Using Bastion Hosts to Connect to Your VPC – Configuring Infrastructure Security – SCS-C02 Study Guide

Using Bastion Hosts to Connect to Your VPC

Bastion hosts are used to gain access from the internet to instances that reside within your private subnets; the bastion itself resides within a public subnet. The difference between a public subnet and a private subnet is that a subnet only becomes classed as public when an IGW is attached to the VPC and the route table associated with the subnet contains a route with a destination of 0.0.0.0/0 and the IGW as its target, as shown in the following figure:

Figure 10.24: Connecting to your VPC via a bastion host

Any subnet associated with a route table pointing to an IGW with a destination address of 0.0.0.0/0 is considered a public subnet, as it has direct access to the internet. Any subnet without this route is considered private, as there is no route out to the internet and no route in from it.

So, to clarify, for a subnet to be public, the following must be the case:

  • The VPC must have an IGW attached
  • The subnet must have a route pointing to the internet (0.0.0.0/0) with a target of the IGW

When a subnet is public, instances within this subnet can have a publicly accessible IP address and can communicate with the outside world. This allows your engineers to SSH into your public-facing instances for support and maintenance if needed (provided that NACLs and security groups have been configured to allow this access).

However, should you experience issues with instances within your private subnets, how can those same engineers SSH into them from the internet, perhaps to apply a remote fix? The answer is that they can't, as the instances are private and there is no route to the outside world. To get around this, a bastion host must be installed within the public subnet.

The bastion host is a hardened EC2 instance with restrictive controls that acts as an ingress gateway between the internet and your private subnets without directly exchanging packets between the two environments. Hardening the host ensures that the chances of your systems being compromised are significantly reduced. As this is a gateway to your internal resources, you need to ensure that you follow best practices to harden your instance.

As part of the security group configuration associated with the bastion host, the sources allowed to access the bastion must be restricted as much as possible, such as restricting access to a small CIDR block or a single IP address. The security group for the private instances should allow SSH or RDP from the bastion host IP only.
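The public-subnet rule above and the security group restrictions just described can be checked mechanically. The following Python audit is an added example, not code from the study guide: its input dicts are constructed to follow the shape of EC2 DescribeRouteTables and DescribeSecurityGroups responses, and the /29 threshold used to define a "small CIDR block" is an assumption.

```python
import ipaddress

ADMIN_PORTS = (22, 3389)  # SSH and RDP

def public_subnets(route_tables, igw_ids):
    """Subnet IDs whose route table sends 0.0.0.0/0 to an attached IGW."""
    public = set()
    for rt in route_tables:
        if any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId") in igw_ids for r in rt["Routes"]):
            public.update(a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a)
    return public

def _covers_admin_port(perm):
    """True if an ingress entry covers SSH or RDP (or all traffic, protocol -1)."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)

def audit_bastion_sg(sg, max_prefix_len=29):
    """Flag admin-port ingress from CIDRs wider than a small block (/29 assumed)."""
    return [f"admin ports open to {r['CidrIp']}"
            for p in sg["IpPermissions"] if _covers_admin_port(p)
            for r in p.get("IpRanges", [])
            if ipaddress.ip_network(r["CidrIp"]).prefixlen < max_prefix_len]

def audit_private_sg(sg, bastion_sg_id):
    """Flag admin-port ingress from any source other than the bastion's SG."""
    findings = []
    for p in (p for p in sg["IpPermissions"] if _covers_admin_port(p)):
        findings += [f"admin ports open to CIDR {r['CidrIp']}" for r in p.get("IpRanges", [])]
        findings += [f"admin ports open to {g['GroupId']}"
                     for g in p.get("UserIdGroupPairs", []) if g["GroupId"] != bastion_sg_id]
    return findings

# Constructed sample data (not real AWS resources) in DescribeRouteTables /
# DescribeSecurityGroups shape: one public and one private subnet, a bastion
# SG open to the world on port 22, and a private SG that trusts only the bastion.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
BASTION_SG = {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp",
    "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
PRIVATE_SG = {"GroupId": "sg-private", "IpPermissions": [{"IpProtocol": "tcp",
    "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]}
```

Running the three functions over the sample data classifies only subnet-public as public, flags the bastion's 0.0.0.0/0 SSH rule, and returns no findings for the private group.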

When connecting to instances, you use a key pair for authentication. For Linux instances, this is stored as a *.pem file that is downloaded when the instance is created. However, once you have connected to your bastion host (using its *.pem key file), you must use the *.pem file associated with the private instance to connect onward to it. This file is not stored on the bastion host, and for security purposes it should not be.

Note

You will see bastion hosts in greater detail in Chapter 11, Securing EC2 Instances, including how to build and configure a bastion host for secure connectivity into your network, along with some alternatives to bastion hosts that AWS offers.

A bastion host is a well-established, secure pattern for gaining access from an outside network to the internal resources of a network. The following section will discuss how you can build some of those networking components in the VPC service.