Published: 28 October 2020 | Changed: 28 October 2020
Everything you need to know about the bastion host in AWS infrastructure.
All about the bastion host!
In this article we discuss the following points regarding the bastion host:
- What is a bastion host?
- What role does the bastion host play in AWS infrastructure?
- How do I set up and configure a bastion host?
Let’s start with an introduction to the bastion host.
What is a bastion host?
A bastion host is a Windows or Linux machine that sits in a public subnet of your AWS infrastructure. It is the machine used for secure access to the rest of the infrastructure for administrative purposes. Since you don’t want to expose everything in your infrastructure to the Internet, the bastion host takes on the heavy lifting of securing that access.
Since this host is exposed to the Internet, strong system hardening should be applied to it. Protect this machine at the operating-system level with every available hardening method, because it is the gateway to your entire infrastructure.
What is the role of the bastion host in AWS infrastructure?
As explained above, the bastion host is used to access the rest of the infrastructure for administrative tasks. Newcomers to the cloud sometimes see the bastion host only as a way to reach a private subnet. But that’s not the whole point. You must also block administrative access (SSH or RDP) to instances in the public subnet and only allow that access via the bastion host.
This lets you secure administrative access to instances in both public and private subnets, and it is a recommended practice. All your instances, no matter which subnet they are in, should only be reachable through the bastion host.
In short, bastion hosts are used to protect administrative access to instances in private and public subnets.
How do I set up and configure a bastion host?
For this we will deploy a Linux bastion host on the same architecture we used when we built our custom VPC earlier. In a Windows environment, SSH can be replaced by RDP and the Linux bastion by a Windows machine. Deploying and configuring the bastion host can be summarized as follows:
- Launch an EC2 instance in a public subnet (this is your bastion host).
- Create a new security group that allows SSH traffic from the bastion host to the target instances in public and private subnets.
- Attach that security group to the instances.
Let’s get to the heart of the matter.
For the first step I launched an Amazon Linux 2 EC2 instance. You could also use a purpose-built bastion AMI, which already comes with bastion-specific features (logging, etc.), but for this exercise I will use the standard Amazon Linux AMI. The SG created with this launch must allow SSH traffic from 0.0.0.0/0. Let’s call this SG bastion-sg.
Now it’s time to create a custom security group that allows traffic from the bastion host to the instances. A custom SG is useful because you can attach it to instances at launch and don’t have to manually adjust each instance’s security groups to allow bastion traffic. In this SG we allow traffic from the bastion host’s SG rather than from its IP. So even if the bastion host’s IP changes in the future (or the bastion host is replaced altogether), we don’t have to change the SG settings anywhere. All you have to remember is to launch the new bastion host with the existing bastion SG.
- Open the EC2 console.
- Click Security Groups in the left navigation pane.
- On the Security Groups page, click Create security group.
- You will see the screen below:
(Screenshot: Creating a custom security group)
Fill in the following information:
- Security group name: for identification.
- VPC: select your VPC from the drop-down list.
- Inbound rules: allow SSH from the bastion SG (the bastion-sg from step 1).
- Outbound rules: leave the default setting (allow all traffic).
- Tags: not needed.
This SG (allow-bastion-traffic-sg) should be attached to instances running in public and private subnets. Make sure you remove any existing SG that allows SSH traffic from 0.0.0.0/0 by default, OR change the inbound rule of that existing SG so that it no longer does.
This ensures that SSH traffic to all instances in your VPC is only allowed from the bastion host.
At this point, the bastion host SG should have the following inbound rule:
(Screenshot: bastion host SG inbound rule)
And the instances in the VPC (in every subnet) must have an inbound rule with source bastion-sg (the bastion host SG):
(Screenshot: inbound rule for instances)
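As an added example (not part of the original article), here is a small Python audit that checks security-group rules, in the JSON shape returned by `aws ec2 describe-security-groups`, against the bastion-only SSH model above: every SG other than the bastion SG may accept SSH only from the bastion SG, never from 0.0.0.0/0. The group ids and the sample groups are constructed for the example.

```python
"""Audit EC2 security groups for the bastion-only SSH model described above.
Input mirrors a subset of the JSON returned by `aws ec2 describe-security-groups`."""

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}

def covers_ssh(perm):
    """True if an IpPermissions entry includes TCP/22 ("-1" = all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)

def audit_ssh_exposure(groups, bastion_sg_id):
    """Return (group id, finding) for every non-bastion SG that accepts SSH
    from any source other than the bastion SG itself."""
    findings = []
    for sg in groups:
        sg_id = sg["GroupId"]
        if sg_id == bastion_sg_id:      # bastion-sg is the one SG allowed to face the Internet
            continue
        for perm in sg.get("IpPermissions", []):
            if not covers_ssh(perm):
                continue
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                src = "the Internet" if cidr in ANYWHERE else "CIDR"
                findings.append((sg_id, f"SSH allowed from {src} {cidr}, not the bastion SG"))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != bastion_sg_id:
                    findings.append((sg_id, f"SSH allowed from SG {pair['GroupId']}, not the bastion SG"))
    return findings

# Constructed sample: bastion-sg open on 22, the app SG locked to bastion-sg, and a
# leftover launch-wizard SG that still allows SSH from 0.0.0.0/0 (the thing to catch).
SSH = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "GroupName": "bastion-sg",
     "IpPermissions": [dict(SSH, IpRanges=[{"CidrIp": "0.0.0.0/0"}])]},
    {"GroupId": "sg-app", "GroupName": "allow-bastion-traffic-sg",
     "IpPermissions": [dict(SSH, UserIdGroupPairs=[{"GroupId": "sg-bastion"}])]},
    {"GroupId": "sg-legacy", "GroupName": "launch-wizard-1",
     "IpPermissions": [dict(SSH, IpRanges=[{"CidrIp": "0.0.0.0/0"}])]},
]

if __name__ == "__main__":
    for sg_id, finding in audit_ssh_exposure(SAMPLE_GROUPS, "sg-bastion"):
        print(f"{sg_id}: {finding}")    # sg-legacy: SSH allowed from the Internet 0.0.0.0/0, ...
```

Feed it the `SecurityGroups` array from a real `describe-security-groups` call together with your bastion SG id, and any group still listed is one that bypasses the bastion host.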
Done! It’s time to test it. Below you will find the 2 instances used for the tests. One is the bastion host, the other runs in a private subnet. It would also work with an instance in a public subnet, but that instance would have its own public IP, so to avoid confusion I picked the instance in the private subnet.
I logged into the bastion host using its public IP. Remember, we launched the bastion host in a public subnet so that it gets a public IP address at launch. And since that public IP is reachable from the Internet, I can SSH directly to the bastion host’s public IP.
Once on the bastion host I try to SSH to the private IP of an instance running in a private subnet. Since the instance runs in a private subnet, it has no public IP address and is therefore not reachable from the Internet. So I had to go through the bastion host to do it, and it worked!
Note: I used PuTTY SSH agent forwarding here, so I didn’t have to pass an SSH key on the command line when connecting to the private instance.
(Screenshot: SSH from the bastion host to the private instance)
This is how you secure administrative access to your VPC instances (in both public and private subnets) with a bastion host.