"Deploying an Angular + .NET + MSSQL Application on AWS (RDS + EC2 + Nginx + SSL)"

This guide walks through deploying a full-stack application using:
- Angular (Frontend)
- .NET API (Backend)
- MSSQL on AWS RDS (Database)
- EC2 + Nginx + Certbot (Hosting & SSL)
This is the industry-standard cloud deployment pattern for this stack.
1️⃣ Database Setup — Create or Restore MSSQL on RDS
You can either create a new MSSQL database or restore from an existing production snapshot.
Both approaches are included below.
🔹 Option A — Create a New MSSQL Database (Standard)
Go to AWS Console → RDS → Create Database
Choose:
Engine: Microsoft SQL Server
Templates: Free Tier / Dev / Production depending on usage
Configure settings:
DB Instance Identifier: myapp-db
Master Username and Password
Choose instance class:
- e.g. db.t3.medium (common for apps)
Select VPC:
- test-secure-vpc
Select subnet group:
- Auto-selected based on VPC
Public access:
- NO (industry standard)
Encryption:
- Choose the default AWS KMS key unless custom required
Storage:
- GP3 is standard
Network & Security:
- Assign or create an RDS security group
Click Create Database.
🔹 Option B — Restore from Snapshot (Staging / Testing)
Navigate to RDS → Backups / Snapshots
Select the appropriate automated backup or manual snapshot
Click Restore Snapshot
Fill out required fields:
| Setting | Description |
| DB Identifier | e.g. myapp-test-db |
| Description | Purpose of restored DB |
| DB Instance Class | e.g. db.t3.medium |
| VPC | Select test-secure-vpc |
| Subnets | Auto-selected |
| Storage | Same as source or adjust |
| Encryption Key | Choose same KMS key (recommended) |
| Public Access | NO (default) |
Click Restore.
🔹 Required Security Configuration (Industry Standard)
✔ Secure way:
Allow the EC2 Security Group inside the RDS inbound rules.
Open RDS Security Group
Go to Inbound Rules → Edit
Add:
| Type | Port | Source |
| MSSQL | 1433 | EC2 Security Group |
This ensures:
Only your backend EC2 can access the database
No IP exposure
No CIDR risk
Fully secure VPC-internal communication
2️⃣ Security Group Configuration (Critical for Secure Communication)
🔹 Step 4: Configure RDS Security Group (Industry Standard)
This is important:
➡ Do NOT whitelist EC2 IPs or CIDR ranges manually
IP addresses change, so IP-based rules go stale and become insecure.
✔ Industry Standard: Allow only EC2 Security Group in RDS inbound
Open the RDS Security Group
Go to Inbound Rules → Edit → Add Rule
Add rule:
| Type | Port | Source |
| MSSQL | 1433 | EC2 Security Group |
This ensures:
Only the EC2 instance can access RDS
No external access
Fully secure private VPC communication
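One way to verify the SG-to-SG rule described in the two sections above, as an added example that is not part of the original guide: it checks security-group data in the shape returned by `aws ec2 describe-security-groups` and reports any source other than the EC2 security group that can reach port 1433. The group ids and sample rules are constructed placeholders, and prefix-list sources are not checked.

```python
"""Audit an RDS security group: TCP 1433 may be reachable only from the EC2 group."""

MSSQL_PORT = 1433
EC2_SG = "sg-EC2-PLACEHOLDER"  # placeholder id for the backend's security group

# Constructed samples in the shape of `aws ec2 describe-security-groups` output.
GOOD = {"GroupId": "sg-RDS-GOOD", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433, "IpRanges": [],
     "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": EC2_SG}]}]}
BAD = {"GroupId": "sg-RDS-BAD", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": EC2_SG}]},
    # "All traffic" rule: no port range, but it still exposes 1433.
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []},
    # Unrelated port: must not be reported.
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": []}]}


def covers_port(perm, port):
    """True if an ingress permission applies to TCP `port`."""
    if perm["IpProtocol"] == "-1":  # all protocols, all ports
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def audit_rds_ingress(group, allowed_sg, port=MSSQL_PORT):
    """Return every source that can reach `port` other than `allowed_sg`."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm, port):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        findings += [f"CIDR {c}" for c in cidrs]
        findings += [f"group {p['GroupId']}"
                     for p in perm.get("UserIdGroupPairs", [])
                     if p["GroupId"] != allowed_sg]
    return findings


if __name__ == "__main__":
    for sg in (GOOD, BAD):
        print(sg["GroupId"], audit_rds_ingress(sg, EC2_SG) or "OK")
```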
3️⃣ Launch EC2 Instance (Same VPC)
To ensure secure private communication, EC2 must be inside the same VPC (test-secure-vpc).
🔹 Step 1: Launch EC2
OS: Ubuntu 22.04 LTS
Instance type: t3.medium (typical)
VPC: test-secure-vpc
Subnet: Choose private or public depending on architecture
🔹 Step 2: Create EC2 Security Group
Add these inbound rules:
| Port | Purpose |
| 22 | SSH access |
| 80 | HTTP |
| 443 | HTTPS |
Outbound: Allow all (default)
🔹 Step 3: Connect via SSH
ssh -i yourkey.pem ubuntu@EC2_PUBLIC_IP
4️⃣ Deploy Backend (.NET API)
Navigate to your backend project:
cd backend
4.1 Update CORS in Startup.cs
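// In ConfigureServices: register the CORS policy for the Angular origin.
services.AddCors(options =>
{
    options.AddPolicy("AllowAngular",
        builder => builder
            .WithOrigins("https://your-frontend-domain.com")
            .AllowAnyHeader()
            .AllowAnyMethod()
            .AllowCredentials());
});
// In Configure: apply the policy after UseRouting and before UseAuthorization.
app.UseCors("AllowAngular");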
4.2 Update RDS Connection String in appsettings.json
"ConnectionStrings": {
"DefaultConnection": "Server=YOUR-RDS-ENDPOINT;Database=DBNAME;User ID=DBUSER;Password=DBPASS;"
}
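A check for the connection string above, as an added example that is not part of the original guide: it flags a password kept in appsettings.json, a missing explicit Encrypt setting, and TrustServerCertificate=True. The rule set and the hardened sample are this example's assumptions; with the password out of the file, the full string would be supplied at deploy time, for example through the `ConnectionStrings__DefaultConnection` environment variable that ASP.NET Core configuration reads.

```python
"""Lint SQL Server connection strings found in an appsettings.json file."""
import json

# Constructed sample mirroring the appsettings.json fragment in this guide.
AS_WRITTEN = json.dumps({"ConnectionStrings": {"DefaultConnection":
    "Server=YOUR-RDS-ENDPOINT;Database=DBNAME;User ID=DBUSER;Password=DBPASS;"}})
# Constructed counterpart: no secret in the file, TLS requested and validated.
HARDENED = json.dumps({"ConnectionStrings": {"DefaultConnection":
    "Server=YOUR-RDS-ENDPOINT;Database=DBNAME;User ID=DBUSER;"
    "Encrypt=True;Trust Server Certificate=False;"}})


def parse_conn_string(value):
    """Split 'Key=Value;' pairs. Keys are case-insensitive and may contain
    spaces. Simplified: quoted values that contain ';' are not handled."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.replace(" ", "").lower()] = val.strip().lower()
    return pairs


def lint_appsettings(text):
    """Return (connection name, finding) tuples for one appsettings.json text."""
    findings = []
    for name, value in json.loads(text).get("ConnectionStrings", {}).items():
        kv = parse_conn_string(value)
        if "password" in kv or "pwd" in kv:
            findings.append((name, "password stored in the file"))
        if kv.get("encrypt") not in ("true", "yes", "mandatory", "strict"):
            findings.append((name, "Encrypt not enabled explicitly"))
        if kv.get("trustservercertificate") in ("true", "yes"):
            findings.append((name, "server certificate not validated"))
    return findings


if __name__ == "__main__":
    for label, text in (("as written", AS_WRITTEN), ("hardened", HARDENED)):
        print(label, lint_appsettings(text) or "OK")
```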
4.3 Build & Publish:
dotnet restore
dotnet run
Release publish:
dotnet publish -c Release -o out
5️⃣ Create a .NET Systemd Service (Linux)
Create the service file:
sudo nano /etc/systemd/system/myapp.service
Paste:
[Unit]
Description=MyApp .NET Backend Service
After=network.target
[Service]
WorkingDirectory=/home/ubuntu/backend/out
ExecStart=/usr/bin/dotnet /home/ubuntu/backend/out/myapp.dll
Restart=always
RestartSec=10
SyslogIdentifier=myapp-service
User=ubuntu
[Install]
WantedBy=multi-user.target
Enable & Start:
sudo systemctl daemon-reload
sudo systemctl enable myapp
sudo systemctl start myapp
sudo systemctl status myapp
Logs:
journalctl -f -u myapp
6️⃣ Deploy Angular Frontend
Navigate to frontend:
cd frontend
Install dependencies:
npm install
6.1 Update environment.prod.ts
export const environment = {
production: true,
apiUrl: 'https://your-backend-domain.com'
};
6.2 Build Angular App
npm run build
7️⃣ Configure Nginx for Angular + Backend Reverse Proxy
Copy build output:
sudo mkdir -p /var/www/html
sudo cp -r dist/your-app/* /var/www/html/
7.1 Install Nginx
sudo apt update
sudo apt install nginx -y
7.2 Configure Virtual Host
sudo nano /etc/nginx/sites-available/default
Paste:
server {
    listen 80;
    server_name your-frontend-domain.com;
    root /var/www/html;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html;
    }

    location /api/ {
        proxy_pass http://localhost:5000/; # change if your app runs on different port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
Reload:
sudo systemctl reload nginx
8️⃣ SSL Certificate with Certbot
Install:
sudo apt install certbot python3-certbot-nginx -y
Generate certificate:
sudo certbot --nginx -d your-frontend-domain.com
Certbot auto-configures HTTPS.
🎉 Deployment Successfully Completed!
You now have a professionally deployed stack:
✔ Secure MSSQL RDS DB restored with correct parameters
✔ Secure SG-to-SG communication (no IP exposure)
✔ EC2 backend running as systemd service
✔ Angular hosted on Nginx
✔ Backend routed via reverse proxy
✔ HTTPS SSL fully enabled