AWS Security: Bastion Hosts, NAT instances and VPC Peering

Effective security requires close control over your data and resources. Bastion hosts, NAT instances, and VPC peering can help you secure your AWS infrastructure.

Welcome to part four of my AWS Security overview. In part three, we looked at network security at the subnet level. This time, we’ll look at strategies to avoid unnecessarily exposing your data on the internet using a bastion host to tighten access to your resources, NAT instances, NAT Gateways, and VPC peering. When you’re ready to test yourself, Cloud Academy offers Hands-on Labs that allow you to work directly in a secure, sandboxed environment. Check out the Securing your VPC using Public and Private Subnets Hands-on Lab to learn how to design a VPC with a public subnet, a private subnet, and a network address translation (NAT) instance in the public subnet.

Hands-on Lab on securing your VPCs

 

What is a bastion host, and do I need one?

Bastion hosts are instances that sit within your public subnet and are typically accessed using SSH or RDP. Once remote connectivity has been established with the bastion host, it then acts as a ‘jump’ server, allowing you to use SSH or RDP to log in to other instances (within private subnets) deeper within your VPC. When properly configured through the use of security groups and Network ACLs (NACLs), the bastion essentially acts as a bridge to your private instances via the internet.

You may ask yourself, do I need a bastion host in my environment? If you require remote connectivity with your private instances over the public internet, the answer is yes!

This diagram shows connectivity flowing from an end user to resources on a private subnet through a bastion host:
VPC system
When designing the bastion host for your AWS infrastructure, you shouldn’t use it for any other purpose, as this could open unnecessary security holes. Instead, I would suggest that you look into hardening your chosen operating system for even tighter security.

Here are the basic steps for creating a bastion host for your AWS infrastructure:

  1. Launch an EC2 instance as you normally would for any other instance.
  2. Apply OS hardening as required.
  3. Set up the appropriate security groups (SG).
  4. Implement either SSH-agent forwarding (Linux connectivity) or Remote Desktop Gateway (Windows connectivity).
  5. Deploy an AWS bastion host in each of the Availability Zones you’re using.

Security groups are essential for maintaining tight security and play a big part in making this solution work (you can read more about AWS security groups here). First, create an SG that will be used to allow bastion connectivity for your existing private instances. This SG should only accept SSH or RDP inbound requests from your bastion hosts across your Availability Zones (AZ). Apply this group to all of your private instances that require connectivity.

Next, create a security group to be applied to your bastion host. Inbound and outbound traffic must be restricted at the protocol level as much as possible. The inbound rule base should accept SSH or RDP connections only from the specific IP addresses (usually those of your administrators). You definitely want to avoid allowing wide open access (0.0.0.0/0). Your outbound connection should again be restricted to SSH or RDP access to the private instances of your AWS infrastructure. An easy way to do this is to populate the ‘Destination’ field with the ID of the security group you’re using for your private instances.

SSH and RDP connections require private and public key access to authenticate. This does not pose a problem when you are trying to connect to your bastion host from your local machine, as you can easily store the private key locally. However, once you have connected to your bastion host, logging in to your private instances from the bastion would require having their private keys on the bastion. As you will probably already know (and if not, then take careful note now), storing private keys on remote instances is not a good security practice.

As a result, AWS suggests that you implement either Remote Desktop Gateway (for connecting to Windows instances) or SSH-agent forwarding (for Linux instances). Both of these solutions eliminate the need for storing private keys on the bastion host. AWS provides great documentation on how to implement Windows Remote Desktop Gateway and SSH-agent forwarding.

As with all cloud deployments, you should always consider the resiliency and high availability of your services. With this in mind, I recommend deploying a bastion within each public Availability Zone that you are using. Remember: if the AZ hosting your only AWS bastion host goes down, you will lose connectivity to your private instances in other AZs.

Updates to bastion host functionality

As a side note related to bastion hosts, there are a couple of new ways to supplement your security posture.

First, you can skip bastion hosts altogether by using Session Manager (part of AWS Systems Manager) in order to securely connect to your private instances in your virtual private cloud (VPC) without needing an intermediary bastion host or any of its security-related dependencies, such as key pairs assigned to the instances.

Second, by using EC2 Instance Connect you can simplify one of the management aspects of your bastion hosts. Basically, you can forget about having to associate a key pair to your bastion host instance, nor do you have to add permanent user keys to your authorized keys. Instead, you can now push keys for short periods of time and use IAM policies to restrict access as you see fit. This reduces your compliance and audit footprint as well, which is always a good thing. In general, the implementation would involve using Instance Connect together with an AWS Lambda function to automate your SG group config, having it allow access from the predetermined IP address range of the Instance Connect service.

AWS NAT Instances & NAT Gateways

A NAT (Network Address Translation) instance is, like a bastion host, an EC2 instance that lives in your public subnet. A NAT instance, however, allows your private instances outgoing connectivity to the internet while at the same time blocking inbound traffic from the internet.

Many people configure their NAT instances to allow private instances to access the internet for important operating system updates. As I’ve discussed previously, patching your OS is an important part of maintaining instance level security.

NAT Gateways provide the same functionality as a NAT instance, however, a NAT Gateway is an AWS managed NAT service. As a result, these NAT Gateways offer greater availability and bandwidth and require less configuration and administration.

Launching a NAT Instance Inside Your VPC

You can create and launch a NAT instance in three steps:

  1. Create a Security Group, which will be applied to your NAT.
  2. Select a pre-defined AMI and configure it as with any other EC2 instance.
  3. Set up correct routing.

Once your NAT has been launched, it’s important to disable source/destination checks. To do this, right click on your NAT Instance within the AWS Console and select ‘Networking > Change Source/Dest. Check > Yes, Disable’.

When creating a security group for your NAT, make sure that you allow inbound traffic from your private instances through the HTTP (80) and HTTPS (443) ports to allow for OS and software updates. Your outbound rule set should have an open destination of 0.0.0.0/0 for port 80 and 443 as well. If your instances will require you to open any other ports, this is where to do it.

AWS provides some Amazon Machine Images (AMIs) that are already pre-configured as NAT instances—I recommend that you consider using one. NAT AMIs have names that include the string ‘amzn-ami-vpc-nat’. This makes it easy to find by searching from the Community AMI tab in step one when launching an EC2 instance. These AMIs are a good idea, as they’re configured right out of the box for IPv4 forwarding and iptables IP masquerading. ICMP redirects are disabled.

You will now have to modify the route table used by your private subnets. Make sure you have a route ‘Destination’ that points to the outside world of ‘0.0.0.0/0’ with a ‘Target’ of ‘your new NAT instance.’ Your NAT-instance must be launched within your public subnet and it must have a public IP address. The route table of your public subnet where your NAT resides must have a route to the internet via your Internet Gateway. This will ensure that any request from your private instance will first go to the NAT, and the NAT will forward that traffic out via the IGW to the internet.

Your NAT is now set up and your private instances should be able to communicate with the outside world for updates etc. using ports 80 and 443. However, it’s important to note that connections initiated from the internet will not reach your private instances, as this configuration protects them.

Launching a NAT Gateway inside your VPC

Creating a NAT Gateway requires less configuration compared to a NAT instance:

  1. From within the VPC dashboard in the AWS Management Console, select NAT Gateways > Create NAT Gateway.
  2. Select the subnet to deploy your NAT Gateway.
  3. Apply an available Elastic IP Address (EIP) to your NAT Gateway and click ‘Create.’
  4. Set up correct routing for your private and public subnets as per the explanation above for NAT instances.

NAT Instance vs. NAT Gateway

The following table from AWS Documentation highlights the main differences between NAT instances and NAT Gateways.

NAT Instance vs. NAT Gateway

Introduction to AWS VPC Peering (Virtual Private Cloud)

With AWS VPC Peering, you can connect two VPCs as a single network. Instead of routing data through the internet or a VPN connection, AWS VPC Peering uses the internal AWS network infrastructure to share resources between AWS VPCs. AWS VPC peering provides a tight and secure shared environment that minimizes external exposure.

Because peered VPCs communicate across their private CIDR blocks, it’s important to ensure that the two VPCs do not have overlapping CIDR address ranges. It’s also important to note that you cannot directly reference a security group from one VPC to the other. Instead, you’ll need to enter a CIDR block or specific IP address in the Source/Destination section of your SG rules.

To deep dive into AWS Virtual Private Cloud, Cloud Academy’s Working with AWS Networking and Amazon VPC is a great place to start training. 

AWS VPC Peering Design

When setting up a peered connection, one VPC acts as the requester (the VPC initiating the connection) while the other acts as a peer. Before a connection can be established, the owner of the peer VPC has to acknowledge the request and accept the Peering connection. Once a connection has been established, routing between the CIDR blocks of each VPC must be added to a route table to enable resources within the networks to communicate via the private IP address range.

From a design perspective, you cannot daisy chain VPCs together and expect them to communicate across one large network. Each AWS VPC will only communicate with its ‘requester’ or ‘peer.’ For example, if you have a peering connection between VPC 1 and VPC 2, and another connection between VPC 2 and VPC 3 as below:
VPC
Then VPC 1 and VPC 2 could communicate with each other directly, as can VPC 2 and VPC 3. However, because you cannot route through one VPC to get to another, VPC 1 and VPC 3 could not communicate directly.

To enable direct communication between VPC 1 and VPC 3, you would have to implement a separate peering connection between the two, as shown below:
VPC
AWS VPC peering provides an excellent secure and trusted connection between VPCs for enhanced management and resource sharing. Depending on how you have configured your VPCs, you may want to incorporate such an architecture into your environment. AWS offers some scenarios that are definitely worth exploring.

For advanced configuration of Subnets and Routing for VPC Peering and other VPC solutions including various gateways, see our course, AWS Virtual Private Cloud: Subnets & Routing.

Let’s summarize what we have covered this week:

  • Bastion host: An AWS bastion host can provide a secure primary connection point as a ‘jump’ server for accessing your private instances via the internet.
  • NAT instance: For your private instances, a NAT instance can provide access to the internet for essential software updates while blocking incoming traffic from the outside world.
  • VPC Peering: VPC peering can be used to create secure connectivity and resource sharing between two VPCs.

Read the next post in this series, where I’ve looked at AWS’s Identity Access Manager Service (IAM) and how to create and manage users, groups, and roles, as well as MFA (Multi-Factor Authentication).

Thank you for taking the time to read my post. Please share any feedback in the comments below.



Avatar

Written by

Stuart Scott

Stuart is the AWS content lead at Cloud Academy where he has created over 40 courses reaching tens of thousands of students. His content focuses heavily on cloud security and compliance, specifically on how to implement and configure AWS services to protect, monitor and secure customer data and their AWS environment.


Related Posts

Vijayakumar Athithan
Vijayakumar Athithan
— March 27, 2020

What is Cognito in AWS?

Web applications usually allow a valid username and password combination for successful sign in to the application. Modern authentication flows incorporate more approaches to ensure user authentication. When using AWS, this is no exception, thanks to the abilities and features offered b...

Read more
  • AWS
  • AWS Cognito
  • Solutions Architect
Connie Benton
Connie Benton
— March 25, 2020

How To Build a Career with AWS Certifications

From Iaas and PaaS solutions to digital marketing, cloud computing reshapes the world of technology. As the influence of this technology grows, so does investment. Tens of billions of dollars are being spent on cloud computing-related services each year. This influx is continuing to inc...

Read more
  • AWS
  • Certifications
Avatar
Andrew Larkin
— March 20, 2020

The 12 AWS Certifications: Which is Right for You and Your Team?

As companies increasingly shift workloads to the public cloud, cloud computing has moved from a nice-to-have to a core competency in the enterprise. This shift requires a new set of skills to design, deploy, and manage applications in cloud computing. As the market leader and most ma...

Read more
  • AWS
  • AWS Certifications
Alisha Reyes
Alisha Reyes
— March 17, 2020

Cloud Academy’s Blog Digest: How Do AWS Certifications Increase Your Employability, How to Become a Microsoft Certified Azure Data Engineer, and more

With everything going on right now, it's likely that the only thing you've been reading lately is related to the coronavirus pandemic. It's important to stay informed during these times, but it's also good to jump into something that can take your mind off of the current situation for j...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • programming
  • Security
Avatar
Cloud Academy Team
— March 13, 2020

Which Certifications Should I Get?

As we mentioned in an earlier post, the old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and compan...

Read more
  • AWS
  • Azure
  • Certifications
  • Cloud Computing
  • Google Cloud Platform
Alisha Reyes
Alisha Reyes
— March 7, 2020

New on Cloud Academy: Intro to GitOps; AWS Courses; Java, Python, Amazon Linux 2, Ubuntu, & Docker Playgrounds; and much more

New Lab Playgrounds This month, our Content Team released six new "playground labs." Our playground labs provide a safe and secure sandbox environment for you to explore your own ideas, follow along with Cloud Academy courses, or answer your own questions — all without having to instal...

Read more
  • AWS
  • Azure
  • gitops
  • Google Cloud Platform
  • lab playground
  • programming
Alisha Reyes
Alisha Reyes
— March 6, 2020

New on Cloud Academy: Intro to GitOps; AWS Courses; Java, Python, Amazon Linux 2, Ubuntu, & Docker Playgrounds; and much more

New Lab Playgrounds This month, our Content Team released six new "playground labs." Our playground labs provide a safe and secure sandbox environment for you to explore your own ideas, follow along with Cloud Academy courses, or answer your own questions — all without having to instal...

Read more
  • AWS
  • Azure
  • gitops
  • Google Cloud Platform
  • lab playground
  • programming
Patrick Navarro
Patrick Navarro
— March 4, 2020

AWS Certifications: How Do They Increase Your Employability and Progress Your Career?

AWS certifications are no walk in the park. They’re designed to validate in-depth, specialist knowledge and comprehensive experience, often requiring months of dedicated studying to earn even for those already working with the cloud platform. But the rewards that AWS professionals ca...

Read more
  • AWS
  • AWS certification
  • certification
Avatar
Chandan Patra
— February 21, 2020

Elasticsearch vs. CloudSearch: AWS Cloud Search Choices

Elasticsearch vs. CloudSearch: What's the main difference? Let's compare AWS-based cloud tools: Elasticsearch vs. CloudSearch. While both services use proven technologies, Elasticsearch is more popular, open source, and has a flexible API to use for customization; in comparison, CloudS...

Read more
  • AWS
  • Azure
  • cloudsearch
  • elasticsearch
Avatar
Andrew Larkin
— February 13, 2020

Cloud Academy Content Roadmap Updates

Welcome to our Q1 2020 roadmap. This is the content we plan to build over the next three months, between February 1 - and April 30, 2020. Let's look at some of our roadmap highlights. Atlassian Bamboo for CI/CD We had a lot of requests for practical guides on how to apply DevOps tool...

Read more
  • Artificial Intelligence
  • AWS
  • Azure
  • Docker
  • Google Cloud Platform
  • Kubernetes
  • Machine Learning
Alisha Reyes
Alisha Reyes
— February 7, 2020

New on Cloud Academy: Git Labs, CKA and CKAD Lab Challenges, AWS and Azure Learning Paths, AGILE, and Much More

We just kicked off our first Free Weekend of 2020. This means we've unlocked our Training Library for just 72 hours. Until Sunday at 11:59 pm (PST), you can get unlimited access to our industry-leading learning paths, courses, certification prep exams, and our most popular hands-on labs...

Read more
  • agile
  • AWS
  • Azure
  • Google Cloud Platform
  • Linux
  • OWASP
  • programming
  • red hat
  • scrum
Avatar
Stuart Scott
— February 6, 2020

How to Encrypt an EBS Volume

Keeping data and applications safe in the cloud is one of the most visible challenges facing cloud teams in 2020. Cloud storage services where data resides are frequently a target for hackers, not because the services are inherently weak but because they are often improperly configured....

Read more
  • AWS
  • EBS
  • Encryption