Setting Up Hyperledger Besu On Amazon Web Services Using IBFT2


This week, I learned how to use AWS in Blockchain. I am going to create a private blockchain using IBFT2 consensus algorithm. I will use VPC with private/public subnets and create eight EC2 instances of type t2.micro. Two instances will be used on the private subnet and the rest will be used on the public subnet.

My Agenda

  1. Setting VPC.
  2. Create a Security Group.
  3. Install bootnodes on the private subnet.
  4. Install nodes on the public subnet.
  5. Improvements.
  6. Resources.

Setting Up A VPC

VPC is used to deploy isolated instances for a private Blockchain.

A virtual private cloud (VPC)is an on-demand configurable pool of shared computing resources allocated within a public cloud environment, providing a certain level of isolation between the different organizations using the resources.

If you don’t know how to deploy VPC I recommend this AWS short tutorial.

Before creating instances, I need to initialize the communication between them. So, I will create a security group for my VPC.

Create Security Group

Security Group is a list of rules for communication between instances like port 22 accept my device IP address. If you don’t know how to make a security group check this link. For my case, I will use these rules

Note that IP is for the private subnet

I found the above ports on PEGASYS website. It’s all the ports you need for the besu network. Don’t forget to add port 22 for SSH. Now, I will create two instances to be a bootnodes on the private subnets.

Access Private Subnets

A private subnet is a subnet that doesn’t have a route to the internet gateway. So, it impossible to SSH its instances. To be able to run commands on your instances, you may use AWS Systems Manager Session Manager or AWS Systems Manager Run Command but in my opinion, the fastest and easiest way to SSh your instance is to access it from another instance on public subnet then, use ‘ncat’ to open port 22. The commands will be:

To open port 22 for a private IP:

ncat --sh-exec "ncat PRIVATE.SUBNET.IP 22" -l 2222 &

Then, you need to copy your keypair.pem file to the public instance and voilà, just run ssh command like you normally do on your local machine.

ssh -i "keyname.pem" ubuntu@

Now, I have accessed the instance and I can install the bootnode.

I will start by downloading and installing Hyperledger Besu. Then, I will configure the ibft2 as the consensus algorithm. The following commands are extracted from the official documentation and PEGASYS website. Note that, these commands are a standard for all nodes. You can find links that explain them at the end of the article.

sudo apt-get update && sudo apt-get install openjdk-11-jdk
sudo mkdir -p /opt/besu/
sudo chown -R $USER:$USER /opt/besu/
tar -C /opt/besu/ -xvf besu-1.3.6.tar.gz
cd /opt/besu/
touch ibftConfigFile.json

Open the ibftCongfigFile.json using nano command

nano ibftConfigFile.json

then write

"genesis": {
"config": {
"chainId": 2018,
"constantinoplefixblock": 0,
"ibft2": {
"blockperiodseconds": 2,
"epochlength": 30000,
"requesttimeoutseconds": 10
"nonce": "0x0",
"timestamp": "0x58ee40ba",
"gasLimit": "0x47b760",
"difficulty": "0x1",
"mixHash": "0x63746963616c2062797a616e74696e65206661756c7420746f6c6572616e6365",
"coinbase": "0x0000000000000000000000000000000000000000",
"alloc": {
"fe3b557e8fb62b89f4916b721be55ceb828dbd73": {
"privateKey": "8f2a55949038a9610f50fb23b5883af3b4ecb3c3bb792cbcefbd1542c692be63",
"comment": "private key and this comment are ignored. In a real chain, the private key should NOT be stored",
"balance": "0xad78ebc5ac6200000"
"627306090abaB3A6e1400e9345bC60c78a8BEf57": {
"privateKey": "c87509a1c067bbde78beb793e6fa76530b6382a4c0241e5e4a9ec0a0f44dc0d3",
"comment": "private key and this comment are ignored. In a real chain, the private key should NOT be stored",
"balance": "90000000000000000000000"
"f17f52151EbEF6C7334FAD080c5704D77216b732": {
"privateKey": "ae6ae8e5ccbfb04590405997ee2d52d2b330726137b875053c36d94e974d162f",
"comment": "private key and this comment are ignored. In a real chain, the private key should NOT be stored",
"balance": "90000000000000000000000"
"blockchain": {
"nodes": {
"generate": true,
"count": 4

Use besu command to generate keys for nodes

besu-1.3.6/bin/besu operator generate-blockchain-config --config-file=ibftConfigFile.json --to=networkFiles --private-key-file-name=key

Move the gensis.json file

mv networkFiles/genesis.json /opt/besu/

then make a folder name data to add the public and private key of the node

mkdir keys
mv networkFiles/keys/0x......./key keys/
mv networkFiles/keys/0x......./ /keys/

Okay, that’s it! We have installed besu network and now the node is ready to use.

Initialize Bootnode

Bootnode is the first node created by the blockchain used to help other peers to find your Blockchain.

Initialize bootnode

besu-1.3.6/bin/besu --data-path=data --genesis-file=./genesis.json --rpc-http-enabled --rpc-http-api=IBFT --rpc-http-host= --host-whitelist="*" --rpc-http-cors-origins="all"  --metrics-enabled --metrics-host= --metrics-port=9545 --p2p-host= &

(Don’t forget to add your own private address on --p2p-host )

You can find the same command on the documentation. I just changed the p2p host with the private IP. Once you run this command you will need to search for this line:

2020-03-28 18:21:47.836+00:00 | main | INFO  | DefaultP2PNetwork | Enode URL enode://d357bdefa4e6f6bdf99020707194823acd0f3d808ef259f47616a4154a7b4d8007b0573d6ebc02cb378f2f5f279205d2e537279a5987ef2a752733cd9cc2a5a1@

The Enode URL will be used by other nodes to connect with you. Okay, now we are done here. You can create as many bootnode as you want. It’s usually 2 bootnodes in the production.

Then, for the instances on the public subnet, you will repeat the same process except for the last step you will use the Enode URL.

besu-1.3.6/bin/besu  --data-path=data --genesis-file=./genesis.json --node-private-key-file=/opt/besu/keys/key   --bootnodes=enode://ca6c54e4be70c38abbc2d05c4eaafcc057b9e38db33feb67a95ef37a7a5fcccde814e90573193a204502b8948336741fc5a47405a69a2a77f911245671f81c23@ --rpc-http-enabled --rpc-http-host= --host-whitelist="*" --rpc-http-api=ETH,NET,IBFT  --rpc-http-cors-origins="all" --metrics-enabled --metrics-host= --metrics-port=9545 --p2p-host= &

(Don’t forget to add your own private address on --p2p-host )

That’s it! Now all you need to do is to copy the ‘besu’ directory from the first instances to the others using scp.

scp -i besuvalidatornode.pem -r ubuntu@ /opt/besu

Unfortunately, using only two nodes can’t achieve the Byzantine fault-tolerant (the ability to function correctly and reach consensus despite nodes). You can find details on how ibft2 works.


  • The most obvious thing is to increase the number of instances or to use a better type of instance than ‘t2.micro’.
  • Use Orion as a private transaction manager. It generates and maintains private/public keypairs, provides an API for communicating between Orion nodes and an API for communicating with Ethereum clients and more. You can find all the details on Orion Orion documentation.
  • Or you can use Besu on Docker.

Use Besu On Docker

All you need to do is run this command. Then you will have IBFT2 with Orion running on your instance.

./ -c ibft2

Besu sample network container offers you many options to run all types of algorithms. You need to customize your container in order to have what you need only and to avoid wasting resources. If you run the command above, it will create 4 nodes: the first node is a bootnode and other depend on it. So, if the bootnode failed all other nodes will. In order to use Besu sample network in production, you need to modify filedocker-compose_poa.yml by adding another bootnode and creating three other nodes for it. Note that, I didn’t have to do that because I used the micro instance for educational purpose and I implement all nodes by my own.

I hope that I was clear. However, if you have any question, please don’t hesitate to ask me anytime.


Besu Official Documentation To Create A IBFT2 Network

Setting Up Hyperledger Besu In Aws

Amazon Web Service Form To SSH A Private Subnet

Setting Up Hyperledger Besu On Amazon Web Services Using IBFT2 was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.