Problem Statement
The client wants secure access to resources within a private subnet of their AWS VPC, without exposing these resources to the public internet.
Solution Overview
Deploy a bastion host (jump server) in a public subnet to act as a secure entry point. Use it to connect to resources in the private subnet while maintaining the isolation of private resources.
Step-by-Step Implementation
Setting Up the Bastion Host
Deploy an EC2 Instance in the Public Subnet
Launch an EC2 instance in the public subnet of your VPC.
Assign it a public IP or an Elastic IP for external access.
Configure the Security Group for the Bastion Host
Create a security group to allow SSH access only from trusted IP addresses.
Example Configuration:
    BastionHostSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: Bastion Host Security Group
        VpcId: <your-vpc-id>  # Replace with the ID of your VPC
        SecurityGroupIngress:
          - IpProtocol: tcp
            FromPort: 22
            ToPort: 22
            CidrIp: 203.0.113.0/24  # Replace with your trusted IP range
Configuring Private Subnet Instances
Assign a Security Group to Private Subnet Instances
Ensure private instances allow SSH access from the bastion host security group.
Example Configuration:
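    SecurityGroupPrivate:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: Private Instance Security Group
        VpcId: <your-vpc-id>  # Replace with the ID of your VPC
        SecurityGroupIngress:
          - IpProtocol: tcp
            FromPort: 22
            ToPort: 22
            # Logical ID of the bastion host security group defined above
            SourceSecurityGroupId: !Ref BastionHostSecurityGroup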
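An added example, not part of the original article: a Python check that audits the two security groups above, given data in the shape of `aws ec2 describe-security-groups` output. The group IDs `sg-bastion`, `sg-private` and `sg-other`, the sample rules, and all function names are constructed for illustration.

```python
import ipaddress

SSH_PORT = 22

def covers_ssh(perm):
    """True if an IpPermissions entry admits TCP port 22."""
    if perm["IpProtocol"] == "-1":  # "-1" means every protocol and port
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= SSH_PORT <= perm["ToPort"]

def cidrs_of(perm):
    """All IPv4 and IPv6 source ranges named in one permission entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def audit(groups, bastion_id, private_id):
    """Check the two rules the article relies on; return a list of findings."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []
    for perm in filter(covers_ssh, by_id[bastion_id]["IpPermissions"]):
        for cidr in cidrs_of(perm):
            if ipaddress.ip_network(cidr).prefixlen == 0:  # 0.0.0.0/0 or ::/0
                findings.append(f"bastion: SSH open to any address ({cidr})")
    for perm in filter(covers_ssh, by_id[private_id]["IpPermissions"]):
        for cidr in cidrs_of(perm):
            findings.append(f"private: SSH allowed from CIDR {cidr}, not only the bastion group")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != bastion_id:
                findings.append(f"private: SSH allowed from other group {pair['GroupId']}")
    return findings

def ssh_rule(cidrs=(), group_ids=()):
    """Build a constructed port-22 entry in describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in group_ids]}

# Constructed sample data (group IDs are placeholders, not real resources).
AS_DESCRIBED = [
    {"GroupId": "sg-bastion", "IpPermissions": [ssh_rule(cidrs=["203.0.113.0/24"])]},
    {"GroupId": "sg-private", "IpPermissions": [ssh_rule(group_ids=["sg-bastion"])]},
]
DRIFTED = [
    {"GroupId": "sg-bastion", "IpPermissions": [ssh_rule(cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-private", "IpPermissions": [ssh_rule(["10.0.0.0/16"], ["sg-other"])]},
]
if __name__ == "__main__":
    for name, groups in (("as described", AS_DESCRIBED), ("drifted", DRIFTED)):
        print(name, audit(groups, "sg-bastion", "sg-private") or "no findings")
```

To run it against a real account, pass the `SecurityGroups` list from the CLI's JSON output together with the IDs of your own two groups.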
Verify IAM Role Permissions
Assign appropriate IAM roles to the bastion host and private instances for additional resource access.
Connecting via Bastion Host
Use SSH Agent Forwarding
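Load the private key into your local SSH agent (for example with ssh-add) so that agent forwarding can offer it to the private instance; the key file itself never has to be copied to the bastion host.
Connect to the bastion host with agent forwarding enabled, then connect from the bastion host to the private instance:

    ssh -A ec2-user@<bastion-host-public-ip>
    ssh ec2-user@<private-instance-ip>

While the forwarded session is open, anyone with root access on the bastion host can use your agent to authenticate as you, so prefer the ProxyJump configuration below where possible.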
Optional: Configure SSH Config for Simplified Connection
Edit the ~/.ssh/config file:
    Host bastion
        HostName <bastion-host-public-ip>
        User ec2-user
        IdentityFile ~/.ssh/your-key.pem

    Host private-instance
        HostName <private-instance-ip>
        User ec2-user
        # Assumes the same key pair is used for both hosts
        IdentityFile ~/.ssh/your-key.pem
        ProxyJump bastion
Connect using:
ssh private-instance
Why This Solution is Best
Enhanced Security
Only the bastion host is exposed to the internet, keeping private resources secure.
Centralized Access
Provides a single, controlled entry point to manage access.
Cost-Effective
Avoids the need for complex network setups like VPNs.
Alternate Solutions
VPN Access
Establish a VPN connection to the VPC for secure, direct access to private subnet resources.
Pros: Direct connectivity; no public exposure.
Cons: More complex to set up and maintain.
AWS Systems Manager Session Manager
Use Session Manager for agentless, browser-based access.
Pros: No public IP or bastion host needed.
Cons: Requires additional IAM permissions and setup.
Conclusion
Using a bastion host provides a secure, centralized method for accessing resources in a private subnet while maintaining their isolation. Alternate solutions like VPNs or Session Manager can be considered for different operational needs or security preferences.