DEV Community

Cover image for Enhancing AWS VPC Security: Accessing Your Network with a Private Jumpbox using Tailscale
Tevin Deale
Tevin Deale

Posted on

Enhancing AWS VPC Security: Accessing Your Network with a Private Jumpbox using Tailscale

In today's cloud-centric world, ensuring the security of your AWS resources is paramount. I was recently working on a cloud project and wanted a secure way to access the VPC remotely without using EC2 Instance Connect. This is when I came up with the idea to try using Tailscale VPN. I had already been tinkering with Tailscale on my home network and noticed how powerful it was. In this post, I will share how you can enhance your AWS VPC security by setting up a private jumpbox using Tailscale. We'll be using the free plan, which is sufficient for our needs. I suggest visiting Tailscale'swebsite to explore all their features and use cases.

The Solution

Solution Diagram

Understanding the Basics

For those new to AWS, a Virtual Private Cloud (VPC) is a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. A jumpbox, or bastion host, acts as a secure gateway to your VPC, typically accessed via SSH, and it helps in reducing the exposure of your instances. Tailscale is a user-friendly VPN that simplifies secure network connections using WireGuard’s encryption technology. It’s particularly great for creating secure, peer-to-peer networks.

Why Use a Private Jumpbox and Tailscale?

Using a private jumpbox, also known as a bastion host, provides a secure gateway to your AWS VPC. Unlike a public jumpbox, a private jumpbox is not accessible directly from the internet, which significantly reduces the attack surface and enhances the overall security of your network. This setup ensures that only authorized users can access your VPC resources.

Tailscale is a peer-to-peer VPN solution built on WireGuard, which simplifies secure network connections. Tailscale's ease of use, combined with its robust security features, makes it an excellent choice for setting up a private jumpbox. With Tailscale, you can create a secure mesh network that includes your local devices and your AWS resources, allowing seamless and secure access.

One of the key advantages of using Tailscale with a private jumpbox is its cost-effectiveness. Here are some points to consider:

  • Free Plan: Tailscale offers a free plan that is sufficient for many use cases, especially for small projects or individual developers. This plan includes all the core features needed to set up a secure private jumpbox.

  • Reduced AWS Costs: By using a private jumpbox, you can minimize the number of publicly accessible instances, which can lower your AWS costs. Public instances often require additional security measures and monitoring, increasing overall expenses.

  • No Need for Expensive Hardware: Tailscale operates on your existing infrastructure, meaning you don't need to invest in additional hardware or complex network setups.

Setting Up the Environment

Before we begin, ensure that you have a AWS account with necessary permissions, and the remote system set up with the Tailscale VPN.

Create the VPC

  1. Navigate to the VPC dashboard and click Create VPC.
    VPC Dashboard

  2. In the VPC Settings box we will use the VPC and More option for simplicity. Match your settings to the following and click Create VPC:

    • Name tag auto-generation: TailscaleJumpBox
    • IPv4 CIDR block: 10.0.0.0/16
    • IPv6 CIDR block(Important): Amazon-provided IPv6 CIDR block
    • Tenancy: Default
    • Number of Availability Zones: 1
    • Number of public subnets: 1
    • Number of private subnets: 1
    • Nat gateways: None
    • VPC endpoints: None
    • DNS Options: Both options should be checked.

Example output:

TailscaleJumpBox VPC Details

Using the VPC and more option when creating the VPC saves times by auto generating your subnets, route tables, and internet gateway.

Turn on IPv6 Auto-assign

  1. In the VPC Dashboard menu click Subnets.
  2. Enable Auto-assign IPv6 Enabling ipv6 auto assign

This will auto assign IPv6 addresses to resources deployed into the TailscaleJumpBox-VPC. This is useful because by default AWS IPv6 addresses are publicly available by default unlike IPv4 addresses.

Create Security Group

  1. In the VPC Dashboard menu click Security groups.
  2. Click Create Security Group.

Create security group button

  1. Enter in the following details:
    • Security group name: Tailscale-JumpBox-SG
    • Description: Allow remote connection from Tailscale
    • VPC: tailscalejumpbox-vpc
    • Inbound rules: None (default)
    • Outbound rules: Leave as default (all traffic) Example Output:

Example security group outbound rules

Launch Instance

  1. Navigate to the EC2 Dashboard.
  2. Click Launch Instance.

launch instance button

  1. Enter in the following details:
    • Name: Tailscale-JumpBox-USE-1a
    • Application and OS Images: Amazon Linux - Amazon Linux 2023
    • Instance Type: t2.micro (free tier)
    • Key pair: Create new key pair --> RSA --> .PEM --> Download Key
    • Network Settings: Click edit to change all options
    • VPC: tailscalejumpbox-vpc
    • Subnet: tailscalejumpbox-subnet-public1-us-east-1a
    • Auto-assign public IP: Disable
    • Auto-assign IPv6 IP: Enable
    • Security goups: Select existing security group
    • Common security groups: Tailscale-JumpBox-SG
    • Configure storage: Leave as default
    • Advance details: Expand this section and scroll to the bottom to enter User data (Shell Script)
    • User data:


#! bin/bash
hostnamectl set-hostname ts-jumpbox-use-1a
yum update -y
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up --auth-key <tskey-auth> --ssh



Enter fullscreen mode Exit fullscreen mode

Shell script breakdown:

  1. #! bin/bash: This shebang line indicates that the script should be run in the bash shell.
  2. hostnamectl set-hostname ts-jumpbox-use-1a: Sets a readable hostname for the instance. (Optional)
  3. yum update -y: Updates all installed packages.
  4. curl -fsSL https://tailscale.com/install.sh | sh: Downloads and installs Tailscale's quick install script.
  5. tailscale up --auth-key <tskey-auth> --ssh: Starts Tailscale and authenticates the instance using the provided auth key, with SSH access enabled.
  6. Launch Instance

Note: Replace <tskey-auth> with your actual Tailscale authentication key. You can generate an auth key from the Tailscale admin console under the Keys section in the settings.

Using the --ssh Flag

By using the --ssh flag in the tailscale up command, you enable Tailscale SSH, which allows you to SSH into the machine using Tailscale’s secure network. After running the script, you will see an SSH tag on the machine in the Tailscale admin console.

Connecting to the JumpBox

To SSH into the server using Tailnet SSH, use the following command:



ssh ec2-user@<tailnet IP address>


Enter fullscreen mode Exit fullscreen mode

You will be prompted to log in with a browser to authorize access to the server.

Alternatively, you can use the -i flag with the RSA key generated when launching the instance:



ssh -i rsa.pem ec2-user@<tailnet IP address>


Enter fullscreen mode Exit fullscreen mode

By following these steps, you can securely connect to your jumpbox and access your AWS VPC using Tailscale, taking advantage of its seamless and secure networking capabilities.

Conclusion

In this blog post, we explored how to enhance the security of your AWS VPC by setting up a private jumpbox using Tailscale. By utilizing a private jumpbox, you significantly reduce the attack surface of your infrastructure, making your network more secure and resilient against unauthorized access.

We walked through a step-by-step process to install and configure Tailscale on your jumpbox, leveraging its powerful yet user-friendly VPN capabilities. By enabling Tailscale SSH, we made accessing your jumpbox and other AWS resources secure and straightforward, providing you with a seamless and cost-effective solution for remote network access.

One of the standout advantages of this setup is its cost-effectiveness. Using Tailscale's free plan and minimizing the number of publicly accessible instances can save costs while still providing robust security features.

By following the steps outlined, you now have a secure method to access your AWS VPC, ensuring your resources are protected without sacrificing convenience. I encourage you to implement this setup in your projects and experience the benefits firsthand.

If you have any questions, comments, or additional tips to share, please leave them below. I’d love to hear about your experiences and any further enhancements you make to this setup.

Call to Action
Try setting up your own private jumpbox with Tailscale today, and ensure your AWS VPC remains secure and accessible. Don’t forget to share your feedback and any custom configurations you come up with!

For more information and to explore additional features, visit Tailscale’s documentation.

Thank you for reading, and happy securing!

Top comments (0)