Running Unifi controller on Amazon Lightsail

How to install, configure and run Unifi Network controller on Amazon Lightsail

Marin Frankovic
Amazon Employee
Published Apr 24, 2024
Last Modified Apr 25, 2024
Before going deeper into the topic: this article is based on my personal experience with the Unifi Network controller software and the Amazon Lightsail service.
The logical question is, "Why would you run your controller in the cloud?" ;) Well, I used to run it in a Docker container on my Synology NAS, but that was when I had only one site to manage.
So, the main reasons I run it on Amazon Lightsail now are:
  • I am managing more than 10 sites that are in different locations
  • I do not need to open incoming ports on my home network
  • Controller load is not impeding my NAS performance
  • Controller is always available regardless of my Internet connection
  • I have a Linux machine in the cloud that can be used for other stuff :)
  • Predictable cost and ease of use and management
I will cover Lightsail instance setup, how to connect to the instance, updating the instance, Unifi Network controller installation, instance firewall configuration, how to adopt Unifi devices to the controller, how to add a certificate to secure traffic, and a few best practices learned.

Preparing Amazon Lightsail

I chose the Ubuntu 22 LTS Linux distribution as I am most familiar with it.
  1. Go to https://lightsail.aws.amazon.com/ls/webapp/home/instances and log in to your AWS account
  2. Choose the option to create a new instance
    • Select OS only
    • Select Ubuntu
    • Use an existing or create a new SSH key pair (make sure to download the keys for use with a locally installed SSH client)
    • Enable automatic Snapshots (optional)
    • Select dual stack networking
    • Select size (at the time I was doing this I selected 1 CPU, 1 GB RAM, but now I would go for 2 CPU, 2 GB RAM)
    • Name your instance
  3. Hit Create Instance

Connecting to your instance

To connect to your instance you have two options. You can connect either via the browser-based SSH client or via a client installed on your computer. As I am on Windows, I use PuTTY, but any SSH client will do.
Connect to your instance
More information on how to connect using your own SSH client can be found in the documentation.
One thing that you should definitely do is assign a static IP to your instance. To do that, click on your instance and go to the Networking tab.
Amazon Lightsail instance Networking Tab
Note the upcoming pricing changes for IPv4 addresses. You can remove the IPv4 address, but at this point not all Unifi services and devices make use of IPv6.

Upgrading Ubuntu packages

Once you have successfully logged in to your instance, update all packages and the distribution.
sudo apt update
sudo apt upgrade -y
The -y parameter makes the upgrade command skip the confirmation prompt for every package.
Sometimes, after running the upgrade command, not all packages are updated. In that case I re-run the upgrade command with all of those packages named in the command.
sudo apt upgrade package1 package2 packagex -y
Reboot your instance after installing all updates.
sudo reboot
In my case, all updates are installed and I am ready to install Unifi controller.
Update your Ubuntu instance

Installing Unifi Network controller

You can install the Unifi controller in several different ways. I found it easiest to run a prepared installation script that installs everything for you, including the required packages, the database setup and the application itself. Method 1 is manual installation; Method 2 is script-based installation, which is what I used.
Method 1
  1. Install required packages
sudo apt-get update && sudo apt-get install ca-certificates apt-transport-https
  2. Add new source list to trusted sources
echo 'deb [ arch=amd64,arm64 ] https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
  3. Add GPG keys
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50
  4. Install MongoDB
wget -qO - https://www.mongodb.org/static/pgp/server-3.6.asc | sudo apt-key add -
echo "deb [trusted=yes] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/3.6 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list
sudo apt-get update
Sometimes this step is not needed. If your Linux distribution lacks MongoDB or the repo does not have it, you can refer to this MongoDB installation guide. Note that the [trusted=yes] option in the source line above tells apt to treat the repository as authenticated even when its signature cannot be checked.
  5. Install Unifi network controller
sudo apt-get update && sudo apt-get install unifi -y
Method 2
  1. Install ca-certificates package
sudo apt-get update; sudo apt-get install ca-certificates wget -y
  2. Download installation script
wget https://get.glennr.nl/unifi/install/unifi-8.1.127.sh
In this case I am downloading the latest (as of writing this post) version of the Unifi Network controller installation script. Other versions can be found on the Unifi community page.
  3. Once you have downloaded the script, you can run it
bash unifi-8.1.127.sh
If you want to install the latest Unifi Network Controller with all requirements in one line, you can use
rm unifi-latest.sh &> /dev/null; wget https://get.glennr.nl/unifi/install/install_latest/unifi-latest.sh && bash unifi-latest.sh
For both methods, if everything went as planned and there were no errors, you should be able to access your newly installed Unifi Network Controller via a browser by entering https://ip.of.your.server:8443.
If you receive an error, please continue reading. ;)
Update existing Unifi Controller
If you have an existing Unifi Controller installation, version 5.0x or above, you can update it by running these few simple commands.
  1. Install ca-certificates package (if not already available)
sudo apt-get update; sudo apt-get install ca-certificates wget -y
  2. Download update script
wget https://get.glennr.nl/unifi/update/unifi-update.sh
  3. Run the script
bash unifi-update.sh
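Each of the scripts above is fetched from a third-party site and then run on the instance. The following added example (not part of the original post or of the installer project) shows one way to gate that step: read the script once, record its SHA-256, and only execute a file that still matches. The function names and the stand-in script are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: run a downloaded installer only if it matches a SHA-256
# recorded after review. Function names are hypothetical.

# verify_script FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
verify_script() {
    vs_file="$1"
    vs_expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"   # accept upper-case digests
    [ -r "$vs_file" ] || { echo "cannot read $vs_file" >&2; return 2; }
    vs_actual="$(sha256sum "$vs_file" | awk '{print $1}')"
    if [ "$vs_actual" = "$vs_expected" ]; then
        return 0
    fi
    echo "hash mismatch for $vs_file: got $vs_actual" >&2
    return 1
}

# run_pinned FILE EXPECTED_SHA256 [ARGS...]
# Hands FILE to bash only after verify_script succeeds.
run_pinned() {
    rp_file="$1"; rp_expected="$2"
    shift 2
    verify_script "$rp_file" "$rp_expected" || return $?
    bash "$rp_file" "$@"
}

# --- Demonstration on a constructed stand-in, not the real installer ---
demo="$(mktemp)"
printf '%s\n' '#!/bin/bash' 'echo "stand-in installer ran"' > "$demo"
# In practice this value is written down after reading the script.
pinned="$(sha256sum "$demo" | awk '{print $1}')"

run_pinned "$demo" "$pinned"                    # runs: hash matches
echo '# line added after review' >> "$demo"     # simulate a changed download
run_pinned "$demo" "$pinned" || echo "refused: script changed since review"
rm -f "$demo"
```

For the real scripts, the pinned value would be the digest of the exact file you reviewed, and a versioned download such as unifi-8.1.127.sh is easier to pin than unifi-latest.sh, which changes with every release.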

Configure instance firewall settings

The Unifi Network Controller needs some ports to be open so that devices can connect to it and be adopted and managed. To open the required ports, go to the Networking tab of your instance. I have opened the following ports for IPv4 and IPv6.
Firewall ports for Unifi Network Controller
For more information on Unifi Network Controller ports, please check out this reference documentation.

Adopting devices

Since the network controller is not running in your local network, I used the Layer 3 adoption option.
  1. Make sure the device is in factory default state.
  2. Connect the device to the same network as your laptop
  3. Type in the following command
set-inform http://ip-of-host:8080/inform
Before doing this, I created A and AAAA records in my DNS zone that point to the IPv4 and IPv6 addresses of the Amazon instance. In the command, I used the DNS name instead of the IP address of the instance.
I also recommend executing the above command twice, as sometimes it does not work the first time.

Add certificates to Unifi Network Controller

This step is optional, but it will make your connection to the Unifi Network controller more secure. You can opt for free Let's Encrypt certificates or for commercial certificates. In my case, I went with a commercial certificate as I already have a wildcard certificate for my custom domain name.
Let's Encrypt certificate
Make sure you have an A record with your domain name pointing to the IP address of the Lightsail instance.
Port 80 must be open for the challenge.
  1. Download the script
wget https://get.glennr.nl/unifi/extra/unifi-easy-encrypt.sh
  2. Execute the script
bash unifi-easy-encrypt.sh
Example of a one-liner with required parameters:
bash unifi-easy-encrypt.sh --skip --fqdn yourdomain.com:www.yourdomain.com --email name@yourdomain.com
More info can be found here.
Commercial certificate
  1. Obtain the certificate from your provider
  2. Download your .cer file and the root and any intermediate .cer files
  3. Transfer all files to the location on your Ubuntu VM where your .key file is
  4. Run the following command to bundle the root and intermediate certificates
cat your_domain_name.crt DigiCertCA.crt intermediateCA >> bundle.crt
  5. Run the following commands to import the certificates and restart the Unifi service
openssl pkcs12 -export -in yourwildcardcert.crt -inkey yourcertkeyfile.key -certfile bundle.crt -out unifi.p12 -name unifi -password pass:aircontrolenterprise
sudo keytool -importkeystore -srckeystore unifi.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise
sudo service unifi restart
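Before running the import, it is worth confirming that the private key belongs to the certificate and that the certificate is not about to expire, rather than finding out after the service restart. The following check is an added example, not part of the original post; the function name, file names and the self-signed test certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before building unifi.p12.
# Function name and file names are hypothetical.

# preflight_cert CERT KEY [MIN_SECONDS_VALID]
# Returns 0 if KEY belongs to CERT and CERT stays valid for MIN_SECONDS_VALID
# (default 7 days); 1 on key mismatch; 2 if a file cannot be parsed;
# 3 if the certificate expires within the window.
preflight_cert() {
    pc_cert="$1"; pc_key="$2"; pc_min="${3:-604800}"
    # Extract the public key from each file; a parse failure must not
    # be mistaken for "both empty, therefore equal".
    pc_cert_pub="$(openssl x509 -in "$pc_cert" -noout -pubkey 2>/dev/null)" || return 2
    pc_key_pub="$(openssl pkey -in "$pc_key" -pubout 2>/dev/null)" || return 2
    [ -n "$pc_cert_pub" ] || return 2
    [ "$pc_cert_pub" = "$pc_key_pub" ] || return 1
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$pc_cert" -noout -checkend "$pc_min" >/dev/null 2>&1 || return 3
    return 0
}

# --- Demonstration with constructed throwaway keys and a self-signed cert ---
work="$(mktemp -d)"
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=unifi.example.test" \
    -keyout "$work/site.key" -out "$work/site.crt" 2>/dev/null
openssl genrsa -out "$work/other.key" 2048 2>/dev/null

preflight_cert "$work/site.crt" "$work/site.key" && echo "ok: key matches, not expiring"
preflight_cert "$work/site.crt" "$work/other.key" || echo "stop: rc=$? (1 = wrong key)"
preflight_cert "$work/site.crt" "$work/site.key" 5184000 \
    || echo "stop: rc=$? (3 = expires within 60 days)"
rm -rf "$work"
```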

Final recommendations

Turn on the Amazon Lightsail automatic snapshots feature on your Ubuntu instance. This saved me more than once! ;)
Automatic snapshots
Enable and configure Unifi Network controller backups. Make sure to download them from time to time.
Unifi Controller backup


Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.