AWS — Connecting to a Private Instance using a Bastion Host via Custom Virtual Private Cloud (VPC)

Olabode Olugbolagun
7 min read · May 14, 2021


Case Scenario

You are in charge of setting up an architecture that gives your team a private instance in a private subnet, reachable only by your team.

What is a VPC?

A VPC is a logically isolated virtual network inside AWS's public cloud. It lets you launch AWS resources such as web servers, databases and data warehouses into a virtual network that you define. This virtual network closely resembles a traditional network that you would operate in your own data center (on-premises), but its isolation is only as good as what you configure: the route tables and security groups set up in this walkthrough decide what can reach what.

A. Configure a Custom VPC

  1. Let’s begin by navigating to AWS Services and selecting VPC. Select create VPC.

2. Enter the following details for the fields below (or use your own examples)

  • Name: example “westoncustom-VPC”
  • IPv4 CIDR block: 10.0.0.0/16
  • Leave the rest of the fields at their default values

3. Click Create VPC

B. Create an Internet Gateway

Since our Bastion Host needs access to the internet, we will need to create an Internet Gateway (IGW). Once created, we’ll then need to attach it to our VPC.

  1. Within your VPC service, select Internet Gateways
  2. Select Create internet gateway

3. Enter the following details for the fields below (or use your own examples)

  • Name: example “Weston-IGW”

4. Attach the Internet Gateway to your new custom VPC: select it, then Actions, then Attach to VPC, and pick your VPC

What is a subnet?

A subnet, or subnetwork, is a network inside a network. Subnets make networks more efficient: hosts in the same subnet exchange traffic directly, without passing through unnecessary routers. In AWS a subnet is a range of IP addresses carved out of the VPC's CIDR block, it lives in a single Availability Zone, and it is "public" or "private" only by virtue of the route table associated with it.

C. Create Subnets

We will build two subnets. One will be public to allow access from the internet and one will be private.

Let’s build our Public Subnet first.

  1. Select Subnets within your VPC service

2. Select Create subnet

3. Enter the following details for the fields below (or use your own examples)

  • VPC ID: Click the search field and select your custom VPC

Subnet settings

  • Subnet name: example “Weston-PublicSub”
  • Availability Zone: US East (N. Virginia) / us-east-1d
  • IPv4 CIDR block: 10.0.1.0/24

4. Once completed select Create subnet.

5. Lastly, let's enable auto-assign public IPv4 addresses, so that instances launched in this subnet automatically receive a public IPv4 address.

Select your public subnet, then Actions, then Modify auto-assign IP settings, and tick the box to enable it.

Before we move on to the private subnet, let's finish associating the resources the public subnet needs, starting with a routing table.

Create a Routing Table

A routing table is essential to controlling network traffic: it holds the rules (routes) that decide where traffic leaving a subnet is sent, and every subnet is associated with exactly one routing table.

  1. Create a Routing Table

2. Enter the following details for the fields below (or use your own examples)

  • Name: example PublicRT-Weston
  • VPC: Select your custom VPC option

Currently, our route table contains only the local route for 10.0.0.0/16, so instances can talk to each other but to nothing outside the VPC. Let's add a default route to our IGW, which allows traffic to and from the internet.

3. Edit and add routes

  • Destination: 0.0.0.0/0
  • Target: Internet Gateway, then select the igw- ID of the gateway you created

4. We need to associate our subnet with the table. Click Subnet Associations, then Edit subnet associations, select your public subnet and save changes.

We have now satisfied all the requirements for the public subnet and its routing table. Next we repeat the same steps for our private subnet and routing table.

Repeat the same steps as for your public subnet and routing table, with some amendments:

Subnet

  1. Make sure your private subnet name is different from the public
  2. Choose a different Availability Zone and a different, non-overlapping CIDR block (for example 10.0.2.0/24)

Routing table

  1. Make sure to give your routing table a different name
  2. Since we want our subnet to remain private, do not add a route to the IGW; the table keeps only the local route. (Without a NAT gateway the private instance has no outbound internet access either, which is acceptable for this demonstration.)
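The VPC, Internet Gateway, subnet and routing table steps above, scripted with the AWS CLI. This is an added example and not part of the original article; it assumes an installed and authenticated aws CLI with a default region configured, uses the article's CIDR blocks and naming, and picks us-east-1a for the private subnet's Availability Zone and 10.0.2.0/24 for its CIDR (both assumptions, since the article leaves them to you). The private routing table deliberately gets no 0.0.0.0/0 route, which is the whole difference between the two subnets.

```shell
#!/bin/sh
# Added example (not the article's code): builds the custom VPC network with the AWS CLI.
# Assumes `aws` is installed and configured (credentials + default region).
# CIDRs and names follow the article; the private AZ (us-east-1a) and the
# private CIDR (10.0.2.0/24) are assumptions.
set -eu
export AWS_PAGER=""            # never block on an interactive pager

VPC_CIDR="10.0.0.0/16"
PUBLIC_CIDR="10.0.1.0/24";  PUBLIC_AZ="us-east-1d"
PRIVATE_CIDR="10.0.2.0/24"; PRIVATE_AZ="us-east-1a"
NAME_PREFIX="${NAME_PREFIX:-Weston}"

# Give a resource a Name tag so it is recognisable in the console.
tag_name() {   # $1 = resource id, $2 = name
  aws ec2 create-tags --resources "$1" --tags "Key=Name,Value=$2"
}

# Custom VPC. Prints the VPC ID.
create_vpc() {
  vpc=$(aws ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId --output text)
  tag_name "$vpc" "${NAME_PREFIX}-VPC"
  echo "$vpc"
}

# Internet Gateway, attached to the VPC. Prints the IGW ID.
create_igw() {   # $1 = vpc id
  igw=$(aws ec2 create-internet-gateway \
          --query InternetGateway.InternetGatewayId --output text)
  aws ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$1"
  tag_name "$igw" "${NAME_PREFIX}-IGW"
  echo "$igw"
}

# Subnet in one AZ. "public" also enables auto-assign public IPv4. Prints the subnet ID.
create_subnet() {   # $1 = vpc id, $2 = cidr, $3 = az, $4 = public|private
  subnet=$(aws ec2 create-subnet --vpc-id "$1" --cidr-block "$2" \
             --availability-zone "$3" --query Subnet.SubnetId --output text)
  if [ "$4" = "public" ]; then
    aws ec2 modify-subnet-attribute --subnet-id "$subnet" --map-public-ip-on-launch
    tag_name "$subnet" "${NAME_PREFIX}-PublicSub"
  else
    tag_name "$subnet" "${NAME_PREFIX}-PrivateSub"
  fi
  echo "$subnet"
}

# Routing table associated with a subnet. When an IGW ID is given, add the
# 0.0.0.0/0 default route; pass "" for the private subnet so only the automatic
# "local" route remains. Prints the route table ID.
create_route_table() {   # $1 = vpc id, $2 = subnet id, $3 = igw id or ""
  rtb=$(aws ec2 create-route-table --vpc-id "$1" \
          --query RouteTable.RouteTableId --output text)
  if [ -n "$3" ]; then
    aws ec2 create-route --route-table-id "$rtb" \
      --destination-cidr-block 0.0.0.0/0 --gateway-id "$3" >/dev/null
    tag_name "$rtb" "PublicRT-${NAME_PREFIX}"
  else
    tag_name "$rtb" "PrivateRT-${NAME_PREFIX}"
  fi
  aws ec2 associate-route-table --route-table-id "$rtb" --subnet-id "$2" >/dev/null
  echo "$rtb"
}

# The whole procedure. Prints "vpc_id public_subnet_id private_subnet_id"
# for use in the instance steps that follow.
build_network() {
  vpc=$(create_vpc)
  igw=$(create_igw "$vpc")
  pub=$(create_subnet "$vpc" "$PUBLIC_CIDR" "$PUBLIC_AZ" public)
  prv=$(create_subnet "$vpc" "$PRIVATE_CIDR" "$PRIVATE_AZ" private)
  create_route_table "$vpc" "$pub" "$igw" >/dev/null   # public: default route via IGW
  create_route_table "$vpc" "$prv" ""     >/dev/null   # private: local route only
  echo "$vpc $pub $prv"
}

# Run as "./build-network.sh build"; without the argument nothing is created.
if [ "${1:-}" = "build" ]; then
  build_network
fi
```

The script prints the three IDs the instance steps need. Note that nothing in it makes a subnet "public" except the single `create-route` call to 0.0.0.0/0; auditing route tables for that entry is the quickest way to find out which subnets in an account are actually exposed.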

D. Create a Bastion Host and Private Instance

Starting with our Bastion Host first.

  1. In AWS services, select EC2, then Instances
  2. Select Launch instances

3. Enter the following details for the fields below (or use your own examples). Continue past the steps not mentioned, with or without their default selections.

Step 1: Choose an Amazon Machine Image (AMI)

  • AMI: Amazon Linux 2 (free tier eligible, recommended choice)

Step 2: Select an Instance type

  • Type: t2.micro

Step 3: Configure Instance details

  • Network: select your custom VPC
  • Subnet: select your public subnet

Note: Auto-assign Public IP is enabled since we modified it after creating our public subnet

Step 4: Configure Security Group

Create a new security group and give it a name and description. Make sure the type is SSH (it usually is by default) and leave everything else as is except the source. We want SSH allowed only from our own IP address; choosing My IP makes the console fill in your current public IP address. If that address changes later, you will have to update this rule before you can connect again.

  • Type: SSH
  • Source: My IP (the console fills in your current public IPv4 address as a /32)

Step 5: Create a new key pair

Key pairs allow you to connect to your instance securely. You will be asked to choose an existing key pair or create a new one. Create a new key pair and download it, then save it somewhere safe: AWS does not keep a copy of the private key, so it cannot be downloaded again.

4. Once completed, review and launch.

Repeat steps to create your private instance….

Step 1: Choose an Amazon Machine Image (AMI)

Step 2: Select an Instance type

Step 3: Configure Instance details

Select your private subnet, and make sure Auto-assign Public IP is disabled.

Step 4: Configure Security Group

Make sure the type is SSH and set the source to Custom. Since we only want SSH traffic that originates inside our VPC, enter the VPC's CIDR block (10.0.0.0/16) as the source. A tighter alternative is to select the bastion host's security group as the source, so that only the bastion, and not every instance in the VPC, can reach port 22 on the private instance.

Step 5: Create a new key pair

Step 6: Review and Launch instances
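The security groups and the two instance launches from the steps above, as an AWS CLI script. This is an added example, not the article's own code; it assumes the VPC and subnet IDs from the earlier steps (or from the console), two key pairs that already exist in the region, and an authenticated CLI. The names, the environment variable names and the public SSM parameter used to look up the current Amazon Linux 2 AMI are assumptions. It departs from the console walkthrough in one place: the private instance's security group allows SSH from the bastion's security group rather than from the whole VPC CIDR.

```shell
#!/bin/sh
# Added example (not the article's code): security groups and instances via the AWS CLI.
# Assumes an authenticated CLI, an existing VPC/subnets, and two existing key pairs.
# Driven by environment variables (all assumptions, set them before running):
#   VPC_ID PUBLIC_SUBNET_ID PRIVATE_SUBNET_ID BASTION_KEY PRIVATE_KEY MY_IP
set -eu
export AWS_PAGER=""
NAME_PREFIX="${NAME_PREFIX:-Weston}"

# Current Amazon Linux 2 AMI from the public SSM parameter, so no AMI ID is hard-coded.
latest_amzn2_ami() {
  aws ssm get-parameters \
    --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 \
    --query 'Parameters[0].Value' --output text
}

# Bastion SG: port 22 only from one operator address (the console's "My IP").
create_bastion_sg() {   # $1 = vpc id, $2 = your public IPv4
  sg=$(aws ec2 create-security-group --group-name "${NAME_PREFIX}-bastion-sg" \
         --description "SSH from operator IP only" --vpc-id "$1" \
         --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg" \
    --protocol tcp --port 22 --cidr "$2/32" >/dev/null
  echo "$sg"
}

# Private SG: port 22 only from members of the bastion SG. Tighter than a
# 10.0.0.0/16 source: another instance in the VPC (a compromised web server,
# say) still cannot open SSH to the private instance.
create_private_sg() {   # $1 = vpc id, $2 = bastion sg id
  sg=$(aws ec2 create-security-group --group-name "${NAME_PREFIX}-private-sg" \
         --description "SSH from bastion security group only" --vpc-id "$1" \
         --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg" \
    --protocol tcp --port 22 --source-group "$2" >/dev/null
  echo "$sg"
}

# One t2.micro. public|private decides whether a public IPv4 is attached.
launch_instance() {   # $1 = subnet id, $2 = sg id, $3 = key name, $4 = public|private, $5 = Name
  if [ "$4" = "public" ]; then ip_flag="--associate-public-ip-address"
  else ip_flag="--no-associate-public-ip-address"; fi
  aws ec2 run-instances --image-id "$(latest_amzn2_ami)" --instance-type t2.micro \
    --subnet-id "$1" --security-group-ids "$2" --key-name "$3" "$ip_flag" \
    --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=$5}]" \
    --query 'Instances[0].InstanceId' --output text
}

# The whole procedure. Prints "bastion_instance_id private_instance_id".
build_instances() {
  bastion_sg=$(create_bastion_sg "$VPC_ID" "$MY_IP")
  private_sg=$(create_private_sg "$VPC_ID" "$bastion_sg")
  bastion=$(launch_instance "$PUBLIC_SUBNET_ID"  "$bastion_sg" "$BASTION_KEY" public  "${NAME_PREFIX}-Bastion")
  private=$(launch_instance "$PRIVATE_SUBNET_ID" "$private_sg" "$PRIVATE_KEY" private "${NAME_PREFIX}-Private")
  echo "$bastion $private"
}

# Run as "./launch.sh launch" after exporting the variables listed at the top
# (MY_IP can be taken from: curl -s https://checkip.amazonaws.com).
if [ "${1:-}" = "launch" ]; then
  build_instances
fi
```

Referencing the bastion's security group instead of a CIDR also survives IP changes: if the bastion is replaced, the new one inherits access by being placed in the same group, and nothing else does.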

E. Connecting to your private instance through your bastion host

Once your instances are up and running, you can connect to either of them with an SSH client. But remember, our task is to reach the private instance via the bastion host. I will be connecting using my Windows Terminal (CMD); use any terminal that lets you SSH into your instances. See below for guidance.

Bastion Host

  1. In your terminal run “ssh -i "WestonPub.pem" ec2-user@<bastion public IPv4 address>”, using the public IPv4 address (or public DNS name) shown for the bastion in the EC2 console; its private address inside the VPC is not reachable from the internet. You should now be logged into your bastion host.

2. Let’s connect to our private instance. As with the bastion host, we need the instance’s SSH connection details (its private IPv4 address, 10.0.2.234 in this example) and its private key pair file.

In your terminal, enter the following details below

We’ll create the private key as a .pem file on the bastion using vim:

  • vim WestonPriv.pem

Open the key pair file you downloaded for the private instance, copy its contents, paste them into the vim buffer and save.

  • We also have to restrict the permissions on the file using chmod 400 WestonPriv.pem; ssh refuses to use a private key that other users can read.
  • Lastly, enter your SSH details: “ssh -i "WestonPriv.pem" ec2-user@10.0.2.234” (the target is the private instance’s private IPv4 address, which is only reachable from inside the VPC).

Note that this leaves a copy of the private key on the bastion, so anyone who compromises the bastion also gains access to the private instance. OpenSSH’s ProxyJump option (ssh -J) relays the connection through the bastion while both keys stay on your workstation.

Congratulations! You have successfully connected to your private instance via bastion host.
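A way to reach the private instance that keeps both private keys off the bastion, as an added example that is not part of the original article: an OpenSSH ProxyJump configuration under which a single `ssh weston-private` tunnels through the bastion, plus a permission check that mirrors the chmod 400 step. The host aliases, IP addresses and key paths are placeholders.

```shell
#!/bin/sh
# Added example (not the article's code): ProxyJump instead of copying the key
# to the bastion. The bastion only relays the TCP connection; the private
# instance authenticates against a key that never leaves your workstation.
# Aliases (weston-bastion, weston-private), addresses and paths are placeholders.
set -eu

# Write an ssh_config fragment. $1 = output file, $2 = bastion public IPv4,
# $3 = private instance private IPv4 (e.g. 10.0.2.234), $4 = bastion key,
# $5 = private instance key.
write_jump_config() {
  cat > "$1" <<EOF
Host weston-bastion
    HostName $2
    User ec2-user
    IdentityFile $4
    IdentitiesOnly yes
    ForwardAgent no

Host weston-private
    HostName $3
    User ec2-user
    IdentityFile $5
    IdentitiesOnly yes
    ProxyJump weston-bastion
EOF
  chmod 600 "$1"          # the fragment names key files; keep it owner-only too
}

# OpenSSH ignores a private key that group/others can read. Returns 0 when the
# mode is owner-only (0400 or 0600), 1 otherwise, with the fix on stderr.
key_is_private() {   # $1 = key file
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *) echo "$1: permissions too open, run: chmod 400 $1" >&2; return 1 ;;
  esac
}

# Usage (placeholders):
#   write_jump_config ~/.ssh/config.d/weston <bastion-public-ip> 10.0.2.234 \
#       ~/.ssh/WestonPub.pem ~/.ssh/WestonPriv.pem
#   key_is_private ~/.ssh/WestonPriv.pem && ssh -F ~/.ssh/config.d/weston weston-private
# The equivalent one-liner without a config file:
#   ssh -i WestonPriv.pem -J ec2-user@<bastion-public-ip> ec2-user@10.0.2.234
```

`IdentitiesOnly yes` stops ssh from offering every key in your agent to the bastion, and `ForwardAgent no` is explicit because agent forwarding would let a compromised bastion use your agent; ProxyJump needs neither, since the second SSH session is negotiated end to end with the private instance over the relayed connection.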

Conclusion

We can now dismantle our architecture, since it was built only for demonstration purposes: terminate both instances, then delete the security groups, routing tables and subnets, detach and delete the Internet Gateway, and finally delete the VPC (the VPC cannot be deleted while those resources are still attached to it).

