Accessing Private Subnet Resources Using a Bastion Host


1. Problem Statement: Accessing Resources in a Private Subnet


A client needs to access resources in a private subnet within a Virtual Private Cloud (VPC) while keeping that subnet off the internet: no public IPs and no route to an internet gateway. One of the most common ways to do this is a bastion host (or jump server), a single hardened instance in a public subnet that acts as the gateway for SSH or RDP access to the instances in the private subnet.


However, a bastion host only adds security if its security groups and access controls are configured correctly; a poorly configured bastion simply moves the exposed port rather than removing it.



2. Solution: Setting Up a Bastion Host


Set Up the Bastion Host

To allow secure access to instances within the private subnet, the first step is to deploy an EC2 instance in a public subnet and configure it as the bastion host. This instance gets a public IP (or Elastic IP) so that administrators can reach it from outside, and it is the only instance that does: the private instances keep no public address and are reachable only through it.


  • Steps for Bastion Host Configuration:

    1. Deploy an EC2 instance in the public subnet.

    2. Assign a public IP (or Elastic IP) to the instance to ensure it is accessible externally.

    3. Create and configure a security group for the bastion host that allows SSH access (on port 22) from trusted IP addresses only, never from 0.0.0.0/0. For example, if your trusted IP range is 203.0.113.0/24, the security group would look like this (the logical ID BastionHostSecurityGroup is the one the private instance's security group references below):

  BastionHostSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Bastion Host Security Group
      VpcId: !Ref VpcId            # the VPC containing the public subnet (assumed template parameter)
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 203.0.113.0/24   # Replace with your trusted IP range

Configure Private Subnet Instances


Once the bastion host is set up, the next step is to make the instances in the private subnet reachable only through it. Their security group should allow SSH from the bastion host's security group, referenced by ID rather than by IP address, so the rule keeps working if the bastion is replaced or its address changes.


  • Steps for Private Subnet Instance Configuration:

    1. Create a security group for instances in the private subnet.

    2. Allow SSH (port 22) traffic from the bastion host's security group by referencing its ID in the private instance's security group (security group references work within the same VPC or across a VPC peering connection):

  SecurityGroupPrivate:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Private Instance Security Group
      VpcId: !Ref VpcId            # same VPC as the bastion (assumed template parameter)
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref BastionHostSecurityGroup

With this setup, only instances that belong to the bastion host's security group can open SSH connections to the private instances; the private subnet's isolation does not depend on the bastion's IP address, and the internet-facing rule exists in exactly one place, the bastion's security group.
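The two security groups above are the whole perimeter, so it is worth checking them mechanically before deploying: the bastion's SSH rule must name a trusted CIDR (not 0.0.0.0/0 or ::/0), and the private instances' SSH rule must reference the bastion's security group rather than a CIDR. The following is an added example, not code from the original page or from AWS; it audits a CloudFormation template written in JSON syntax (the constructed sample carries the two groups from the walkthrough), using only the Python standard library. The logical IDs, the trusted range and the two CloudFormation spellings of "the bastion's group ID" (Ref and Fn::GetAtt) are taken from the walkthrough; the helper names are this example's own.

```python
"""Audit the bastion / private-instance security group pair of a CloudFormation
template: the bastion may accept SSH only from the trusted ranges, and the
private instances may accept SSH only from the bastion's security group."""
import copy
import ipaddress
import json

SSH_PORT = 22
BASTION_ID = "BastionHostSecurityGroup"   # logical IDs used in the walkthrough
PRIVATE_ID = "SecurityGroupPrivate"
TRUSTED_CIDRS = ["203.0.113.0/24"]        # the trusted range from the walkthrough

# Constructed sample: the two security groups from the walkthrough, written in
# CloudFormation's JSON syntax (equivalent to the YAML shown in the text).
TEMPLATE_JSON = r'''
{
  "Resources": {
    "BastionHostSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Bastion Host Security Group",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}
        ]
      }
    },
    "SecurityGroupPrivate": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Private Instance Security Group",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
           "SourceSecurityGroupId": {"Ref": "BastionHostSecurityGroup"}}
        ]
      }
    }
  }
}
'''


def load_template():
    return json.loads(TEMPLATE_JSON)


def ssh_rule(**source):
    """Ingress rule for TCP/22; the source (CidrIp, CidrIpv6 or
    SourceSecurityGroupId) is passed as a keyword argument."""
    return {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT, **source}


def with_ingress(template, sg_id, rules):
    """Return a copy of the template with one group's ingress rules replaced."""
    t = copy.deepcopy(template)
    t["Resources"][sg_id]["Properties"]["SecurityGroupIngress"] = rules
    return t


def rule_covers_port(rule, port):
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto in ("-1", "all"):           # "all traffic" rules cover every port
        return True
    if proto != "tcp":
        return False
    return int(rule.get("FromPort", -1)) <= port <= int(rule.get("ToPort", -1))


def source_is_bastion(src, bastion_id):
    """Accept both CloudFormation spellings of the bastion's group ID."""
    return src in ({"Ref": bastion_id}, {"Fn::GetAtt": [bastion_id, "GroupId"]})


def audit_bastion_pair(template, bastion_id, private_id, trusted_cidrs):
    """Return a list of findings (empty when the pair is configured as intended)."""
    findings = []
    resources = template["Resources"]
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]

    # 1. Bastion: every rule that reaches TCP/22 must be a CIDR rule that is
    #    neither world-open nor outside the trusted ranges.
    for rule in resources[bastion_id]["Properties"].get("SecurityGroupIngress", []):
        if not rule_covers_port(rule, SSH_PORT):
            continue
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr is None:
            findings.append(f"{bastion_id}: SSH rule without a CIDR source: {rule}")
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            findings.append(f"{bastion_id}: SSH open to the world via {cidr}")
        elif not any(net.subnet_of(t) for t in trusted if t.version == net.version):
            findings.append(f"{bastion_id}: SSH allowed from {cidr}, outside the trusted ranges")

    # 2. Private instances: SSH must come only from the bastion's security group.
    for rule in resources[private_id]["Properties"].get("SecurityGroupIngress", []):
        if not rule_covers_port(rule, SSH_PORT):
            continue
        if "CidrIp" in rule or "CidrIpv6" in rule:
            findings.append(f"{private_id}: SSH opened to a CIDR instead of the bastion group: {rule}")
        elif not source_is_bastion(rule.get("SourceSecurityGroupId"), bastion_id):
            findings.append(f"{private_id}: SSH source is not the bastion group: "
                            f"{rule.get('SourceSecurityGroupId')!r}")
    return findings


if __name__ == "__main__":
    good = load_template()
    print("walkthrough template:", audit_bastion_pair(good, BASTION_ID, PRIVATE_ID, TRUSTED_CIDRS))
    weak = with_ingress(good, BASTION_ID, [ssh_rule(CidrIp="0.0.0.0/0")])
    weak = with_ingress(weak, PRIVATE_ID, [ssh_rule(CidrIp="10.0.0.0/16")])
    for finding in audit_bastion_pair(weak, BASTION_ID, PRIVATE_ID, TRUSTED_CIDRS):
        print("FINDING:", finding)
```

The check deliberately treats an "all traffic" (-1) rule as covering port 22 and ignores non-SSH rules such as an HTTP rule, so it reports exactly the two mistakes this walkthrough is guarding against: a world-open or untrusted source on the bastion, and a private instance that trusts an address range instead of the bastion's group.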


Connect via Bastion Host


To connect to a private instance, this walkthrough uses SSH agent forwarding: your private key stays on your workstation, and when the bastion opens the second SSH connection it authenticates through the forwarded agent, so no key material is ever copied onto the bastion. One caveat: while a forwarded session is open, anyone with root on the bastion can use the forwarded agent socket to authenticate as you, so restrict who can log in to the bastion and do not leave sessions idle. On current OpenSSH clients the ProxyJump option (the -J flag, or ProxyJump in ssh_config) tunnels the second connection through the bastion without exposing the agent to it at all, and is generally preferred.


  • Steps for Connecting via Bastion Host:

    1. SSH into the bastion host using your SSH key, with agent forwarding enabled (-A):


ssh -A ec2-user@bastion-host-public-ip

    2. From the bastion host, SSH into the private instance by its private IP address; the forwarded agent supplies the key:


ssh ec2-user@private-instance-ip

This gives administrators a working path into the private subnet while the private instances remain unreachable from the internet: the only public-facing entry point is the bastion host, and it accepts SSH only from the trusted range.


3. Why This Solution is Best


Using a bastion host is one of the best practices for securing access to private subnet resources. The main reasons why this solution is ideal include:


Secure Access:


  • The bastion host is the only publicly exposed instance, significantly reducing the attack surface.

  • By restricting SSH access to trusted IPs and making the bastion host the only access point, the private instances never accept connections from the internet; an attacker would have to compromise the bastion first, and from a trusted source address.


Centralized Access Point:


  • The bastion host acts as a centralized point for access management: every administrative session passes through one instance, which makes monitoring, logging, and control of who reaches the private instances straightforward.

  • It simplifies the perimeter: inbound SSH from the internet is governed by one rule in one security group, the bastion's, while the private instances only ever trust that group.


4. Other Solutions


If a bastion host is not the desired approach, there are a few alternative ways to reach resources in a private subnet.


VPN Access


Establishing a VPN connection between your local network and the VPC gives you direct, routed access to the private subnet without a bastion host: your workstation becomes a host on the VPC's network rather than hopping through an intermediate instance. This can be done with AWS Site-to-Site VPN or AWS Client VPN, or with third-party VPN software running in the VPC.


  • Advantages:

    • Provides direct network access to all instances in the VPC, not just those in the private subnet (each instance's security group rules still apply).

    • Removes the need for agent forwarding or jump hosts.


  • Challenges:

    • Requires VPN setup and configuration, which may introduce additional complexity and cost.


AWS Systems Manager Session Manager


AWS Systems Manager (SSM) Session Manager lets you open an interactive shell on an EC2 instance without a bastion host, a public IP, or any inbound security group rule: the SSM Agent on the instance makes an outbound connection to the Systems Manager service, and you attach to the session through the AWS Management Console, the AWS CLI (with the Session Manager plugin), or the AWS SDKs.


  • Advantages:


    • No inbound SSH or RDP port needs to be open anywhere, not even on a bastion.

    • Access is controlled by IAM rather than by SSH keys, and sessions can be logged to CloudWatch Logs or S3 for auditing.


  • Challenges:


    • Requires the SSM Agent to be installed and running on the instances, an instance profile that lets the agent talk to Systems Manager, and outbound reachability to the Systems Manager endpoints (through a NAT gateway or VPC interface endpoints), since the private subnet has no internet route.

    • Access is governed entirely by IAM policies, so the policies granting session access must be scoped carefully; an over-broad IAM permission replaces the exposed SSH port as the thing to get wrong.


5. Conclusion


Using a bastion host is a well-understood and effective way to access resources in a private subnet while keeping those resources off the internet. It concentrates access management in one place and, combined with the security group rules above, ensures that only connections from trusted addresses, relayed through the bastion, reach the private instances.

However, for users seeking different access methods, solutions like VPN access and AWS Systems Manager Session Manager provide alternative ways to securely access private subnet resources without the need for a bastion host.


By evaluating the specific needs of your environment and access control preferences, you can choose the most appropriate solution for secure, efficient access to your private resources.
