Accend Networks San Francisco Bay Area Full Service IT Consulting Company

Bastion Host: Secure Remote Access to Your Private Instances.

Bastion Host

Introduction

In the rapidly evolving landscape of cloud computing, security remains paramount. When managing an EC2 fleet within an Amazon Web Services (AWS) Virtual Private Cloud (VPC), instances that hold your workloads should not be reachable directly from the internet, yet administrators still need a way to log in to them. This is where a bastion host comes into play, providing a single, hardened and monitored gateway to your private instances. In this blog, we will explore the bastion host pattern on AWS, its benefits, and how to set one up.

What is an AWS Bastion Host?

A bastion host, also known as a jump box, is an EC2 instance placed in a public subnet whose only job is to accept SSH connections from administrators and forward them on to instances in private subnets. The private instances have no public IP address and no route to an internet gateway, so the bastion is the one point of entry that has to be exposed, hardened and monitored. This reduces the attack surface of the VPC to a single host with a tightly scoped security group.

Best Practices for Managing AWS Bastion Hosts

  • Update and patch the bastion regularly; it is the one host deliberately exposed to the internet.
  • Restrict inbound SSH in the bastion's security group to known source addresses, and restrict the private instances' security groups so that port 22 is reachable only from the bastion's security group.
  • Limit who can launch, modify or connect to the bastion through IAM policies.
  • Rotate SSH key pairs regularly and never store private keys on the bastion itself; use agent forwarding or ProxyJump from your workstation.
  • Implement Multi-Factor Authentication (MFA) for the AWS accounts that manage the bastion.
  • Log and monitor every session on the bastion.

We will leverage the default VPC, which already has public subnets, a correctly configured route table and an internet gateway attached. In addition, we will create a private subnet with its own route table, which we will use to launch our private instance. We will then connect to the private instance by jumping from our instance in the public subnet to the one in the private subnet. Let's proceed as follows.

Log in to the management console as a user with administrative privileges. In the search box, type VPC and select VPC under Services.

We will create the private subnet inside the default VPC, so its CIDR block must be carved out of the default VPC's CIDR (172.31.0.0/16 in most regions). Note the default VPC's CIDR and the CIDRs of the subnets that already exist in it, so that the new subnet neither falls outside the VPC nor overlaps an existing subnet. Then click Create subnet.

In the Create subnet console, fill in the required details. For VPC, select the default VPC, then scroll down.

For Subnet name, enter Private-subnet-1a. For Availability Zone, select the zone of your choice; we will select us-east-1a. For IPv4 CIDR, make sure the block is within the CIDR range of the default VPC and does not overlap any existing subnet, since we are launching this subnet in the default VPC. Those are the only settings we need. Click Create subnet.

We have successfully created our private subnet leveraging the default VPC.
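Before clicking Create subnet it is worth checking the candidate CIDR offline. The script below is an added example, not part of the original post: it verifies that a proposed private-subnet CIDR lies inside the VPC's CIDR and does not overlap any subnet the VPC already has. The VPC CIDR (172.31.0.0/16) and the six existing /20 subnets are constructed sample input that mirrors a typical default VPC; replace them with the values shown in your own console.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check a candidate private-subnet
# CIDR before creating it. It must sit inside the VPC CIDR and must not overlap any
# subnet the default VPC already has.
set -e

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_within CANDIDATE CONTAINER -> exit 0 if CANDIDATE lies entirely inside CONTAINER.
cidr_within() {
  local cand_ip="${1%/*}" cand_len="${1#*/}" cont_ip="${2%/*}" cont_len="${2#*/}"
  [ "$cand_len" -ge "$cont_len" ] || return 1
  local mask=$(( (0xFFFFFFFF << (32 - cont_len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$cand_ip") & mask )) -eq $(( $(ip_to_int "$cont_ip") & mask )) ]
}

# cidr_overlaps A B -> exit 0 if the two ranges share at least one address.
# Two CIDRs overlap exactly when the longer prefix lies inside the shorter one.
cidr_overlaps() {
  cidr_within "$1" "$2" || cidr_within "$2" "$1"
}

# check_private_subnet VPC_CIDR CANDIDATE EXISTING... -> 0 if the candidate is usable,
# 1 otherwise, with the reason printed to stderr.
check_private_subnet() {
  local vpc="$1" cand="$2"
  shift 2
  if ! cidr_within "$cand" "$vpc"; then
    echo "reject: $cand is not inside VPC CIDR $vpc" >&2
    return 1
  fi
  local s
  for s in "$@"; do
    if cidr_overlaps "$cand" "$s"; then
      echo "reject: $cand overlaps existing subnet $s" >&2
      return 1
    fi
  done
  echo "ok: $cand fits inside $vpc and overlaps no existing subnet"
}

# Constructed sample input (assumption): a default VPC of 172.31.0.0/16 with one /20
# per availability zone, six zones shown. Replace with the values from your console.
DEFAULT_VPC="172.31.0.0/16"
EXISTING_SUBNETS="172.31.0.0/20 172.31.16.0/20 172.31.32.0/20 172.31.48.0/20 172.31.64.0/20 172.31.80.0/20"

check_private_subnet "$DEFAULT_VPC" 172.31.96.0/20 $EXISTING_SUBNETS            # accepted
check_private_subnet "$DEFAULT_VPC" 172.31.16.0/24 $EXISTING_SUBNETS || true    # overlaps a /20
check_private_subnet "$DEFAULT_VPC" 10.0.1.0/24    $EXISTING_SUBNETS || true    # outside the VPC
```

Run it with the CIDR you intend to type into the console; the console performs the same two checks and will refuse the subnet if either fails, but catching it beforehand saves a round trip.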

Under subnets, we can see our private subnet.

Next, we will create a private route table and associate it with our subnet. In the left navigation pane of the VPC console, select Route tables, then click Create route table.

In the Create route table screen, name your route table, select the default VPC, then click Create route table.

The route table has been created successfully. Its only entry is the local route for the VPC CIDR; there is no 0.0.0.0/0 route to the internet gateway, so any subnet associated with it can exchange traffic only within the VPC and is unreachable from the internet. That is exactly what makes it "private".

Move to the subnet association tab then click edit subnet associations.

The available subnets will be listed. Select Private-subnet-1a, then click Save associations.

We have now created a private route table and associated it with our private subnet. Next, we will launch two EC2 instances: one in a public subnet, which will be our Bastion Host, and one in the private subnet, which will be our Production server. We will use the Bastion Host to jump into the Production server.

Open the EC2 console by typing EC2 in the search box and selecting EC2 under Services.

In the EC2 UI, select instances then click Launch Instances.

For Name, enter Bastion Host. Under Application and OS Images, select the Quick Start tab and choose Amazon Linux. Scroll down.

For the AMI, stay within the free tier. For Instance type, select t2.micro, which is also free-tier eligible. Select your key pair, then scroll down.

Expand the Network settings section, select the default VPC and a public subnet of your choice, and make sure Auto-assign public IP is enabled so that you can reach the bastion from the internet. Then scroll down.

Under Firewall (security groups), select Create security group and make sure SSH on port 22 is allowed. For the source, we will leave it open to Anywhere (0.0.0.0/0) for this demo, but as a best practice always limit it to your own IP address or your office range; an SSH port open to the world is the most common way a bastion gets brute-forced. Scroll down.

Review the summary and click Launch instance.

The bastion has launched successfully. We will now launch our Production server in the private subnet. Click Launch instances again.

Name it Production server, then repeat the same launch process. For the OS, select Amazon Linux. Scroll down.

For the AMI, stay within the free tier again. For Instance type, select t2.micro. Select your key pair, then scroll down.

Expand the Network settings section, select the default VPC, and for the subnet select the private subnet you created. Auto-assign public IP can stay disabled; this instance must not be reachable from the internet. Scroll down.

Select Create security group and allow inbound SSH on port 22. For the source, choose the Bastion Host's security group rather than 0.0.0.0/0: the instance has no public IP, but scoping the rule to the bastion's security group guarantees that only connections arriving through the bastion are ever accepted, even if the subnet's routing changes later.

Review the summary, then click Launch instance.

The Production server has launched successfully. Note its private IP address; you will need it for the next step.

Now SSH into the Bastion Host from your workstation using the key pair you selected and the bastion's public IP address, as shown in the command below.

Using an editor of your choice, paste your private key into a file on the Bastion Host and restrict its permissions so that only the owner can read it (chmod 400); SSH refuses to use a key that is readable by others. Be aware that copying a private key onto the bastion means that anyone who compromises the bastion also holds the key to every instance it can reach; in practice, prefer SSH agent forwarding or ProxyJump so the key never leaves your workstation.


Then, from the bastion, SSH to the Production server using the key file and the private IP address you noted earlier, as shown in the command below. That's it: we are in our private EC2 instance, which we can confirm from the prompt showing its private IP address.
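The same two-hop connection can be made without the private key ever touching the bastion. The script below is an added example, not code from the original post: it builds the ProxyJump command and the equivalent ~/.ssh/config stanza for the workstation, and includes a permission check that mirrors the one SSH performs on the key file. The bastion address (203.0.113.10, an RFC 5737 documentation address), the private IP (172.31.96.25) and the key path are constructed placeholders; substitute your own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): reach the private Production server
# through the bastion without copying the private key onto it. ProxyJump (-J) opens the
# second hop from your workstation, tunnelled through the first, so key material stays
# on your own machine and a compromised bastion yields no keys.
set -e

# Constructed placeholder values (assumptions); override via the environment.
BASTION_PUBLIC_IP="${BASTION_PUBLIC_IP:-203.0.113.10}"   # RFC 5737 documentation address
PRIVATE_IP="${PRIVATE_IP:-172.31.96.25}"                 # Production server, private subnet
KEY_FILE="${KEY_FILE:-$HOME/.ssh/bastion-demo.pem}"      # key pair selected at launch

# build_jump_cmd BASTION PRIVATE KEYFILE -> the single command to run on the workstation.
# Amazon Linux AMIs use the ec2-user account.
build_jump_cmd() {
  printf 'ssh -i %s -J ec2-user@%s ec2-user@%s\n' "$3" "$1" "$2"
}

# build_ssh_config BASTION PRIVATE KEYFILE -> an ~/.ssh/config stanza with the same effect,
# after which plain "ssh production" is enough. IdentitiesOnly stops ssh offering every
# key in the agent to the bastion.
build_ssh_config() {
  cat <<EOF
Host bastion
    HostName $1
    User ec2-user
    IdentityFile $3
    IdentitiesOnly yes

Host production
    HostName $2
    User ec2-user
    IdentityFile $3
    IdentitiesOnly yes
    ProxyJump bastion
EOF
}

# key_perms_ok KEYFILE -> 0 if the key is readable by its owner only (mode 400 or 600),
# which is what ssh insists on before it will use the file.
key_perms_ok() {
  [ -f "$1" ] || return 1
  case "$(ls -l "$1" | cut -c2-10)" in
    r--------|rw-------) return 0 ;;
    *) return 1 ;;
  esac
}

echo "# run from the workstation, never from the bastion:"
build_jump_cmd "$BASTION_PUBLIC_IP" "$PRIVATE_IP" "$KEY_FILE"
echo
echo "# equivalent ~/.ssh/config stanza:"
build_ssh_config "$BASTION_PUBLIC_IP" "$PRIVATE_IP" "$KEY_FILE"
```

With the config stanza in place, `ssh production` connects through the bastion transparently, and `scp`/`rsync` to the private host work the same way. Because the key stays on the workstation, rotating it means replacing one file rather than hunting for copies on jump hosts.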


This brings us to the end of this blog. Remember to clean up: terminate both instances, then delete the private route table and the private subnet you created, so that nothing is left running in your account.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at [email protected].

Thank you!

Written By :

Victor Onyango, AWS Certified Solutions Architect – Associate, AWS Certified Security
