killbill · pierre · Jun 5, 2026 · Jun 4, 2026
diff --git a/userguide/aws/how-to-set-up-a-multi-tier-system.adoc b/userguide/aws/how-to-set-up-a-multi-tier-system.adoc
@@ -263,10 +263,20 @@ Your Inbound Rules should now look like this:
 
 image::../assets/aws/multitier-inbound-new.png[align=center]
 
-=== 5.4. Add user data script
+=== 5.4. Configure Network Settings
+
+Before launching the instance, configure the network settings:
+
+* Select the VPC where you want to deploy the EC2 instance.
+* Choose a *public subnet* within that VPC.
+* Ensure *Auto-assign public IP* is *enabled*.
+
+This allows the instance to receive a public IP address and be accessible from the internet. If Auto-assign public IP is disabled or a private subnet is selected, you may not be able to access the instance without additional networking configuration.
+
+=== 5.5. Add user data script
 Finally, scroll to the bottom and open the section labeled *Advanced Details*. You will see a long list of settings. At the very bottom of this list is a box headed *User data*. Paste the script created in Step 4 here.
 
-=== 5.5. Launch your Instances
+=== 5.6. Launch your Instances
 
 When the key pair is generated, click *Launch Instances*. You should see the screen below:
 
@@ -279,7 +289,7 @@ image::../assets/aws/multitier-instances.png[align=center]
 
 In a short time, the *Instance State* for each instance should indicate *Running*. You will need to scroll to the right to see all of the information available about your instances. In particular, make a note of the *Availability Zone* (such as `us-east-1a`) assigned to each instance. You will need this information later.
 
-=== 5.6. Login to an Instance
+=== 5.7. Login to an Instance
 
 Now that your instances are set up, you need to ensure that you can login to them for configuration and maintenance when needed. To login, use the secure shell command:
 

diff --git a/userguide/aws/how-to-set-up-a-single-tier-system.adoc b/userguide/aws/how-to-set-up-a-single-tier-system.adoc
@@ -24,11 +24,12 @@ The setup procedure includes nine steps:
 . <<step2, Subscribe to the Kill Bill AMI>>
 . <<step3, Set up EC2 Configuration>>
 . <<step4, Create a Key Pair>>
-. <<step5, Launch your Instance>>
-. <<step6, Set up Security Group>>
-. <<step7, Login to Your Instance>>
-. <<step8, Test Your Installation>>
-. <<step9, Add a Certificate>>
+. <<step5, Configure Network Settings>>
+. <<step6, Launch your Instance>>
+. <<step7, Set up Security Group>>
+. <<step8, Login to Your Instance>>
+. <<step9, Test Your Installation>>
+. <<step10, Add a Certificate>>
 
 
 [[step1]]
@@ -80,7 +81,18 @@ image::../assets/aws/single-tier-keypair.png[align=center]
 We will create a new key pair. Click *Create Key Pair* to display a pane to be used for the creation. Give the key pair a simple, easy to remember name such as `My-Key-Pair`. Do not change the other options on this pane. Then click *Download Key Pair*. *Important:* You *must* save the private key that will be generated in this step. If you lose this key, you will *not* be able to login to your instance. In addition, you must set the protection for this file so it is readable by the owner only.
 
 [[step5]]
-== Step 5: Launch Your Instance
+== Step 5: Configure Network Settings
+
+Before launching the instance, configure the network settings:
+
+* Select the VPC where you want to deploy the EC2 instance.
+* Choose a *public subnet* within that VPC.
+* Ensure *Auto-assign public IP* is *enabled*.
+
+This allows the instance to receive a public IP address and be accessible from the internet. If Auto-assign public IP is disabled or a private subnet is selected, you may not be able to access the instance without additional networking configuration.
+
+[[step6]]
+== Step 6: Launch Your Instance
 
 When the key pair is generated, click *Launch Instances*. You should see the screen below:
 
@@ -93,8 +105,8 @@ image::../assets/aws/single-ami-instances.png[align=center]
 
 In a short time, the *Instance State* for your instance should indicate *Running*. Select the checkbox to the left of your instance ID. An information pane should open below with details about your instance.
 
-[[step6]]
-== Step 6: Set up Security Group
+[[step7]]
+== Step 7: Set up Security Group
 
 
 You are almost set, but there is one more thing you should do, and that is to scroll down in the menu on the left side to select *Security Groups*. You should see a list of two or more groups. Select the group whose name begins with `Kill Bill on AWS`, then scroll to the bottom and select the tab for *Inbound Rules*. You should see:
@@ -107,8 +119,8 @@ image::../assets/aws/single-ami-inbound-new.png[align=center]
 
 Your Kill Bill installation is ready to go!
 
-[[step7]]
-== Step 7: Login to Your Instance
+[[step8]]
+== Step 8: Login to Your Instance
 
 You have setup access to port 22 in your security group. This will allow you to login directly to your instance from a terminal or command window. You may need to do this to perform some configuration and maintenance tasks that will be described below.
 
@@ -125,8 +137,8 @@ The first time you login, you will see a warning message asking if you want to a
 You will now be able to explore your instance and perform various configuration and maintenance tasks. To exit from your login, type `exit`.
 
 
-[[step8]]
-== Step 8: Test your Installation
+[[step9]]
+== Step 9: Test your Installation
 
 Congratulations! Your single-tier installation is ready to go!
 
@@ -138,12 +150,9 @@ In addition, you can visit the Kill Bill server using the URL `\https://INSTANCE
 
 If these logins do not work correctly, review your setup steps carefully, then proceed to the https://docs.killbill.io/latest/how-to-maintain-a-single-tier-system.html[Single-Tier Maintenance Guide].
 
-[[step9]]
-== Step 9: Add a Certificate
+[[step10]]
+== Step 10: Add a Certificate
 
 In order to make your site secure, you will need to add a valid X.509 SSL/TLS certificate. The easiest way to add this certificate is to make use of the tool `certbot`, which relies on the free Certificate Authority (CA) `Let’s Encrypt`. This method provides a simple way to obtain and install free certificates. For instructions on creating a certificate using `certbot`, see https://docs.killbill.io/latest/how-to-add-a-certificate-using-certbot.html[How to Add a Certificate Using Certbot]. Once your certificate is setup, you can login securely to Kaui using your CNAME as the URL (e.g., `\https://kaui.mydomain.com`).
 
 
-
-
-
diff --git a/userguide/aws/tutorial-single-tier.adoc b/userguide/aws/tutorial-single-tier.adoc
@@ -49,7 +49,17 @@ image::../assets/aws/single-tier-keypair.png[align=center]
 
 We will create a new key pair. Click *Create Key Pair* to display a pane to be used for the creation. Give the key pair a simple, easy to remember name such as `My-Key-Pair`. Do not change the other options on this pane. Then click *Download Key Pair*. *Important:* You *must* save the private key that will be generated in this step. If you lose this key, you will *not* be able to login to your instance. In addition, you must set the protection for this file so it is readable by the owner only.
 
-== Step 5: Launch Your Instance
+== Step 5: Configure Network Settings
+
+Before launching the instance, configure the network settings:
+
+* Select the VPC where you want to deploy the EC2 instance.
+* Choose a *public subnet* within that VPC.
+* Ensure *Auto-assign public IP* is *enabled*.
+
+This allows the instance to receive a public IP address and be accessible from the internet. If Auto-assign public IP is disabled or a private subnet is selected, you may not be able to access the instance without additional networking configuration.
+
+== Step 6: Launch Your Instance
 
 When the key pair is generated, click *Launch Instances*. You should see the screen below:
 
@@ -62,7 +72,7 @@ image::../assets/aws/single-ami-instances.png[align=center]
 
 In a short time, the *Instance State* for your instance should indicate *Running*. Select the checkbox to the left of your instance ID. An information pane should open below with details about your instance.
 
-== Step 6: Testing
+== Step 7: Testing
 
 You can now try to login to Kaui from your browser using the URL `\https://INSTANCE_IP:443`, where INSTANCE_IP is the IPV4 address for your instance, given on your dashboard as *Public IPV4 Address*. If all goes well, this should display the Kaui login screen. The browser may complain that your connection is not secure, but it should offer you a way to bypass the problem.