How do I set up Fail2Ban on an Amazon Lightsail Debian instance, when it has its own firewall?
Think of the Lightsail firewall as your static firewall, and iptables as your dynamic, reactive firewall.
Firewall rules such as permanently blocking ports or blocking IP ranges of countries should go under the Lightsail firewall. While blocking that one IP that is brute forcing SSH credentials would be the job of Fail2Ban/ufw/iptables.
Having two layers of firewalls should have no adverse effect on your install. In fact, this configuration allows for the best possible performance since your OS doesn't need to utilize system resources to process packets which have already been blocked by the Lightsail firewall.