I setup a Pi-hole server on an AWS instance about a year ago. It was pretty straight forward and runs just great of the free tier. One of the advantages is that you can then use the Pi-hole server from multiple LANs if you want, or devices not on your LAN. After talking with some folks, I decided to put together a tutorial on how to do it, focused on people without AWS experience.
https://blog.sethmay.net/2020/05/how-to-setup-pi-hole-on-an-aws-instance/
May it meet your pi-hole needs.
Nice write up.
The only thing I stumbled across is the Security Group Configuration. If you set it up with TCP/UDP p53 IP/32 it allows DNS resolution only from one device (or WAN of the router). And you need a static public IP, or?
Very true. You would need to update your security group if you VPN changed. Interestingly, my non-static IP has stayed the same for as long as I've been running my Pi-hole (at least a year). You could widen the IP restriction, but it might need to be pretty wide to account for IP changes, and that opens you to potential abuse.
You could also setup vpn with the server (as t0m5k1 on reddit has suggested), but then it wouldn't work with your entire WAN.
Yes, that's a huge risk - it likely becomes an open resolver easily.
Did you write anything about VPN? I must have missed that....
I did not. My tutorial only covers the setup that I put in place. The reddit discussion is suggesting VPN but I have not played with going that route.
One other suggestion. Add instructions for opening it up so you can ping it to see the response time. For anyone not familiar, here they are.
Add a new EC2 security group inbound rule :