Accessing Private Subnet Resources Using a Bastion Host

Table of Contents

1. Problem Statement

2. Solution Overview

3. Step-by-Step Implementation

   • Setting Up the Bastion Host

   • Configuring Private Subnet Instances

   • Connecting via Bastion Host

4. Why This Solution is Best

5. Alternate Solutions

6. Conclusion

   
   

Problem Statement

The client wants secure access to resources within a private subnet of their AWS VPC, without exposing these resources to the public internet.

Solution Overview

Deploy a bastion host (jump server) in a public subnet to act as a secure entry point. Use it to connect to resources in the private subnet while maintaining the isolation of private resources.

Step-by-Step Implementation

Setting Up the Bastion Host

1. Deploy an EC2 Instance in the Public Subnet

   • Launch an EC2 instance in the public subnet of your VPC.

   • Assign it a public IP or an Elastic IP for external access.

     
     

2. Configure the Security Group for the Bastion Host

3. Create a security group to allow SSH access only from trusted IP addresses.

4. Example Configuration:

   
   

SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Bastion Host Security Group SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 203.0.113.0/24  # Replace with your trusted IP range

Configuring Private Subnet Instances

1. Assign a Security Group to Private Subnet Instances

2. Ensure private instances allow SSH access from the bastion host security group.

3. Example Configuration:

   
   

SecurityGroupPrivate: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Private Instance Security Group SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 SourceSecurityGroupId: !Ref BastionHostSecurityGroup

1. Verify IAM Role Permissions

   • Assign appropriate IAM roles to the bastion host and private instances for additional resource access.

     
     

Connecting via Bastion Host

1. Use SSH Agent Forwarding

2. Ensure your SSH client is configured with the private key for access.

3. Execute the following commands:

   
   

ssh -A ec2-user@<bastion-host-public-ip> ssh ec2-user@<private-instance-ip>

1. Optional: Configure SSH Config for Simplified Connection

2. Edit the ~/.ssh/config file:

   
   

Host bastion HostName <bastion-host-public-ip> User ec2-user IdentityFile ~/.ssh/your-key.pem Host private-instance HostName <private-instance-ip> User ec2-user ProxyJump bastion

• Connect using:

  
  

ssh private-instance

Why This Solution is Best

1. Enhanced Security

   • Only the bastion host is exposed to the internet, keeping private resources secure.

2. Centralized Access

   • Provides a single, controlled entry point to manage access.

3. Cost-Effective

   • Avoids the need for complex network setups like VPNs.

     
     

Alternate Solutions

1. VPN Access

   • Establish a VPN connection to the VPC for secure, direct access to private subnet resources.

   • Pros: Direct connectivity; no public exposure.

   • Cons: More complex to set up and maintain.

     
     

2. AWS Systems Manager Session Manager

   • Use Session Manager for agentless, browser-based access.

   • Pros: No public IP or bastion host needed.

   • Cons: Requires additional IAM permissions and setup.

     
     

Conclusion

Using a bastion host provides a secure, centralized method for accessing resources in a private subnet while maintaining their isolation. Alternate solutions like VPNs or Session Manager can be considered for different operational needs or security preferences.

Would you like assistance with automation or cost estimation for this setup?