Lab Steps

Logging in to the Amazon Web Services Console
Creating a VPC
Creating a VPC Internet Gateway
Creating a Public Subnet
Creating a Bastion Host
Creating a Private Subnet
Creating a Network ACL for a Private Subnet
Adding Rules to a Private Network ACL
Launching an EC2 Instance on a Private Subnet
Launching a Network Address Translation (NAT) instance
Testing access of Private Subnet Instances
Highlights of Securing your VPC
Need help? Contact our support team

Here you can find the instructions for this specific Lab Step.

If you are ready for a real environment experience please start the Lab. Keep in mind that you'll need to start from the first step.


A bastion host is typically a host that sits inside your public subnet for the purposes of SSH (and/or RDP) access. You can think of it as a host for gaining secure access to resources in your VPC from the public internet. Bastion hosts are sometimes referred to as jump servers, as you jump to one, then back out of it. In this Lab Step you will create an EC2 instance that will serve as both an observer instance that you can run various tests from and a bastion host.

Note: Once you access a bastion host (for example, by using SSH to log into it), in order to access other instances you must either setup SSH port forwarding, or copy your SSH key material to the bastion host. The latter is not ideal for security reasons in a production environment. If you require Windows connectivity, then setting up Remote Desktop Gateway instead of SSH port forwarding is recommended. This Lab Step assumes SSH connectivity to Linux instances.



1. Navigate to the EC2 Dashboard and click Launch Instance. A 7-page wizard starts. Fill out accordingly:

Step 1: Choose AMI

  • Select the top entry for the Amazon Linux 2 AMI (64-bit)


Step 2: Choose Instance Type

  • Select the default t2.micro (Free tier eligible)


Step 3: Configure Instance

  • Network: Select the cloudacademy-labs VPC
  • Subnet: Select the Public-A (us-west-2a) subnet
  • Auto-assign Public IP: Select Enable 
  • IAM role: Leave as None (The student account has restricted permissions, and cannot list IAM roles. Please do not worry about the IAM permissions message.)
  • Note: Leave the rest of the settings at their default values


Step 4: Add Storage

  • Leave all the default values


Step 5: Add Tags

  • No tags are needed


Step 6: Configure Security Group

  • Select Create a new security group
  • Security group name: Enter SG-bastion
  • Description: Enter SG for bastion host. SSH access only.
  • Rule:
    • Type: SSH
    • Protocol: TCP
    • Port: 22
    • Source: Select My IP from the drop-down menu (Note: This is a safe, temporary setting and will get changed later.)


Step 7: Review

  • Review the settings and click Launch when ready. A key pair dialog is started.


Select an existing key pair or create a new key pair dialog:

  • Choose an existing key pair
  • Select a key pair: Select the 12-digit key pair generated for you by the Cloud Academy. (Reminder: The PEM or PPK formatted key pair can be downloaded directly from the Your lab data section of the Cloud Academy Lab page at any time.)
  • Check the "I acknowledge..." message

Click Launch Instance when ready to proceed.


2. Once launched, click View Instances to see your instance in the EC2 Dashboard. The status should transition to running within about 30 seconds. 


3. Hover over the Name field of your instance. Click the edit pencil and enter bastion for the Name. This will make it easily identifiable when other instances are up and running as well:


Note: You will only see the bastion host in your lab environment. (Private and NAT instances have not been launched.)



In this Lab Step you launched a basic Linux EC2 instance with a publicly routable IP address in your public subnet that will be used as a bastion host. Later on you will modify its security group to restrict inbound traffic to SSH only. In production you would restrict inbound access to specific IP addresses of your network administrators. (In this Lab you will be a bit more relaxed however.) The outbound traffic will also be modified later, restricting the destination to the security group of instance(s) in your private subnet only. When configuring bastion hosts, they are often stripped down to provide the minimal amount of services. Essentially, they are used for SSH almost exclusively, so with fewer services there are fewer exploit possibilities.