Let’s build a Cloud Network - 03: Bastion Host

Jinali Pabasara, Apium Innovations
Published May 24, 2024 · 3 min read

Welcome to the third article in our series, where we explore fundamental networking concepts in AWS.

Today, we’ll dive into a mechanism that allows us to access resources within our private subnet without requiring direct internet access. It’s a clever way to strike the perfect balance between security and accessibility.

So, let’s uncover this method and learn how to harness its power in our AWS environment!

Let’s imagine a scenario where we need to access the EC2 instance residing in our private subnet. However, there’s a challenge: the private subnet has no direct internet connectivity, making it inaccessible from our computers.

To tackle this situation, we can utilize a “Bastion Host.” This solution allows us to access the EC2 instances in the private subnet from the internet.

Let’s take a closer look at the diagram to grasp the concept more effectively.

Architecture Diagram — Bastion Host

In the private subnet, we have an EC2 instance that is completely isolated from the external world. It cannot communicate with anything outside the VPC, and it is protected by its own security group, ensuring only authorized traffic can access it.

On the other hand, in the public subnet, we have another EC2 instance with internet access. This instance can freely interact with the public internet. This particular EC2 instance acts as a “Bastion Host,” serving as a secure entry point to access resources within the private subnet when needed.

Since both EC2 instances are within the same VPC, the Bastion Host Instance has direct access to the EC2 instance in the private subnet. The concept here is to establish a connection to the private EC2 instance through the Bastion Host instance.

To achieve this, the procedure is as follows: first, we connect to the Bastion Host instance from the internet. Once connected to the Bastion Host, we SSH from it into the EC2 instance located in the private subnet.

To enhance security, the Bastion Host security group is configured to permit inbound traffic from the internet only on port 22 (SSH), and only from known IP ranges. Instead of permitting all internet traffic, we specify the IP addresses from which the Host instance may be accessed.

This approach ensures that only authorized users, whose IP addresses fall within the defined ranges, can connect to the Bastion Host. These IP ranges (CIDR) can represent the public CIDR of the organization in a real-life scenario.

For the private EC2 instance to allow SSH access (port 22), we need to configure its security group appropriately. Specifically, the security group of the private EC2 instance should allow incoming SSH connections from either the security group associated with the Bastion Host or the private IP address of the Bastion Host.
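As an added example (not part of the original article), the following Python audits the two security groups described above against exactly these rules: the bastion group may accept SSH only from the approved CIDR ranges, and the private instance's group may accept SSH only from the bastion's security group. It reads the IpPermissions shape that EC2 DescribeSecurityGroups returns; the group IDs and the 203.0.113.0/24 range in the sample data are constructed placeholders.

```python
# Audit the two security groups of the bastion pattern. Input follows the
# IpPermissions shape returned by EC2 DescribeSecurityGroups; sample groups
# at the bottom are constructed, with placeholder IDs (not from the article).
import ipaddress

SSH_PORT = 22

def ssh_rules(group):
    """Yield inbound rules that cover TCP/22 (an all-traffic rule counts too)."""
    for rule in group["IpPermissions"]:
        proto = rule.get("IpProtocol")
        if proto == "-1":
            yield rule
        elif proto == "tcp" and rule["FromPort"] <= SSH_PORT <= rule["ToPort"]:
            yield rule

def audit(bastion_sg, private_sg, allowed_cidrs):
    """Return findings as strings; an empty list means the pattern is intact."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for rule in ssh_rules(bastion_sg):
        # Bastion: SSH only from the approved (e.g. corporate) CIDR ranges.
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for net in map(ipaddress.ip_network, cidrs):
            if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                findings.append(f"bastion: SSH open to {net}, outside approved ranges")
    for rule in ssh_rules(private_sg):
        # Private instance: SSH only from the bastion's security group, never a CIDR.
        if rule.get("IpRanges") or rule.get("Ipv6Ranges"):
            findings.append("private: SSH allowed from a CIDR instead of the bastion SG")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] != bastion_sg["GroupId"]:
                findings.append(f"private: SSH allowed from unexpected group {pair['GroupId']}")
    return findings

# Constructed sample data: placeholder group IDs, documentation range 203.0.113.0/24.
BASTION_SG = {"GroupId": "sg-bastion-placeholder", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]}
OPEN_BASTION_SG = {"GroupId": "sg-bastion-placeholder", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
PRIVATE_SG = {"GroupId": "sg-private-placeholder", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-bastion-placeholder"}]}]}

if __name__ == "__main__":
    print(audit(BASTION_SG, PRIVATE_SG, ["203.0.113.0/24"]))   # []
    print(audit(OPEN_BASTION_SG, PRIVATE_SG, ["203.0.113.0/24"]))  # one finding
```

In a real account the two dictionaries would come from `describe_security_groups` and the allowed list from the organisation's published egress ranges; the checks themselves do not change.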

By using the Bastion Host as an intermediary, we maintain an extra layer of security, allowing us to securely reach the private EC2 instance even though it doesn’t have direct internet accessibility. The Bastion Host acts as a secure gateway that enables controlled access to the private resources within the VPC.

In the next article, we’ll explore additional networking concepts and uncover some more methods for accessing resources within a private subnet without the need for a direct internet connection. Stay tuned to learn more about building a secure and well-connected network environment in AWS!

At Apium Innovations we build world-class software products while following the best practices in DevOps. Follow us to learn more.


Software Engineer | Tech Enthusiast | AWS | NodeJS | Typescript