From Zero to Live: A Step-by-Step AWS EC2 Production Deployment Guide

Spinning up an EC2 instance is easy, turning it into a stable, secure, auto-recovering home for your service is where the craft lives. This hands-on guide walks you through a practical AWS EC2 production deployment from first click to HTTPS, logging, and auto-scaling. I’ll assume a typical web API (e.g., a Spring Boot JAR, Node.js app, or similar). Commands use Amazon Linux 2023, adapt dnf to apt/yum if you prefer another distro.

What We’ll Build:

• • 1× EC2 instance behind an Application Load Balancer (ALB)
• • Systemd service for your app (auto-start, auto-restart)
• • Nginx as a reverse proxy (optional if your app handles HTTP well)
• • HTTPS via ACM on the ALB (no Certbot on box, simpler ops)
• • Logs + metrics to Cloud Watch
• • Auto-scaling Group (ASG) using a Launch Template for zero-downtime replacements

This architecture underpins a stable, compliant AWS EC2 production deployment that’s simple to manage and scale.

Prerequisites:

• • An AWS account with permissions to create EC2, IAM, VPC, ALB, and CloudWatch resources
• • A domain (optional but recommended) managed in Route 53 (or any DNS provider)
• • Your application artifact (e.g., myapp.jar) or a container image

Step 1: Network and security foundations

VPC:
Use the default VPC to keep things simple, or create one with public subnets in at least two AZs for high availability.

Security Group (SG):
Create an SG named sg-myapp:
Inbound:

• • 22/tcp from your IP (for SSH)
• • 80/tcp from ALB SG (later) or 0.0.0.0/0 temporarily
• • 8080/tcp (app port) from the instance itself or ALB SG only (not public)

Outbound: All (default).

Key pair:
Create an SSH key pair (.pem). Store it safely with correct permissions (chmod 400).

Tip: Don’t expose your app port publicly in production. Let the ALB talk to it privately, this is foundational for secure AWS EC2 production deployment.

Step 2: IAM Role for the Instance

Create an IAM role with CloudWatchAgentServerPolicy (for logs/metrics) and optional access to S3 or Secrets Manager. Attach this role to the instance (or to the Launch Template).

Step 3: Launch the EC2 Instance

• • AMI: Amazon Linux 2023
• • Instance type: t3.small or t4g.small
• • Storage: 20 GB gp3
• • Security Group: sg-myapp
• • IAM Role: your created role

Connect via SSH:

ssh -i /path/to/key.pem ec2-user@EC2_PUBLIC_DNS

Update OS:

sudo dnf update -y

Step 4: Install Runtime & Basic Hardening

Install runtime dependencies for your AWS EC2 production deployment:

1. Runtime

sudo dnf install -y java-21-amazon-corretto

java -version

2. Dedicated User & Directory

sudo useradd --system --create-home --shell /sbin/nologin myapp

sudo mkdir -p /opt/myapp

sudo chown -R myapp:myapp /opt/myapp

3. Firewall

Use security groups primarily; restrict SSH and app ports.

Step 5: Put Your App on the Box

Copy your artifact and create an environment file:

scp -i /path/to/key.pem myapp.jar ec2-user@EC2_PUBLIC_DNS:/tmp/

sudo mv /tmp/myapp.jar /opt/myapp/

sudo chown myapp:myapp /opt/myapp/myapp.jar

Environment:

sudo tee /etc/myapp.env >/dev/null << 'EOF'

SERVER_PORT=8080

SPRING_PROFILES_ACTIVE=prod

APP_DB_URL=jdbc:postgresql://db:5432/app

APP_DB_USER=appuser

APP_DB_PASS=change-me

EOF

Use AWS Secrets Manager or SSM for sensitive credentials.

Step 6: Run the App as a systemd Service

Create a unit file for consistent AWS EC2 production deployment management:

sudo tee /etc/systemd/system/myapp.service >/dev/null << 'EOF'

[Unit]

Description=MyApp Service

After=network.target

[Service]

User=myapp

Group=myapp

EnvironmentFile=/etc/myapp.env

WorkingDirectory=/opt/myapp

ExecStart=/usr/bin/java -jar /opt/myapp/myapp.jar

Restart=always

RestartSec=5

SuccessExitStatus=143

[Install]

WantedBy=multi-user.target

EOF

Enable and start:

sudo systemctl enable myapp

sudo systemctl start myapp

Step 7: Nginx Reverse Proxy (Optional)

If your app doesn’t handle static content or gzip efficiently, install Nginx as a front proxy. This adds performance benefits to your AWS EC2 production deployment.

Step 8: Application Load Balancer (HTTPS with ACM)

Use TLS termination on the ALBsimpler, more secure, and essential for production-grade infrastructure.

Steps:

• • Request certificate in ACM
• • Create target group (HTTP:80 or 8080)
• • Create ALB and attach listener rules
• • Configure DNS with Route 53

This structure defines an industry-standard AWS EC2 production deployment pattern: ALB handles HTTPS, instances stay private.

Step 9: Logging & Metrics with CloudWatch Agent

Install and configure the agent to send metrics and logs to CloudWatchcritical for observability in any AWS EC2 production deployment.

Step 10: Make it Resilient (Autoscaling)

Define immutable infrastructure:

• • Launch Template
• • Auto Scaling Group (ASG)
• • Rolling updates for zero downtime

Scaling policies maintain efficiency and cost control.

Step 11: Blue/Green Deployments

Use versioned artifacts or dual target groups (blue/green). Both patterns ensure quick rollback and zero downtimebest practices for a robust AWS EC2 production deployment.

Step 12: Backups & Recovery

• • Use AMI Lifecycle Manager
• • Keep state in RDS/S3
• • Snapshot EBS if necessary

Step 13: Cost and Housekeeping

Use Graviton (t4g.*) for 20–40% savings.
Set CloudWatch alarms for metrics and automate non-prod instance shutdowns.

Troubleshooting Checklist

• • Health check failing? Validate /health endpoint.
• • 502/504? Adjust ALB timeouts or Nginx settings.
• • TLS issues? Verify ACM certificate and DNS alias.

Each of these ensures your AWS EC2 production deployment stays healthy and reliable.

Containerized Variant

If running containers, use ECS/Fargate for managed orchestration. The deployment flow (ALB → Target Group → Service) remains identical to a standard AWS EC2 production deployment.