This short article will discuss what a bastion host is and its importance in your cloud architecture. We will also talk about its various use cases, relevance, and the related processes of setting it up in the AWS Cloud. 

What is a Bastion Host?

A Bastion host, often called a jump server, is critical to securing cloud environments. It acts as an intermediary providing secure access to resources in a private subnet without exposing them directly to the internet. This setup is essential for maintaining a robust security posture, especially in environments where sensitive data and resources reside within private subnets.

Why Use a Bastion Host?

In a typical AWS architecture, private instances (those without direct internet access) host sensitive applications and data. However, administrators still need to manage and maintain these instances. Exposing them directly to the internet would be a significant security risk, so a Bastion host is used instead.

A Bastion host is a secure access point, allowing administrators to connect to private instances via SSH or RDP, depending on the operating system. Restricting access to the Bastion host alone and using it as a gateway minimizes the attack surface, and your private instances remain shielded from direct exposure.

Is a Bastion Host Still Relevant Today?

While Bastion hosts remain widely used in traditional environments, more modern alternatives have emerged that offer enhanced security and convenience. For instance, AWS Systems Manager Session Manager allows secure access to EC2 instances without needing a Bastion host or SSH keys, eliminating the need for open inbound ports. Zero Trust networking models and VPC endpoints also provide secure access to resources without the exposure risks associated with a publicly accessible Bastion host.

However, Bastion hosts are still relevant, particularly for environments where legacy systems are in use or where modern alternatives are not feasible. They continue to be a key part of many cloud security strategies, especially for organizations that require a simple yet effective solution for secure remote access.

How Does a Bastion Host Work?

The Bastion host is placed in a public subnet within your VPC, meaning it has a public IP address and can be accessed via the Internet. The private instances remain in a private subnet with no direct access to the internet. The Bastion host acts as a middleman—administrators first connect to the Bastion host and then use it to connect to the private instances via SSH.

Key points about Bastion hosts:

• Public-facing: The Bastion host is the only instance exposed to the internet.
• Controlled access: Only specific IP addresses (usually your office or home IP) can connect to the Bastion host.
• Security groups: Proper security group configuration ensures that only the Bastion host can communicate with the private instances.

Setting Up a Bastion Host in AWS 

Now that we understand the importance of a Bastion host let’s walk through setting one up in AWS. Take note that the following steps are a simplified and practical example.

Launch a Bastion Host in the Public Subnet

To create a Bastion host, you’ll launch an EC2 instance in your public subnet. Follow these steps:

1. Navigate to the EC2 Dashboard: In the AWS Management Console, go to the EC2 dashboard.

2. Launch an EC2 Instance:

   • Name: LinuxBastionHost
   • AMI: Choose the Amazon Linux 2023 AMI.
   • Instance Type: t2.micro (sufficient for basic usage).
   • Key Pair: Create a new key pair (e.g., MyKeyPair) or use an existing one.
   • Network Settings:
     • VPC: Select your VPC.
     • Subnet: Choose the public subnet (PublicSubnet).
     • Auto-assign Public IP: Enabled (this gives your Bastion host a public IP address).


3. Security Group Configuration:

   • Create a new security group (e.g., BastionSG).
   • Allow SSH (port 22) from your IP address only. This is crucial for securing access to the Bastion host.

4. Review and Launch: Review your settings and launch the instance.

Once the instance is launched, note the public IP address, as you’ll use it to connect to the Bastion host.

Launch a Private Instance in the Private Subnet

Next, you’ll launch another EC2 instance, but this time in the private subnet, which the Bastion host will access.

1. Launch another EC2 Instance:

   • Name: MyPrivateInstance
   • AMI: Amazon Linux 2023 AMI (or another AMI suitable for your use case).
   • Instance Type: t2.micro.
   • Key Pair: Use the same key pair (MyKeyPair).
   • Network Settings:
     • VPC: Select the same VPC.
     • Subnet: Choose the private subnet (PrivateSubnet).
     • Auto-assign Public IP: Disabled (private instances should not have public IPs).

2. Security Group Configuration:

   • Create a new security group (e.g., MyPrivateInstanceSG).
   • Allow SSH (port 22) from the BastionSG security group. This allows only the Bastion host to access the private instance.

3. Review and Launch: Review your settings and launch the instance.

Accessing the Private Instance via the Bastion Host

Once both instances are running, you can access the private instance securely through the Bastion host. Here’s how:

1. Connect to the Bastion Host:

   • Open your terminal (or an SSH client like PuTTY).
   • Use the following SSH command to connect to the Bastion host

        ssh -i MyKeyPair.pem ec2-user@<BastionHost-Public-IP> 

1. • Replace the placeholder with the public IP address of the Bastion host.

2. Transfer the Private Key:

   • You need to transfer the private key (MyKeyPair.pem) from your local machine to the Bastion host to access the private instance.
   • Use the following command to copy the private key

scp -i MyKeyPair.pem MyKeyPair.pem ec2-user@<BastionHost-Public-IP>:/home/ec2-user

1. • Replace the placeholder with the private IP address of your private instance.

2. SSH into the Private Instance:

• • Once you’re on the Bastion host, set the correct permissions on the private key:

chmod 400 MyKeyPair.pem

• • Now, use the following SSH command to connect to the private instance:

ssh -i MyKeyPair.pem ec2-user@<PrivateInstance-Private-IP>

• • Replace the placeholder with the private IP address of your private instance.

If successful, you’ll be connected to the private instance via the Bastion host, ensuring secure and controlled access.

Conclusion

By following this guide, you have successfully set up a Bastion host in AWS and used it to access a private instance securely. This setup is critical to maintaining a secure cloud environment, particularly for sensitive workloads. Bastion hosts act as gatekeepers, allowing access to private instances while shielding them from the internet. This strategy is vital for any organization looking to enhance its security posture on AWS.

Remember to periodically review and update security groups and configurations to ensure they align with your security policies and best practices.

Reference:

https://aws.amazon.com/solutions/implementations/linux-bastion/