Ends in
00
days
00
hrs
00
mins
00
secs
ENROLL NOW

🎁 Get 20% Off - Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Understanding the Importance of Bastion Hosts in AWS

Home » BLOG » Understanding the Importance of Bastion Hosts in AWS

Understanding the Importance of Bastion Hosts in AWS

This short article will discuss what a bastion host is and its importance in your cloud architecture. We will also talk about its various use cases, relevance, and the related processes of setting it up in the AWS Cloud. 

What is a Bastion Host?

A Bastion host, often called a jump server, is critical to securing cloud environments. It acts as an intermediary providing secure access to resources in a private subnet without exposing them directly to the internet. This setup is essential for maintaining a robust security posture, especially in environments where sensitive data and resources reside within private subnets.

AWS Linux Bastion Host Diagram

Why Use a Bastion Host?

In a typical AWS architecture, private instances (those without direct internet access) host sensitive applications and data. However, administrators still need to manage and maintain these instances. Exposing them directly to the internet would be a significant security risk, so a Bastion host is used instead.

A Bastion host is a secure access point, allowing administrators to connect to private instances via SSH or RDP, depending on the operating system. Restricting access to the Bastion host alone and using it as a gateway minimizes the attack surface, and your private instances remain shielded from direct exposure.

 

Is a Bastion Host Still Relevant Today?

While Bastion hosts remain widely used in traditional environments, more modern alternatives have emerged that offer enhanced security and convenience. For instance, AWS Systems Manager Session Manager allows secure access to EC2 instances without needing a Bastion host or SSH keys, eliminating the need for open inbound ports. Zero Trust networking models and VPC endpoints also provide secure access to resources without the exposure risks associated with a publicly accessible Bastion host.

However, Bastion hosts are still relevant, particularly for environments where legacy systems are in use or where modern alternatives are not feasible. They continue to be a key part of many cloud security strategies, especially for organizations that require a simple yet effective solution for secure remote access.

 

How Does a Bastion Host Work?

The Bastion host is placed in a public subnet within your VPC, meaning it has a public IP address and can be accessed via the Internet. The private instances remain in a private subnet with no direct access to the internet. The Bastion host acts as a middleman—administrators first connect to the Bastion host and then use it to connect to the private instances via SSH.

Key points about Bastion hosts:

  • Public-facing: The Bastion host is the only instance exposed to the internet.
  • Controlled access: Only specific IP addresses (usually your office or home IP) can connect to the Bastion host.
  • Security groups: Proper security group configuration ensures that only the Bastion host can communicate with the private instances.

 

Setting Up a Bastion Host in AWS 

Now that we understand the importance of a Bastion host let’s walk through setting one up in AWS. Take note that the following steps are a simplified and practical example.

 

Launch a Bastion Host in the Public Subnet

To create a Bastion host, you’ll launch an EC2 instance in your public subnet. Follow these steps:

  1. Navigate to the EC2 Dashboard: In the AWS Management Console, go to the EC2 dashboard.

  2. Launch an EC2 Instance:

    • Name: LinuxBastionHost
    • AMI: Choose the Amazon Linux 2023 AMI.
    • Instance Type: t2.micro (sufficient for basic usage).
    • Key Pair: Create a new key pair (e.g., MyKeyPair) or use an existing one.
    • Network Settings:
      • VPC: Select your VPC.
      • Subnet: Choose the public subnet (PublicSubnet).
      • Auto-assign Public IP: Enabled (this gives your Bastion host a public IP address).
  3. Tutorials dojo strip
  4. Security Group Configuration:

    • Create a new security group (e.g., BastionSG).
    • Allow SSH (port 22) from your IP address only. This is crucial for securing access to the Bastion host.
  5. Review and Launch: Review your settings and launch the instance.

Once the instance is launched, note the public IP address, as you’ll use it to connect to the Bastion host.

Launch a Private Instance in the Private Subnet

Next, you’ll launch another EC2 instance, but this time in the private subnet, which the Bastion host will access.

  1. Launch another EC2 Instance:

    • Name: MyPrivateInstance
    • AMI: Amazon Linux 2023 AMI (or another AMI suitable for your use case).
    • Instance Type: t2.micro.
    • Key Pair: Use the same key pair (MyKeyPair).
    • Network Settings:
      • VPC: Select the same VPC.
      • Subnet: Choose the private subnet (PrivateSubnet).
      • Auto-assign Public IP: Disabled (private instances should not have public IPs).
  2. Security Group Configuration:

    • Create a new security group (e.g., MyPrivateInstanceSG).
    • Allow SSH (port 22) from the BastionSG security group. This allows only the Bastion host to access the private instance.
  3. Review and Launch: Review your settings and launch the instance.

Accessing the Private Instance via the Bastion Host

Once both instances are running, you can access the private instance securely through the Bastion host. Here’s how:

  1. Connect to the Bastion Host:

    • Open your terminal (or an SSH client like PuTTY).
    • Use the following SSH command to connect to the Bastion host

        ssh -i MyKeyPair.pem ec2-user@<BastionHost-Public-IP> 

    • Replace the placeholder with the public IP address of the Bastion host.
  1. Transfer the Private Key:

    • You need to transfer the private key (MyKeyPair.pem) from your local machine to the Bastion host to access the private instance.
    • Use the following command to copy the private key

scp -i MyKeyPair.pem MyKeyPair.pem ec2-user@<BastionHost-Public-IP>:/home/ec2-user

    • Replace the placeholder with the private IP address of your private instance.
  1. SSH into the Private Instance:

    • Once you’re on the Bastion host, set the correct permissions on the private key:

chmod 400 MyKeyPair.pem

    • Now, use the following SSH command to connect to the private instance:
Free AWS Courses

ssh -i MyKeyPair.pem ec2-user@<PrivateInstance-Private-IP>

    • Replace the placeholder with the private IP address of your private instance.

If successful, you’ll be connected to the private instance via the Bastion host, ensuring secure and controlled access.

Conclusion

By following this guide, you have successfully set up a Bastion host in AWS and used it to access a private instance securely. This setup is critical to maintaining a secure cloud environment, particularly for sensitive workloads. Bastion hosts act as gatekeepers, allowing access to private instances while shielding them from the internet. This strategy is vital for any organization looking to enhance its security posture on AWS.

Remember to periodically review and update security groups and configurations to ensure they align with your security policies and best practices.

 

Reference:

https://aws.amazon.com/solutions/implementations/linux-bastion/

Get 20% Off – Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Tutorials Dojo portal

Learn AWS with our PlayCloud Hands-On Labs

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

FREE AWS Exam Readiness Digital Courses

FREE AWS, Azure, GCP Practice Test Samplers

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

Follow Us On Linkedin

Recent Posts

Written by: Neil Rico

Neil, fueled by a passion for technology, now dedicates himself to architecting and optimizing cloud solutions, particularly within the dynamic realm of Amazon Web Services (AWS). He's always learning because life is a journey of discovering and growing.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?