Bastion Hosts in AWS DevOps
Bastion hosts serve as secure, intermediary systems that allow users to access EC2 instances within a private subnet from the public internet. Here's an organized summary of the key points:
- Purpose: To enable SSH access to EC2 instances in a private subnet, which are not directly reachable from the public internet.
- Location: The bastion host is an EC2 instance located in a public subnet.
- Security Groups:
  - The bastion host has its own security group (Bastion Host Security Group).
  - EC2 instances in the private subnet have their own security groups.
- Connectivity Flow:
  - Users SSH into the bastion host.
  - From the bastion host, users then SSH into the desired EC2 instance(s) in the private subnet.

Security Group Configuration
- Bastion Host Security Group:
  - Must allow SSH access (port 22) from the internet.
  - Access should be restricted to known IPs (e.g., the corporate public CIDR) to minimize security risks.
- EC2 Instance Security Group in the Private Subnet:
  - Must allow SSH access from the bastion host. The source can be specified as the bastion host's private IP or as its security group.
Security Considerations
- Restricting access to the bastion host is critical to prevent unauthorized access to the infrastructure.
- The security group for the bastion host should be as restrictive as possible to ensure only selected IPs can access it.
This mechanism of using a bastion host adds an extra layer of security, ensuring that EC2 instances in private subnets are not exposed directly to the public internet, thereby reducing the attack surface.
Example
Let's consider an example scenario:
- Bastion Host: Located in a public subnet for initial SSH access.
- Target EC2 Instances: Located in a private subnet, accessible via SSH through the bastion host.
- Security Group Settings:
  - Bastion Host Security Group: Allows SSH from specific public IPs.
  - Private EC2 Security Group: Allows SSH from the bastion host's security group.
This setup illustrates how a bastion host functions as a pivot point for accessing private subnet resources securely.
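The two security-group rules described above (bastion SSH only from the corporate CIDR, private SSH only from the bastion's security group) can be checked mechanically. The following is an added example, not part of the original notes or any AWS tooling: it audits data in the shape returned by `aws ec2 describe-security-groups`, using constructed group IDs and CIDRs that are hypothetical.

```python
"""Audit SSH ingress on bastion-style security groups (added example)."""
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and CIDRs are hypothetical placeholders, not from a real account.
CORPORATE_CIDRS = ["203.0.113.0/24"]
SECURITY_GROUPS = [
    {"GroupId": "sg-bastion", "GroupName": "bastion-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-private", "GroupName": "private-ec2-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
    {"GroupId": "sg-open", "GroupName": "misconfigured-bastion-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

def _covers_ssh(perm):
    """True if the permission entry includes TCP/22 (or is an all-traffic rule)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= 22 <= perm["ToPort"]

def ssh_findings(group, allowed_cidrs, bastion_group_id=None):
    """Return findings for SSH ingress on one security group.

    With bastion_group_id=None the group is treated as the bastion: SSH may
    come only from allowed_cidrs. With bastion_group_id set the group is a
    private instance group: SSH may come only from that security group.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in group["IpPermissions"]:
        if not _covers_ssh(perm):
            continue
        # IPv4 and IPv6 ranges are listed separately in the API response.
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            net = ipaddress.ip_network(rng.get("CidrIp") or rng["CidrIpv6"])
            if bastion_group_id is not None:
                findings.append(f"SSH from CIDR {net} should reference {bastion_group_id} instead")
            elif not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                findings.append(f"SSH open to {net}, outside the allowed corporate ranges")
        for pair in perm.get("UserIdGroupPairs", []):
            if bastion_group_id is None or pair["GroupId"] != bastion_group_id:
                findings.append(f"SSH from unexpected security group {pair['GroupId']}")
    return findings

if __name__ == "__main__":
    for g in SECURITY_GROUPS:
        ref = None if g["GroupName"].endswith("bastion-sg") else "sg-bastion"
        print(g["GroupName"], ssh_findings(g, CORPORATE_CIDRS, ref) or "OK")
```

Referencing the bastion's security group rather than its private IP keeps the private rule valid if the bastion instance is replaced, which is why the check flags a CIDR source on the private group.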