Let us learn how to set up a Linux bastion host in AWS. With the support of our AWS support services at Bobcares, we can go through the whole setup process.
What is a Linux bastion host in AWS?
A bastion host is a Windows or Linux instance that sits in a public subnet of the AWS VPC. It is the single machine through which administrators reach the rest of the infrastructure.
Because we do not want to expose every instance to the internet, the bastion host takes on the exposed role and shields the rest of the infrastructure behind it.
Since this host is reachable from the internet and is the gateway to the whole infrastructure, harden it thoroughly at the OS level: keep the installed software minimal, patch promptly, allow key-based SSH only, and log every session.
What is the function of the bastion host in the Amazon infrastructure?
We use the bastion host to reach the rest of the infrastructure for administrative purposes. Newcomers to the cloud sometimes take the bastion host to be a mechanism only for reaching instances in private subnets.
Administrative access (SSH or RDP) to instances in public subnets should also be restricted to the bastion host.
That way administrative access to instances in both public and private subnets is protected, and this is the preferred arrangement: the whole VPC, regardless of subnet, is reachable for administration only through the bastion host.
How to deploy and configure a Linux bastion host in AWS
We will deploy the Linux bastion host in the same architecture that we used to create our last custom VPC for this test.
In a Windows environment, read RDP (TCP 3389) wherever SSH (TCP 22) appears below, and replace the Linux bastion with a Windows instance. Deployment and setup of the bastion host is as follows:
- Launch an EC2 instance in the public subnet; this will serve as the bastion host.
- Create a new security group that permits SSH from the bastion host to instances in the public and private subnets.
- Attach that security group to the instances.
Configuration
For step 1, let us deploy an Amazon Linux 2 EC2 instance. We could also use a custom AMI that has already been hardened and has session logging enabled for a bastion, among other things.
Nevertheless, for this experiment we use a standard Amazon Linux AMI. The security group created as part of this launch must allow inbound SSH; the launch wizard defaults the source to 0.0.0.0/0, but since port 22 on this host is the only administrative port exposed to the internet, restricting the source to the administrators' public IP range is strongly advisable. Let's call this SG bastion-sg.
Now we construct a custom security group that allows traffic from the bastion to the instances. A dedicated SG is useful because we can attach it to instances as they launch, rather than manually editing each instance's security groups afterwards to allow bastion traffic.
In this SG we allow traffic from the bastion host's security group, not from its IP address. Hence, even if the bastion's IP address changes (or the bastion host is replaced), no SG settings need updating. The only requirement is that a replacement bastion host be launched with the same bastion-sg attached.
- Access the EC2 console.
- Click Security Groups in the left navigation pane.
- On the Security Groups page, click Create security group.
Create custom security group
We must complete the following fields:
- Security group name: for identification.
- Description and VPC: add a short description and choose the VPC from the dropdown menu.
- Inbound rules: allow SSH (TCP 22) with the source set to the bastion host's security group (bastion-sg from step 1) rather than an IP range.
- Outbound rules: keep the default rule that allows all outbound traffic.
- Tags: optional.
This SG (allow-bastion-traffic-sg) can be attached to instances in either public or private subnets.
Remove the default SG tied to those instances that permits SSH from 0.0.0.0/0, or delete that inbound rule from the existing SGs.
This ensures that the only SSH traffic allowed to any instance in the VPC originates from the bastion host.
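As an added example (not part of the original post and not AWS tooling), here is a Python check over the output of `aws ec2 describe-security-groups` that verifies the arrangement above: bastion-sg must not admit SSH from the whole internet, and every other group that admits SSH must name bastion-sg as its source rather than a CIDR block. The group IDs, account number and sample groups are constructed for the example; `restrict_bastion_source` shows the corrected bastion rule with an assumed admin range 203.0.113.0/24 (a documentation prefix) in place of 0.0.0.0/0.

```python
"""Audit EC2 security groups for the bastion-only SSH pattern.

The input has the shape returned by `aws ec2 describe-security-groups`
(or boto3's EC2.Client.describe_security_groups()): each group carries
IpPermissions entries whose sources are either CIDR blocks (IpRanges /
Ipv6Ranges) or other security groups (UserIdGroupPairs).  The same
IpPermissions dicts are what authorize_security_group_ingress() accepts,
so the structures below double as rule definitions.

Security-group IDs and the account ID are made up for this example.
"""
import copy

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _admits_ssh(perm):
    """True if an inbound permission covers TCP/22 (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means every protocol and every port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def _sources(perm):
    """Split a permission's sources into (cidrs, security_group_ids)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    sgs = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return cidrs, sgs


def audit_bastion_pattern(groups, bastion_sg_id):
    """Return a list of (group_id, finding) tuples, empty when compliant.

    Rules:
      * the bastion SG must not admit SSH from 0.0.0.0/0 or ::/0;
      * every other SG that admits SSH must name the bastion SG as the
        source, never a CIDR block and never another group.
    """
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for perm in group.get("IpPermissions", []):
            if not _admits_ssh(perm):
                continue
            cidrs, sgs = _sources(perm)
            if gid == bastion_sg_id:
                for cidr in cidrs:
                    if cidr in ANYWHERE:
                        findings.append((gid, f"bastion admits SSH from {cidr}; restrict to the admin CIDR"))
            else:
                for cidr in cidrs:
                    findings.append((gid, f"SSH open from {cidr}; source should be {bastion_sg_id}"))
                for sg in sgs:
                    if sg != bastion_sg_id:
                        findings.append((gid, f"SSH allowed from non-bastion group {sg}"))
    return findings


def restrict_bastion_source(groups, bastion_sg_id, admin_cidr):
    """Return a copy of `groups` with the bastion's SSH rule limited to admin_cidr."""
    fixed = copy.deepcopy(groups)
    for group in fixed:
        if group["GroupId"] != bastion_sg_id:
            continue
        for perm in group.get("IpPermissions", []):
            if _admits_ssh(perm):
                perm["IpRanges"] = [{"CidrIp": admin_cidr}]
                perm["Ipv6Ranges"] = []
    return fixed


# Constructed sample: IDs and account number are fictitious.
BASTION_SG = "sg-0aaaaaaaaaaaaaaa1"   # bastion-sg
APP_SG = "sg-0bbbbbbbbbbbbbbb2"       # allow-bastion-traffic-sg
LEGACY_SG = "sg-0ccccccccccccccc3"    # launch-wizard SG left on an instance


def _ssh_from(cidrs=(), groups=()):
    """Build one TCP/22 inbound permission from CIDR and/or SG sources."""
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": g, "UserId": "123456789012"} for g in groups]}


SAMPLE_GROUPS = [
    {"GroupId": BASTION_SG, "GroupName": "bastion-sg",
     "IpPermissions": [_ssh_from(cidrs=["0.0.0.0/0"])]},          # as launched in the walkthrough
    {"GroupId": APP_SG, "GroupName": "allow-bastion-traffic-sg",
     "IpPermissions": [_ssh_from(groups=[BASTION_SG])]},          # SG-to-SG reference, compliant
    {"GroupId": LEGACY_SG, "GroupName": "launch-wizard-1",
     "IpPermissions": [_ssh_from(cidrs=["0.0.0.0/0"])]},          # should have been removed
]

if __name__ == "__main__":
    for gid, msg in audit_bastion_pattern(SAMPLE_GROUPS, BASTION_SG):
        print(f"{gid}: {msg}")
```

Against the sample it reports two findings: bastion-sg still open to 0.0.0.0/0, and the leftover launch-wizard group admitting SSH from the internet; allow-bastion-traffic-sg passes because its only source is the bastion's group ID. To run it on a real account, feed it `json.load(...)["SecurityGroups"]` from the CLI output; the corrected IpPermissions entry can be passed unchanged to `aws ec2 authorize-security-group-ingress --ip-permissions` after revoking the old one.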
Testing
Here are two instances for testing: the first is the bastion, the second is launched in the private subnet. The same test would work with an instance in the public subnet, but that instance would also have a public IP, so we use one from the private subnet to avoid confusion.
We logged in to the bastion host using its public IP address. Because we placed the bastion in a public subnet, it receives a public IP address at launch.
Since that public IP is reachable from the internet, we can connect to it directly with PuTTY.
Once on the bastion host, we can ssh to the private IP of the instance launched in the private subnet.
Because it was launched in a private subnet, it has no public IP address and is unreachable from the internet, so the bastion host is the only way in.
Note: we used PuTTY's SSH agent forwarding (via Pageant) so that we did not have to copy the private key to the bastion or specify it on the command line when connecting to the private instance. Be aware that agent forwarding lets anyone with root on the bastion use your forwarded key for as long as you are connected; OpenSSH's ProxyJump (ssh -J) reaches the private instance through the bastion without exposing the agent and is preferable where the client supports it.
That is all it takes to secure administrative access to instances in the VPC (both public and private subnets) with a bastion host.
Conclusion
To sum up, we have now seen how to set up a Linux bastion host in AWS. With the support of our AWS support services at Bobcares, we have gone through the whole setup process.