Accessing private EC2 using the bastion host/jump host

David Cheong
Jun 7, 2020


This post continues from the previous post, Deploying EC2 with Private and Public Subnet Using Terraform in AWS.

Bastion hosts are instances that sit within your public subnet and are typically accessed using SSH or RDP. The primary role of the bastion host is to act as the “jump” server, allowing you to reach the servers in your private subnet over SSH or RDP.

There are a few best practices recommended for the bastion host:

  1. Never place your SSH private key on your bastion hosts. It’s always recommended to use SSH Agent Forwarding to connect to the bastion hosts and then to the other instances on the private subnets.
  2. Make sure the security group on the bastion host allows SSH (port 22) only from your trusted IP address, not from 0.0.0.0/0.
  3. Run more than one bastion host, in different availability zones, to ensure high availability.
  4. Configure the private server to accept SSH only from the bastion hosts.

By using the SSH agent, we do not need to copy our private key (PEM file) to the bastion host, which keeps the key secure. The SSH agent handles the signing of authentication data on your behalf.

Step 1: Add the private key (PEM file) to the key chain. This allows the user to access the private instance without copying the key to the bastion hosts. To add the key, use this command:

Step 2: Check whether the private key has been added to the key chain

The above will list all the keys added to the chain. Check whether the key you added is listed there.

Step 3: Access the bastion host (Public instance)

Step 4: Access the private instance

You should now be in your EC2 instance inside the private subnet. To find out how to create the test stack using Terraform, refer to the previous post about using Terraform to build the VPC and EC2.
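The four steps above gathered into one script, as an added example that is not code from the original post. The key path, user names and addresses are placeholders passed as arguments, and the one-hour key lifetime (`-t 1h`) is an assumption of this example.

```shell
#!/usr/bin/env bash
# Added example. KEY, BASTION and PRIVATE are supplied by the caller;
# none of these values come from the original post.

# Return 0 if fingerprint $1 appears in the `ssh-add -l` output given as $2.
# Each listing line has the form: "<bits> <fingerprint> <comment> (<type>)".
fingerprint_listed() {
  local want="$1" listing="$2" bits fp rest
  [ -n "$want" ] || return 1            # an empty fingerprint never matches
  while read -r bits fp rest; do
    [ "$fp" = "$want" ] && return 0
  done <<EOF
$listing
EOF
  return 1
}

# Steps 1-2: add the key to the agent, then confirm the agent really holds it.
load_key() {
  local key="$1" fp
  # Derive the public key from the PEM file and take its fingerprint.
  fp=$(ssh-keygen -y -f "$key" | ssh-keygen -lf - | awk '{print $2}')
  ssh-add -t 1h "$key" || return 1      # -t: agent drops the key after 1 hour
  fingerprint_listed "$fp" "$(ssh-add -l)"
}

# Steps 3-4: -A forwards the local agent to the bastion; the inner ssh,
# which runs on the bastion, authenticates to the private host through it.
jump() {
  local key="$1" bastion="$2" private="$3"
  load_key "$key" || { echo "key is not loaded in the agent" >&2; return 1; }
  ssh -A -t "$bastion" ssh "$private"
}

# Usage: ./jump.sh <key.pem> <user@bastion-public-ip> <user@private-ip>
if [ "$#" -eq 3 ]; then jump "$@"; fi
```

While the `-A` session is open, anyone with root on the bastion can use the forwarded agent socket to authenticate with your key, which is why the example gives the key a limited lifetime in the agent.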

Originally published at https://tech.david-cheong.com on June 7, 2020.
