Bastion Host in AWS | Hands-on

Mohamed Irshath
Apr 16, 2023


Things to know about a bastion host

What is a bastion host?

A bastion host is a server that resides in a public subnet of your VPC. It provides SSH access to the servers residing in your private subnet.

Why do we use a bastion host?

To protect your instances from unauthorized or public access and to shield them from DDoS attacks: only the bastion is exposed to the internet, and the private servers are reached through it.

Now let’s create a bastion host and use it to access an instance in a private subnet.

Steps:

  1. Create a VPC with the CIDR block 10.0.0.0/16.
  2. Create a new key pair for your instances.
  3. Create two EC2 instances, one in the public subnet and one in the private subnet.
  4. SSH to the public instance.
  5. SSH to the private instance from the public instance.

Creating VPC:

  1. Head to VPC Console.
  2. Click Create VPC.

You can create each element inside your VPC on your own. For now we use the "VPC and more" option, which creates a public subnet, a private subnet, route tables and an internet gateway in one go.

3. Select VPC and more.

4. Enter a name for your VPC. (DemoBastionHost-VPC)

5. Enter the IPv4 CIDR block. (10.0.0.0/16)

6. Select No IPv6 CIDR block.

[Screenshot: VPC creation dashboard]

7. Select 1 availability zone, 1 public and 1 private subnet, and set NAT gateways and VPC endpoints to None.

[Screenshot: VPC creation dashboard]

8. Click Create VPC.

[Screenshot: VPC creation success]

Creating new key pair for your instance:

  1. Open EC2 Console.
  2. Select Key Pairs from Left.
  3. Click Create Key Pair.
  4. Enter a name for the key pair. (DemoBastionHost-KeyPair)
  5. Select RSA as the key pair type.
  6. Select .pem as the file format.

[Screenshot: key pair creation console]

7. Click Create Key Pair.

The .pem file now downloads to your local machine. Keep the file safe and secure.

Creating two EC2 instances, one in the public subnet and one in the private subnet:

Along with the EC2 instances, let’s create a security group.

i. Creating the public instance (bastion host):

  1. Open the EC2 console.
  2. Click Launch instance.
  3. Give the instance a name. (DemoBastionHost — HostServer)
  4. Select Amazon Linux 2 as the AMI and t2.micro as the instance type.
  5. Click Edit in the Network settings.
  6. Select your newly created VPC.
  7. Select the public subnet.

Note: first we create the public-facing instance in the public subnet, with a public IP attached to it.

8. Enable auto-assign public IP.

9. Select Create security group.

Allow SSH traffic on port 22 from any IP address.

10. Click Launch Instance.

ii. Creating Private instance:

  1. Follow steps 1 to 6 above.

Name the instance (DemoBastionHost — PrivateServer).

2. Now select the private subnet.

3. Disable auto-assign public IP.

4. Choose Select existing security group.

[Screenshot: security group for the private server]

5. Choose the security group already created for your public instance.

6. Click Launch Instance.
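The walkthrough creates one security group that allows SSH on port 22 from any IP address and then reuses it for the private server. The following Python script is an added example, not code from the post: it shows how to spot such a rule in the JSON that aws ec2 describe-security-groups returns, and what the tightened two-group layout looks like, where the bastion accepts SSH only from an administrator CIDR and the private server accepts SSH only from the bastion's security group rather than from any address. All group ids, group names and CIDRs in it are constructed sample values.

```python
# Added example, not code from the original post. Evaluates security group
# rules in the shape returned by `aws ec2 describe-security-groups`, flags
# SSH rules open to the whole internet, and builds the tightened pair of
# groups a bastion setup normally uses. Ids, names and CIDRs are constructed.
from typing import Dict, List

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
SSH_PORT = 22


def rule_covers_ssh(perm: dict) -> bool:
    """True if an IpPermissions entry includes TCP port 22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":              # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", -1) <= SSH_PORT <= perm.get("ToPort", -1)


def ssh_open_to_world(sg: dict) -> List[str]:
    """Return the world CIDRs (0.0.0.0/0, ::/0) that may reach port 22."""
    hits = []
    for perm in sg.get("IpPermissions", []):
        if not rule_covers_ssh(perm):
            continue
        hits += [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
        hits += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
    return hits


def ssh_sources(sg: dict) -> List[str]:
    """List every source (CIDR or security group id) allowed to reach port 22."""
    sources = []
    for perm in sg.get("IpPermissions", []):
        if not rule_covers_ssh(perm):
            continue
        sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return sources


# Constructed sample of the single group the walkthrough creates and reuses
# for both instances: SSH from anywhere.
WEAK_SHARED_SG = {
    "GroupId": "sg-0weak0000000000001",
    "GroupName": "DemoBastionHost-SG",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
    ],
}


def hardened_groups(admin_cidr: str, bastion_sg_id: str, private_sg_id: str) -> Dict[str, dict]:
    """Two-group layout: the bastion is reachable only from admin_cidr, the
    private server only from members of the bastion's security group."""
    bastion = {
        "GroupId": bastion_sg_id,
        "GroupName": "DemoBastionHost-Bastion-SG",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": admin_cidr}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
        ],
    }
    private = {
        "GroupId": private_sg_id,
        "GroupName": "DemoBastionHost-Private-SG",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [], "Ipv6Ranges": [],
             # referencing the bastion's group instead of a CIDR keeps the rule
             # valid even when the bastion's IP address changes
             "UserIdGroupPairs": [{"GroupId": bastion_sg_id}]}
        ],
    }
    return {"bastion": bastion, "private": private}


def audit(groups: List[dict]) -> Dict[str, List[str]]:
    """Map group name -> world-open SSH findings (an empty list means clean)."""
    return {sg["GroupName"]: ssh_open_to_world(sg) for sg in groups}


if __name__ == "__main__":
    print("weak:", audit([WEAK_SHARED_SG]))
    fixed = hardened_groups("203.0.113.10/32", "sg-0bastion000000001", "sg-0private000000001")
    print("hardened:", audit(list(fixed.values())))
    print("private SSH sources:", ssh_sources(fixed["private"]))
```

Run it as is to see the shared group flagged and the hardened pair pass; to audit a real account, feed the SecurityGroups list from aws ec2 describe-security-groups to audit() instead of the constructed sample.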

Now both instances are created in their respective subnets. Let’s SSH in.

[Screenshot: the two instances]

SSH into Public Instance:

  1. Select your Public instance.
  2. Click Connect.
  3. Select EC2 Instance Connect and Click Connect.
  4. Run the command touch keypair.pem in the terminal.

Note: this creates an empty file named keypair.pem in your present working directory.

5. Run vim keypair.pem in the terminal.

Note: this opens the file in the vim text editor.

6. Open the .pem file you downloaded earlier on your local machine.

7. Copy the contents of the .pem file and paste them into the text editor.

8. After pasting, press i to insert.

9. Now press the Esc key and type :wq.

Note: :wq writes the file and quits the text editor.

10. Run chmod 400 keypair.pem in the terminal.

Note: this adds executable permission to the file.

That’s it, everything is set to SSH into the private server.

SSH into Private Instance:

  1. Copy the private IP of the private server from the EC2 console.
  2. Run ssh -i keypair.pem ec2-user@<copied_ip_goes_here>.
  3. Type yes when prompted.

That’s it, now you are connected to your private server in your private subnet.
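The key-handling steps above (chmod 400 on the copied key, then ssh -i) are captured in the following Python script, an added example and not part of the post. It checks that a key file has the owner-only permissions ssh requires before it will use a private key (chmod 400 sets the mode to r--------, readable by the owner and nobody else), and it goes one step beyond the post by generating an ssh_config with ProxyJump, which reaches the private server through the bastion from your own machine so the private key never has to be copied onto the bastion. Host aliases, IP addresses, the key file name and its contents are constructed placeholders.

```python
# Added example, not code from the original post. Checks private key file
# permissions the way ssh does (owner-only) and renders an ssh_config that
# hops through the bastion with ProxyJump. Hosts, IPs and key text are
# constructed placeholders.
import os
import stat
import tempfile
from typing import Optional


def key_file_is_private(path: str) -> bool:
    """True when the file is readable by its owner and carries no group or
    other permission bits, which is what ssh insists on for identity files."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    group_other = mode & (stat.S_IRWXG | stat.S_IRWXO)
    return group_other == 0 and (mode & stat.S_IRUSR) != 0


def write_key_file(path: str, pem_text: str) -> None:
    """Write the key and set owner-read-only, the equivalent of chmod 400."""
    with open(path, "w") as f:
        f.write(pem_text)
    os.chmod(path, stat.S_IRUSR)          # 0o400: r--------


def proxyjump_config(bastion_ip: str, private_ip: str, key_path: str,
                     user: str = "ec2-user") -> str:
    """ssh_config fragment: `ssh private-server` connects via the bastion.
    IdentitiesOnly stops ssh from offering every key in the agent."""
    return (
        "Host bastion\n"
        f"    HostName {bastion_ip}\n"
        f"    User {user}\n"
        f"    IdentityFile {key_path}\n"
        "    IdentitiesOnly yes\n"
        "\n"
        "Host private-server\n"
        f"    HostName {private_ip}\n"
        f"    User {user}\n"
        f"    IdentityFile {key_path}\n"
        "    IdentitiesOnly yes\n"
        "    ProxyJump bastion\n"
    )


def demo(tmpdir: Optional[str] = None) -> dict:
    """Write a placeholder key with typical download permissions (0644), check
    it, tighten it, check again, and render the config. Returns the results."""
    if tmpdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    path = os.path.join(tmpdir, "DemoBastionHost-KeyPair.pem")
    # constructed placeholder text, not a real key
    pem = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
    with open(path, "w") as f:
        f.write(pem)
    os.chmod(path, 0o644)                 # what a fresh download often looks like
    before = key_file_is_private(path)
    write_key_file(path, pem)
    after = key_file_is_private(path)
    # constructed sample addresses: public IP of the bastion, private IP of the server
    config = proxyjump_config("198.51.100.20", "10.0.128.5", path)
    return {"before_chmod": before, "after_chmod": after, "config": config}


if __name__ == "__main__":
    result = demo()
    print("private before chmod:", result["before_chmod"])
    print("private after chmod:", result["after_chmod"])
    print(result["config"])
```

With the rendered fragment saved in ~/.ssh/config on your workstation, ssh private-server opens the connection through the bastion in one command; the key stays on your machine, so the bastion holds no secret that would unlock the private server if the bastion itself were ever compromised.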

You may notice that you cannot ping google.com or install packages from the internet on your private server. This is because the private server has no access to the internet. To allow access we can use a NAT gateway; check out my Medium page for creating a NAT gateway.

To learn more about networking and networking components in AWS, stay tuned to my Medium profile.
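Why the private server cannot reach google.com can be read off its route table. The following Python script, added here and not part of the post, classifies subnets from route tables in the shape that aws ec2 describe-route-tables returns: a default route (0.0.0.0/0) to an igw- target makes a subnet public, a default route to a NAT gateway gives a private subnet outbound-only access, and no default route at all, which is the state the walkthrough's private subnet is left in, gives it no path to the internet. Route table, subnet and gateway ids are constructed samples.

```python
# Added example, not code from the original post: classifies subnets from
# route tables in the shape returned by `aws ec2 describe-route-tables`.
# All route table, subnet and gateway ids below are constructed samples.
import copy
from typing import Dict, List

DEFAULT_ROUTE = "0.0.0.0/0"

PUBLIC = "public"                       # default route to an internet gateway
PRIVATE_NAT = "private-with-nat"        # default route to a NAT gateway (egress only)
PRIVATE_ISOLATED = "private-no-egress"  # no usable default route: no way out


def classify_route_table(route_table: dict) -> str:
    """Decide what kind of subnet a route table produces, from its default route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue                    # 'local' and other specific routes do not matter here
        if route.get("State", "active") != "active":
            continue                    # a blackholed route (e.g. deleted NAT) gives no egress
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return PUBLIC
        if route.get("NatGatewayId"):
            return PRIVATE_NAT
    return PRIVATE_ISOLATED


def classify_subnets(route_tables: List[dict]) -> Dict[str, str]:
    """Map every explicitly associated subnet id to its classification."""
    result = {}
    for rt in route_tables:
        kind = classify_route_table(rt)
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId"):
                result[assoc["SubnetId"]] = kind
    return result


def has_internet_egress(kind: str) -> bool:
    """True for subnets whose instances can initiate connections to the internet."""
    return kind in (PUBLIC, PRIVATE_NAT)


def add_nat_route(route_table: dict, nat_gateway_id: str) -> dict:
    """Return a copy of the table with a default route through a NAT gateway,
    the change that gives the private subnet outbound internet access."""
    rt = copy.deepcopy(route_table)
    rt["Routes"].append({"DestinationCidrBlock": DEFAULT_ROUTE,
                         "NatGatewayId": nat_gateway_id, "State": "active"})
    return rt


# Constructed sample mirroring what "VPC and more" with no NAT gateway produces:
# the public subnet routes 0.0.0.0/0 to the internet gateway, the private
# subnet has only the local route for 10.0.0.0/16.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0public0000000001",
     "Associations": [{"SubnetId": "subnet-0public000000001"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0demo00000000001", "State": "active"},
     ]},
    {"RouteTableId": "rtb-0private000000001",
     "Associations": [{"SubnetId": "subnet-0private00000001"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     ]},
]


if __name__ == "__main__":
    before = classify_subnets(SAMPLE_ROUTE_TABLES)
    for subnet, kind in before.items():
        print(f"{subnet}: {kind} (egress={has_internet_egress(kind)})")
    fixed = [SAMPLE_ROUTE_TABLES[0], add_nat_route(SAMPLE_ROUTE_TABLES[1], "nat-0demo00000000001")]
    print("after adding the NAT route:", classify_subnets(fixed))
```

The private subnet stays private after the NAT route is added: inbound connections from the internet are still impossible because nothing routes to it from outside, but instances in it can now download packages.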
