
How to set up a Bastion host using AWS EC2

1. What is a Bastion host?

When you first build cloud infrastructure for a new project on AWS, you might start with services such as EC2, S3 and RDS. You usually don't want to expose these resources publicly, so how do you access them securely?

A bastion host, also called a jump server, is a common solution for reaching private resources in AWS or in your on-premise datacenter. It makes sure the user is authenticated and authorized before accessing the different private resources.

A bastion host is a server that provides access to a private network from an external network, such as the Internet.

bastion host architecture

In this article, you will learn:

  • How to set up a Bastion host for your AWS resources.
  • How to connect to EC2 instances via the Bastion host.
  • How to connect to an RDS database via the Bastion host.

2. How to set up a Bastion host for your AWS resources

Launch an EC2 instance and make sure that it is located in a public subnet so that it is reachable from the internet.

bastion host setup

Choose or create a new security group for your Bastion host as follows:

  • Type: SSH
  • Source: 0.0.0.0/0
    For a production environment, it is highly recommended not to use 0.0.0.0/0; instead, use your company's public IP address, so that your bastion host is reachable only from your company's network.

bastion host setup

Now, create or choose your private key:

bastion host setup

We assume that you already have a private EC2 instance; if not, launch a new instance and make sure that:

  • It uses a private subnet.
  • An inbound rule is added to its security group that allows SSH connections from the Bastion host's security group:

bastion host setup
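The two security-group rules above are the whole access-control story of this setup, so they are worth checking rather than trusting the console screenshot. The following Python script is an added example, not part of the original article: it audits a set of security groups laid out in the shape of `aws ec2 describe-security-groups` output (a subset of its fields, constructed inline with made-up group IDs and addresses) and reports when the bastion accepts SSH from the whole internet or when the private instance accepts SSH from a CIDR instead of from the bastion's security group. The group names `bastion-sg` and `private-server-sg` and the helper `sample_groups` are assumptions of this example.

```python
"""Audit the bastion / private-instance security groups (added example).

The data shape mirrors `aws ec2 describe-security-groups` (subset of fields);
group IDs, names and CIDRs are constructed sample values, not real ones.
"""

SSH_PORT = 22
ANYWHERE = ("0.0.0.0/0", "::/0")
BASTION_SG_ID = "sg-0bastion00000001"    # made-up id
PRIVATE_SG_ID = "sg-0private00000002"    # made-up id


def sample_groups(bastion_ssh_cidr="0.0.0.0/0", private_ssh_cidr=None):
    """Constructed sample: the tutorial's two groups. Defaults to the
    0.0.0.0/0 bastion rule from the screenshot; an optional extra CIDR
    rule on the private group models a common mistake."""
    private_ip_ranges = [{"CidrIp": private_ssh_cidr}] if private_ssh_cidr else []
    return [
        {
            "GroupId": BASTION_SG_ID,
            "GroupName": "bastion-sg",
            "IpPermissions": [{
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": bastion_ssh_cidr}],
                "Ipv6Ranges": [],
                "UserIdGroupPairs": [],
            }],
        },
        {
            "GroupId": PRIVATE_SG_ID,
            "GroupName": "private-server-sg",
            "IpPermissions": [{
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": private_ip_ranges,
                "Ipv6Ranges": [],
                # source is the bastion's security group, not an address
                "UserIdGroupPairs": [{"GroupId": BASTION_SG_ID}],
            }],
        },
    ]


def covers_ssh(perm):
    """True if this permission entry admits TCP/22 (or all traffic, "-1")."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def cidr_sources(perm):
    """All IPv4/IPv6 CIDR sources of one permission entry."""
    ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
    return [r.get("CidrIp") or r.get("CidrIpv6") for r in ranges]


def audit_bastion(group):
    """The bastion may take SSH from a CIDR, but not from the whole internet."""
    findings = []
    for perm in group["IpPermissions"]:
        if not covers_ssh(perm):
            continue
        for cidr in cidr_sources(perm):
            if cidr in ANYWHERE:
                findings.append(f"{group['GroupName']}: SSH (tcp/22) open to {cidr}; "
                                "restrict the source to your company's public IP")
    return findings


def audit_private(group, bastion_id):
    """The private instance must take SSH only from the bastion's group."""
    findings = []
    for perm in group["IpPermissions"]:
        if not covers_ssh(perm):
            continue
        for cidr in cidr_sources(perm):
            findings.append(f"{group['GroupName']}: SSH allowed from CIDR {cidr}; "
                            "use the bastion security group as the source instead")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != bastion_id:
                findings.append(f"{group['GroupName']}: SSH allowed from unexpected "
                                f"group {pair.get('GroupId')}")
    return findings


def audit(groups, bastion_name, private_name):
    """Run both checks; an empty list means the layout matches the article."""
    by_name = {g["GroupName"]: g for g in groups}
    bastion, private = by_name[bastion_name], by_name[private_name]
    return audit_bastion(bastion) + audit_private(private, bastion["GroupId"])


if __name__ == "__main__":
    for finding in audit(sample_groups(), "bastion-sg", "private-server-sg"):
        print("FINDING:", finding)
```

To run it against a real account, replace `sample_groups()` with the parsed JSON of `aws ec2 describe-security-groups` and pass your own group names; the checks themselves do not change.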

3. Testing connection to private EC2 instances.

Get the public IP address of the Bastion host; in the snapshot below, the server name is “public-server”:

bastion host public ip address

Then open your favourite SSH client and use your private key to connect to the Bastion host:

ssh shell on bastion host

Then execute these commands on the Bastion host:

# Create a new file that will contain the private key:
nano my-private-key.pem
# Then, paste the content of your private key into this file and save it.
# Finally, restrict the file permissions so that only you can read it (ssh refuses keys readable by others):
chmod 400 my-private-key.pem

Get the private IP address of your internal EC2 instance; I named this server “private-server”:

private server private ip address

As you can see in the snapshot above, the internal server doesn't have any public IP address.

Connect to your bastion host, then execute this command to access the private server (replace <private-server-ip> with the private IP address from the snapshot above):

ssh -i "my-private-key.pem" ec2-user@<private-server-ip>

We assume that you used an Amazon Linux instance, whose default username is “ec2-user”.

ssh connection on private server
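The procedure above copies the private key onto the bastion, which means a compromise of the bastion also exposes the key. OpenSSH's `ProxyJump` (`ssh -J`) reaches the private server through the bastion while the key stays on your workstation, and the bastion only ever forwards a TCP connection. The following Python script is an added example, not part of the original article: it embeds a constructed `~/.ssh/config` for the two hosts of this tutorial (the addresses `203.0.113.10` and `10.0.1.25`, the aliases `bastion` and `private-server`, and the key path are made-up assumptions), parses it with a minimal `Host`-block parser, resolves the chain of hops for a target, detects `ProxyJump` loops, and prints the equivalent one-line `ssh -J` command.

```python
"""Resolve ProxyJump chains from an ssh_config (added example).

SAMPLE_CONFIG is a constructed ~/.ssh/config for the tutorial's layout; the
host names, addresses and key path are made-up values.
"""

SAMPLE_CONFIG = """
# Bastion host in the public subnet (public IP is a made-up sample value)
Host bastion
    HostName 203.0.113.10
    User ec2-user
    IdentityFile ~/.ssh/my-private-key.pem

# Internal server, reachable only through the bastion (private IP is made up)
Host private-server
    HostName 10.0.1.25
    User ec2-user
    IdentityFile ~/.ssh/my-private-key.pem
    ProxyJump bastion
"""


def parse_ssh_config(text):
    """Minimal parser: {alias: {keyword (lowercased): value}} per Host block.
    Handles comments, blank lines, 'Key Value' and 'Key=Value' forms.
    Wildcard patterns, Match blocks and multi-hop 'ProxyJump a,b' values are
    outside the scope of this example."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1:
            parts = line.split("=", 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].strip().lower(), parts[1].strip()
        if key == "host":
            current = value
            hosts[current] = {}
        elif current is not None:
            hosts[current][key] = value
    return hosts


def jump_chain(hosts, target):
    """Hops from the workstation to `target`, outermost (bastion) first.
    Raises ValueError for an unknown alias or a ProxyJump loop."""
    chain, seen, alias = [], set(), target
    while alias is not None:
        if alias not in hosts:
            raise ValueError(f"no Host block for {alias}")
        if alias in seen:
            raise ValueError(f"ProxyJump loop at {alias}")
        seen.add(alias)
        chain.append(alias)
        alias = hosts[alias].get("proxyjump")
    return list(reversed(chain))


def user_at_host(hosts, alias):
    """'user@hostname' for an alias (plain hostname when no User is set)."""
    h = hosts[alias]
    return f"{h['user']}@{h['hostname']}" if h.get("user") else h["hostname"]


def equivalent_command(hosts, target):
    """The one-line `ssh -J` form of the config for `target`, as an argv list.
    The -i option applies to the final hop; the jump host is authenticated
    through its own Host block (or the agent), so no key is copied anywhere."""
    chain = jump_chain(hosts, target)
    cmd = ["ssh"]
    if len(chain) > 1:
        cmd += ["-J", ",".join(user_at_host(hosts, a) for a in chain[:-1])]
    identity = hosts[target].get("identityfile")
    if identity:
        cmd += ["-i", identity]
    cmd.append(user_at_host(hosts, target))
    return cmd


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    print("hops:", " -> ".join(jump_chain(cfg, "private-server")))
    print(" ".join(equivalent_command(cfg, "private-server")))
```

With the config in place, `ssh private-server` from your workstation does the whole thing; the bastion never sees the private key, and the `chmod 400` step applies only to the copy on your own machine.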


4. Cleanup:

To clean up the lab, select both instances, then click “Instance state” and “Terminate instance”.

terminate instances

If you have any questions, feel free to post them in the comments; I'll be happy to read and answer all your questions.
