amazon-lightsail-keeping-automatic-snapshots.md)
+ [Back up Linux/Unix Lightsail instances with snapshots](lightsail-how-to-create-a-snapshot-of-your-instance.md)
+ [Create a snapshot of your Lightsail Windows Server instance](prepare-windows-based-instance-and-create-snapshot.md)

## Delete an instance from the Lightsail console home page
<a name="delete-instance-in-lightsail-home-page"></a>

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. For the instance you want to delete, choose the actions menu icon (⋮), then choose **Delete**.  
![\[Delete an instance from the Lightsail console home page.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/animation_delete_instance.gif)

1. Choose **Yes, delete** to confirm the deletion.

## Delete an instance from the Lightsail console instance management page
<a name="delete-instance-in-instance-management-page"></a>

1. In the Lightsail console on the home page, choose the instance you want to delete.

1. Choose the **Delete** button, then choose **Delete instance**.  
![\[Delete an instance from the Lightsail console instance management page.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-delete-instance-button.png)

1. Select the checkbox, then enter ***Confirm*** into the input field to acknowledge that you want to delete the instance.

1. Choose **Delete instance** to confirm the deletion.

## Delete an instance using the AWS CLI
<a name="delete-instance-using-aws-cli"></a>

1. Complete the following prerequisites if you haven't already.

   1. Install the AWS CLI. For more information, see [Install the AWS CLI](http://docs.aws.amazon.com/cli/latest/userguide/installing.html).

   1. Configure the AWS CLI. For more information, see [Configuring the AWS CLI](lightsail-how-to-set-up-and-configure-aws-cli.md).

   1. (Optional) Use AWS CloudShell. For more information, see [Manage Lightsail resources with AWS CloudShell](amazon-lightsail-cloudshell.md).

1. Open a Terminal, Command Prompt, or CloudShell window, then type the following command to get the name of the instance you want to delete:

   ```
   aws lightsail get-instances
   ```

   You should see results similar to the following:  
![\[AWS CLI output for Lightsail get-instances operation.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-get-instance-output.png)

1. Select and copy the name of the instance you want to delete so you can use it in the next step.
**Note**  
If the instance you want to delete does not appear, confirm that your AWS CLI is configured for the AWS Region where the instance is located. For more information, see [Configuring the AWS CLI](lightsail-how-to-set-up-and-configure-aws-cli.md).

1. Type the following command to delete the instance.

   ```
   aws lightsail delete-instance --instance-name InstanceName
   ```

   In the command, replace *InstanceName* with the name of the instance.

   If the deletion is successful, you should see a confirmation similar to the following:  
![\[AWS CLI output for Lightsail delete-instance operation.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-delete-instance-output.png)
**Note**  
If the deletion isn’t successful, you should see an error message. Confirm that you copied and pasted the exact name of the instance and try again.

## Next steps
<a name="delete-instance-next-steps"></a>

After you delete an instance, any static IP, snapshots, block storage disks, and load balancer associated with the instance remain in Lightsail and incur additional charges. For more information about how to delete those resources, see the following articles:
+ [Delete a static IP](how-to-delete-static-ip.md)
+ [Delete a snapshot](amazon-lightsail-deleting-snapshots.md)
+ [Detach and delete a block storage disk](detach-and-delete-block-storage-disks.md)
+ [Delete a load balancer](delete-lightsail-load-balancer.md)
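
The warning at the top of this topic and the leftover resources listed here can be handled in one scripted pass. This added example (not part of the Lightsail guide) takes a final snapshot, deletes the instance only once that snapshot is available, and reports the static IPs and disks that were attached to it; it is written in PowerShell, assumes a configured AWS CLI, and the function and snapshot names are hypothetical.

```powershell
# Added example, not from the Lightsail guide: snapshot, delete, then report leftovers.
# Assumes the AWS CLI is installed and configured for the instance's AWS Region.

function Invoke-Lightsail {
    # Run one "aws lightsail" operation and return its parsed JSON reply.
    param([Parameter(Mandatory)][string[]]$CliArgs)
    $raw = & aws lightsail @CliArgs --output json
    if ($LASTEXITCODE -ne 0) { throw "aws lightsail $($CliArgs[0]) failed (exit code $LASTEXITCODE)." }
    if ($raw) { $raw | Out-String | ConvertFrom-Json }
}

function Remove-InstanceWithSnapshot {
    param(
        [Parameter(Mandatory)][string]$InstanceName,
        [string]$SnapshotName = "${InstanceName}-final-$(Get-Date -Format 'yyyyMMdd-HHmmss')",
        [int]$TimeoutMinutes = 30
    )

    # 1. Record what is attached now; these resources outlive the instance and keep billing.
    #    (Only the first page of each listing is read here.)
    $staticIps = @((Invoke-Lightsail -CliArgs @('get-static-ips')).staticIps |
        Where-Object { $_.attachedTo -eq $InstanceName })
    $disks = @((Invoke-Lightsail -CliArgs @('get-disks')).disks |
        Where-Object { $_.attachedTo -eq $InstanceName -and -not $_.isSystemDisk })

    # 2. Take a manual snapshot; automatic snapshots are deleted with the instance.
    Invoke-Lightsail -CliArgs @('create-instance-snapshot',
        '--instance-name', $InstanceName,
        '--instance-snapshot-name', $SnapshotName) | Out-Null

    # 3. Do not destroy the source until the snapshot is usable.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 15
        $state = (Invoke-Lightsail -CliArgs @('get-instance-snapshot',
            '--instance-snapshot-name', $SnapshotName)).instanceSnapshot.state
        if ($state -eq 'error') {
            throw "Snapshot '$SnapshotName' failed. The instance was NOT deleted."
        }
        if ((Get-Date) -gt $deadline) {
            throw "Snapshot '$SnapshotName' is still '$state' after $TimeoutMinutes minutes. The instance was NOT deleted."
        }
    } until ($state -eq 'available')

    # 4. Delete the instance (this cannot be undone).
    Invoke-Lightsail -CliArgs @('delete-instance', '--instance-name', $InstanceName) | Out-Null

    # 5. Return the resources that still exist and still incur charges.
    [pscustomobject]@{
        DeletedInstance   = $InstanceName
        Snapshot          = $SnapshotName
        LeftoverStaticIps = @($staticIps | ForEach-Object { $_.name })
        LeftoverDisks     = @($disks | ForEach-Object { $_.name })
    }
}

# Usage (MyInstance is a hypothetical name):
#   Remove-InstanceWithSnapshot -InstanceName MyInstance | Format-List
```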

# Manage SSH key pairs and connect to your Lightsail instances
<a name="understanding-ssh-in-amazon-lightsail"></a>

A key pair is a set of security credentials that you use to prove your identity when connecting to an Amazon Lightsail instance. A key pair consists of a public key and a private key. Lightsail stores the public key on your instance, and you store the private key. 

The key pair files contain the following text:

![\[Key pair file example\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/key-pairs-and-connecting-to-instances-01.png)


On Linux and Unix instances, the private key allows you to establish a secure SSH connection to your instance. On Windows instances, the private key decrypts the default administrator password that you use to establish a secure RDP connection to your instance. 

Anyone who has access to your private key can connect to your instances, so it's important that you store your private key in a secure place. 

**Contents**
+ [Choosing a key pair option](#choosing-a-key-pair-option)
+ [Connecting to your instances](#connecting-to-your-instances)
+ [Manage keys stored on instances](#managing-keys-stored-on-instances)

## Choose a key pair option
<a name="choosing-a-key-pair-option"></a>

You can choose one of the following key pair options when you create a Lightsail instance. Windows instances always use the default key; therefore, you can’t create a key pair or upload a key when creating Windows instances. 
+ **Default SSH key** – Lightsail automatically creates a default key pair in each AWS Region where you create instances. When you use the default key pair with your instance, Lightsail stores the public key on your instance. You can download the private key of a default key pair at any time from the **Account** page on the Lightsail console. You can have up to one default key pair in each AWS Region.
+ **Create custom key (Linux and Unix instances)** – You can use the Lightsail console to create a new custom key pair to use with your instance. When you create a custom key pair, you give it a unique name, and Lightsail stores the public key on your instance. You can download the private key of a custom key pair only when you first create it.
+ **Upload key (Linux and Unix instances)** – To use an existing key pair of your own, you can upload your public key to Lightsail. When you upload a public key to use with your instance, you give it a unique name, and Lightsail stores it on your instance. You keep and store the private key of your key pair.

If you configure a single public key on multiple instances, you can use the same private key of the key pair to connect to those instances. For more information about managing key pairs, see [Managing key pairs in Amazon Lightsail](amazon-lightsail-managing-ssh-keys.md).

## Connect to your instances
<a name="connecting-to-your-instances"></a>

You can connect to your Lightsail instances using one of the following options.

**Lightsail browser-based SSH and RDP clients**

 In the Lightsail console, you can instantly connect to your Linux and Unix instances using a browser-based SSH client, and connect to your Windows instances using a browser-based RDP client. You don't have to install an SSH client on your computer, configure key pairs, or specify administrator passwords when you connect to your instances using the browser-based clients. This is the fastest way to connect to your instances. For more information, see [Connecting to your Linux or Unix instance in Amazon Lightsail](lightsail-how-to-connect-to-your-instance-virtual-private-server.md) and [Connecting to your Windows instance in Amazon Lightsail](connect-to-your-windows-based-instance-using-amazon-lightsail.md).

 The browser-based clients use a different key pair than the one you configure when you create your instances, such as the default key, or a key you create or upload. Therefore, even if you delete or lose one of the keys you originally configured, you can continue to connect to your instances using the browser-based clients. 

**Third-party SSH and RDP clients**

 You can connect to your Linux and Unix instances using a third-party SSH client, and connect to your Windows instances using a third-party RDP client. When you use an SSH client, you must configure it to use the private key of the key pair that you configured on your instance. When you use an RDP client, you must specify the administrator password of your Windows instance. 

 If you use a Windows computer locally, you can use the following clients to connect to your Lightsail instances.
+ **PuTTY** – Use PuTTY to connect to Linux or Unix instances using SSH. For more information, see [Set up PuTTY to connect to your instance](lightsail-how-to-set-up-putty-to-connect-using-ssh.md).
+ **Remote Desktop Connection** – Use the Remote Desktop Connection client to connect to Windows instances using RDP. For more information, see [Connect to your Windows instance using the Remote Desktop Connection client on a Windows computer](amazon-lightsail-connecting-to-windows-instance-using-rdc.md).

If you use a Mac computer locally, use the following clients to connect to your Lightsail instances.
+ **Native SSH client in Terminal** – Use the native SSH client in Terminal to connect to Linux and Unix instances. For more information, see [Connect to your Linux or Unix instance using SSH in Terminal](amazon-lightsail-ssh-using-terminal.md).
+ **Microsoft Remote Desktop** – Use the Microsoft Remote Desktop client for macOS to connect to Windows instances using RDP. For more information, see [Connect to your Windows instance using the Microsoft Remote Desktop client on a Mac](amazon-lightsail-connecting-to-windows-instance-using-microsoft-remote-desktop.md).

## Manage keys stored on instances
<a name="managing-keys-stored-on-instances"></a>

After your instance is up and running, you can add a new key to the instance, or replace the key that you originally assigned to it. For example, if a user in your organization requires access to the instance using a separate key, you can add that key to your instance. Another example might be when someone leaves your organization and they have a copy of the private key (.PEM) file. You can prevent them from connecting to your instance by replacing the key with a new one or removing it completely. For more information, see [Manage keys stored on an instance in Amazon Lightsail](amazon-lightsail-remove-ssh-key-on-instance.md).

**Topics**
+ [Choose a key pair option](#choosing-a-key-pair-option)
+ [Connect to your instances](#connecting-to-your-instances)
+ [Manage keys stored on instances](#managing-keys-stored-on-instances)
+ [Set up SSH keys](lightsail-how-to-set-up-ssh.md)
+ [Manage SSH keys](amazon-lightsail-managing-ssh-keys.md)
+ [Manage instance SSH keys](amazon-lightsail-remove-ssh-key-on-instance.md)
+ [Connect to Linux instances](lightsail-how-to-connect-to-your-instance-virtual-private-server.md)
+ [Connect to Windows instances](connect-to-your-windows-based-instance-using-amazon-lightsail.md)

# Set up SSH keys for Lightsail
<a name="lightsail-how-to-set-up-ssh"></a>

Secure Shell (SSH) is a protocol for securely connecting to a virtual private server (or Lightsail *instance*). SSH works by creating a public key and a private key that match the remote server to an authorized user. Using that key pair, you can connect to your Lightsail instance using a browser-based SSH terminal.

For more information about SSH, see [Understanding SSH](understanding-ssh-in-amazon-lightsail.md).

When you create your Lightsail instance, the default option is to let Lightsail manage your SSH keys for you. Lightsail provides a browser-based SSH client for securely connecting to your Linux-based instance. It's a fully functional terminal, where you can enter commands and make changes to your instance.

Windows-based instances use remote desktop (RDP) protocol instead of SSH. For more information about Windows-based instances in Lightsail, see [Get started with Windows-based instances in Lightsail](get-started-with-windows-based-instances-in-lightsail.md).

**Important**  
SSH key management is regional. When you create an instance in a new AWS Region, you will be given the option to use the default key pair for that region. You can also use a custom key in that region. Keep in mind that if you upload your own key, you will have to do that for each region where you have a Lightsail instance.

If you use the default key, you can still download the private key for safekeeping. This can be done either at the time you create your instance or later. If you choose to download the key after you created your instance, you can do so under **SSH keys** on the **Account** page.

## Create a new key
<a name="lightsail-set-up-ssh-create-new-key"></a>

If you don't choose to use the default key, you can create a new key pair at the time you create your Lightsail instance.

1. If you haven't done it yet, choose **Create instance**.

1. On the **Create an instance** page, choose **Create custom key**.

1. Lightsail displays the Region where we're creating the new key.  
![\[Here's the region where your key pair is being created\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-create-new-key-pair-in-region.png)

   Choose **Create**.

1. Enter a name for your key pair.

   Resource names:
   + Must be unique within each AWS Region in your Lightsail account.
   + Must contain 2 to 255 characters.
   + Must start and end with an alphanumeric character or number.
   + Can include alphanumeric characters, numbers, periods, dashes, and underscores.

1. Choose **Generate key pair**.
**Important**  
Save your key somewhere you can easily find it. Also, it's a good idea to make sure permissions are set so that no one else can read it.

1. Continue creating your instance.

## Upload an existing key
<a name="lightsail-set-up-ssh-upload-existing-key"></a>

You can also choose to upload an existing key at the time you create your Lightsail instance.

1. If you haven't done it yet, choose **Create instance**.

1. On the **Create an instance** page, choose **Upload key**.

1. Choose **Upload**.

1. Lightsail displays the Region where you're uploading the new key.

1. Choose **Choose File** to find the key on your local machine.

   Be sure to upload a public key (not a private key). For example, `github_rsa.pub`.

1. Choose **Upload key**.

1. Continue creating your instance.

## Manage your keys
<a name="lightsail-set-up-ssh-key-management"></a>

You can manage your keys on the **SSH keys** tab of the **Account** page. You will see each key pair in use in each region.

![\[Key pair management on the Account page\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-account-key-pairs-management.png)


On this page, you can create a new key, delete an existing key, upload an existing key, or download a private key. You may want to use an SSH client like PuTTY to connect, which will require you to have the private half of the key. You can download the key on the **Account** page. [Learn more about setting up PuTTY to connect to a Lightsail instance](lightsail-how-to-set-up-putty-to-connect-using-ssh.md).

# Control secure instance connectivity with Lightsail SSH keys
<a name="amazon-lightsail-managing-ssh-keys"></a>

You can establish a secure connection to your Amazon Lightsail instances using key pairs. When you first create an Amazon Lightsail instance, you can choose to use a key pair that Lightsail creates for you (the Lightsail default key pair) or a custom key pair that you create. For more information, see [Key pairs and connecting to instances in Amazon Lightsail](understanding-ssh-in-amazon-lightsail.md).

On Linux and Unix instances, the private key allows you to establish a secure SSH connection to your instance. On Windows instances, the private key decrypts the default administrator password that you use to establish a secure RDP connection to your instance.

In this guide, we show you how to manage the keys that you can use with your Lightsail instances. You can view your keys, delete existing keys, and create or upload new keys.

**Contents**
+ [View your default and custom keys](#view-default-and-custom-keys)
+ [Download the private key of a default key from the Lightsail console](#download-the-private-key)
+ [Delete a custom key in the Lightsail console](#delete-a-custom-key)
+ [Delete a default key and create a new one in the Lightsail console](#delete-default-key-create-new-one)
+ [Create a custom key using the Lightsail console](#create-a-custom-key-console)
+ [Create a custom key using ssh-keygen and upload to Lightsail](#create-a-custom-key-ssh-keygen)

## View your default and custom keys
<a name="view-default-and-custom-keys"></a>

Complete the following procedure to view your default and custom keys from the Lightsail console.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. On the Lightsail home page, choose your user or role on the top navigation menu.

1. Choose **Account** in the dropdown menu.  
![\[Lightsail account tab\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-console-account-menu.png)

1. Choose the **SSH keys** tab.

   The **SSH keys** page lists:
   + **Custom keys** – These are keys that you create either using the Lightsail console or a third-party tool such as ssh-keygen. You can have many custom keys in each AWS Region.
   + **Default keys** – These are keys that Lightsail creates for you. You can have only one default key in each AWS Region.  
![\[SSH keys page\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-02.png)

Custom and default keys are Regional. For example, keys in the US West (Oregon) AWS Region can be configured only on instances created in that Region. For more information about keys, see [Key pairs and connecting to instances in Amazon Lightsail](understanding-ssh-in-amazon-lightsail.md).

On the **SSH keys** page, you can create key pairs, upload keys, delete keys, and download the private key of a Lightsail default key pair.

**Note**  
You cannot download the private key of a custom key pair because Lightsail does not store that key for you. If you’ve lost the private key of a custom key pair, then you should create a new one, and configure it on your instance. Then, delete the key which has been lost. For more information, see [Create a custom key using the Lightsail console](#create-a-custom-key-console) or [Create a custom key using ssh-keygen and upload to Lightsail](#create-a-custom-key-ssh-keygen) later in this guide.

## Download the private key of a default key from the Lightsail console
<a name="download-the-private-key"></a>

Complete the following procedure to download the private key of a default key pair from the Lightsail console.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. On the Lightsail home page, choose your user or role on the top navigation menu.

1. Choose **Account** in the dropdown menu.  
![\[Lightsail account tab\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-console-account-menu.png)

1. Choose the **SSH keys** tab.

1. Under the **Default keys** section of the page, choose the download icon for the key that you want to download.  
![\[Default keys download icon\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-download-default-key.png)
**Important**  
Store the private key in a secure location. Don't share it publicly because it can be used to connect to your instances.

You can configure an SSH client to connect to your instances using the private key. For more information, see [Connecting to your instances](understanding-ssh-in-amazon-lightsail.md#connecting-to-your-instances).

## Delete a custom key in the Lightsail console
<a name="delete-a-custom-key"></a>

Complete the following procedure to delete a custom key in the Lightsail console. This prevents the custom key from being configured on new instances that you create in Lightsail.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. On the Lightsail home page, choose your user or role on the top navigation menu.

1. Choose **Account** in the dropdown menu.  
![\[Lightsail account tab\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-console-account-menu.png)

1. Choose the **SSH keys** tab.

1. Under the **Custom keys** section of the page, choose the delete icon for the key that you want to delete.  
![\[Custom keys delete icon\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-06.png)

   This doesn't remove the public key of the custom key pair from instances that were previously created and are currently running. To remove a previously configured public key stored on a running instance, see [Manage keys stored on an instance in Amazon Lightsail](amazon-lightsail-remove-ssh-key-on-instance.md).

## Delete a default key and create a new one in the Lightsail console
<a name="delete-default-key-create-new-one"></a>

Complete the following procedure to delete a default key in the Lightsail console. This prevents that default key from being configured on new instances that you create in Lightsail. You can then create a new default key to replace the one that you deleted. You will be able to configure the new default key on new instances that you create in Lightsail.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. On the Lightsail home page, choose your user or role on the top navigation menu.

1. Choose **Account** in the dropdown menu.  
![\[Lightsail account tab\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-console-account-menu.png)

1. Choose the **SSH keys** tab.

1. Under the **Default keys** section of the page, choose the delete icon for the default key that you want to delete.  
![\[Default keys delete icon\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-delete-default-key.png)
**Important**  
Deleting a default key doesn't remove the public key of the default key pair from instances that were previously created and are currently running. For more information, see [Manage keys stored on an instance in Amazon Lightsail](amazon-lightsail-remove-ssh-key-on-instance.md).

1. The default key is used to generate the administrator password for Windows instances. Before you delete the default key, you should retrieve and save the administrator password from any Windows instances that use the default key you want to delete.

1. Choose **Continue** to delete the default key.  
![\[Before you delete this key prompt\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-09.png)

1. You must download the default key before you can delete it. After you download the default key, you will be able to choose **Yes, delete** to permanently delete the default key.  
![\[Download default key prompt\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-10.png)

1. The default key has been deleted. Choose **Okay**.  
![\[Default key deleted prompt\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-11.png)

   The following steps are optional and you should only complete them if you want to replace the default key pair you deleted.

1. Under the **Default keys** section of the page, choose **Create key pair**.

1. In the **Select a region** prompt that appears, choose the AWS Region in which you want to create your new default key. You will be able to configure your new default key on new instances in the same AWS Region.
**Note**  
Using these steps, you can create default key pairs only in AWS Regions where you have created Lightsail resources. To create a default key pair in a new Region, you must create a Lightsail resource in that Region. Creating the resource also creates a default key pair.

1. Download the private key and store it in a safe location.

1. Choose **Ok, got it!** to continue.  
![\[Key pair created\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-13.png)

1. Confirm the new default key on the Lightsail console SSH keys page.  
![\[Default keys list\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-14.png)

   You can configure your new default key on new instances that you create in Lightsail. To configure your new default key on instances that were previously created and are currently running, see [Manage keys stored on an instance in Amazon Lightsail](amazon-lightsail-remove-ssh-key-on-instance.md).

## Create a custom key using the Lightsail console
<a name="create-a-custom-key-console"></a>

Complete the following procedure to create a custom key pair using the Lightsail console. You will be able to configure the new custom key on new instances that you create in Lightsail.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. On the Lightsail home page, choose your user or role on the top navigation menu.

1. Choose **Account** in the dropdown menu.  
![\[Lightsail account tab\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-console-account-menu.png)

1. Choose the **SSH keys** tab.

1. Choose **Create key pair** under the **Custom keys** section of the page.  
![\[Create custom key\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-create-custom-key.png)

1. In the **Select a region** prompt that appears, choose the AWS Region in which you want to create your new custom key. You will be able to configure your new custom key on new instances in the same AWS Region.  
![\[AWS Region list\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-17.png)

1. In the **Create a new SSH key pair** prompt that appears, give your custom key a name, and choose **Generate key pair**.  
![\[Create a new SSH key pair\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-18.png)

1. In the **Key pair created!** prompt that appears, choose **Download private key** to save the private key to your local computer.
**Important**  
Store the private key in a secured location. Don't share it publicly because it can be used to connect to your instances.  
This is the only time you can download the private key of the custom key pair. Lightsail does not store the private key of custom key pairs. After you close this prompt, you will not be able to download it again.  
![\[Download private key prompt\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-19.png)

1. Choose **Ok, got it!** to close the prompt.  
![\[You can only download private key once prompt\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-20.png)

1. Your new custom key is listed under the Custom keys section of the page.  
![\[Custom keys list\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-21.png)

   You can configure your new custom key on new instances that you create in Lightsail. To configure your new custom key on instances that were previously created and are currently running, see [Manage keys stored on an instance in Amazon Lightsail](amazon-lightsail-remove-ssh-key-on-instance.md).

## Create a custom key using ssh-keygen and upload to Lightsail
<a name="create-a-custom-key-ssh-keygen"></a>

Complete the following procedure to create a custom key pair on your local computer using a third-party tool, such as ssh-keygen. After you create the key, you can upload it to the Lightsail console. You will be able to configure the new custom key on new instances that you create in Lightsail.

1. Open Command Prompt or Terminal on your local computer.

1. Enter the following command to create a key pair.

   ```
   ssh-keygen -t rsa
   ```

1. Specify a directory location on your computer where the key pair should be saved.

   For example, you can specify one of the following directories:

   1. On Windows: `C:\Users\<UserName>\.ssh\<KeyPairName>`

   1. On macOS, Linux or Unix: `/home/<UserName>/.ssh/<KeyPairName>`

   Replace `<UserName>` with the name of the user you're currently signed in as, and replace `<KeyPairName>` with the name of your new key pair.

   In the following example, we specified the `C:\Keys` directory on our Windows computer, and gave the new key a name of `MyNewLightsailCustomKey`.  
![\[ssh-keygen\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-22.png)

1. Enter a passphrase for your key and press **Enter**. You will not see the passphrase as you enter it.

   You will need this passphrase later when configuring the private key of the key pair on an SSH client to connect to an instance that has the public key of the key pair configured on it.  
![\[passphrase\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-23.png)

1. Enter the passphrase again to confirm it and press **Enter**. You will not see the passphrase as you enter it.  
![\[passphrase\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-24.png)

1. A prompt confirms that your private key and public key have been saved to the specified directory.  
![\[key pair save location\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-25.png)

   Next you will upload the public key of the key pair to the Lightsail console.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. On the Lightsail home page, choose your user or role on the top navigation menu.

1. Choose **Account** in the dropdown menu.  
![\[Lightsail account tab\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-console-account-menu.png)

1. Choose the **SSH keys** tab.

1. Choose **Upload key** under the **Custom keys** section of the page.  
![\[Upload custom key\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-27.png)

1. In the **Select a region** prompt that appears, choose the AWS Region in which you want to upload your new custom key. You will be able to configure your new custom key on new instances in the same AWS Region.  
![\[AWS Region list\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-28.png)

1. Choose **Upload**.

1. Click **Choose File** in the **Upload a public key** prompt that appears.  
![\[Choose public key file location\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-29.png)

1. Find the public key of the key pair you created earlier in this procedure, on your local computer, and choose **Open**. The public key of the key pair is the file with a .PUB file extension.  
![\[Select public key\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-30.png)

1. Choose **Upload key**.  
![\[Choose upload key button\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-31.png)

1. Your new custom key is listed in the **Custom keys** section of the page.  
![\[Custom keys list\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-21.png)

   You can configure your new custom key on new instances that you create in the AWS Region where you uploaded your key. To configure your new custom key on instances that were previously created and are currently running, see [Manage keys stored on an instance in Amazon Lightsail](amazon-lightsail-remove-ssh-key-on-instance.md).

# Manage SSH keys on Lightsail Linux instances
<a name="amazon-lightsail-remove-ssh-key-on-instance"></a>

You can establish a secure connection to your Amazon Lightsail instances using key pairs. Lightsail configures the public key of a key pair on your Linux or Unix instance when you first create it. You use the private key of the key pair to authenticate to your instance when establishing an SSH connection to it. For more information about keys, see [Key pairs and connecting to instances](understanding-ssh-in-amazon-lightsail.md).

After your instance is up and running, you can change the key pair that is used to connect to your instance by adding a new public key on the instance, or by replacing the public key (deleting the existing public key and adding a new one) on the instance. You might do this for the following reasons:
+ If a user in your organization requires access to the instance using a separate key pair, you can add the public key to your instance.
+ If you need to secure a new instance that was created from the snapshot of an instance which used a compromised key.
+ If someone has a copy of the private key and you want to prevent them from connecting to your instance (for example, if they left your organization), you can delete the public key on the instance and replace it with a new one.

To add or replace a key on your instance, you must be able to connect to your instance. If you've lost your existing private key, you can connect to your instance using the Lightsail browser-based SSH client. For more information, see [Connect to your Linux or Unix instance](lightsail-how-to-connect-to-your-instance-virtual-private-server.md).

**Contents**
+ Step 1: [Learn about the process](#learn-about-the-process)
+ Step 2: [Create a key pair](#create-a-key-pair)
+ Step 3: [Add a public key to your instance](#add-public-key-to-instance)
+ Step 4: [Connect to your instance using the new key pair](#connect-to-instance-new-key-pair)
+ Step 5: [Delete an existing public key from your instance](#delete-public-key-from-instance)

## Step 1: Learn about the process
<a name="learn-about-the-process"></a>

Following are the general steps to add and remove keys on an instance. If you want to remove a key from your instance without adding a new key, see Step 5: [Delete an existing public key from your instance](#delete-public-key-from-instance) later in this guide.

1. **Create a key pair** – To add a new key to your instance you must first create a new key pair. You can create a custom or default key pair using the Lightsail console, or on your local computer using a third-party tool, such as ssh-keygen. Both methods generate a new key pair, which consists of a public key and a private key. For more information, see Step 2: [Create a key pair](#create-a-key-pair) later in this guide.

1. **Add a public key to your instance** – After you create a key pair, you connect to your instance using SSH and add the public key of the key pair to your instance. For more information, see Step 3: [Add a public key to your instance](#add-public-key-to-instance) later in this guide.

1. **Test that you can connect to your instance using the new key pair** – After the public key of the key pair is saved on the instance, you should test that you can use the private key of the key pair to connect to the instance using SSH. For more information, see Step 4: [Connect to your instance using the new key pair](#connect-to-instance-new-key-pair) later in this guide.

1. **Remove an old public key from your instance** – After you successfully connect to your instance using the new key, you can remove an old public key from the instance. Complete this step to prevent a user from connecting to an instance using an old key pair. For more information, see Step 5: [Delete an existing public key from your instance](#delete-public-key-from-instance) later in this guide.

## Step 2: Create a key pair
<a name="create-a-key-pair"></a>

Complete the following procedure to create a key pair on your local computer using ssh-keygen.

1. Open Command Prompt or Terminal on your local computer.

1. Enter the following command to create a key pair.

   ```
   ssh-keygen -t rsa
   ```

1. Specify a directory location on your computer where the key pair should be saved.

   For example:
   + On Windows: `C:\Users\<UserName>\.ssh\<KeyPairName>`
   + On macOS, Linux or Unix: `/home/<UserName>/.ssh/<KeyPairName>`

   Replace `<UserName>` with the name of the user you are currently signed in as, and replace `<KeyPairName>` with the name of your new key pair.

   In the following example, we specified the `C:\Keys` directory on our Windows computer, and gave the new key a name of `MyNewLightsailCustomKey`.  
![\[Directory location C:\Keys\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-keys-on-instance-01.png)

1. Enter a passphrase for your key and press **Enter**. You will not see the passphrase as you enter it.

   You will need this passphrase later when configuring the private key on an SSH client to connect to an instance that has the public key configured on it.  
![\[Passphrase\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-keys-on-instance-02.png)

1. Enter the passphrase again to confirm it and press **Enter**. You will not see the passphrase as you enter it.  
![\[Passphrase\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-keys-on-instance-03.png)

1. A prompt confirms that your private key and public key have been saved to the specified directory.  
![\[Identity file save location\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-keys-on-instance-04.png)

1. Open the public key (.PUB) file, and copy the text in the file.  
![\[Copy to contents of the public key file\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-keys-on-instance-05.png)

Continue to the next section of this guide to add your new public key to your Lightsail instance.

## Step 3: Add a public key to your instance
<a name="add-public-key-to-instance"></a>

Complete the following procedure to add the public key to your instance. Public key content is saved in the `~/.ssh/authorized_keys` file on Linux and Unix instances.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. Choose the **Instances** section on the Lightsail home page.

1. Choose the browser-based SSH client icon for the instance that you want to connect to.  
![\[Choose the browser based SSH client\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-keys-on-instance-06.png)

1. After you're connected, enter the following command to edit the *authorized_keys* file using the text editor of your choice. The following steps use Vim for demonstration purposes.

   ```
   sudo vim ~/.ssh/authorized_keys
   ```

   You should see a result similar to the following example, which shows the current public keys configured on your instance. In our case, the Lightsail default key for the AWS Region in which the instance was created is the only public key configured on the instance.  
![\[Edit the authorized keys file\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-keys-on-instance-07.png)

1. Press the **I** key to enter insert mode in the Vim editor.

1. Enter a line break after the last public key on the file.

1. Paste the public key text that you copied earlier in this guide (after creating a new key pair). You should see a result similar to the following example:  
![\[Paste the public key\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-keys-on-instance-08.png)

1. Press the **ESC** key. Next, type `:wq!` and press **Enter** to save your edits and exit the Vim editor.

The new public key is now added to your instance. Continue to the next section of this guide to connect to your instance using the new key pair.

## Step 4: Connect to your instance using the new key pair
<a name="connect-to-instance-new-key-pair"></a>

To test the new key pair, disconnect from your instance, and reconnect to it using the private key that you created earlier in this guide. For more information, see [Key pairs and connecting to instances in Amazon Lightsail](understanding-ssh-in-amazon-lightsail.md). After you successfully connect to your instance using the new key, you can remove an old key from the instance. Continue to the next step to learn how to delete public keys from your instance.

## Step 5: Delete an existing public key from your instance
<a name="delete-public-key-from-instance"></a>

Complete the following procedure to remove a public key from your instance. This prevents a user from connecting to an instance using an old key pair. Do this after you successfully connect to the instance using the new key pair.

1. Connect to your instance using SSH.

1. Enter the following command to edit the *authorized_keys* file using the text editor of your choice. The following steps use Vim for demonstration purposes.

   ```
   sudo vim ~/.ssh/authorized_keys
   ```

1. Press the letter **I** key to enter insert mode in the Vim editor.

1. Delete the line of text that contains the public key that you want to remove from your instance.  
![\[Delete old public key\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-keys-on-instance-09.png)

   The result should look like the following example, where the new public key is the only key that displays.  
![\[Keep new public key\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-keys-on-instance-10.png)

1. Press the **ESC** key. Next, type `:wq!` and press **Enter** to save your edits and exit the Vim editor.

The deleted public key is now removed from your instance. Your instance will refuse connections that use the private key of that key pair.
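
Steps 3 through 5 can also be carried out without an interactive editor. The following script is an added example, not part of the Lightsail documentation; the function names (`key_id`, `has_key`, `add_key`, `remove_key`) and the sample key lines are constructed for illustration. It appends a key only if it is not already present, removes a key by matching its type and key blob, keeps a backup, and refuses to remove the last remaining key from the file.

```bash
#!/usr/bin/env bash
# Added example: rotate a public key in an authorized_keys file without an editor.

# Print "<type> <blob>" for a public key line, skipping any leading options
# field (for example from="...") and ignoring the trailing comment.
key_id() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { exit }          # commented-out keys do not count
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/) {
                    print $i, $(i + 1); exit
                }
        }'
}

# has_key FILE KEYLINE: 0 if the key is present, 1 if absent, 2 if KEYLINE is not a key.
has_key() {
    local id cur
    id=$(key_id "$2")
    [ -n "$id" ] || return 2
    [ -f "$1" ] || return 1
    while IFS= read -r cur || [ -n "$cur" ]; do
        if [ "$(key_id "$cur")" = "$id" ]; then return 0; fi
    done < "$1"
    return 1
}

# add_key FILE KEYLINE: append the key once (Step 3), with owner-only permissions.
add_key() {
    local file line
    file=$1; line=$2
    [ -n "$(key_id "$line")" ] || { echo "not a public key line" >&2; return 2; }
    mkdir -p "$(dirname "$file")" && chmod 700 "$(dirname "$file")"
    if has_key "$file" "$line"; then return 0; fi      # already there: no duplicate
    # The "line break after the last public key" step: add one only if it is missing.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then printf '\n' >> "$file"; fi
    printf '%s\n' "$line" >> "$file"
    chmod 600 "$file"
}

# remove_key FILE KEYLINE: drop every line carrying that key (Step 5).
# Returns 1 if the key is absent, 4 if removing it would leave no key in the file.
remove_key() {
    local file line id tmp kept cur
    file=$1; line=$2; id=$(key_id "$line")
    [ -n "$id" ] || return 2
    has_key "$file" "$line" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 3
    kept=0
    while IFS= read -r cur || [ -n "$cur" ]; do
        if [ "$(key_id "$cur")" = "$id" ]; then continue; fi
        if [ -n "$(key_id "$cur")" ]; then kept=$((kept + 1)); fi
        printf '%s\n' "$cur" >> "$tmp"
    done < "$file"
    if [ "$kept" -eq 0 ]; then
        rm -f "$tmp"
        echo "refusing to remove the only key in $file" >&2
        return 4
    fi
    cp -p "$file" "$file.bak" && chmod 600 "$tmp" && mv "$tmp" "$file"
}

# Demonstration on a throwaway directory. Both key lines are constructed
# placeholders, not real key material.
demo() {
    local dir ak old new
    dir=$(mktemp -d) || return 1
    ak="$dir/.ssh/authorized_keys"
    old='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDOLD old-key-constructed'
    new='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDNEW MyNewLightsailCustomKey'
    mkdir -p "$dir/.ssh"
    printf '%s' "$old" > "$ak"        # existing file with no trailing newline
    add_key "$ak" "$new"              # Step 3
    add_key "$ak" "$new"              # running it again changes nothing
    remove_key "$ak" "$old"           # Step 5, only after Step 4 succeeded
    cat "$ak"
    rm -rf "$dir"
}
demo
```

On an instance, the file argument would be `~/.ssh/authorized_keys`, and `remove_key` should be run only after the Step 4 connection test has succeeded.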

# Connect to Linux or Unix instances on Lightsail
<a name="lightsail-how-to-connect-to-your-instance-virtual-private-server"></a>

Amazon Lightsail provides you with a browser-based SSH client, which is the fastest way to connect to your Linux or Unix instance. You can also use your own SSH client to connect to your instance. For more information, see [Download and set up PuTTY](lightsail-how-to-set-up-putty-to-connect-using-ssh.md).

Connect to your instance with SSH to perform administrative tasks on the server, such as installing software packages or configuring web applications. The browser-based SSH client requires no software installation, and is available almost immediately after you create an instance.

To connect to a Windows Server instance in Lightsail, see [Connect to your Windows-based instance](connect-to-your-windows-based-instance-using-amazon-lightsail.md).

**To connect to your Linux or Unix instance**

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. Access the browser-based SSH client for the instance that you want to connect to by using any of the following:
   + Choose the quick connect icon, as shown in the following example.  
![\[Open the browser-based SSH client with quick connect.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-quick-connect-to-your-instance-button.png)
   + Choose the actions menu icon (⋮), then choose **Connect**.  
![\[Open the browser-based SSH client with the actions menu.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-linux-2023-instance-home-connect.png)
   + Choose the name of the instance, and on the **Connect** tab, choose **Connect using SSH**.  
![\[Open the browser-based SSH client through the Connect tab.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-connect-using-ssh-button.png)

   You can start interacting with your instance when the browser-based SSH client opens, and a terminal screen is displayed as shown in the following example:  
![\[Browser-based SSH client in Lightsail.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-web-based-ssh-terminal.png)
**Note**  
The **Connect** tab also provides the information required to connect using your own SSH client. For more information, see [Download and set up PuTTY](lightsail-how-to-set-up-putty-to-connect-using-ssh.md).

## Interact with your Linux or Unix instance using the browser-based SSH client
<a name="interact-with-your-instance"></a>

Type Linux or Unix commands directly into the terminal screen, paste text into the terminal screen, or copy text from the terminal screen of the browser-based SSH client. The following sections show you how to copy and paste text to and from the clipboard in SSH.

**To paste text into the browser-based SSH client**

1. Highlight text in your local desktop, then press **Ctrl+C** or **Cmd+C** to copy it to your local clipboard.

1. In the bottom right corner of the browser-based SSH client, choose the clipboard icon. The browser-based SSH client clipboard text box appears.

1. Click into the text box, then press **Ctrl+V** or **Cmd+V** to paste the contents from your local clipboard into the browser-based SSH client clipboard.

1. Right-click any area on the SSH terminal screen to paste the text from the browser-based SSH client clipboard to the terminal screen.  
![\[Paste text into the browser-based SSH client in Lightsail.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/animated-gif-lightsail-paste-into-browser-terminal.gif)

**To copy text from the browser-based SSH client**

1. Highlight text on the terminal screen.

1. In the bottom right corner of the browser-based SSH client, choose the clipboard icon. The browser-based SSH client clipboard text box appears.

1. Highlight the text that you want to copy, then press **Ctrl+C** or **Cmd+C** to copy the text to your local clipboard. You can now paste the copied text anywhere in your local desktop.  
![\[Copy text from the browser-based SSH client in Lightsail.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/animated-gif-lightsail-copy-from-browser-terminal.gif)

# Connect to Lightsail Linux or Unix instances with the SSH command
<a name="amazon-lightsail-ssh-using-terminal"></a>

If your local machine uses a Linux or Unix operating system, including macOS, then you can connect to your Linux or Unix instance in Amazon Lightsail using the SSH client through a terminal window.

The method to connect to your instance described in this guide is one of many. For more information about the other methods, see [SSH key pairs](understanding-ssh-in-amazon-lightsail.md).

The easiest way to connect to your Linux or Unix instance in Lightsail is by using the browser-based SSH client that is available in the Lightsail console. For more information, see [Connect to your Linux or Unix instance](lightsail-how-to-connect-to-your-instance-virtual-private-server.md).

**Topics**
+ [Step 1: Confirm your instance is running and get the public IP address](#terminal-ssh-get-public-ip-address)
+ [Step 2: Confirm the SSH key pair being used by your instance](#terminal-ssh-confirm-key-pair)
+ [Step 3: Change the permissions of your private key and connect to your instance using SSH](#terminal-ssh-change-key-file-permissions)

## Step 1: Confirm your instance is running and get the public IP address
<a name="terminal-ssh-get-public-ip-address"></a>

In the following procedure, you sign in to the Lightsail console to confirm your instance is in the running state and to get the public IP address of your instance. Your instance must be in a running state in order to establish an SSH connection, and you will need the public IP address of your instance to connect to it later in this guide.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the **Instances** section of the Lightsail home page, locate the instance that you want to connect to.

1. Confirm that the instance is in a running state, and make note of the public IP address of your instance.

   The state of your instance and its public IP address are listed next to the name of your instance as shown in the following example.  
![\[The status and public IP address of an instance\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-status-and-public-ip-address.png)

## Step 2: Confirm the SSH key pair being used by your instance
<a name="terminal-ssh-confirm-key-pair"></a>

In the following procedure you confirm the SSH key pair that is being used by your instance. You will need the private key of the key pair to authenticate to your instance and establish an SSH connection.

1. In the **Instances** section of the Lightsail home page, choose the name of the instance that you want to connect to.

   The **Instance management** page appears, with various tab options to manage your instance.  
![\[Instance management page in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-instance-management-page.png)

1. In the **Connect** tab, scroll down to see the key pair that is being used by your instance. There are two possibilities:

   1. The following example shows an instance that uses the default key pair for the AWS Region in which you created your instance. If your instance is using the default key pair, then you can continue to step 3 of this procedure to download the private key of the key pair. Lightsail stores the private key only for the default key pair of each AWS Region.  
![\[Default key pair used for a Lightsail instance\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-default-key-pair.png)

   1. The following example shows an instance that uses a custom key pair that you either uploaded or created. If your instance is using a custom key pair, then you need to locate the private key of the custom key pair where you store your keys. If you lost the private key of the custom key pair, then you will not be able to establish an SSH connection to your instance using your own client. However, you can continue to use the browser-based SSH client available in the Lightsail console. Continue to the next [Step 3: Change the permissions of your private key and connect to your instance using SSH](#terminal-ssh-change-key-file-permissions) section of this guide after you locate the private key of the custom key pair.  
![\[Custom key pair used for a Lightsail instance\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-custom-key-pair.png)

1. On the Lightsail home page, choose your user or role on the top navigation menu.

1. Choose **Account** in the dropdown menu.  
![\[Lightsail account tab\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-console-account-menu.png)

   The **Account management** page appears, with various tab options to manage your account settings.  
![\[Account management page in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-account-management-page.png)

1. Choose the **SSH keys** tab.

1. Scroll down, and choose the download icon next to the default key of the AWS Region of the instance that you want to connect to.  
![\[Download private key of default key pair from the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-public-key-download.png)

   The private key is downloaded to your local machine. You might want to move the downloaded key to a directory in which you store all of your SSH keys, such as a "Keys" folder in your user's home directory. You will need to refer to the directory where the private key is saved in the next section of this guide. If the private key attempts to save as a format other than `.pem`, you should manually change the format to `.pem` before saving. 
**Note**  
Lightsail does not provide utilities for manipulating `.pem` files or other certificate formats. If you need to convert the format of your private key file, free and open-source tools such as [OpenSSL](https://www.openssl.org/docs/) are readily available.

   Continue to the next [Step 3: Change the permissions of your private key and connect to your instance using SSH](#terminal-ssh-change-key-file-permissions) section of this guide to use the private key you just downloaded and establish an SSH connection to your instance.

## Step 3: Change the permissions of your private key and connect to your instance using SSH
<a name="terminal-ssh-change-key-file-permissions"></a>

In the following procedure you will change the permissions of your private key file to be readable and writable only by you. You then open a terminal window in your local machine, and run the SSH command to establish a connection with your instance in Lightsail.

1. Open a terminal window on your local machine.

1. Enter the following command to make the private key of the key pair readable and writable only by you. This is a security best practice required by some operating systems.

   ```
   sudo chmod 400 /path/to/private-key.pem
   ```

   In the command, replace `/path/to/private-key.pem` with the directory path to where you saved the private key of the key pair that is being used by your instance.

   **Example:**

   ```
   sudo chmod 400 /Users/user/Keys/LightsailDefaultKey-us-west-2.pem
   ```

1. Enter the following command to connect to your instance in Lightsail using SSH:

   ```
   ssh -i /path/to/private-key.pem username@public-ip-address
   ```

   In the command, replace:
   + */path/to/private-key.pem* with the directory path to where you saved the private key of the key pair that is being used by your instance.
   + *username* with the username of your instance. You can specify one of the following user names depending on the blueprint that is used by your instance:
     + AlmaLinux OS 9, Amazon Linux 2, Amazon Linux 2023, CentOS Stream 9, FreeBSD, and openSUSE instances: `ec2-user`
     + Debian instances: `admin`
     + Ubuntu instances: `ubuntu`
     + Bitnami instances: `bitnami`
     + Plesk instances: `ubuntu`
     + cPanel & WHM instances: `centos`
   + Replace *public-ip-address* with the public IP address of your instance that you noted from the Lightsail console earlier in this guide.

   **Example with absolute path:**

   ```
   ssh -i /Users/user/Keys/LightsailDefaultKey-us-west-2.pem ec2-user@192.0.2.0
   ```

   **Example with relative path:**

   Notice the `./` prefixing the `.pem` file. Omitting `./` and simply writing `LightsailDefaultKey-us-west-2.pem` will not work.

   ```
   ssh -i ./LightsailDefaultKey-us-west-2.pem ec2-user@192.0.2.0
   ```

   You are successfully connected to your instance if you see the welcome message for your instance. The following example shows the welcome message for an Amazon Linux 2 instance; other instance blueprints have a similar welcome message. After you're connected, you can execute commands on your instance in Lightsail. To disconnect, enter `exit` and press Enter.  
![\[SSH connection established with a Lightsail instance\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ssh-connection-established.png)

# Connect to Linux/Unix Lightsail instances with PuTTY
<a name="lightsail-how-to-ssh-connect-to-instance-virtual-private-server-using-putty"></a>

In addition to the browser-based SSH terminal in Lightsail, you can also connect to your Linux-based instance using an SSH client such as PuTTY. To learn how to set up PuTTY, see [Download and set up PuTTY to connect using SSH in Lightsail](lightsail-how-to-set-up-putty-to-connect-using-ssh.md).

**Note**  
To connect to a Windows-based instance using RDP, see [Connect to your Windows-based Lightsail instance](connect-to-your-windows-based-instance-using-amazon-lightsail.md).

You can use the default private key that Lightsail provides, a new private key from Lightsail, or another private key that you use with another service.

1. Start PuTTY (for example, from the **Start** menu, choose **All Programs**, **PuTTY**, **PuTTY**).

1. Choose **Load**, and then find your saved session.

   If you don't have a saved session, see [Step 4: Finish configuring PuTTY with your private key and instance information](lightsail-how-to-set-up-putty-to-connect-using-ssh.md).

1. Log in using one of the following default user names depending on your instance operating system:
   + AlmaLinux, Amazon Linux 2, Amazon Linux 2023, CentOS Stream 9, FreeBSD, and openSUSE instances: `ec2-user`
   + Debian instances: `admin`
   + Ubuntu instances: `ubuntu`
   + Bitnami instances: `bitnami`
   + Plesk instances: `ubuntu`
   + cPanel & WHM instances: `centos`

   For more information about instance operating systems, see [Choosing an image in Lightsail](compare-options-choose-lightsail-instance-image.md).

To learn more about SSH, see [SSH and connecting to your Amazon Lightsail instance](understanding-ssh-in-amazon-lightsail.md).

# Connect to your Lightsail Linux instance with PuTTY
<a name="lightsail-how-to-set-up-putty-to-connect-using-ssh"></a>

You can use an SSH client like PuTTY to connect to your Amazon Lightsail instance. PuTTY requires a copy of your private SSH key. You might already have a key, or you might want to use the key pair that Lightsail creates. Either way, we've got you covered. For more information about SSH, see [SSH key pairs](understanding-ssh-in-amazon-lightsail.md). This topic walks you through the steps to download a key pair and set up PuTTY to connect to your instance.

The method to connect to your instance described in this guide is one of many. For more information about the other methods, see [SSH key pairs](understanding-ssh-in-amazon-lightsail.md).

The easiest way to connect to your Linux or Unix instance in Lightsail is by using the browser-based SSH client that is available in the Lightsail console. For more information, see [Connecting to your Linux or Unix instance in Amazon Lightsail](lightsail-how-to-connect-to-your-instance-virtual-private-server.md).

## Prerequisites
<a name="lightsail-putty-prerequisites"></a>
+ You need a running instance in Lightsail. For more information, see [Create an instance in Amazon Lightsail](getting-started-with-amazon-lightsail.md).
+ We recommend that you create a static IP address and attach it to your instance so you won't have to reconfigure PuTTY if your public IP address changes later. For more information, see [Create a static IP and attach it to an instance](lightsail-create-static-ip.md).

## Step 1: Download and install PuTTY
<a name="lightsail-download-and-install-putty"></a>

PuTTY is a free implementation of SSH for Windows. Learn more about PuTTY on the [PuTTY website](http://www.chiark.greenend.org.uk/~sgtatham/putty/), including restrictions related to countries where encryption isn't allowed. If you already have PuTTY, you can skip to **Step 2**.

1. Download the PuTTY installer or executable file from the following link: [Download PuTTY](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html).

   If you need help deciding which download to choose, see the [PuTTY documentation](http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html). We recommend using the latest version.

1. Go on to **Step 2** to get your private key before you configure PuTTY.

## Step 2: Get your private key ready
<a name="lightsail-get-your-private-key-ready"></a>

You have several options for getting your private key. You might want to use the default private key that Lightsail generates, you might want to have Lightsail create a new private key for you, or you might already have one from another service. The steps for each of these options are outlined in the following procedure:

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. On the Lightsail home page, choose your user or role on the top navigation menu.

1. Choose **Account** in the dropdown menu.  
![\[Lightsail account tab\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-console-account-menu.png)

1. Choose the **SSH Keys** tab.

1. Choose one of the following options depending on which private key you prefer to use:
   + **To use the default private key that Lightsail generates**, in the **Default keys** section of the page, choose the download icon next to the default private key for the AWS Region where your instance is located.  
![\[SSH key pairs in the Lightsail console\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-download-default-key.png)
   + **To create a new key pair in Lightsail**, in the **Custom keys** section of the page, choose **Create key pair**. Choose the AWS Region where your instance is located, and choose **Create**. Enter a name, and choose **Generate key pair**. You will be given the option to download the private key.
**Important**  
You can only download the private key once. Save it in a secured location.
   + **To use your own key pair**, choose **Upload New**. Choose the AWS Region where your instance is located, and choose **Upload**. Choose **Upload file**, and then locate the file in your local drive. Choose **Upload key** when you're ready to upload your public key file to Lightsail.

1. If you downloaded the private key, or you created a new private key in Lightsail, then make sure to save the `.pem` key file somewhere you can easily find it.

   We also recommend that you set permissions for the file so that no one else can read it.

## Step 3: Configure PuTTYgen with your Lightsail private key
<a name="lightsail-configure-puttygen-with-your-key"></a>

Now that you have a copy of your `.pem` key file, you can set up PuTTY using the PuTTY Key Generator (PuTTYgen).

1. Start PuTTYgen (for example, from the **Start** menu, choose **All Programs**, **PuTTY**, **PuTTYgen**).

1. Choose **Load**.

   By default, PuTTYgen displays only files with the `.ppk` extension. To locate your `.pem` file, select the option to display files of all types.

1. Choose `lightsailDefaultKey.pem`, and then press **Open**.

   PuTTYgen confirms that you successfully imported the key, and then you can choose **OK**.

1. Choose **Save private key**, and then confirm you don't want to save it with a passphrase.

   If you choose to create a passphrase as an extra measure of security, remember you will need to enter it every time you connect to your instance using PuTTY.

1. Specify a name and a location to save your private key, and then choose **Save**.

1. Close PuTTYgen.

## Step 4: Finish configuring PuTTY with your private key and instance information
<a name="lightsail-configure-putty-with-your-key"></a>

You're almost there! Hang on while we make one last change.

1. Open PuTTY.

1. From Lightsail, grab the public IP address (hopefully you're using a [static IP address](understanding-static-ip-addresses-in-amazon-lightsail.md)) from the instance management page.

   You can get the public IP address from the Lightsail home page, or choose your instance to view more details about it.

1. Type (or paste) the public IP address into the **Host Name (or IP address)** field.
**Note**  
Port 22 is already open for SSH on your Lightsail instance, so accept the default port.

1. Under **Connection**, expand **SSH** and **Auth**, and then choose **Credentials**.  
![\[PuTTY and the SSH Auth-Credentials option in the configuration dialog\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/putty-configuration-connection-ssh-auth.png)

1. Choose **Browse** to navigate to the `.ppk` file that you created in the previous step, and then choose **Open**.

1. Choose **Open** again, and then choose **Accept** to trust this connection in the future.

1. Log in using one of the following default user names depending on your instance operating system:
   + AlmaLinux, Amazon Linux 2, Amazon Linux 2023, CentOS Stream 9, FreeBSD, and openSUSE instances: `ec2-user`
   + Debian instances: `admin`
   + Ubuntu instances: `ubuntu`
   + Bitnami instances: `bitnami`
   + Plesk instances: `ubuntu`
   + cPanel & WHM instances: `centos`

   For more information about instance operating systems, see [Choose an image](compare-options-choose-lightsail-instance-image.md).

1. Be sure to save your connection for future use.

## Next steps
<a name="lightsail-configure-putty-next-steps"></a>

If you need to connect again, see [Connect to your Linux/Unix-based instance with PuTTY](lightsail-how-to-ssh-connect-to-instance-virtual-private-server-using-putty.md).

# Transfer files securely to Lightsail Linux instances with SFTP
<a name="amazon-lightsail-connecting-to-linux-unix-instance-using-sftp"></a>

You can transfer files between your local computer and your Linux or Unix instance in Amazon Lightsail by connecting to your instance using SFTP (SSH File Transfer Protocol). To do this, you must get the private key for your instance, and then use it to configure the FTP client. This tutorial shows you how to configure the FileZilla FTP client to connect to your instance. These steps may also apply to other FTP clients.

**Topics**
+ [Prerequisites](#connecting-to-linux-unix-instance-using-sftp-prerequisites)
+ [Get the SSH key for your instance](#get-the-ssh-key-for-your-instance)
+ [Configure FileZilla and connect to your instance](#configure-filezilla-and-connect-to-your-instance)

## Prerequisites
<a name="connecting-to-linux-unix-instance-using-sftp-prerequisites"></a>

Complete the following prerequisites if you haven't already:
+ Download and install FileZilla on your local computer. For more information, see the following download options:
  + [Download FileZilla Client for Windows](https://filezilla-project.org/download.php?platform=win64)
  + [Download FileZilla Client for Mac OS X](https://filezilla-project.org/download.php?platform=osx)
  + [Download FileZilla Client for Linux](https://filezilla-project.org/download.php?platform=linux)
+ Get the public IP address of your instance. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/), and then copy the public IP address that is displayed next to your instance, as shown in the following example:  
![\[The public IP for an instance in Lightsail.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-instance-public-ip.png)

## Get the SSH key for your instance
<a name="get-the-ssh-key-for-your-instance"></a>

Complete the following steps to get the default private key for the AWS Region of your instance, which is required to connect to your instance using FileZilla.

**Note**  
If you’re using your own key pair, or you created a key pair using the Lightsail console, locate your own private key and use it to connect to your instance. Lightsail does not store your private key when you upload your own key or create a key pair using the Lightsail console. You cannot connect to your instance using SFTP without your private key.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. On the Lightsail home page, choose your user or role on the top navigation menu.

1. Choose **Account** in the drop-down menu.  
![\[Account menu in the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-console-account-menu.png)

1. Choose the **SSH Keys** tab.

1. Scroll down to the **Default keys** section of the page.

1. Choose **Download** next to the default private key for the region where your instance is located.  
![\[SSH keypairs in the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/managing-key-pairs-download-default-key.png)

1. Save your private key in a secured location on your local drive.

## Configure FileZilla and connect to your instance
<a name="configure-filezilla-and-connect-to-your-instance"></a>

Complete the following steps to configure FileZilla to connect to your instance.

1. Open FileZilla.

1. Choose **File**, **Site Manager**.

1. Choose **New site**, then give your site a name.  
![\[New site configuration in FileZilla.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-filezilla-sftp-new-site.png)

1. In the **Protocol** dropdown, choose **SFTP – SSH File Transfer Protocol**.

1. In the **Host** text box, enter or paste your instance’s public IP address.

1. In the **Logon Type** dropdown, choose **Key File**.

1. In the **User** text box, enter one of the following default user names depending on your instance operating system:
   + AlmaLinux, Amazon Linux 2, Amazon Linux 2023, CentOS Stream 9, FreeBSD, and openSUSE instances: `ec2-user`
   + Debian instances: `admin`
   + Ubuntu instances: `ubuntu`
   + Bitnami instances: `bitnami`
   + Plesk instances: `ubuntu`
   + cPanel & WHM instances: `centos`
**Important**  
If you are using a different user name than the default user names listed here, then you might need to give the user write permissions to your instance.

1. Next to the **Key File** text box, choose **Browse**.  
![\[SFTP configuration in FileZilla.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-filezilla-sftp-configuration.png)

1. Locate the private key file that you downloaded from the Lightsail console earlier in this procedure, and then choose **Open**.
**Note**  
If you are using Windows, change the default file type to **All files** when searching for your pem file.  
![\[File extension setting in FileZilla open dialog\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-filezilla-file-extention-setting.png)

1. Choose **Connect**.

1. You may see a prompt similar to the following example, indicating that the host key is unknown. Choose **OK** to acknowledge the prompt and connect to your instance.  
![\[Unknown host key in FileZilla.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-filezilla-unknown-hostkey.png)

   You are successfully connected if you see status messages similar to the following example:  
![\[FileZilla successfully connected to an instance in Lightsail.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-filezilla-sftp-successfully-connected.png)

   For more information about using FileZilla, including how to transfer files between your local computer and your instance, see the [FileZilla Wiki page](https://wiki.filezilla-project.org/Using).

# Connect to your Lightsail Windows instance using RDP
<a name="connect-to-your-windows-based-instance-using-amazon-lightsail"></a>

You can connect to your Windows Server instance in Amazon Lightsail using the browser-based RDP client that is available in the Lightsail console. The browser-based RDP client does not require software installation, and you can connect to your Windows Server instance immediately after you create it, and it becomes available. Connect to your instance to perform administrative tasks on the server, such as installing software, or configuring web applications.

You can also use your own RDP client to connect to your instance, such as the Remote Desktop Connection that is bundled with Windows. For more information about configuring your own RDP client, see [Connect to your Windows instance with the Remote Desktop Connection client](amazon-lightsail-connecting-to-windows-instance-using-rdc.md). To connect to a Linux or Unix instance in Lightsail, see [Connect to your Linux or Unix instance](lightsail-how-to-connect-to-your-instance-virtual-private-server.md).

## Default administrator password for Windows Server instances
<a name="windows-admin-password"></a>

A randomly generated default administrator password is assigned to Windows Server instances when they are created. The browser-based RDP client in the Lightsail console uses the default administrator password to sign in to your instance. If you change the administrator password on your instance, you will be prompted to manually enter your new password each time you try to connect to your instance using the browser-based RDP client. Lightsail does not store your new administrator password, and it cannot be retrieved from your instance.

**Important**  
If you lose your administrator password, you will not be able to sign in to your instance, and there is no way to reset the password. Store your new administrator password in a secure location where you can retrieve it later if you lose it, such as AWS Secrets Manager. For more information, see the [AWS Secrets Manager User guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html).

You can change the administrator password back to the original default administrator password to avoid being prompted for it each time you access your instance using the browser-based RDP client. You can find the original default administrator password by choosing the **Instances** tab in the [Lightsail home page](https://lightsail.aws.amazon.com/). Choose the name of your Windows Server instance, choose the **Connect** tab, and choose **Show default password** to view the original default administrator password as shown in the following example.

![\[Windows default administrator password in the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-windows-default-admin-password.png)


## Connect to your Windows Server instance using the browser-based RDP client
<a name="connect-to-windows-using-browser"></a>

Use the following procedure to connect to your Windows Server instance using the browser-based RDP client in the Lightsail console.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. Access the browser-based RDP client for the instance that you want to connect to by using one of the following steps:
   + Choose the browser-based RDP client icon, as shown in the following example.  
![\[Open the browser-based RDP client with quick connect.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/connect-to-windows-instance-using-rdp-connection-shortcut.png)
   + Choose the actions menu icon (⋮), then choose **Connect** as shown in the following example.  
![\[Open the browser-based RDP client with the actions menu.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-windows-server-2022-instance-home-connect.png)
   + Choose the name of the instance, and on the **Connect** tab, choose **Connect using RDP**.  
![\[Open the browser-based RDP client through the Connect tab.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-connect-using-rdp-button.png)

   You can start interacting with your instance when the browser-based RDP client opens, and a Windows desktop is displayed as shown in the following example.  
![\[Browser-based RDP client in Lightsail.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-web-based-rdp-client.png)
**Note**  
The **Connect** tab also provides the information required to connect using your own RDP client, such as the default user name and password for your Windows instance. For more information about configuring your own RDP client, see [Connecting to your Windows instance in Amazon Lightsail using the Remote Desktop Connection client](amazon-lightsail-connecting-to-windows-instance-using-rdc.md).

## Interact with your Windows instance using the browser-based RDP client
<a name="interact-with-your-instance"></a>

Use the browser-based RDP client as you would your own local Windows desktop. RDP includes function keys and other keys specific to Windows to help you interact with your instance. The following sections show you how to copy and paste text to and from the clipboard in RDP.

**To paste text into the browser-based RDP client**

1. Highlight text in your local desktop, then press **Ctrl+C** or **Cmd+C** to copy it to your local clipboard.

1. In the bottom right corner of the browser-based RDP client, choose the clipboard icon. The browser-based RDP client clipboard text box appears.

1. Click into the text box, then press **Ctrl+V** or **Cmd+V** to paste the contents from your local clipboard into the browser-based RDP client clipboard.

1. Right-click any area on the remote desktop screen to paste the text from the browser-based RDP client clipboard to the remote desktop screen.  
![\[Paste text into the browser-based RDP client in Lightsail.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-paste-rdp-windows.gif)

**To copy text from the browser-based RDP client**

1. Highlight text on the remote desktop screen.

1. In the bottom right corner of the browser-based RDP client, choose the clipboard icon. The browser-based RDP client clipboard text box appears.

1. Highlight the text that you want to copy, then press **Ctrl+C** or **Cmd+C** to copy the text to your local clipboard. You can now paste the copied text anywhere in your local desktop.  
![\[Copy text from the browser-based RDP client in Lightsail.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-copy-rdp-windows.gif)

# Change the Administrator password for Lightsail Windows instances
<a name="use-non-default-key-with-windows-based-instance-in-lightsail"></a>

When you create a Windows Server-based Lightsail instance, we use the default password for the AWS Region where we create the instance. This makes it easier to connect using the browser-based remote desktop (RDP) client, as well as a client such as Remote Desktop Connection. 

**Important**  
We strongly encourage you to let Lightsail generate the password for your instance. Since we don't store your custom password, you can risk losing access to your Lightsail instance if you change the Administrator password.

## Change your Administrator password using Windows Server
<a name="changing-your-password-using-windows"></a>

You can change your Administrator password using the Windows Server **Change Password** tool. Type `Ctrl` + `Alt` + `Del` on your Windows Server-based Lightsail instance, and then choose **Change a password**.

## Get the ciphertext for your Lightsail key pair using the AWS CLI
<a name="decrypt-password-using-cyphertext-and-cli"></a>

If you change your password on your Windows Server-based Lightsail instance, you can use the AWS Command Line Interface (AWS CLI) to get information that helps you decrypt your password.

**Note**  
Lightsail does not provide utilities for manipulating .pem files. If you need to convert the format of your private key file, free and open-source tools such as OpenSSL for Linux, and base64 for Windows are readily available.

**Get your ciphertext**

1. If you haven't done so already, install and configure the AWS CLI.

   For more information, see [Configure the AWS Command Line Interface to work with Amazon Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).

1. Open a command prompt or a terminal.

1. Type the following command.

   ```
   aws lightsail get-instance-access-details --instance-name my-instance
   ```

   Where *my-instance* is the name of the instance you want to get information about.

   You will see output similar to the following.

   ```
   {
       "accessDetails": {
           "username": "Administrator",
           "protocol": "rdp",
           "ipAddress": "12.345.678.910",
           "passwordData": {
               "ciphertext": "cipher",
               "keyPairName": "my-ohio-key"
           },
           "password": "",
           "instanceName": "2016-ohio-windows"
       }
   }
   ```

1. You can use the ciphertext with any available application to decrypt your password.
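
One way to carry out the decryption step with OpenSSL, as an added example that is not part of the original guide. It assumes the ciphertext is base64-encoded RSA data with PKCS#1 v1.5 padding, encrypted to the key pair named in `keyPairName`; the function names, the throwaway key, and the sample password are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Lightsail guide): decrypt the "ciphertext" field
# returned by `aws lightsail get-instance-access-details` with your private key.
# ASSUMPTION: the ciphertext is base64-encoded and RSA-encrypted with PKCS#1 v1.5
# padding to the public half of the key pair named in "keyPairName".

# Pull the ciphertext string out of the JSON shown above (reads stdin).
# With the real CLI you can skip this and use the global --query option:
#   aws lightsail get-instance-access-details --instance-name my-instance \
#       --query 'accessDetails.passwordData.ciphertext' --output text
extract_ciphertext() {
    sed -n 's/.*"ciphertext"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# decrypt_ciphertext <base64-ciphertext> <private-key.pem>
# Writes the plaintext password to stdout. Nothing is written to disk.
decrypt_ciphertext() {
    if [ -z "$1" ]; then
        echo "ciphertext is empty, nothing to decrypt" >&2
        return 2
    fi
    if [ ! -r "$2" ]; then
        echo "cannot read private key: $2" >&2
        return 3
    fi
    printf '%s' "$1" | openssl base64 -d -A |
        openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:pkcs1
}

# Offline round trip with a throwaway key and a constructed password, so the
# pipeline can be checked without touching a real instance or a real key.
demo_roundtrip() (
    umask 077                       # key material readable by the owner only
    tmp=$(mktemp -d) || exit 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/key.pem" 2>/dev/null
    openssl pkey -in "$tmp/key.pem" -pubout -out "$tmp/pub.pem"
    sample_ct=$(printf '%s' 'Constructed-Example-Pw1' |
        openssl pkeyutl -encrypt -pubin -inkey "$tmp/pub.pem" \
            -pkeyopt rsa_padding_mode:pkcs1 | openssl base64 -A)
    # Same shape as the CLI output shown above; every value is constructed.
    json=$(printf '{"accessDetails":{"username":"Administrator","passwordData":{"ciphertext":"%s","keyPairName":"throwaway-demo-key"}}}' "$sample_ct")
    ct=$(printf '%s\n' "$json" | extract_ciphertext)
    if decrypt_ciphertext "$ct" "$tmp/key.pem"; then status=0; else status=$?; fi
    rm -rf "$tmp"                   # remove the throwaway key pair
    exit "$status"
)

# Usage: script.sh demo                      run the offline round trip
#        script.sh <ciphertext> <key.pem>    decrypt a real value
case "${1:-}" in
    "")   ;;
    demo) demo_roundtrip; echo ;;
    *)    decrypt_ciphertext "$1" "$2"; echo ;;
esac
```

The decrypted password is only printed to the terminal; avoid redirecting it to a file or leaving it in shell history.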

# Connect to a Lightsail Windows instance from Windows with Remote Desktop
<a name="amazon-lightsail-connecting-to-windows-instance-using-rdc"></a>

You can use the Remote Desktop Connection (RDC) client included with the Windows operating system to connect to your Windows instance in Amazon Lightsail. RDC requires that you use the administrator user name and password for the Windows instance, which could be the default password assigned to the instance when it’s created or your own password if you changed the default password.

This topic walks you through the steps to obtain your default administrator password from the Lightsail console, and configure RDC to connect to your Windows instance. You can also connect to your instance from within the Lightsail console using your browser. For more information, see [Connect to your Windows instance with the web-based RDP client](connect-to-your-windows-based-instance-using-amazon-lightsail.md).

## Get the default administrator password for your Windows instance
<a name="get-the-default-admin-password"></a>

Complete the following steps to get the default administrator password for your Windows instance, which is required to connect to the instance using RDC.

**Note**  
If you changed the default administrator password, then the password that is displayed in Lightsail console for your instance will not work. You’ll need to remember your password. You cannot connect to your instance using RDC without your administrator password.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. Choose the Windows instance that you want to connect to.

1. In the **Connect** tab of the instance management page, choose **Show default password**.

1. Highlight the default password that is displayed, and copy it by pressing **Ctrl+C** or **Cmd+C**. The password is now in your clipboard.

   Continue to the next section of this guide to configure RDC, and paste the password into the client.

## Configure RDC and connect to your Windows instance
<a name="configure-rdc-and-connect"></a>

Complete the following steps to configure RDC and connect to your Windows instance.

1. Open the Windows menu, and then search for `Remote Desktop Connection` or `RDC`.

1. Choose **Remote Desktop Connection** in the search results.  
![\[RDC in the start menu search results.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-rdc-in-start-menu.png)

1. In the **Computer** text box, enter your Windows instance’s public IP address.  
![\[RDC configuration.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-remote-desktop-connection-configuration.png)

   The public IP is displayed next to your instance in the Lightsail console, as shown in the following example:  
![\[Public IP address of an instance in the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-public-ip-address.png)

1. Choose **Show Options** to view additional connection options.

1. In the **User Name** text box, enter `Administrator`, which is the default user name for all Windows instances in Lightsail.  
![\[RDC options.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-remote-desktop-connection-options.png)

1. Choose **Connect**.

1. In the prompt that appears, enter or paste the default administrator password that you copied from the Lightsail console earlier in this procedure, and then choose **OK**.  
![\[Credentials for RDC connection.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-rdc-credentials.png)

1. In the prompt that appears, choose **Yes** to connect to the Windows instance despite certificate errors.  
![\[RDC certificate confirmation.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-rdc-certificate-confirmation.png)

   After you’re connected to the instance, you should see a screen similar to the following example:  
![\[The desktop background for a Lightsail Windows instance in the Microsoft Remote Desktop application.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/connect-using-remote-desktop-mac-08.png)

# Connect to a Lightsail Windows instance from macOS with Remote Desktop
<a name="amazon-lightsail-connecting-to-windows-instance-using-microsoft-remote-desktop"></a>

You can use the Microsoft Remote Desktop client to connect to your Windows instance from your macOS computer. Microsoft Remote Desktop requires that you use the administrator user name and password for your Lightsail Windows instance. This can be the default password assigned to the instance when it is created, or your own password if you changed the default password.

This topic walks you through the steps to obtain your default administrator password from the Lightsail console, and configure Microsoft Remote Desktop to connect to your Windows instance. You can also connect to your instance from within the Lightsail console using your browser. For more information, see [Connect to your Windows instance with the Microsoft Remote Desktop client](connect-to-your-windows-based-instance-using-amazon-lightsail.md).

## Get the required connection information for your Windows instance
<a name="get-required-connection-information"></a>

You will need the public IP address, user name, and administrator password for your Windows instance to connect to it using the Microsoft Remote Desktop client.

Complete the following procedure to get the required information.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. Choose the **Instances** section on the Lightsail home page.

1. Make note of the public IP address of the instance you want to connect to.

1. Choose the name of the instance you want to connect to.

1. Choose the **Connect** tab.

1. Choose **Show default password** to obtain the Windows administrator password for your instance.  
![\[The Show default password option in the Lightsail Instance Connect tab.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/connect-using-remote-desktop-mac-01.png)

   The prompt displays the default administrator password for your Windows instance.  
![\[The default administrator password.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-windows-default-admin-password.png)

1. Copy the administrator password. You will use it to sign in to your instance using the Microsoft Remote Desktop client later in this guide.

## Configure Microsoft Remote Desktop and connect to your instance
<a name="configure-remote-desktop-to-connect-to-instance"></a>

Complete the following procedure to install the Microsoft Remote Desktop client on your Mac, and configure it to connect to your instance.

1. Open the App Store on your Mac, and search for **Microsoft Remote Desktop**.

1. Find the **Microsoft Remote Desktop** app in the search results, and choose **GET** to install the application.  
![\[The Microsoft Remote Desktop application.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/connect-using-remote-desktop-mac-03.png)

1. Open **Microsoft Remote Desktop** after the installation is complete.

1. At the top, choose the **plus (+)** icon, and choose **Add PC**.  
![\[The Add PC option in the Microsoft Remote Desktop application.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/connect-using-remote-desktop-mac-04.png)

1. In the **PC name** text box, paste the public IP address of your instance.

1. Choose **Add**.  
![\[The Add button.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/connect-using-remote-desktop-mac-05.png)

1. Right-click the icon for your instance, and choose **Connect**.  
![\[The Connect option in the Microsoft Remote Desktop application.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/connect-using-remote-desktop-mac-06.png)

1. Enter **Administrator** into the **Username** text box, and enter the default administrator password that you got earlier in this guide into the **Password** text box.

1. Choose **Continue** to connect to your instance.  
![\[The Continue button.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/connect-using-remote-desktop-mac-07.png)

You are now connected to your Lightsail Windows instance.

![\[The desktop background for a Lightsail Windows instance in the Microsoft Remote Desktop application.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/connect-using-remote-desktop-mac-08.png)


# Access Instance Metadata Service (IMDS) and user data in Lightsail
<a name="amazon-lightsail-instance-metadata"></a>

*Instance metadata* is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories, for example, hostname, events, and security groups. You can also use instance metadata to access user data that you specified when launching your instance. For example, you can specify parameters for configuring your instance, or include a simple script. Instances can also include dynamic data, such as an instance identity document that is generated when the instance is launched.

**Important**  
Although you can only access instance metadata and user data from within the instance itself, the data is not protected by authentication or cryptographic methods. Anyone who has direct access to the instance, and potentially any software running on the instance, can view its metadata. Therefore, you should not store sensitive data, such as passwords or long-lived encryption keys, as user data.

## Use the Instance Metadata Service
<a name="amazon-lightsail-use-imds"></a>

You can access instance metadata from a running instance in Lightsail by using one of the following methods:
+ Instance Metadata Service Version 1 (IMDSv1) – a request/response method
+ Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method

**Important**  
Not all instance blueprints in Lightsail support IMDSv2. Use the `MetadataNoToken` instance metric to track the number of calls to the instance metadata service that are using IMDSv1. For more information, see [View instance metrics](amazon-lightsail-viewing-instance-health-metrics.md).

For more information about using IMDS, see [Configure the Instance Metadata Service (IMDS)](amazon-lightsail-configuring-instance-metadata-service.md).

## Additional IMDS documentation
<a name="amazon-lightsail-imds-documentation"></a>

The following IMDS documentation is available in the *Amazon Elastic Compute Cloud User Guide for Linux Instances* and the *Amazon Elastic Compute Cloud User Guide for Windows Instances*:

**Note**  
In Amazon EC2, instance blueprints are referred to as Amazon Machine Images (AMIs).
+ For Linux instances:
  + [Configure the instance metadata options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html)
  + [Retrieve instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html)
  + [Work with instance user data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html)
  + [Retrieve dynamic data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-dynamic-data-retrieval.html)
  + [Instance metadata categories](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html)
  + [Example: AMI launch index value](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMI-launch-index-examples.html)
  + [Instance identity documents](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html)
+ For Windows instances:
  + [Configure the instance metadata options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html)
  + [Retrieve instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html)
  + [Work with instance user data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html)
  + [Retrieve dynamic data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-dynamic-data-retrieval.html)
  + [Instance metadata categories](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html)
  + [Example: AMI launch index value](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMI-launch-index-examples.html)
  + [Instance identity documents](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html)

# Access and configure Instance Metadata Service (IMDS) on Lightsail
<a name="amazon-lightsail-configuring-instance-metadata-service"></a>

You can access instance metadata from a running instance by using one of the following methods:
+ Instance Metadata Service Version 1 (IMDSv1) – a request/response method
+ Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method

**Important**  
Not all instance blueprints in Lightsail support IMDSv2. Use the `MetadataNoToken` instance metric to track the number of calls to the instance metadata service that are using IMDSv1. For more information, see [View instance metrics](amazon-lightsail-viewing-instance-health-metrics.md).

By default, you can use either IMDSv1 or IMDSv2, or both. The instance metadata service distinguishes between IMDSv1 and IMDSv2 requests based on whether the token headers that are unique to IMDSv2 are present in a given `PUT` or `GET` request. For more information, see [Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/).

You can configure the instance metadata service on each instance so that local code or users must use IMDSv2. When you specify that IMDSv2 must be used, IMDSv1 no longer works. For more information, see [Configure the instance metadata options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html) in the *Amazon Elastic Compute Cloud User Guide for Linux Instances*.

To retrieve instance metadata, see [Retrieve instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html) in the *Amazon Elastic Compute Cloud User Guide for Linux Instances*.

**Note**  
The examples in this section use the IPv4 address of the instance metadata service: `169.254.169.254`. If you are retrieving instance metadata for instances over the IPv6 address, make sure to enable and use the IPv6 address instead: `fd00:ec2::254`. The IPv6 address of the instance metadata service is compatible with IMDSv2 commands.

## How Instance Metadata Service Version 2 works
<a name="instance-metadata-v2-how-it-works"></a>

IMDSv2 uses session-oriented requests. With session-oriented requests, you create a session token that defines the session duration, which can be a minimum of one second and a maximum of six hours. During the specified duration, you can use the same session token for subsequent requests. After the specified duration expires, you must create a new session token to use for future requests.

**Important**  
Lightsail instances launched from Amazon Linux 2023 and Ubuntu 24 blueprints will have IMDSv2 configured by default.

The following examples use a Linux shell and Windows PowerShell with IMDSv2 to retrieve the top-level instance metadata items. These examples do the following:
+ Create a session token lasting six hours (21,600 seconds) by using the `PUT` request
+ Store the session token in a variable named `TOKEN` (on Linux) or `token` (on Windows)
+ Request the top-level metadata items by using the token

Start by running the following commands:
+ **On Linux:**
  + First, generate a token with the following command.

    ```
    [ec2-user ~]$ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
    ```
  + Then, use the token to retrieve the top-level metadata items with the following command.

    ```
    [ec2-user ~]$ curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/
    ```
+ **On Windows:**
  + First, generate a token with the following command.

    ```
    PS C:\> [string]$token = Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token-ttl-seconds" = "21600"} -Method PUT -Uri http://169.254.169.254/latest/api/token
    ```
  + Then, use the token to retrieve the top-level metadata items with the following command.

    ```
    PS C:\> Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token" = $token} -Method GET -Uri http://169.254.169.254/latest/meta-data/
    ```

After you create a token, you can reuse it until it expires. In the following examples, each command gets the ID of the blueprint (Amazon Machine Image (AMI)) that's used to launch the instance. The token from the previous example is reused. It is stored in `$TOKEN` (on Linux) or `$token` (on Windows).
+ **On Linux:**

  ```
  [ec2-user ~]$ curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/ami-id
  ```
+ **On Windows:**

  ```
  PS C:\> Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token" = $token} `
  -Method GET -uri http://169.254.169.254/latest/meta-data/ami-id
  ```

When you use IMDSv2 to request instance metadata, the request must include the following:
+ **A `PUT` request** – Use a `PUT` request to initiate a session to the instance metadata service. The `PUT` request returns a token that must be included in subsequent `GET` requests to the instance metadata service. The token is required to access metadata when using IMDSv2.
+ **The token** – Include the token in all `GET` requests to the instance metadata service. When token usage is set to `required`, requests without a valid token or with an expired token receive a `401 - Unauthorized` HTTP error code. For information about changing the token usage requirement, see [update-instance-metadata-options](https://docs.aws.amazon.com/cli/latest/reference/lightsail/update-instance-metadata-options.html) in the *AWS CLI Command Reference*.
  + The token is an instance-specific key. The token is not valid on other instances and will be rejected if you attempt to use it outside of the instance on which it was generated.
  + The `PUT` request must include a header that specifies the time to live (TTL) for the token, in seconds. The TTL can be specified to a maximum of six hours (21,600 seconds). The token represents a logical session. The TTL specifies the length of time that the token is valid and, therefore, the duration of the session.
  + After a token expires, to continue accessing instance metadata, you must create a new session using another `PUT` request.
  + You can choose to reuse a token or create a new token with every request. For a small number of requests, it might be easier to generate and immediately use a token each time you need to access the instance metadata service. But for efficiency, you can specify a longer duration for the token and reuse it instead of writing a `PUT` request every time you need to request instance metadata. There is no practical limit on the number of concurrent tokens, with each representing its own session. IMDSv2 is, however, still constrained by normal instance metadata service connection and throttling limits. For more information, see [Query throttling](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#instancedata-throttling) in the *Amazon Elastic Compute Cloud User Guide for Linux Instances*.

HTTP `GET` and `HEAD` methods are allowed in IMDSv2 instance metadata requests. `PUT` requests are rejected if they contain an `X-Forwarded-For` header.

By default, the response to `PUT` requests has a response hop limit (time to live) of `1` at the IP protocol level. If you need a larger hop limit, you can adjust it by using the `update-instance-metadata-options` command. For example, you might need a larger hop limit for backward compatibility with container services running on the instance. For more information, see [update-instance-metadata-options](https://docs.aws.amazon.com/cli/latest/reference/lightsail/update-instance-metadata-options.html) in the *AWS CLI Command Reference*.
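The session flow described above (one `PUT` for a token, reuse on every `GET`, a new session after expiry or a `401`), as an added Python example that is not part of the AWS documentation. The class name `ImdsV2Client` and its `opener` parameter are hypothetical, and the default address assumes the code runs on the instance itself.

```python
"""Added example: minimal IMDSv2 client with token caching (standard library only)."""
import time
import urllib.error
import urllib.request

TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
MAX_TTL = 21600  # six hours, the maximum session duration


class ImdsV2Client:
    def __init__(self, base_url="http://169.254.169.254", ttl=MAX_TTL,
                 timeout=2.0, opener=None):
        if not 1 <= ttl <= MAX_TTL:
            raise ValueError("TTL must be between 1 and 21600 seconds")
        self.base_url = base_url.rstrip("/")
        self.ttl = ttl
        self.timeout = timeout
        self._token = None
        self._expires_at = 0.0
        # Bypass any configured HTTP proxy so requests go straight to the
        # link-local metadata address. `opener` is a hypothetical test hook.
        self._opener = opener or urllib.request.build_opener(
            urllib.request.ProxyHandler({}))

    def _refresh_token(self):
        """PUT /latest/api/token starts a new session and returns its token."""
        req = urllib.request.Request(
            self.base_url + "/latest/api/token",
            method="PUT",
            headers={TOKEN_TTL_HEADER: str(self.ttl)},
        )
        with self._opener.open(req, timeout=self.timeout) as resp:
            self._token = resp.read().decode("ascii").strip()
        # Renew slightly early so a request never carries a just-expired token.
        self._expires_at = time.monotonic() + self.ttl - min(5, self.ttl / 2)

    def get(self, path):
        """GET a metadata path such as 'meta-data/ami-id'; renew once on 401."""
        for attempt in (1, 2):
            if self._token is None or time.monotonic() >= self._expires_at:
                self._refresh_token()
            req = urllib.request.Request(
                self.base_url + "/latest/" + path.lstrip("/"),
                headers={TOKEN_HEADER: self._token},
            )
            try:
                with self._opener.open(req, timeout=self.timeout) as resp:
                    return resp.read().decode("utf-8")
            except urllib.error.HTTPError as err:
                if err.code == 401 and attempt == 1:
                    self._token = None  # expired or rejected: start a new session
                    continue
                raise
```

On an instance, `ImdsV2Client().get("meta-data/ami-id")` performs the same two requests as the `curl` commands above, and later calls reuse the cached token.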

## Transition to using Instance Metadata Service Version 2
<a name="instance-metadata-transition-to-version-2"></a>

Use of Instance Metadata Service Version 2 (IMDSv2) is optional. Instance Metadata Service Version 1 (IMDSv1) will continue to be supported indefinitely. If you choose to migrate to using IMDSv2, we recommend that you use the following tools and transition path. 

**Tools for helping with the transition to IMDSv2**

If your software uses IMDSv1, use the following tools to help reconfigure your software to use IMDSv2.
+ **AWS software:** The latest versions of the AWS SDKs and the AWS CLI support IMDSv2. To use IMDSv2, make sure that your instances have the latest versions of the AWS SDKs and the AWS CLI. For information about updating the AWS CLI, see [Installing, updating, and uninstalling the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) in the *AWS Command Line Interface User Guide*. All Amazon Linux 2 software packages support IMDSv2.
+ **Instance metric**: IMDSv2 uses token-backed sessions, while IMDSv1 does not. The `MetadataNoToken` instance metric tracks the number of calls to the instance metadata service that are using IMDSv1. By tracking this metric to zero, you can determine if and when all of your software has been upgraded to use IMDSv2. For more information, see [Viewing instance metrics in Amazon Lightsail](amazon-lightsail-viewing-instance-health-metrics.md).
+ **Updates to Lightsail API operations and AWS CLI commands**: For existing instances, you can use the [update-instance-metadata-options](https://docs.aws.amazon.com/cli/latest/reference/lightsail/update-instance-metadata-options.html) AWS CLI command (or the [UpdateInstanceMetadataOptions](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_UpdateInstanceMetadataOptions.html) API operation) to require the use of IMDSv2. The following command is an example. Make sure you replace *InstanceName* with the name of your instance, and *RegionName* with the AWS Region your instance is in.

  ```
  aws lightsail update-instance-metadata-options --region RegionName --instance-name InstanceName --http-tokens required
  ```

**Recommended path to requiring IMDSv2 access**

Using the preceding tools, we recommend that you follow this path for transitioning to IMDSv2:

### Step 1: At the start
<a name="path-step-1"></a>

Update the AWS SDKs, the AWS CLI, and your software that uses role credentials on your instances to IMDSv2-compatible versions. For information about updating the AWS CLI, see [Upgrading to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-linux.html#install-linux-awscli-upgrade) in the *AWS Command Line Interface User Guide*.

Then, change your software that directly accesses instance metadata (in other words, software that does not use an AWS SDK) to use IMDSv2 requests.

### Step 2: During the transition
<a name="path-step-2"></a>

Track your transition progress by using the instance metric `MetadataNoToken`. This metric shows the number of calls to the instance metadata service that are using IMDSv1 on your instances. For more information, see [View instance metrics](amazon-lightsail-viewing-instance-health-metrics.md).

### Step 3: When everything is ready on all instances
<a name="path-step-3"></a>

Everything is ready on all instances when the instance metric `MetadataNoToken` records zero IMDSv1 usage. At this stage, you can require IMDSv2 use through the [update-instance-metadata-options](https://docs.aws.amazon.com/cli/latest/reference/lightsail/update-instance-metadata-options.html) command. You can make these changes on running instances; you do not need to restart your instances. 

Updating instance metadata options for existing instances is available only through the Lightsail API or the AWS CLI. It is currently not available in the Lightsail console. For more information, see [update-instance-metadata-options](https://docs.aws.amazon.com/cli/latest/reference/lightsail/update-instance-metadata-options.html).
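One way to apply the Step 2 and Step 3 check before requiring IMDSv2, as an added example rather than AWS tooling: it reads `MetadataNoToken` datapoints shaped like the output of `aws lightsail get-instance-metric-data` with the `Sum` statistic, and emits the `--http-tokens required` command only for instances that recorded no IMDSv1 calls. The instance names, Region, values and function names are constructed, and treating an empty result as unknown is this example's assumption.

```python
"""Added example: gate IMDSv2 enforcement on MetadataNoToken data."""
import shlex

# Constructed responses, one per instance, shaped like the JSON printed by
# `aws lightsail get-instance-metric-data --metric-name MetadataNoToken
#  --statistics Sum --unit Count ...`. Names and values are made up.
SAMPLE_RESPONSES = {
    "web-1": {"metricName": "MetadataNoToken", "metricData": [
        {"sum": 0.0, "timestamp": "2024-05-01T00:00:00+00:00", "unit": "Count"},
        {"sum": 0.0, "timestamp": "2024-05-02T00:00:00+00:00", "unit": "Count"}]},
    "legacy-app": {"metricName": "MetadataNoToken", "metricData": [
        {"sum": 0.0, "timestamp": "2024-05-01T00:00:00+00:00", "unit": "Count"},
        {"sum": 14.0, "timestamp": "2024-05-02T00:00:00+00:00", "unit": "Count"}]},
    "new-box": {"metricName": "MetadataNoToken", "metricData": []},
}


def imdsv1_status(response):
    """Classify one instance as 'ready', 'blocked' or 'unknown'.

    Returns (status, offenders); offenders lists (timestamp, sum) for every
    period that recorded calls made without a token (IMDSv1).
    """
    if response.get("metricName") != "MetadataNoToken":
        raise ValueError("not MetadataNoToken data")
    points = response.get("metricData") or []
    if not points:
        # Assumption of this example: no datapoints is "no evidence", not zero.
        return "unknown", []
    if any("sum" not in p for p in points):
        raise ValueError("datapoint lacks 'sum'; request the Sum statistic")
    offenders = sorted((p["timestamp"], p["sum"]) for p in points if p["sum"] > 0)
    return ("blocked" if offenders else "ready"), offenders


def enforcement_plan(responses, region):
    """Return {instance: command} for instances with zero IMDSv1 use in the window."""
    plan = {}
    for name, response in sorted(responses.items()):
        status, _ = imdsv1_status(response)
        if status == "ready":
            plan[name] = (
                "aws lightsail update-instance-metadata-options "
                f"--region {shlex.quote(region)} "
                f"--instance-name {shlex.quote(name)} --http-tokens required"
            )
    return plan


if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        print(name, *imdsv1_status(resp))
    print(enforcement_plan(SAMPLE_RESPONSES, "us-east-1"))
```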

## Additional IMDS documentation
<a name="amazon-lightsail-configuring-instance-metadata-service-imds-documentation"></a>

The following IMDS documentation is available in the *Amazon Elastic Compute Cloud User Guide for Linux Instances* and the *Amazon Elastic Compute Cloud User Guide for Windows Instances*:

**Note**  
In Amazon EC2, instance blueprints are referred to as Amazon Machine Images (AMIs).
+ For Linux instances:
  + [Configure the instance metadata options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html)
  + [Retrieve instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html)
  + [Work with instance user data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html)
  + [Retrieve dynamic data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-dynamic-data-retrieval.html)
  + [Instance metadata categories](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html)
  + [Example: AMI launch index value](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMI-launch-index-examples.html)
  + [Instance identity documents](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html)
+ For Windows instances:
  + [Configure the instance metadata options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html)
  + [Retrieve instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html)
  + [Work with instance user data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html)
  + [Retrieve dynamic data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-dynamic-data-retrieval.html)
  + [Instance metadata categories](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html)
  + [Example: AMI launch index value](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMI-launch-index-examples.html)
  + [Instance identity documents](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html)