Getting Started with AWS
Hosting a .NET Web App

Step 2: Create an Application Server

You can use Amazon EC2 to create a virtual server to run your web app. These virtual servers are called EC2 instances. Typically, you start from a base image called an Amazon Machine Image (AMI).

To create a virtual server using Amazon EC2, complete the following tasks.

Create a Security Group for Your Amazon EC2 Instance

A security group acts as a firewall that controls the traffic allowed to reach one or more EC2 instances. When you launch an instance, you can assign it one or more security groups. You add rules to each security group that control the traffic allowed to reach the instances to which the security group is assigned. Note that you can modify the rules for a security group at any time; the new rules take effect immediately.

For this tutorial, we'll create a security group and add the following rules:

  • Allow inbound HTTP access from anywhere

  • Allow inbound RDP traffic from your computer's public IP address so that you can connect to your instance

To create and configure your security group

  1. Decide who requires access to your instance; for example, a single computer or all the computers on a network that you trust. For this tutorial, you can use the public IP address of your computer, which you can get using a service. For example, AWS provides the following service: To locate another service that provides your IP address, use the search phrase "what is my IP address".

    If you are connecting through an ISP or from behind your firewall without a static IP address, you need to find out the range of IP addresses used by client computers. If you don't know this address range, you can use for this tutorial. However, this is unsafe for production environments because it allows everyone to access your instance using RDP.

  2. Open the Amazon EC2 console at


    Be sure that you are using the Amazon EC2 console. If you're using the Amazon VPC console instead of the Amazon EC2 console, these directions will not match what you see.

  3. In the navigation bar, verify that US West (Oregon) is the selected region.

  4. In the navigation pane, click Security Groups, and then click Create Security Group.

  5. Enter WebServerSG as the name of the security group, and provide a description.

  6. Select your VPC from the list.

  7. On the Inbound tab, add the rules as follows:

    1. Click Add Rule, and then select RDP from the Type list. Under Source, select Custom IP and enter the public IP address range that you decided on in step 1 in the text box.

    2. Click Add Rule, and then select HTTP from the Type list.

  8. Click Create.

For more information, see Security Groups in the Amazon EC2 User Guide for Windows Instances.

Create an IAM Role

All requests to AWS must be cryptographically signed using credentials issued by AWS. Therefore, you need a strategy for managing credentials for software that runs on an EC2 instance. You must distribute, store, and rotate these credentials in a way that keeps them secure but also accessible to the software.

We designed IAM roles so that you can effectively manage AWS credentials for software running on your instances. You create an IAM role and configure it with the permissions that the software requires. For more information about the benefits of this approach, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide for Windows Instances and Roles (Delegation and Federation) in IAM User Guide.

The following procedure creates an IAM role that grants the web app full access to AWS. In production, you can restrict the services and resources that a web app can access.

To create an IAM role with full access to AWS

  1. Open the Identity and Access Management (IAM) console at

  2. In the navigation pane, click Roles, and then click Create New Role.

  3. On the Set Role Name page, enter a name for the role, and then click Next Step. Remember this name, as you'll need it when you launch your instance.

  4. On the Select Role Type page, under AWS Service Roles, select Amazon EC2.

  5. On the Attach Policy page, select the PowerUserAccess policy, and then click Next Step.

  6. Review the role information and then click Create Role.

Launch Your EC2 Instance

Now that you've created your key pair, security group, and IAM role, you're ready to launch your instance.


If you created your AWS account less than 12 months ago, and have not already exceeded the free tier benefits for Amazon EC2 and Amazon EBS, this instance will not cost you anything, because we help you select options that are within the free tier benefits. Otherwise, you'll incur the standard Amazon EC2 usage fees for this instance from the time that you launch it until you terminate it, even if it remains idle. The total charges are minimal if you complete the tutorial without interruption and terminate your instance when you are finished. For more information, see Amazon EC2 Pricing.

To launch an EC2 instance

  1. Open the Amazon EC2 console at

  2. In the navigation bar, verify that US West (Oregon) is the selected region.

  3. In the navigation pane, click Instances, and then click Launch Instance.

  4. On the Choose an Amazon Machine Image page, click Free tier only and then select a Windows AMI. Note that the directions in this tutorial assume that you're running Windows Server 2012 R2.

  5. On the Choose an Instance Type page, the t2.micro instance is selected by default. To stay within the free tier, keep this instance type. Click Next: Configure Instance Details.

  6. On the Configure Instance Details page, do the following:

    1. T2 instances must be launched into a subnet. Select your VPC from Network and select one of your public subnets from Subnet.

    2. Ensure that for Auto-assign Public IP, Enable is selected in the list. Otherwise, your instance will not get a public IP address or a public DNS name.

    3. Select your IAM role from IAM role. Note that you must select an IAM role when you launch an instance; you can't add a role to a running instance.

    4. Click Review and Launch. If you are prompted to specify the type of root volume, make your selection and then click Next.

  7. On the Review Instance Launch page, click Edit security groups. On the Configure Security Group page, click Select an existing security group, select the WebServerSG security group that you created, and then click Review and Launch.

  8. On the Review Instance Launch page, click Launch.

  9. In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair, then select the key pair you created in Setting Up to Host a Web App on AWS. Click the acknowledgment check box, and then click Launch Instances.

  10. In the navigation pane, click Instances to see the status of your instance. Initially, the status of your instance is pending. After the status changes to running, your instance is ready for use.