Note: This is my first blog post; any recommendations and feedback would be appreciated.
Introduction
Bastion Host - A bastion host is a specialized computer that is deliberately exposed on a public network. From a secured network perspective, it is the only node exposed to the outside world and is therefore very prone to attack.
The bastion host processes and filters all incoming traffic and prevents malicious traffic from entering the network, acting much like a gateway. The most common examples of bastion hosts are mail, domain name system, Web and File Transfer Protocol (FTP) servers.
In this post, I will be demonstrating how to configure a VPC so that two EC2 instances can communicate (one acting as a bastion host and the other one inside a private subnet).
Creating VPC
First, let's start by creating a simple VPC:
You can use any name or CIDR you want.
Creating Subnets
Let's select our VPC (created in the last step):
Let's create two subnets, one for the public subnet and the other one for the private subnet.
Let's edit the public subnet we just created and check "Enable auto-assign public IPv4 address".
Creating Routing Tables
Route Table for Public Subnet
Route Table for Private Subnet
Edit the route table associations so we can attach the route tables we just created to our subnets:
Creating Internet Gateway
Now, we need to create an Internet Gateway in order to provide internet access to our bastion host.
Then, we need to attach this Internet Gateway to our VPC (myDemoVpc)
Add a route to this Internet Gateway now that it is attached.
Note: This route must be added ONLY to our public subnet route table, as we're simulating a connection from our bastion host to a private subnet which can contain a database or a server with sensitive data, or any other information that must remain private and must not be reachable from the internet.
Creating EC2 Instances
Let's start by creating our bastion host and testing connectivity through the internet:
Let's go to the Network Settings Section and Click on Edit to select the options marked
Testing Connectivity
Select our instance previously created and click on Connect
We have internet access in our Bastion Host:
Creating EC2 Instance in Private Subnet
Let's go now to the Network Settings Section and Click on Edit to select the options marked
Note: To add an extra layer of security, I've only allowed SSH access from the bastion host's security group, and I've also added an ICMP - IPv4 rule to test connectivity.
Testing Final Connectivity
After creating the private EC2 instance, let's test connectivity through a web browser:
As you can see above, we cannot connect through the internet. This is the expected behavior, as we haven't assigned a public IP address to this instance since it will remain private.
Let's test connectivity from our Bastion Host
As we can see, we're able to ping our private instance through our bastion server.
Let's try our final test by connecting through SSH from our Bastion Server
Let's create a file which contains our key pair
vi bastionDemoKey.pem
Copy the content of the key pair created in AWS
Change the permissions on the file we just created:
chmod 400 bastionDemoKey.pem
Now let's try SSH to our EC2 Private Instance
ssh -i bastionDemoKey.pem ec2-user@172.16.2.10
We have connectivity!!
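As an added check (not part of the original post), here is a small Python audit that encodes the three rules applied above: no default route to the Internet Gateway in the private subnet's route table, no public IP on the private instance, and SSH into the private instance allowed only from the bastion's security group. It works on the JSON shape returned by `aws ec2 describe-route-tables`, `describe-security-groups` and `describe-instances`; the sample data and resource ids below are constructed, not taken from the post.

```python
def igw_default_route(route_tables, subnet_id):
    """True if the route table explicitly associated with subnet_id sends 0.0.0.0/0 to an Internet Gateway."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-")
                       for r in rt.get("Routes", []))
    return False  # no explicit association found (main route table fallback is not modelled here)
def ssh_sources(group):
    """Sources (CIDRs and security-group ids) allowed to reach TCP/22 in one security group."""
    sources = []
    for p in group.get("IpPermissions", []):
        # IpProtocol "-1" means all protocols and ports; FromPort/ToPort are then absent.
        if p.get("IpProtocol") in ("tcp", "-1") and p.get("FromPort", 0) <= 22 <= p.get("ToPort", 65535):
            sources += [r["CidrIp"] for r in p.get("IpRanges", [])]
            sources += [g["GroupId"] for g in p.get("UserIdGroupPairs", [])]
    return sources
def audit(route_tables, groups, instances, bastion_sg_id, private_subnet_id):
    """Return findings; an empty list means the layout follows the rules the post applies."""
    findings = []
    if igw_default_route(route_tables, private_subnet_id):
        findings.append("private subnet route table has a default route to an Internet Gateway")
    by_id = {g["GroupId"]: g for g in groups}
    for inst in (i for i in instances if i["SubnetId"] == private_subnet_id):
        if inst.get("PublicIpAddress"):
            findings.append(f"{inst['InstanceId']} in the private subnet has a public IP")
        for sg in inst["SecurityGroups"]:
            for src in ssh_sources(by_id[sg["GroupId"]]):
                if src != bastion_sg_id:
                    findings.append(f"{sg['GroupId']} allows SSH from {src}, not only from the bastion SG")
    if "0.0.0.0/0" in ssh_sources(by_id[bastion_sg_id]):
        findings.append("bastion SG allows SSH from 0.0.0.0/0; restrict it to your admin IP range")
    return findings
# Constructed sample in describe-* output shape (ids are made up; 172.16.2.10 is the post's private host).
SAMPLE_ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-public"}], "Routes": [
        {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-demo"}]},
    {"Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"}]}]
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]}]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-bastion", "SubnetId": "subnet-public", "PublicIpAddress": "203.0.113.10", "SecurityGroups": [{"GroupId": "sg-bastion"}]},
    {"InstanceId": "i-private", "SubnetId": "subnet-private", "PrivateIpAddress": "172.16.2.10", "SecurityGroups": [{"GroupId": "sg-private"}]}]
FINDINGS = audit(SAMPLE_ROUTE_TABLES, SAMPLE_GROUPS, SAMPLE_INSTANCES, "sg-bastion", "subnet-private")
```

Against a real account, pass in the `RouteTables`, `SecurityGroups` and flattened `Reservations[].Instances` lists from the three describe calls; in the constructed sample the only finding is the bastion's SSH rule being open to the whole internet.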
I hope you find this information helpful. If you have any issues, comments or feedback, shoot me a comment.
Have a good one community!