You don’t know Bastions
Introducing a Layman’s guide to Bastion Hosts
Imagine this: you have a castle, marvelous, state of the art, like no castle ever was. It runs efficiently, and on an average day everything inside it is under control. The castle is secured by a wall, which makes sure no one can just waltz in. Behind the castle there is a dock where traders land, ask the castle messenger to carry out some task, and then leave on the same boat they arrived in. This port is the only official way into the castle.
The castle also has a gate, guarded by security guards 24 hours a day and locked with a big lock for extra security.
The King of the castle manages everything in it, from restoration work to all the clerical work of managing the castle’s information. And since he is the King, he has his own key to the castle gate. Whenever he has some King’s work to do, all he has to do is use his key, get inside the castle and do the job.
The above is an analogy for what a Bastion is:
- The castle is your system: your infrastructure and code.
- Your VPC is the wall.
- The dock is your port 80/443, where people access your website. The ships are the HTTP requests.
- The King of the castle is the DevOps/infra/admin person who does maintenance work on your infrastructure.
- The key is the private key (PEM file): a cryptographic key which identifies you as a valid user.
- The gate is the SSH port (port 22) of an EC2 instance.
- The security guards are the Security Groups attached to the EC2 instance. They have rules on what to allow through the gate and where it should go.
So, from the above analogy you can understand that only someone with the specific key (in this case the King) can enter through the gate. For everyone else, the security guards are there to guard it. Similarly with a Bastion, if you have the correct PEM file you can enter the castle; otherwise you will be stopped by the `Security Groups`.
According to Wikipedia:
A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of a firewall or in a demilitarized zone (DMZ) and usually involves access from untrusted networks or computers.
So if you have a system, it is considered much more secure to put everything in a private subnet, so that no computer outside the network can reach it. Things like core services, databases and Elasticsearch are all created in a private subnet. A limited set of components (like a Load Balancer) expose certain services (for example, re-routing traffic from port 80 on the Load Balancer to port 5000 on the app server). But sometimes these conventional methods don’t work and we need something like a Swiss Army Knife. The Bastion is that Swiss Army Knife.
There are various use cases for a Bastion; I will list some of them.
Suppose your entire core service is running in a private subnet, and this also includes your database:
- Suppose you are using RDS (PostgreSQL) in a private subnet and you want to connect your pgAdmin to that DB. This is where the Bastion comes in.
- You want to execute some shell commands on EC2 machines in the private subnet, for example `apt-get upgrade`, or `jmap` to create a heap dump.
- You want to get logs (for example GC logs) to analyze locally, so you first copy the logs from the EC2 machine to the Bastion and then from the Bastion to your local machine, where they can be analyzed.
The idea of a Bastion is this: you never let anyone publicly access the key components of your system, so you hide them from the rest of the world and use a totally separate computer, which only you can access, and which in turn accesses those hidden resources.
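The three use cases above as shell functions, added here as an example that is not from the original post: the bastion address, login user, key path, private host and RDS endpoint are assumed placeholders, and the log copy uses a one-hop `scp -J` rather than the two-step copy described above.

```shell
#!/bin/sh
# Added example, not from the original post: the three Bastion use cases as
# shell functions. All hostnames, users, paths and ports are assumed placeholders.
# Set DRY_RUN=1 to print each command instead of running it.

BASTION="${BASTION:-bastion.example.com}"      # public DNS/IP of the bastion (assumed)
BASTION_USER="${BASTION_USER:-ec2-user}"       # login user on bastion and private hosts
PEM="${PEM:-$HOME/.ssh/bastion.pem}"           # the "King's key"; keep it chmod 400
APP_HOST="${APP_HOST:-10.0.1.25}"              # EC2 instance in the private subnet (assumed)
RDS_HOST="${RDS_HOST:-mydb.example.rds.amazonaws.com}"  # private RDS endpoint (assumed)

# Run a command, or just echo it when DRY_RUN is set.
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Use case 1: pgAdmin to RDS. Forward local port 5433 to the DB's port 5432
# through the bastion, then point pgAdmin at localhost:5433. -N opens no
# remote shell, only the tunnel.
tunnel_to_rds() {
  run ssh -i "$PEM" -N -L "5433:$RDS_HOST:5432" "$BASTION_USER@$BASTION"
}

# Use case 2: run a shell command on a private EC2 host. -J (ProxyJump) relays
# the connection through the bastion; the PEM stays on your laptop and is used
# for both hops (same key assumed), so no agent forwarding is needed.
run_on_private() {
  run ssh -i "$PEM" -J "$BASTION_USER@$BASTION" "$BASTION_USER@$APP_HOST" "$@"
}

# Use case 3: pull a GC log. With -J the copy is one hop, so the file is never
# staged on the bastion's disk (a variation on the two-step copy in the post).
fetch_gc_log() {
  run scp -i "$PEM" -J "$BASTION_USER@$BASTION" \
    "$BASTION_USER@$APP_HOST:/var/log/app/gc.log" ./gc.log
}

# Usage: DRY_RUN=1 run_on_private uptime   (drop DRY_RUN=1 to really connect)
```

The bastion's Security Group should allow port 22 only from your own address, and the private hosts' Security Group only from the bastion, which is what keeps the "gate" closed to everyone but the King.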