Lab Steps

  • Logging in to the Amazon Web Services Console
  • Creating a VPC
  • Creating a VPC Internet Gateway
  • Creating a Public Subnet
  • Creating a Bastion Host
  • Creating a Private Subnet
  • Creating a Network ACL for a Private Subnet
  • Adding Rules to a Private Network ACL
  • Launching an EC2 Instance on a Private Subnet
  • Launching a Network Address Translation (NAT) Gateway
  • Testing access of Private Subnet Instances
  • Highlights of Securing your VPC

Introduction

A bastion host is typically a host that sits inside your public subnet for the purposes of SSH (and/or RDP) access. You can think of it as a host for gaining secure access to resources in your VPC from the public internet. Bastion hosts are sometimes referred to as jump servers, as you jump to one and then on to other hosts from it.

Once you access a bastion host (for example, by using SSH to log into it), in order to access other instances you must either set up SSH port forwarding or copy your SSH key material to the bastion host. The latter is not ideal for security reasons in a production environment: anyone who compromises the bastion would also obtain the private keys for every instance behind it. If you require Windows connectivity, then setting up Remote Desktop Gateway instead of SSH port forwarding is recommended. This lab step assumes SSH connectivity to Linux instances.

In this lab step, you will create an EC2 instance that will serve as both an observer instance that you can run various tests from and a bastion host.
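The port-forwarding approach described above can be expressed as an OpenSSH client configuration that uses ProxyJump, so the private key stays on the administrator's workstation and is never copied to the bastion. The following script is an added example, not part of the Cloud Academy lab; the IP addresses and key path are constructed placeholders, and the `ec2-user` login name is the default for Amazon Linux 2.

```shell
#!/bin/sh
# Added example (not part of the Cloud Academy lab): generate an ssh_config
# snippet that reaches a private-subnet instance through the bastion with
# ProxyJump, so the private key never leaves the administrator's workstation.
# The IP addresses and key path used below are constructed placeholders.

# Usage: bastion_ssh_config BASTION_PUBLIC_IP PRIVATE_INSTANCE_IP KEY_PATH
bastion_ssh_config() {
    bastion_ip=$1
    private_ip=$2
    key_path=$3
    cat <<EOF
# Bastion host in the public subnet: the only host reachable from the internet.
Host bastion
    HostName ${bastion_ip}
    User ec2-user
    IdentityFile ${key_path}
    IdentitiesOnly yes
    # No agent forwarding: a compromised bastion must not be able to use our agent.
    ForwardAgent no

# Private-subnet instance: ssh connects to the bastion first, opens a TCP
# forward to the private IP, and authenticates end-to-end from this workstation.
Host private-a
    HostName ${private_ip}
    User ec2-user
    IdentityFile ${key_path}
    IdentitiesOnly yes
    ProxyJump bastion
    ForwardAgent no
EOF
}

# Sanity-check a generated config: the private host must go through ProxyJump
# and no host may enable agent forwarding. Returns 0 when both conditions hold.
check_bastion_config() {
    config=$1
    printf '%s\n' "$config" | grep -q '^ *ProxyJump bastion$' || return 1
    printf '%s\n' "$config" | grep -q '^ *ForwardAgent yes$' && return 1
    return 0
}

# Constructed sample values. To use the result, append it to ~/.ssh/config, e.g.
#   bastion_ssh_config 203.0.113.10 10.0.1.25 ~/.ssh/lab-key.pem >> ~/.ssh/config
config=$(bastion_ssh_config 203.0.113.10 10.0.1.25 "$HOME/.ssh/lab-key.pem")
check_bastion_config "$config" && echo "config OK"
```

With that configuration in place, `ssh private-a` transparently hops through the bastion; the one-off equivalent without a config file is `ssh -J ec2-user@203.0.113.10 ec2-user@10.0.1.25`. Keeping `ForwardAgent no` matters for the same reason as not copying keys: an agent forwarded to the bastion can be used by anyone with root on it.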

Instructions

1. In the AWS Management Console search bar, enter EC2, and click the EC2 result under Services:

2. To see available instances, click Instances in the left-hand menu:

3. Click Launch instances:

4. Select the top entry for the Amazon Linux 2 AMI (64-bit):

5. Ensure the t2.micro instance type is selected:

6. Click Next: Configure Instance Details:

7. Configure the following instance details:

  • Network: Select the cloudacademy-labs VPC
  • Subnet: Select the Public-A | us-west-2a subnet
  • Auto-assign Public IP: Select Enable

Note: The student account has restricted permissions and cannot list IAM roles. Do not worry about the IAM permissions message.

Leave the rest of the settings at their default values.

8. Click Next: Add Storage:

Keep the default values on this page.

9. Click Add Tags:

10. Click Next: Configure Security Group:

11. Configure the following security group settings:

  • Assign a security group: Select Create a new security group
  • Security group name: Enter SG-bastion
  • Description: Enter SG for bastion host. SSH access only
  • Type: SSH
  • Protocol: TCP
  • Port: 22
  • Source: Select My IP from the drop-down menu

12. Click Review and Launch:

13. Click Launch:

The Select an existing key pair or create a new key pair popup window will appear.

14. Ensure that the 12-digit key pair generated for you by Cloud Academy is selected under Select a key pair.

Reminder: The PEM or PPK formatted key pair can be downloaded directly from the Your lab data section of the Cloud Academy Lab page at any time.

15. Click the checkbox next to the acknowledge statement and click Launch Instances:

16. Click View Instances at the bottom of the confirmation page. The status of your instance will transition to Running within 30 seconds.

17. Hover over the Name field of your instance, then click the edit icon and enter bastion for the Name:

Summary

In this lab step, you launched an EC2 instance with a public IP address in your public subnet that will be used as a bastion host.

In a production environment, you would restrict inbound access to the specific IP addresses of your network administrators. The outbound traffic will also be modified later in this lab, restricting the destination to the security group of the instances in your private subnet only. When configuring bastion hosts, they are often stripped down to run the minimum set of services.
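The security group from step 11 (SSH only, source restricted to one address) and the outbound restriction mentioned in the summary can both be created with the AWS CLI. The script below is an added example, not part of the Cloud Academy lab: it refuses any administrator source that is not a single /32 host and, when given the private subnet's security group id, replaces the default allow-all egress rule with one that only permits SSH toward that group. The VPC id, security group id and administrator address are constructed placeholders, and the `create_bastion_sg` function is only invoked by hand because it needs AWS credentials.

```shell
#!/bin/sh
# Added example (not part of the Cloud Academy lab): create the bastion
# security group with the AWS CLI while enforcing the "My IP" restriction
# from step 11 and the narrow egress described in the summary.
# The VPC id, security group id and admin address in the comments below are
# constructed placeholders.

# Returns 0 only if CIDR is a single IPv4 host (/32) and not 0.0.0.0/anything.
validate_admin_cidr() {
    cidr=$1
    case "$cidr" in
        0.0.0.0/*) return 1 ;;   # never open SSH to the whole internet
        */32) ;;                 # must be exactly one host
        *) return 1 ;;
    esac
    ip=${cidr%/32}
    # four dotted decimal octets, each in the range 0-255
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Creates SG-bastion in VPC_ID allowing inbound SSH only from ADMIN_CIDR.
# If PRIVATE_SG_ID is given, the default allow-all egress rule is removed and
# replaced by SSH toward that security group only. Prints the new group id.
# Requires the aws CLI with credentials; it is not run automatically below.
create_bastion_sg() {
    vpc_id=$1; admin_cidr=$2; private_sg_id=$3
    validate_admin_cidr "$admin_cidr" || {
        echo "refusing admin CIDR: $admin_cidr (must be a single /32 host)" >&2
        return 1
    }
    sg_id=$(aws ec2 create-security-group \
        --group-name SG-bastion \
        --description "SG for bastion host. SSH access only" \
        --vpc-id "$vpc_id" \
        --query GroupId --output text) || return 1
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
        --protocol tcp --port 22 --cidr "$admin_cidr" || return 1
    if [ -n "$private_sg_id" ]; then
        # Every new security group starts with an all-traffic egress rule to
        # 0.0.0.0/0; revoke it before adding the narrow rule.
        aws ec2 revoke-security-group-egress --group-id "$sg_id" \
            --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]' || return 1
        aws ec2 authorize-security-group-egress --group-id "$sg_id" \
            --protocol tcp --port 22 --source-group "$private_sg_id" || return 1
    fi
    echo "$sg_id"
}

# Example invocation with placeholder ids (needs AWS credentials), using the
# workstation's current public address as the only permitted SSH source:
#   create_bastion_sg vpc-0123456789abcdef0 \
#       "$(curl -s https://checkip.amazonaws.com)/32" sg-0fedcba9876543210
validate_admin_cidr 203.0.113.10/32 && echo "203.0.113.10/32 accepted"
validate_admin_cidr 0.0.0.0/0 || echo "0.0.0.0/0 rejected"
```

The validator is the part worth keeping even if you create the group in the console: a security group whose SSH source is 0.0.0.0/0 is the most common way a bastion ends up exposed, and refusing anything other than a single /32 makes that mistake fail early rather than silently.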
