1. What is a Bastion host?
When you first build a cloud infrastructure for a new project on AWS, you might start with services such as EC2, S3, RDS… and you usually don’t want to expose these resources publicly, so how do you access them securely?
A bastion host, also called a jump server, is a common solution for reaching private resources in AWS or in your on-premise datacenter. It makes sure the user is authenticated and authorized before accessing the different private resources.
A bastion host is a server that provides access to a private network from an external network, such as the Internet.
In this article, you will learn:
- How to set up a bastion host for your AWS resources
- How to connect to EC2 instances via the Bastion host.
- How to connect to an RDS database via the bastion host.
2. How to set up a bastion host for your AWS resources
Launch an EC2 instance and make sure that it is located in a public subnet so that it is reachable from the internet.
Choose or create a security group for your bastion host with the following inbound rule:
- Type: SSH
- Source: 0.0.0.0/0
For a production environment, it is highly recommended not to use 0.0.0.0/0; use your company’s public IP address instead, so that your bastion host is only reachable from your company’s network.
Now, create or choose your private key:
We assume that you already have a private EC2 instance. If not, launch a new instance and make sure that:
- It is placed in a private subnet.
- Its security group has an inbound rule that allows SSH connections from the bastion host’s security group:
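The two security groups described above (SSH into the bastion from a known range, SSH into the private instance only from the bastion's group, and no public address on the private instance) can be audited automatically. The following Python script is an added example and not part of the original article: it checks dictionaries shaped like the `SecurityGroups` entries returned by boto3's `ec2.describe_security_groups()` and the `Instances` entries from `describe_instances()`. All group ids, instance ids and addresses below are constructed sample data, and the "company range" 203.0.113.0/24 is a documentation prefix standing in for your real public IP range.

```python
"""Audit the security groups of a bastion-host setup.

Added example, not code from the original article. The dictionaries mimic the
shape of boto3's ec2.describe_security_groups() / describe_instances()
responses; every id and address below is constructed sample data.
"""

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _ssh_rules(group):
    """Yield the inbound rules of a security group that cover TCP/22."""
    for rule in group.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        if proto == "-1":  # "All traffic" rule: covers SSH as well
            yield rule
        elif proto == "tcp" and rule.get("FromPort", 0) <= SSH_PORT <= rule.get("ToPort", 65535):
            yield rule


def _source_cidrs(rule):
    """Yield every IPv4/IPv6 CIDR listed as a source on an inbound rule."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_bastion_group(group, allowed_cidrs):
    """Findings for the bastion's group: SSH must only come from known ranges.

    allowed_cidrs is the company's public range(s) that the article
    recommends instead of 0.0.0.0/0 in production.
    """
    findings = []
    gid = group["GroupId"]
    for rule in _ssh_rules(group):
        for cidr in _source_cidrs(rule):
            if cidr in ANYWHERE:
                findings.append(f"{gid}: SSH is open to the whole internet ({cidr})")
            elif cidr not in allowed_cidrs:
                findings.append(f"{gid}: SSH allowed from unexpected source {cidr}")
    return findings


def audit_private_group(group, bastion_group_id):
    """Findings for the private instance's group: SSH only from the bastion SG."""
    findings = []
    gid = group["GroupId"]
    from_bastion = False
    for rule in _ssh_rules(group):
        for cidr in _source_cidrs(rule):  # any CIDR source bypasses the bastion
            findings.append(f"{gid}: SSH allowed from CIDR {cidr}, not just the bastion group")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == bastion_group_id:
                from_bastion = True
            else:
                findings.append(f"{gid}: SSH allowed from another group {pair.get('GroupId')}")
    if not from_bastion:
        findings.append(f"{gid}: no SSH rule referencing bastion group {bastion_group_id}")
    return findings


def audit_private_instance(instance):
    """The private server must not carry a public address."""
    if instance.get("PublicIpAddress"):
        return [f"{instance['InstanceId']}: has public IP {instance['PublicIpAddress']}"]
    return []


# Constructed sample data modelled on the article's lab (ids/addresses made up).
LAB_BASTION_SG = {  # the lab rule from the article: SSH from 0.0.0.0/0
    "GroupId": "sg-bastion0001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                       "Ipv6Ranges": [], "UserIdGroupPairs": []}],
}
HARDENED_BASTION_SG = {  # production variant: SSH only from the company range
    "GroupId": "sg-bastion0001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
                       "Ipv6Ranges": [], "UserIdGroupPairs": []}],
}
PRIVATE_SG = {  # private server: SSH only from the bastion's security group
    "GroupId": "sg-private0001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [], "Ipv6Ranges": [],
                       "UserIdGroupPairs": [{"GroupId": "sg-bastion0001"}]}],
}
PRIVATE_INSTANCE = {"InstanceId": "i-0private0001", "PrivateIpAddress": "10.0.2.15"}


def run_audit(bastion_sg, private_sg, private_instance, allowed_cidrs=("203.0.113.0/24",)):
    """Combine the three checks into one list of findings (empty means OK)."""
    return (audit_bastion_group(bastion_sg, set(allowed_cidrs))
            + audit_private_group(private_sg, bastion_sg["GroupId"])
            + audit_private_instance(private_instance))


if __name__ == "__main__":
    for line in run_audit(LAB_BASTION_SG, PRIVATE_SG, PRIVATE_INSTANCE) or ["no findings"]:
        print(line)
```

Run against the lab data the only finding is the world-open SSH rule on the bastion group; swapping in `HARDENED_BASTION_SG` clears it. To audit a real account, replace the sample dictionaries with the output of `describe_security_groups()` and `describe_instances()` for the two instances.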
3. Testing connection to private EC2 instances.
Get the public IP address of the bastion host; in the snapshot below, the server name is “public-server”:
Then open your favourite SSH client and use your private key to connect to the bastion host:
Then execute these commands on the bastion host:
# Create a new file that will contain the private key:
nano my-private-key.pem
# Then, copy content of your private key into this file and save it.
# Finally, change the file permissions as follows:
chmod 400 my-private-key.pem
Get the private IP address of your internal EC2 instance; I named this server “private-server”:
As you can see in the snapshot above, the internal server doesn’t have any public IP address.
Connect to your bastion host, then execute this command to access the private server (replace the placeholder with the private IP address you noted above):
ssh -i my-private-key.pem ec2-user@<private-server-ip>
We assume that you used an Amazon Linux instance, whose default username is “ec2-user”.
4. Cleanup:
To clean up the lab, select both instances, then click “Instance state” and “Terminate instance”.
If you have any questions, feel free to post them in the comments. I’ll be happy to read and answer all your questions.