AWS::VPC — How to access private subnet machines?

Avishek Roy
Published in teckdevops
6 min read, May 26, 2019

An article to demystify the process of accessing Amazon VPC private subnet instances!

Introduction

Hello! AWS VPC lets users and organizations set up their own network and the restrictions around it. It gives us the option to build our own infrastructure and to control how it is accessed.

An instance created in a private subnet of a custom VPC has no access to the outside world, so it can't be reached directly from a personal desktop/laptop. For this we use a bastion host, also called a jump box.

Prerequisite

  • AWS Console access, i.e. a valid account on the AWS portal.
  • A valid user with permission to create and delete VPCs and EC2 instances.
  • Utilities → Putty, PuttyGen and Pageant.

Execution

This article is a continuation of my recent blog on VPC, where we set up a VPC with a public and a private subnet, attached an IGW to the public subnet route and successfully installed and accessed an Apache URL over the internet. But we haven't accessed the private subnet instance yet!

So, in short, here is what we have so far.

  • Created a VPC; a route table and NACL are created with the VPC by default.
  • Created 2 subnets, i.e. 1 public and 1 private, under the custom VPC, and assigned a CIDR block to each.
  • Set "Auto-assign public IP" to Yes for the public subnet, since it is set to No by default for all custom-created subnets.
  • Associated the created subnets with the custom VPC.
  • Associated route tables with the VPC (a separate private route table for the private subnet).
  • Created an IGW and attached it to the VPC for the public subnet.
  • Created security groups.

So, assuming our setup matches the above, we now go a bit further: create an instance in the private subnet and then follow some basic steps to access that private instance via the public instance, directly from the local machine.

1. Launch an Instance

First, launch an instance in the private subnet, i.e. select the custom VPC and the private subnet on the 'Configure Instance Details' page while launching the instance. Reference below:

Private Subnet Instance

Tag the instance as DBServer or as you like.

Tag

Next, create a new security group for the private instance and allow SSH only from the public web server's security group, as below, i.e. add the public SG as the source of the private SG's SSH rule.

SSH to Public SG
SSH to Public Web-servers

Review, launch, and generate and download a new key pair, i.e. teckdevOpsPrivate.pem, for the private instance.

teckdevOpsPrivate Key

Now, check the launched instances.

Running Instances

2. Access Instances

Now, access the public instance and then try to access the private instance (DBServer) via that public instance, i.e. the bastion host.

Bastion Host

Accessing our DBServer, i.e. the private subnet instance, gives us a key error because we haven't used any key to log in. One way to overcome this is to copy the private key onto the public/bastion instance, but that is neither safe nor recommended: one should never store private keys on bastion or jump boxes.

So, how are we going to access our private machines?

The answer is agent forwarding: we are going to use SSH agent forwarding to access the private instance via the bastion host, i.e. without storing any private key on the bastion host.

3. Configuring agent forwarding (Using Putty)

We are going to use Putty to access the private instance with agent forwarding, but before that we need to install and set up 2 more supporting utilities.

PuttyGen → to convert key files (pem → ppk), as Putty supports only .ppk files.

Pageant → to hold the keys, support agent forwarding and access the private instance.

Putty and the supporting utilities are available on the following download link.

3.1 Convert Keys using PuttyGen

a) Open PuttyGen and on the Conversions tab select 'Import key'.

b) Go to the path where your keys exist and select the keys to convert. In my case these are teckdevOps.pem and teckdevOpsPrivate.pem.

Select key to convert

c) Select the key and open it; PuttyGen then loads the selected key. Now enter a passphrase and click 'Save private key'. Repeat the same steps for the second key, i.e. teckdevOpsPrivate.pem.

d) Cool, now we have 2 more key files, the .ppk ones.

ppk files

3.2 Import Keys to Pageant

a) Once we are done with the key conversion, the next step is to add/import our keys into Pageant. Open Pageant and click 'Add Key' to add our keys.

Pageant

b) Enter the passphrase to confirm, click OK and done. Add both keys in the same manner.

Enter passphrase
Keys Added

3.3 Configure Putty

a) Now, the last and final step is to configure Putty to use agent forwarding and access the private instance, i.e. our DBServer, directly from our local machine.

Open Putty and enter the bastion host IP as the hostname; the port defaults to 22.

Bastion Host

b) Select the SSH → Auth category of Putty and, under Authentication parameters, check the 'Allow agent forwarding' option.

Allow agent forwarding

c) Next, under the SSH category, put a remote command, i.e. ssh <DBServer IP> (the private server's IP), to be sent to the server. Click Open and log in with the relevant username (ec2-user) when the Putty login prompt appears.

Send command to remote server

Bang on! We are successfully logged onto the private subnet instance (DBServer) using Putty and a bastion host, directly from our local machine.

Private Instance login
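For readers on Linux or macOS, here is the OpenSSH equivalent of steps 3.1 to 3.3, added as an example and not part of the original post. The IPs, key paths and host aliases are placeholders; OpenSSH reads the .pem files directly, so no ppk conversion is needed. It also shows ProxyJump, which reaches DBServer through the bastion without ever exposing the local agent to the bastion, so a compromised bastion cannot use your keys while you are connected.

```shell
# Added example, not from the original post: OpenSSH equivalent of the
# Putty + Pageant setup. IPs, key paths and host aliases are placeholders.
KEY_DIR="${KEY_DIR:-$HOME/.ssh}"

# Emit an ssh_config fragment. 'bastion' mirrors the Putty session: the key
# comes from the local agent and ForwardAgent is the 'Allow agent forwarding'
# checkbox. 'dbserver' uses ProxyJump instead: the hop is a plain TCP forward
# through the bastion, so the bastion never sees the agent socket or a key.
ssh_config_fragment() {
  bastion_ip="$1"
  dbserver_ip="$2"
  cat <<EOF
Host bastion
    HostName $bastion_ip
    User ec2-user
    IdentityFile $KEY_DIR/teckdevOps.pem
    ForwardAgent yes

Host dbserver
    HostName $dbserver_ip
    User ec2-user
    IdentityFile $KEY_DIR/teckdevOpsPrivate.pem
    ProxyJump bastion
EOF
}

# Pageant equivalent: start an agent and load both keys (no key file is ever
# copied to the bastion). Prints how many keys the agent now holds (expect 2).
load_keys() {
  eval "$(ssh-agent -s)" >/dev/null
  ssh-add "$KEY_DIR/teckdevOps.pem" "$KEY_DIR/teckdevOpsPrivate.pem"
  ssh-add -l | grep -c '^[0-9]'
}

# Exactly what step 3.3 does: log in to the bastion with agent forwarding and
# run 'ssh <DBServer IP>' there as the remote command.
# The preferred alternative is simply: ssh -F <config> dbserver
connect_via_agent_forwarding() {
  ssh -F "$1" -A bastion ssh ec2-user@"$2"
}

# Sanity check on the bastion: the forwarded agent socket is present for this
# session only and no private key files sit on its disk. Exit 0 means clean.
bastion_has_no_key_files() {
  ssh -F "$1" bastion 'test -S "$SSH_AUTH_SOCK" && ! ls ~/.ssh/*.pem ~/.ssh/*.ppk 2>/dev/null'
}
```

Write the fragment to a file (for example `ssh_config_fragment 203.0.113.10 10.0.1.25 > bastion.cfg`), run `load_keys`, then `connect_via_agent_forwarding bastion.cfg 10.0.1.25` or `ssh -F bastion.cfg dbserver`.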

Caution: Please don't forget to clean up the whole setup (terminate the instances and delete the CustomVPC) if it is no longer required, so as to avoid any charges.

Conclusion

So, we have seen a method of accessing a private subnet instance via a bastion host without saving private keys on a public server. I hope this article is useful and helps you attain some of the AWS best practices.

Thanks for visiting and happy reading! Adios!

— A blog by teckdevOps
