Creating a Bastion Host
A bastion host is typically a host that sits inside your public subnet for the purposes of SSH (and/or RDP) access. You can think of it as a host for gaining secure access to resources in your VPC from the public internet. Bastion hosts are sometimes referred to as jump servers, because you jump to one and from there on to the private resources behind it.
Once you access a bastion host (for example, by using SSH to log into it), in order to access other instances you must either set up SSH port forwarding or copy your SSH key material to the bastion host. The latter is not ideal for security reasons in a production environment, because the private key then lives on an internet-facing host. If you require Windows connectivity, then setting up Remote Desktop Gateway instead of SSH port forwarding is recommended. This lab step assumes SSH connectivity to Linux instances.
In this lab step, you will create an EC2 instance that will serve as both an observer instance that you can run various tests from and a bastion host.
1. In the AWS Management Console search bar, enter EC2, and click the EC2 result under Services:
2. To see available instances, click Instances in the left-hand menu:
3. Click Launch instances:
Note: If you encounter the new launch experience, click Opt-out to the old experience at the top of the page to ensure a consistent experience for this lab:
4. Select the top entry for the Amazon Linux 2 AMI (64-bit):
5. Ensure the t2.micro instance type is selected:
6. Click Next: Configure Instance Details:
7. Configure the following instance details:
- Network: Select the cloudacademy-labs VPC
- Subnet: Select the Public-A | us-west-2a subnet
- Auto-assign Public IP: Select Enable
Note: The student account has restricted permissions, and cannot list IAM roles. Do not worry about the IAM permissions message.
Leave the rest of the settings at their default values.
8. Click Next: Add Storage:
Keep the default values on this page.
9. Click Add Tags:
10. Click Next: Configure Security Group:
11. Configure the following security group settings:
- Assign a security group: Select Create a new security group
- Security group name: Enter SG-bastion
- Description: Enter SG for bastion host. SSH access only
- Type: SSH
- Protocol: TCP
- Port: 22
- Source: 0.0.0.0/0
Note: It isn't a best practice to set the source to any IP, but it is used here to allow the lab to work in complex network environments. If you are in an environment with a static IP, you could set the source field to My IP in the drop-down menu to only allow your IP for improved security.
12. Click Review and Launch:
13. Click Launch:
The Select an existing key pair or create a new key pair popup window will appear.
14. Ensure that the 12-digit key pair generated for you by Cloud Academy is selected under Select a key pair:
Reminder: The PEM or PPK formatted key pair can be downloaded directly from the Your lab data section of the Cloud Academy Lab page at any time.
15. Click the checkbox next to the acknowledge statement and click Launch Instances:
16. Click View Instances at the bottom of the confirmation page. The status of your instance will transition to Running within 30 seconds.
17. Hover over the Name field of your instance, then click the edit icon and enter bastion for the Name:
In this lab step, you launched an EC2 instance with a public IP address in your public subnet that will be used as a bastion host.
In a production environment, you would restrict inbound access to the specific IP addresses of your network administrators. The outbound traffic will also be modified later in this lab, restricting the destination to the security group of instances in your private subnet only. When configuring bastion hosts, they are often stripped down to provide the minimum set of services.
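The two security points above, reaching private instances without copying the key to the bastion and restricting the SSH source, as an added example that is not part of the Cloud Academy lab. It assumes placeholder addresses (203.0.113.10 for the bastion, 10.0.1.25 for a private instance) and a key file path; the ssh_config it emits uses ProxyJump, which is the modern form of SSH port forwarding through a jump host.

```shell
#!/bin/sh
# Added example, not from the lab. Placeholder values are constructed;
# override them with environment variables to match your own VPC.
BASTION_IP="${BASTION_IP:-203.0.113.10}"        # public IP of the bastion
PRIVATE_IP="${PRIVATE_IP:-10.0.1.25}"           # instance in the private subnet
KEY_FILE="${KEY_FILE:-$HOME/.ssh/lab-key.pem}"  # downloaded lab key pair

# Emit an ssh_config fragment. ProxyJump makes the client tunnel through
# the bastion and authenticate to the private host directly, so the .pem
# stays on the workstation. No ForwardAgent, no scp of the key.
bastion_ssh_config() {
  cat <<EOF
Host bastion
    HostName $BASTION_IP
    User ec2-user
    IdentityFile $KEY_FILE
    IdentitiesOnly yes

Host private-app
    HostName $PRIVATE_IP
    User ec2-user
    IdentityFile $KEY_FILE
    IdentitiesOnly yes
    ProxyJump bastion
EOF
}

# Equivalent one-liner without a config file (-J is ProxyJump).
private_ssh_cmd() {
  printf 'ssh -J ec2-user@%s -i %s ec2-user@%s\n' \
    "$BASTION_IP" "$KEY_FILE" "$PRIVATE_IP"
}

# Returns 0 only for a single-host source, which is what the console's
# "My IP" option produces; anything wider, including 0.0.0.0/0, returns 1.
ssh_source_is_restricted() {
  case "$1" in
    */32|*/128) return 0 ;;
    *)          return 1 ;;
  esac
}

if [ "${1:-}" = "--print" ]; then
  bastion_ssh_config
  private_ssh_cmd
fi
```

Run with `--print` to see the generated configuration; `ssh_source_is_restricted` can be used to fail a deployment check when the SG-bastion inbound rule is still 0.0.0.0/0.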