Connecting to a Private Instance through a Bastion Host

Helen Campbell
7 min read, Mar 15, 2021


Task: we are setting up architecture that gives our team a private instance in a private subnet that only our team can reach. We need to configure the network so that our team can access that private instance.

Let’s head over to the AWS Console.

Step 1: Build a Custom VPC with a CIDR of 10.0.0.0/16

Locate and select VPC on the AWS Services Page under Networking & Content Delivery.

On the VPC page, click “Create VPC.”

Next, enter a name in the name tag box; I chose “p1vpc”. We will insert our CIDR into the IPv4 CIDR block box as 10.0.0.0/16. Leave the defaults as they are given and click “Create VPC.”

Step 2: Create a Public Subnet with a CIDR of 10.0.1.0/24

To create a subnet, find Subnets on the VPC drop-down menu on the left-hand side. Once there, click “Create subnet.”

We are asked to choose the VPC ID. Select the VPC that you have created (not the default option). The VPC ID is on the top row, with the CIDR value on the bottom (10.0.0.0/16). Click “Create subnet.”

In the subnet settings, enter a name and an IPv4 CIDR block. In this instance, “public-sn” works. Enter 10.0.1.0/24 in the IPv4 CIDR block box, leave the key and value as they are, and click “Create Subnet.”

Step 3: Create a Private Subnet with a CIDR of 10.0.2.0/24

Repeat the process above, changing the subnet name to “private-sn” and the IPv4 CIDR block to 10.0.2.0/24. Leave the key and value as is and click “Create subnet.”

Our subnet page should now list our two subnets named public-sn and private-sn.

The following steps are crucial to the success of this project!

Step 1: Create and Attach the Internet Gateway

On the left-hand side of our screen, locate internet gateway on our VPC drop-down menu. Click “Create internet gateway.”

In the name tag box, enter a name for the internet gateway, such as “myIGW.” Click “Create internet gateway.”

You are taken to the details page for the internet gateway you just created. Open the Actions menu and choose “Attach to VPC.”

A drop-down menu appears; select the VPC we created and click “Attach internet gateway.”

Step 2: Create a NAT Gateway

Find NAT Gateways under the VPC drop-down menu on the left-hand side. Select “Create NAT gateway.”

We are creating a NAT gateway in our public subnet. On the creation page, enter a name such as “myGW.” Select the public subnet from the subnet menu and allocate an elastic IP. Select “Create NAT gateway.”

Step 3: Create and Connect the Route Tables

On the left-hand side, click “Route Tables.” Once on the page, select “Create route table.”

On the “Create route table” page, we will create a public route table and a private route table. The steps are the same for both. In the photo below, I show the creation of the public route table; please note that you NEED TO create a public AND private route table. Enter the names (public-rt and private-rt), select our VPC and click the “Create” button.

We now need to edit the routes for public-rt and private-rt so that each connects to its respective Internet/NAT Gateway. Below are the steps for public-rt. Select public-rt, open the Routes tab below it, and click “Edit routes.”

Add a route.

Type in 0.0.0.0/0 for our destination, select the Internet Gateway (myIGW) we created for the target, and save routes.

Follow the same steps with private-rt selected, but this time target the NAT gateway we created.

Step 4: Subnet Associations

For each route table, edit the subnet associations: associate public-sn with public-rt and private-sn with private-rt. The photos below show the steps for the private route table. Repeat the process for the public route table.

We now need to locate the EC2 page under Compute on the AWS Console.

Step 4: Create a Bastion Host in the Public Subnet with a Public IP Address

On the EC2 Resources page, click “Instances (running).”

Click “Launch Instances.”

Select which AMI to work with. Since we are working with the free tier of AWS, the first AMI option works (Amazon Linux 2 AMI (HVM), SSD Volume Type).

Then choose the Instance Type t2.micro and hit “Next: Configure Instance Details.”

We are concerned with Network, Subnet, and Assign Public IP on the Configure Instance Details page. For Network, select the VPC ID (p1vpc) we set up earlier. Select the public subnet and select enable for Auto-assign Public IP. Click “Next: Add Storage.”

We will leave storage as default, and click “Next: Add Tags.” Add “Name” for the key and “BastionHost” as the Value. Click “Next: Configure Security Group.”

Create a new security group named and described as BastionHost. Change the source to “My IP” and click “Review and Launch.”

Create a new key pair named BastionHostKP for this project, and download the key pair. It is essential to know where this key pair is downloaded into your computer so you can use it in the future. Remember, we can only download a key pair once. Click “Launch Instances.”

Step 5: Launch an EC2 t2 or t3 Nano Instance in the Private Subnet with only a Private IP Address

Follow the steps in creating a new instance as mentioned above. For Network, select our created VPC, choose private-sn for the Subnet, and select disable for Auto-assign Public IP.

Leave storage as default and click “Next: Add Tags.” Add “Name” for the key and “PrivLayer” as the Value. Click “Next: Configure Security Group.”

Click “Create a new security group” and enter p1pSG for the security group name and description. Change the source to Custom and enter the Bastion Host’s private IPv4 address, which you can find on the Bastion Host’s instance details page. Click “Review and Launch.”

Private IPv4 address for Bastion Host used in photo below

Use the existing key pair that was created titled “BastionHostKP”. Acknowledge the message at the bottom and launch the instance.
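As an added example (not part of the original post), here is a small offline checker for the properties Steps 1 to 5 rely on: both subnets inside the VPC CIDR, the public subnet defaulting to the internet gateway and the private one to the NAT gateway, the bastion with a public IP and the private instance without one, SSH to the bastion allowed from a single address, and SSH to the private instance allowed only from the bastion’s private IP. The dict layout, IDs and addresses are constructed for the example and are not boto3 output.

```python
import ipaddress

# Constructed sample describing the layout built in this post (hand-written shape, not an AWS API response).
VPC = {
    "cidr": "10.0.0.0/16",
    "subnets": {
        "public-sn":  {"cidr": "10.0.1.0/24", "route_table": "public-rt"},
        "private-sn": {"cidr": "10.0.2.0/24", "route_table": "private-rt"},
    },
    "route_tables": {                      # destination -> target (IDs are placeholders)
        "public-rt":  {"0.0.0.0/0": "igw-myIGW"},
        "private-rt": {"0.0.0.0/0": "nat-myGW"},
    },
    "security_groups": {                   # (protocol, port, source CIDR)
        "BastionHost": [("tcp", 22, "203.0.113.7/32")],   # "My IP" (constructed)
        "p1pSG":       [("tcp", 22, "10.0.1.25/32")],     # bastion's private IP
    },
    "instances": {
        "BastionHost": {"subnet": "public-sn",  "sg": "BastionHost", "public_ip": True,  "private_ip": "10.0.1.25"},
        "PrivLayer":   {"subnet": "private-sn", "sg": "p1pSG",       "public_ip": False, "private_ip": "10.0.2.40"},
    },
}

def find_problems(vpc):
    """Return a list of findings; an empty list means the layout matches the walkthrough."""
    problems = []
    vpc_net = ipaddress.ip_network(vpc["cidr"])
    for name, sn in vpc["subnets"].items():
        if not ipaddress.ip_network(sn["cidr"]).subnet_of(vpc_net):
            problems.append(f"{name}: CIDR {sn['cidr']} is outside the VPC {vpc['cidr']}")
    bastion, priv = vpc["instances"]["BastionHost"], vpc["instances"]["PrivLayer"]
    def default_target(subnet):   # target of the 0.0.0.0/0 route for the subnet's route table
        return vpc["route_tables"][vpc["subnets"][subnet]["route_table"]].get("0.0.0.0/0", "")
    if not default_target(bastion["subnet"]).startswith("igw-"):
        problems.append("public subnet's default route does not point at the internet gateway")
    if not default_target(priv["subnet"]).startswith("nat-"):
        problems.append("private subnet's default route does not point at the NAT gateway")
    if not bastion["public_ip"]:
        problems.append("BastionHost has no public IP")
    if priv["public_ip"]:
        problems.append("PrivLayer has a public IP; it should only have a private one")
    # SSH exposure: bastion reachable from one address only, private host only from the bastion.
    for _proto, port, src in vpc["security_groups"][bastion["sg"]]:
        if port == 22 and ipaddress.ip_network(src).num_addresses != 1:
            problems.append(f"BastionHost SG allows SSH from {src}, not a single address")
    bastion_ip = ipaddress.ip_address(bastion["private_ip"])
    for _proto, port, src in vpc["security_groups"][priv["sg"]]:
        net = ipaddress.ip_network(src)
        if bastion_ip not in net or net.num_addresses != 1:
            problems.append(f"PrivLayer SG allows port {port} from {src}, not just the bastion's private IP")
    return problems
```

Running the checker over a copy in which private-rt points at the internet gateway, PrivLayer has a public IP, and p1pSG accepts SSH from anywhere yields three findings, which are exactly the mistakes that would expose the private instance.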

Step 6: Connect “Successfully” to the Private Instance from the Bastion Host in your VPC!

I use a Mac, so these next steps use Terminal.

Open Terminal and follow the steps found here: https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/.

SSH into your Bastion Host. Once you receive a success message, SSH into the “PrivLayer” instance.

Once you have successfully connected into the Private Instance through the Bastion Host, you have completed your task.

Find me on LinkedIn — linkedin.com/in/helenccampbell
