What is a Bastion Host and why is it so important? Complete guide with installation
The concept of a bastion host in AWS, explained with the help of an example.
In the top right corner of the diagram you will see a castle. In the middle you will see a tunnel, which is the only entrance to this castle, and on the left you will see an intruder or trespasser (a thief). Anyone who wants to get into the castle has to go through this tunnel, and it is not an ordinary tunnel: it is heavily guarded and has an armoury.
So anyone with valid access to the castle passes through without a problem, but an intruder, or anyone without valid access to the tunnel, is stopped there and prohibited from entering the castle.
The guarded tunnel in the middle is where all the security checks happen. The same idea applies to a bastion host: tunnel = bastion host with guards.
Note: the bastion host is the tunnel that everyone who wants to reach our AWS network or AWS resources has to pass through, and the castle on the right is our AWS environment, where our resources are running. Because every administrative connection funnels through this one host, it is the single place to harden, log and monitor.
AWS setup for a Bastion host, with example
On the left you will see a user who reaches our AWS network through the internet gateway. Inside the VPC we have a public subnet and a private subnet.
The bastion host always lives in the public subnet so that users on the internet can reach it. A user who has proper access (a valid SSH key) can then hop from the bastion to the resources in the private subnet.
The tunnel therefore sits in the public subnet, where it is guarded, and every connection into the private subnet passes through it. Our resources, the castle, are hosted in the private subnet, which has no route to the internet gateway, so any user coming into our AWS network has to go through the bastion host.
Let’s do the practical part
Setup Cloud Environment
Setup VPC
A VPC (Virtual Private Cloud) is like a virtual data center, similar to a physical one in the real world. Any resource we create will reside inside our VPC.
- Click on “Create VPC”
- Fill in the required fields, as shown below
Click on → VPC only
Name → “test-vpc”
IP range → We do not define a single IP; we define an IP range so that any resource created inside the VPC gets its IP address out of that range. This is called the CIDR block, and the walkthrough uses 12.0.0.0/16. Note that 12.0.0.0/8 is publicly routable address space, not one of the RFC 1918 private ranges; for anything beyond a throwaway lab, pick a private range such as 10.0.0.0/16 so that VPC addresses never collide with real internet hosts (for example when peering VPCs or when an instance later gets outbound internet access).
Put in the value and create the VPC
Setup Internet Gateway
Create an internet gateway so that users on the internet can reach our AWS network. Without an internet gateway attached to the VPC, nothing inside it is reachable from outside, public IP or not.
The internet gateway option is available inside the VPC console.
- To set up the Internet Gateway, go back to your VPC Console → Internet Gateways
- Click on “Create Internet Gateway”
- Fill in the simple details below.
Click on “Create IGW” → Internet Gateway successfully created.
Below we can see that our internet gateway, “IGW-test”, is not yet associated with our VPC. You can see its state as “detached”.
- Attach “IGW-test” to our “test-vpc”
Select “IGW-test” → click “Actions” → “Attach to VPC”
We have successfully attached them.
Create Public and Private Subnet
- Go to your “VPC Dashboard” section → Click on “Subnets”
- Create “Subnet”
- Select your “test-vpc” as the VPC for the subnet
- Creating the “Public Subnet”
Continue setup → same screen
Here we select an Availability Zone within our region. A region contains multiple Availability Zones, each an isolated set of data centers, and we choose the zone explicitly for the sake of high availability: spreading resources across zones minimises downtime and keeps resources available even when one zone has problems. The “2a” suffix in the subnet name records which zone it lives in. The public subnet takes a /24 out of the VPC range; the walkthrough uses 12.0.1.0/24, which comes up again when the private instance’s security group is configured.
- Adding the “Private Subnet”
Click “Create subnet”
Setup route table
We need route tables so that requests coming in through our internet gateway can be routed to the public subnet, while the private subnet keeps only internal routes.
- Go to your “VPC dashboard” → Create route table
- Setting up the “Public Route Table”
This route table is not yet associated with our public subnet, so associate it with the public subnet.
- Attaching “Public Route Table” + “Public Subnet”
Go to Subnet associations and click “Edit subnet associations”.
Select “test-public-subnet-2a”
So far we have only created the route table and associated it with our public subnet. We have not yet given that route table a route to the internet gateway.
- Attach to the Internet Gateway (makes the subnet internet accessible) → Click “Edit routes”
Since we are setting up the route table for the public subnet, it is essential to add a route to the “internet gateway” to make the “Public Subnet” reachable from the Internet.
- Add a route with destination 0.0.0.0/0 and target “IGW-test”
Now our public subnet’s route table has a route to the “Internet Gateway”, and the subnet is publicly reachable.
The important thing here is that the route table is what makes a subnet public: a subnet whose route table has a default route to the internet gateway is public, and a subnet without such a route is private no matter what it is called.
Now our RT-test-public route table has internet access as well as internal access. Public route table + public subnet + IGW = Internet access.
- Setting up the “Private Route Table”
It does not need internet access, as it is the private route table, so we add no routes. Skip the routes and add the subnet association.
We still need internal communication within the VPC, so associate the private route table with the private subnet. The private subnet will hold the private resources, for example EC2 instances, which do not require internet accessibility.
We keep only the default “local” route for the VPC CIDR, which means the subnet has no internet access but does have internal access within the VPC. (If a private instance later needs outbound access, for package updates say, that is done with a NAT gateway, never by adding the internet gateway to this table.)
- Attach the private RT with the private subnet association
- Select the private subnet → Save association
Setup Bastion Host: EC2 Instance for Public Subnet
Go to AWS console → EC2 → Launch Instance
Name: “test-ec2-public-instance”
Ubuntu AMI
Instance type: t2.micro
Key pair: “bastian-host-public-key”
Edit → “Network Settings”, the major part (continue instance setup)
Add VPC → “test-vpc”
Select subnet → “test-public-subnet-2a”
Auto-assign public IP → Enable. This EC2 instance is going to be reachable publicly, so it needs a public IP for us to SSH into it. Enable this option so that the instance gets a public IP on launch.
Edit → “Firewall (Security Group)” (continue instance setup)
Security group name
Description
Set the SSH rule: we need to SSH into our EC2 instance, so we add an inbound rule of type SSH that opens port 22; without it we will not be able to SSH into the machine.
Source: the walkthrough selects “Anywhere” (0.0.0.0/0). Port 22 on the bastion is the only port in this design that is exposed to the whole internet, so outside a lab restrict the source to your own public IP as a /32 (the console’s “My IP” option); a bastion open to the world starts receiving SSH brute-force attempts within minutes of launch.
Launch Instance
Rename the instance to “test-ec2-public-instance-bastian”
Setup EC2 Instance for Private Subnet (our castle)
The initial steps up to the key pair are the same
Note that we are using the same key pair: “bastian-host-public-key”
Edit → “Network Settings”, the major part
Add VPC → “test-vpc”
Select subnet → the private subnet created earlier (not “test-public-subnet-2a”; placing this instance in the public subnet would defeat the purpose of the exercise)
Auto-assign public IP → Disable. This is our private EC2 instance, so it does not need a public IP; it will only communicate internally within the VPC.
Edit → “Firewall (Security Group)” (focus)
Select SSH: we need to reach this private EC2 instance, so we enable SSH on port 22 and nothing else.
Source: the place we will connect from, which is our bastion host in the public subnet. The bastion lives in the public subnet’s IP range, 12.0.1.0/24, so that CIDR is used as the source. A tighter choice is to select the bastion’s security group as the source instead of the subnet CIDR: then only instances in that group can reach port 22, not anything else that later lands in the public subnet.
Launch Instance
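The whole console procedure above, from the VPC and internet gateway through the route tables, security groups and the two instances, expressed as Terraform. This is an added example, not code from the original tutorial. It assumes that the AWS provider region is set through the usual provider configuration (AWS_REGION or a provider block), the availability zone us-west-2a (matching the page’s “2a” suffix), an existing EC2 key pair named bastian-host-public-key, an Ubuntu AMI ID passed in as var.ubuntu_ami, and var.admin_cidr set to your workstation’s public /32; the names test-private-subnet-2a and test-ec2-private-instance are assumptions, since the page names neither. It deliberately departs from the console walkthrough in three places: RFC 1918 space (10.0.0.0/16) instead of 12.0.0.0/16, SSH to the bastion allowed only from var.admin_cidr rather than from anywhere, and the private instance’s security group admitting SSH from the bastion’s security group rather than from the whole public-subnet CIDR.

```hcl
variable "admin_cidr" { type = string } # your workstation, e.g. "203.0.113.7/32"; never 0.0.0.0/0
variable "ubuntu_ami" { type = string } # an Ubuntu AMI ID valid in the provider's region

# RFC 1918 space instead of the page's 12.0.0.0/16, which is public address space.
resource "aws_vpc" "test" {
  cidr_block = "10.0.0.0/16"
  tags       = { Name = "test-vpc" }
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.test.id
}

resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.test.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-west-2a" # assumption, mirrors the page's "2a"
  map_public_ip_on_launch = true         # only the bastion's subnet hands out public IPs
  tags                    = { Name = "test-public-subnet-2a" }
}

resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.test.id
  cidr_block        = "10.0.2.0/24"
  availability_zone = "us-west-2a"
  tags              = { Name = "test-private-subnet-2a" } # assumed name
}

# Public route table: default route through the IGW. The "local" route for the
# VPC CIDR is implicit in every route table, so the private table adds nothing.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.test.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.test.id
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Bastion: inbound SSH only from the administrator, outbound SSH only into the VPC.
# Terraform drops AWS's default allow-all egress, so egress is stated explicitly.
resource "aws_security_group" "bastion" {
  name   = "bastion-sg"
  vpc_id = aws_vpc.test.id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
  egress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.test.cidr_block]
  }
}

# Private instance: SSH only from members of the bastion's security group.
resource "aws_security_group" "private" {
  name   = "private-sg"
  vpc_id = aws_vpc.test.id
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }
}

resource "aws_instance" "bastion" {
  ami                    = var.ubuntu_ami
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.public.id
  vpc_security_group_ids = [aws_security_group.bastion.id]
  key_name               = "bastian-host-public-key"
  tags                   = { Name = "test-ec2-public-instance-bastian" }
}

resource "aws_instance" "private" {
  ami                    = var.ubuntu_ami
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.private.id
  vpc_security_group_ids = [aws_security_group.private.id]
  key_name               = "bastian-host-public-key"
  tags                   = { Name = "test-ec2-private-instance" } # assumed name
}
```

Apply with `terraform init` and `terraform apply -var admin_cidr=203.0.113.7/32 -var ubuntu_ami=ami-...` (your own values). Two consequences of the tightened rules are worth knowing before you rely on them: the bastion’s egress rule allows it to open SSH sessions into the VPC and nothing else, so it cannot reach package mirrors, and the private security group has no egress block at all, which is fine for SSH because security groups are stateful and reply traffic is always allowed.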
SSH Into the Public Bastion Instance
As you can see, our instance took its private IP address from the CIDR range we defined earlier for the public subnet, and it also received a public IP through which we SSH in.
Let’s access the EC2 instance in our private subnet with the help of the bastion host.
To enter the EC2 instance in our private subnet, we start from the bastion host, where we are already logged in, and from there reach the private subnet.
Open one more terminal
Remember that we used the same SSH key pair for the EC2 instance in the public subnet (the bastion) and for the EC2 instance in the private subnet.
Go to the directory where you have stored the private key
Print the key with the cat command and copy it
- Go to the bastion host terminal
Create a new file to store your key
Change the file permissions (chmod 400 on the key file; otherwise ssh refuses to use a key that is readable by others)
- Access the private instance with the help of its “Private IP address”
Copy the private IP address
SSH to your private instance from the bastion public instance
We have used the private key that we copied onto our bastion host in order to connect to our private instance (because we used the same key pair for both instances). Be aware of what this does to the security model: the bastion is the one machine exposed to the internet, and it now holds the key that opens every instance behind it, so whoever compromises the bastion is handed the castle. Prefer to keep the key on your workstation and let ssh relay the connection through the bastion with ProxyJump (ssh -J), or at minimum use agent forwarding (ssh -A), and delete the copied key from the bastion when you are done.
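The same hop done without placing the key on the bastion, as an added example that is not part of the tutorial: the workstation’s ssh client uses the bastion as a jump host (ProxyJump, OpenSSH 7.3 or later), so the bastion only relays TCP and the private instance authenticates the workstation directly. It assumes Ubuntu AMIs (login user ubuntu), the key file bastian-host-public-key.pem kept on the workstation, and the example addresses 203.0.113.10 and 10.0.2.25, which are constructed and not taken from the page.

```shell
#!/bin/sh
# Added example (not commands from the tutorial): reach the private instance
# through the bastion without copying the private key onto the bastion.
# Assumptions: Ubuntu AMIs (login user "ubuntu"), the key pair file
# bastian-host-public-key.pem kept on the workstation, and the sample IPs below.

# Write an ssh_config fragment in which the bastion is a jump host for the
# private instance. OpenSSH opens a TCP tunnel through the bastion and
# authenticates to the private instance from the workstation, so the key is
# never present on the bastion.
# $1 = bastion public IP, $2 = private instance IP, $3 = key path, $4 = output file
write_bastion_ssh_config() {
  cat > "$4" <<EOF
Host bastion
    HostName $1
    User ubuntu
    IdentityFile $3
    IdentitiesOnly yes

Host private
    HostName $2
    User ubuntu
    IdentityFile $3
    IdentitiesOnly yes
    ProxyJump bastion
EOF
}

# Check the generated file: the private host must go via the jump host, and
# no private key material may have ended up in the config by mistake.
config_ok() {
  grep -q '^    ProxyJump bastion$' "$1" && ! grep -q 'PRIVATE KEY' "$1"
}

# Constructed sample values, not addresses from the tutorial.
cfg="${TMPDIR:-/tmp}/bastion_ssh_config"
write_bastion_ssh_config 203.0.113.10 10.0.2.25 "$HOME/.ssh/bastian-host-public-key.pem" "$cfg"
config_ok "$cfg" && echo "wrote $cfg"

# Usage: ssh -F "$cfg" private
# The same hop as a one-off command, without a config file:
#   ssh -i ~/.ssh/bastian-host-public-key.pem -J ubuntu@203.0.113.10 ubuntu@10.0.2.25
```

IdentitiesOnly stops ssh from offering every key in your agent to each hop, which keeps the bastion’s auth log readable and avoids tripping MaxAuthTries. Agent forwarding (ssh -A) also keeps the key file off the bastion, but while you are connected a root user on the bastion can use your forwarded agent socket to sign with your key, which is why ProxyJump is the better default.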
We have successfully logged in to our private EC2 instance, which is our castle for confidential or important resources such as databases.
Congratulations!! You have successfully completed the project!