
How to Create a Bastion Host Using AWS CDK

Setting up secure access to private instances in a VPC is a common need, and one of the most effective ways to do it is with a bastion host. If you're managing infrastructure as code with AWS CDK, the process becomes both efficient and easy to maintain. In this guide, you'll learn how to deploy a bastion host using AWS CDK, with working code and every essential step explained.

What is a Bastion Host?

A bastion host is a specially configured EC2 instance placed in a public subnet. It acts as a secure gateway for reaching resources in private subnets, typically over SSH. Instead of exposing every private instance to the internet, you expose only the bastion, which greatly reduces your attack surface: one hardened, closely watched entry point instead of many.

Why Use AWS CDK?

The AWS Cloud Development Kit (CDK) lets you define and deploy cloud infrastructure using familiar programming languages like TypeScript. With AWS CDK, you can version control your infrastructure, make your deployments repeatable, and avoid manual errors.

How to Create a Bastion Host

To get started, follow the steps below to set up your bastion host using AWS CDK.

  • Install and Set Up AWS CDK

Make sure the AWS CDK CLI is installed and configured to your account. You’ll be using TypeScript in this example.

  • Define the VPC and Security Groups

Next, use CDK constructs to create a VPC that contains both public and private subnets.

  • Create the Bastion Host

Then provision an EC2 instance to act as the bastion host. Assign it a public IP address so it can be accessed from outside the VPC.

  • Set Up SSH Key Pair

Afterward, ensure you have an existing EC2 SSH key pair in the target region. You'll use this key to connect securely to the instance.

  • Configure Security Group Rules

Then restrict access to SSH (port 22) to your IP address or a known IP range. This limits who can access the bastion host.

  • Deploy the Infrastructure

Finally, use cdk deploy to launch the defined resources in your AWS environment.

Here’s the complete TypeScript code that handles all the above:

import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Construct } from 'constructs'; // aws-cdk-lib v2 takes Construct from the 'constructs' package

export class MyBastionHostStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Create a new VPC with public and private subnets (the default subnet layout)
    const vpc = new ec2.Vpc(this, 'MyVpc', {
      maxAzs: 2, // Maximum availability zones
    });

    // Create the bastion host instance in a public subnet. CDK's public subnets
    // map a public IP on launch, so the instance is reachable from outside the VPC.
    const bastionHost = new ec2.Instance(this, 'BastionHost', {
      vpc,
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),
      machineImage: ec2.MachineImage.latestAmazonLinux2023(), // Use the latest Amazon Linux AMI
      keyPair: ec2.KeyPair.fromKeyPairName(this, 'BastionKeyPair', 'my-ssh-key'), // Replace with your SSH key name
      vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
    });

    // Allow SSH access to the bastion host only from your IP address.
    // 203.0.113.7/32 is a placeholder; replace it with your own public IP or a known range.
    const sshSourceCidr = '203.0.113.7/32';
    bastionHost.connections.allowFrom(ec2.Peer.ipv4(sshSourceCidr), ec2.Port.tcp(22), 'SSH access');
  }
}

const app = new cdk.App();
new MyBastionHostStack(app, 'MyBastionHostStack');
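The step that matters most for security is the last security-group rule: the range you hand to the SSH ingress rule decides who can even attempt to log in to the bastion. The following TypeScript helper is an added example, not code from the original article or from aws-cdk-lib. It validates an IPv4 CIDR before it is passed to ec2.Peer.ipv4, rejecting 0.0.0.0/0, ranges wider than a configurable maximum, and CIDRs with host bits set (which are almost always typos). The function names, the BASTION_SSH_CIDR environment variable and the 203.0.113.x sample addresses are placeholders chosen for this example.

```typescript
// Added example, not code from the original article or from aws-cdk-lib:
// validate the source range for the bastion's SSH rule before it reaches the
// security group. Function names and the 203.0.113.x sample addresses are
// placeholders chosen for this example.

export interface SshIngressRule {
  cidr: string;         // normalized "a.b.c.d/n"
  port: number;         // 22
  addressCount: number; // how many source addresses the rule admits
  description: string;
}

// Parse "a.b.c.d/n" into a 32-bit address and a prefix length; throws on malformed input.
export function parseIpv4Cidr(cidr: string): { address: number; prefix: number } {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr.trim());
  if (!m) throw new Error(`not an IPv4 CIDR: "${cidr}"`);
  const octets = m.slice(1, 5).map(Number);
  if (octets.some((o) => o > 255)) throw new Error(`octet out of range in "${cidr}"`);
  const prefix = Number(m[5]);
  if (prefix > 32) throw new Error(`prefix length out of range in "${cidr}"`);
  // Build the address with unsigned arithmetic so 203.x.x.x does not go negative.
  const address = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  return { address, prefix };
}

function formatIpv4(address: number): string {
  return [24, 16, 8, 0].map((shift) => (address >>> shift) & 0xff).join('.');
}

// True for 0.0.0.0/0, the range that ec2.Peer.anyIpv4() / allowFromAnyIpv4() would open.
export function isAnyIpv4(cidr: string): boolean {
  return parseIpv4Cidr(cidr).prefix === 0;
}

// Build the SSH ingress rule, refusing ranges that defeat the purpose of a bastion:
//   - 0.0.0.0/0 (the whole internet),
//   - anything wider than /maxPrefix (default /24, i.e. 256 addresses),
//   - a CIDR with host bits set (e.g. 203.0.113.7/24), which is almost always a typo.
export function buildSshIngressRule(cidr: string, maxPrefix = 24): SshIngressRule {
  const { address, prefix } = parseIpv4Cidr(cidr);
  if (prefix === 0) throw new Error('refusing to open SSH to 0.0.0.0/0');
  if (prefix < maxPrefix) throw new Error(`SSH source ${cidr} is wider than /${maxPrefix}`);
  // JS shifts are taken mod 32, so a /32 needs its own case to get an all-zero host mask.
  const hostMask = prefix === 32 ? 0 : 0xffffffff >>> prefix;
  if ((address & hostMask) !== 0) {
    const network = formatIpv4((address & ~hostMask) >>> 0);
    throw new Error(`host bits set in ${cidr}; use the network address ${network}/${prefix}`);
  }
  return {
    cidr: `${formatIpv4(address)}/${prefix}`,
    port: 22,
    addressCount: 2 ** (32 - prefix),
    description: `SSH access from ${cidr}`,
  };
}

// How the rule would be applied inside the stack (aws-cdk-lib is deliberately not imported here):
//   const rule = buildSshIngressRule(process.env.BASTION_SSH_CIDR ?? '');
//   bastionHost.connections.allowFrom(ec2.Peer.ipv4(rule.cidr), ec2.Port.tcp(rule.port), rule.description);
```

Because the validation runs during synthesis, a misconfigured range fails `cdk synth` or `cdk deploy` before any security group is changed, which is the cheapest possible place to catch an overly broad SSH rule. The addressCount field is useful in a review comment or a CI log line so that the width of the opening is visible without decoding the prefix by hand.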


Conclusion

This configuration gives you a reliable and secure way to reach private instances. With a bastion host deployed through AWS CDK, network access is easier to manage, and internal services remain isolated from direct exposure to the internet. You now have a complete stack ready to deploy, and a foundation that can be extended as your infrastructure grows.