Ariel Coba

AWS Create Bastion Host to communicate with your Private Subnet

Note: This is my first blog post; any recommendations and feedback would be appreciated.

Introduction

Bastion Host - A bastion host is a specialized computer that is deliberately exposed on a public network. From a secured network perspective, it is the only node exposed to the outside world and is therefore very prone to attack.

The bastion host processes and filters all incoming traffic and prevents malicious traffic from entering the network, acting much like a gateway. The most common examples of bastion hosts are mail, domain name system, Web and File Transfer Protocol (FTP) servers.

In this post, I will demonstrate how to configure a VPC so that two EC2 instances can communicate: one acting as a bastion host in a public subnet, the other inside a private subnet.

Creating VPC

First, let's create a simple VPC:

[Screenshot: VPC]

You can use any name or CIDR you want.

Creating Subnets

Select the VPC created in the previous step:

[Screenshot: SubnetsVPC]

Create two subnets, one public and one private.

[Screenshot: Subnets]

Edit the public subnet just created and check "Enable auto-assign public IPv4 address".

[Screenshot: autoassignipv4]

Creating Routing Tables

Route table for the public subnet:

[Screenshot: PublicRouteTable]

Route table for the private subnet:

[Screenshot: PrivateRouteTable]

Edit the subnet associations so that each route table just created is attached to its subnet:

[Screenshot: RouteTableAssociation]

[Screenshot: PublicSubnetRouteTable]

[Screenshot: PrivateSubnetRouteTable]

Creating Internet Gateway

Now we need to create an Internet Gateway to provide internet access to our bastion host.

[Screenshot: Internetgateway]

Then attach this Internet Gateway to our VPC (myDemoVpc).

[Screenshot: IGW1]

[Screenshot: IGW2]

Add a route to the Internet Gateway we just attached:

[Screenshot: IGW-PublicSubnet-RouteTable]

[Screenshot: IGW-PublicSubnet-RouteTableAdded]

Note: This route must be added ONLY to the public subnet's route table. We are simulating a connection from the bastion host to a private subnet that may contain a database, a server with sensitive data, or any other resource that must remain private and must not be reachable from the internet.

Creating EC2 Instances

Let's start by creating our bastion host and testing connectivity through the internet:

[Screenshot: EC2-Settings]

Go to the Network settings section and click Edit to select the options marked:

[Screenshot: EC2-Network]

Testing Connectivity

Select the instance created above and click Connect:

[Screenshot: EC2Connectivity]

[Screenshot: EC2ConnectivitySSH]

We have internet access from our bastion host:

[Screenshot: EC2Connected]

Creating EC2 Instance in Private Subnet

Again, go to the Network settings section and click Edit to select the options marked:

[Screenshot: EC2PrivateNetworkSettings]

Note: To add an extra layer of security, I've allowed SSH access only from the bastion host's security group, and added an ICMP - IPv4 rule so we can test connectivity.

[Screenshot: SG-Rules]
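The two rules this post relies on (the internet route exists only on the public subnet's route table, and the private instance accepts SSH only from the bastion's security group) can be verified programmatically. The following is an added example, not code from the original post: it runs the checks over data shaped like the EC2 DescribeRouteTables and DescribeSecurityGroups responses, with all IDs, names and CIDRs below being constructed placeholders rather than values from the walkthrough.

```python
# Added check, not from the original post: validates the two design rules above
# on data shaped like the EC2 DescribeRouteTables / DescribeSecurityGroups
# responses (e.g. boto3 output). All IDs and CIDRs below are constructed.

def private_subnet_has_no_internet_route(route_tables, subnet_id):
    """True if no route table associated with subnet_id targets an IGW."""
    for rt in route_tables:
        if not any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            continue
        if any(r.get("GatewayId", "").startswith("igw-") for r in rt.get("Routes", [])):
            return False
    return True

def _rule_covers_ssh(perm):
    # "-1" means all protocols and ports; otherwise only TCP ranges covering 22.
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("IpProtocol") == "tcp" and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)

def ssh_only_from_bastion(security_groups, private_sg_id, bastion_sg_id):
    """True if private_sg_id allows TCP/22 solely from bastion_sg_id."""
    sg = next(g for g in security_groups if g["GroupId"] == private_sg_id)
    saw_bastion = False
    for perm in sg.get("IpPermissions", []):
        if not _rule_covers_ssh(perm):
            continue
        if perm.get("IpRanges") or perm.get("Ipv6Ranges"):
            return False  # SSH reachable from an IP range, not only the bastion
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != bastion_sg_id:
                return False
            saw_bastion = True
    return saw_bastion

ROUTE_TABLES = [  # constructed: only the public table carries the 0.0.0.0/0 route to the IGW
    {"Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-demo"}]},
    {"Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"}]},
]
SECURITY_GROUPS = [  # constructed: bastion open on 22, private instance only from the bastion SG
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
]
```

With real boto3 output, pass `describe_route_tables()["RouteTables"]` and `describe_security_groups()["SecurityGroups"]` in place of the constructed lists; `ssh_only_from_bastion` returns False both when SSH is open to a CIDR and when no bastion rule exists at all.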

Testing Final Connectivity

After creating the private EC2 instance, let's test connectivity through a web browser:

[Screenshot: EC2PrivateInstaceConnection]

As you can see above, we cannot connect through the internet. This is the expected behavior, since we have not assigned a public IP address to this instance: it will remain private.

Now let's test connectivity from our bastion host:

[Screenshot: ConnectivityOK]

As we can see, we are able to ping our private instance through our bastion server.

For the final test, let's connect through SSH from our bastion server.

First, create a file containing our key pair:

vi bastionDemoKey.pem

Paste in the content of the key pair created in AWS.

Then change the permissions of the file just created:

chmod 400 bastionDemoKey.pem

Now let's SSH to our private EC2 instance:

ssh -i bastionDemoKey.pem ec2-user@172.16.2.10

We have connectivity!

[Screenshot: SSHPrivateEC2]

I hope you find this information helpful; if you have any issues, comments or feedback, shoot me a comment.

Have a good one community!
