Lab Steps

Logging In to the Amazon Web Services Console
Creating a VPC
Creating a VPC Internet Gateway
Creating a Public Subnet
Creating a Bastion Host
Creating a Private Subnet
Creating a Network ACL for a Private Subnet
Adding Rules to a Private Network ACL
Launching an EC2 Instance on a Private Subnet
Launching a Network Address Translation (NAT) Gateway
Testing access of Private Subnet Instances
Highlights of Securing your VPC
Need help? Contact our support team

Here you can find the instructions for this specific Lab Step.

If you are ready for a real environment experience please start the Lab. Keep in mind that you'll need to start from the first step.

You can pause this lab for
(up to) 1h


A bastion host is typically a host that sits inside your public subnet for the purposes of SSH (and/or RDP) access. You can think of it as a host for gaining secure access to resources in your VPC from the public internet. Bastion hosts are sometimes referred to as jump servers, as you jump to one, then back out of it.

Once you access a bastion host (for example, by using SSH to log into it), in order to access other instances you must either set up SSH port forwarding or copy your SSH key material to the bastion host. The latter is not ideal for security reasons in a production environment. If you require Windows connectivity, then setting up Remote Desktop Gateway instead of SSH port forwarding is recommended. This lab step assumes SSH connectivity to Linux instances.

In this lab step, you will create an EC2 instance that will serve as both an observer instance that you can run various tests from and a bastion host.



1. In the AWS Management Console search bar, enter EC2, and click the EC2 result under Services:



2. To see available instances, click Instances in the left-hand menu:



3. Click Launch instances:



4. In the Name and tags section, enter bastion under Name.


5. In the Application and OS Images section, select the Amazon Linux option under Quick Start:



6. In the Instance Type section, you should not change any options. Simply make sure the default t2.micro is selected:



7. In the Key pair section, select the  keypair:
Note: Your keypair may differ from the screenshot. 
Reminder: The PEM or PPK formatted key pair can be downloaded directly from the Your lab data section of the Cloud Academy Lab page at any time.


8.  In the Network settings section, click Edit, and configure the following instance details:

  • VPC: Select the cloudacademy-labs VPC
  • Subnet: Select the Public-A | us-west-2a subnet
  • Auto-assign Public IP: Select Enable 
  • Firewall: Select Create security group
  • Security group name: Enter SG-bastion
  • Description: Enter SG for bastion host. SSH access only
  • Type: SSH
  • Protocol: TCP
  • Port: 22
  • Source type: Anywhere
  • Source:

Note: It isn't a best practice to set the source to any IP, but is used to allow the lab to work in complex network environments. If you are in an environment with a static IP, you could set the source field to My IP in the drop-down menu to only allow your IP for improved security.


9. Review the Summary section and click Launch instance:


A confirmation page will let you know that your instance is launching:​​​​​​​



10. Click View all instances at the bottom of the confirmation page. The status of your instance will transition to Running within 30 seconds. 



In this lab step, you launched an EC2 instance with a public IP address in your public subnet that will be used as a bastion host.

In a production environment, you would restrict inbound access to specific IP addresses of your network administrators. The outbound traffic will also be modified later in this lab, restricting the destination to the security group of instances in your private subnet only. When configuring bastion hosts, they are often stripped down to provide the minimum amount of services.