How to create a Bastion Host in AWS

gray laptop computer showing html codes in shallow focus photography
Reading Time: 3 minutes

What is Bastion Host?

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure, it must reduce the chances of attacks.

It is a special-purpose server instance that is designed to be the primary access point from the Internet and acts as a proxy to your other EC2 instances.

How to Bastion Host work?

Amazon VPC enables you to launch AWS resources on a virtual private network that you have defined. It runs on an Aws EC2 instance that is a public subnet of your Aws VPC. Linux instances are in a subnet that is not publicly accessible, and they are set up with a security group that allows SSH access from the security group attached to the underlying EC2 instance running the bastion host. Users connect to the bastion host to connect to the Linux instances.

AWS Bastion Host

Building an AWS bastion host

 The basic steps for creating a bastion host for your AWS infrastructure:

  1. Launch an EC2 instance as you normally would for any other instance.
  2. Apply OS hardening as required.
  3. Set up the appropriate security groups (SG).
  4. Implement to connect local Using SSH-agent forwarding or Remote Desktop Gateway.
  5. Deploy an AWS for each of the Availability Zones you’re using.

Create Ec2 Instance

Create 2 Ec2 instances(Public and Private) using custom VPC, Route table, internet gateway and subnet (Public or Private subnet). And connect to the local using the SSH client.

First Create a custom VPC with public & private subnet, Route table and Internet gateway

Custom VPC
Custom VPC with two subnets, Route table and Internet gateway

Create 2 ec2 instances Public and Private. In a public instance use custom VPC with Public subnet and enable Auto-assign Public IP. Private Instance using custom VPC with Private subnet and Disable Auto-assign Public IP.

Ec2 instance with custom VPC and subnet

connect to the Public network using the SSH Client.

chmod 400 ec2.pem
ssh -i "ec2.pem"

SSH client

Connect to the local Using ssh

Local Server using Public instance

Ubuntu@ip- is the Public Instance of the Network. In the public network use the Public key to log in to the private network on the local machine.

Connect Private network using Public Network

  1. log in or SSH Public Instance to the Local Machine.
  2. Sudo su (Inside the Public Instance).
  3. You need of Public Key (.pem file) to access or log in to the private instance.
  4. Then you copy the.pem file from the local to the Public server using the SCP command.
  5. scp -i ec2.pem ec2.pem ubuntu@ IP):(destination path of .pem file).
  6. Using private Instance IP inside the public instance.
  7. Then you inside your private Network.

SCP command copy .pem file Local to Public Network

Log in to Private Network using Public Network
Aws Private Ec2 instance metadata