Access EC2 Instances Deployed in Private Subnets Leveraging Bastion Hosts. A Step-by-Step Guide.
Ajao Adedamola
Posted on March 22, 2024
NOTE THAT IN THIS SCENARIO, I AM ASSUMING YOU ALREADY HAVE AN INSTANCE DEPLOYED IN THE PRIVATE SUBNET THAT YOU NEED TO ACCESS.
PLEASE MAKE SURE YOU ALSO HAVE ACCESS TO THE KEY PAIR OF YOUR PRIVATE RESOURCE.
To connect to an EC2 instance in a private subnet on AWS using a bastion host (also called a jump host), follow these steps:
Step 1: Launch Bastion Host
Launch an EC2 instance in a public subnet. This instance will act as the bastion host. Give it a public IP address and an instance profile that allows Systems Manager to manage it (the AmazonSSMManagedInstanceCore policy is enough), because we will reach it through Session Manager in Step 4 rather than through SSH from the internet. Since Session Manager works over outbound connections from the SSM agent, the bastion's own security group does not need any inbound rule at all.
As you can see below, I have both instances launched in the same VPC in different availability zones, and only one of them has a publicly accessible IP address.
Step 2: Configure Security Groups
Copy the private IP of the bastion host and of the private resource instance into Notepad or any text editor and label them so you do not mix them up later.
Edit the inbound rules of the private resource instance's security group so that it allows SSH (port 22) only from the bastion. The cleanest way is to set the source to the bastion's security group ID (sg-...), so the rule keeps working even if the bastion's IP changes; the alternative is the bastion's private IP as a /32. Never use 0.0.0.0/0 here, since that would defeat the point of the private subnet.
Click Save rules to save the changes.
Step 3: Editing your pem key
Locate the .pem key of your private instance and open it with Notepad, VS Code, or any editor of your choice. This file is the only credential for the private instance, so treat it like a password: do not mail it to yourself or paste it anywhere you would not paste a password.
Below is an image of what the .pem key looks like once opened. I am only showing half of mine to avoid exposing the key.
Step 4: Connect to the Bastion Host
Use AWS Systems Manager Session Manager to connect to the bastion host (select the instance, click Connect, then the Session Manager tab). If the Connect button is greyed out, the usual causes are a missing instance profile, an SSM agent that cannot reach the SSM endpoints, or the instance not yet showing up under Fleet Manager.
You should see a new tab open with a terminal in the AWS console. The session starts as the ssm-user account.
Step 5: Saving your pem key to your Bastion host instance
Run the following commands in order:
1. sudo su (gives you a root shell; stay in it for Step 6 so the file you create here is readable by the same user that runs ssh)
2. cd /home (changes into the home directory)
3. cd ec2-user (changes into the ec2-user directory)
4. touch private.pem (creates an empty file called private.pem)
5. nano private.pem (opens a text editor on the file created by the touch command)
Go back to the Notepad or VS Code window you opened earlier and copy the entire content of your .pem key, from the -----BEGIN line through the -----END line inclusive.
Paste it into the nano editor on your bastion host.
Again, I have blocked out part of my key for security reasons. After pasting the key, press Ctrl+X, then Y, then Enter to save and exit.
Step 6: Logging into your private Instance
While still in the same bastion host terminal, run the following commands:
1. chmod 0400 private.pem (makes the key readable only by its owner; ssh refuses to use a key that other users can read)
2. ssh -i private.pem ec2-user@<private IP of your private resource>
For the IP I copied earlier, 172.31.66.236, that translates to:
ssh -i private.pem ec2-user@172.31.66.236
You will be greeted with a prompt saying the authenticity of the host cannot be established and showing its host key fingerprint. For a lab, type yes and press Enter; in a real environment, compare the fingerprint with the one printed in the instance's system log (EC2 console, Monitor and troubleshoot, Get system log) before accepting it.
If you get the same result as the image above, congratulations: you just logged into your private instance using the bastion host, or jump host, method.
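Steps 5 and 6 can be wrapped in a short script that runs on the bastion, so the key is never created world-readable and a half-pasted key is caught before ssh fails with a confusing error. This is an added example, not code from the original post. It assumes the key lives at /home/ec2-user/private.pem (the file the post creates, overridable with KEY_PATH), that the user and private IP are passed as arguments, and it uses StrictHostKeyChecking=accept-new (OpenSSH 7.6 or later) in place of typing yes at the prompt; that option is my choice, not the post's.

```shell
#!/usr/bin/env sh
# Added example (not part of the original post): install the private
# instance's key on the bastion with safe permissions, sanity-check it,
# then open the SSH session. Assumed: KEY_PATH default below, ssh user
# and private IP supplied as arguments.
set -eu

KEY_PATH="${KEY_PATH:-/home/ec2-user/private.pem}"   # assumed location

# install_key PATH   (key text on stdin)
# The file is created under umask 077, so it is never group/world readable
# even for an instant, then set to 0400 (owner read-only), which is the mode
# ssh expects for an identity file.
install_key() {
  local path="$1"
  ( umask 077; cat > "$path" )
  chmod 0400 "$path"
}

# key_perms_ok PATH   -> true if the mode is 0400 or 0600
# ssh refuses a key that others can read ("UNPROTECTED PRIVATE KEY FILE"),
# so check before trying to connect. GNU stat first, BSD stat as fallback.
key_perms_ok() {
  local path="$1" mode
  [ -f "$path" ] || return 1
  mode="$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")"
  [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# key_format_ok PATH   -> true if the file carries PEM private-key armour
# on its first and last lines, which catches a truncated paste from nano.
key_format_ok() {
  local path="$1"
  head -n 1 "$path" | grep -q -- '^-----BEGIN .*PRIVATE KEY-----$' &&
    tail -n 1 "$path" | grep -q -- '^-----END .*PRIVATE KEY-----$'
}

# connect_private USER PRIVATE_IP   -> ssh to the private instance
# IdentitiesOnly=yes stops ssh from offering any other key on the bastion;
# accept-new records the host key on first use and refuses a changed key later.
connect_private() {
  local user="$1" ip="$2"
  key_perms_ok "$KEY_PATH" || { echo "refusing: $KEY_PATH must be mode 0400" >&2; return 1; }
  key_format_ok "$KEY_PATH" || { echo "refusing: $KEY_PATH is not a PEM private key" >&2; return 1; }
  ssh -i "$KEY_PATH" -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new "$user@$ip"
}

# Usage on the bastion, after sourcing this file:
#   install_key "$KEY_PATH" < pasted.pem      # or feed the key via a here-document
#   connect_private ec2-user 172.31.66.236    # private IP from the post
```

The format check only looks at the PEM armour; the definitive test that the paste was complete is `ssh-keygen -y -f /home/ec2-user/private.pem`, which prints the public half of the key and errors out on a damaged file.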
You might be wondering where this would be useful in a real-life scenario; I will explain why in next week's blog post.
Please remember to stop and delete all resources after use so that you do not incur costs on your AWS account.