Connecting to an EC2 Instance on a Private Subnet With a Bastion Server

Bastion Server Guide

Now you're not going to want to expose all of your AWS EC2 instances to the internet, for obvious reasons. So how do you connect to them? Setting up and connecting via a ‘Bastion’ server is the quickest and easiest way. A Bastion server is a hardened, internet-facing instance that does nothing more than relay SSH connections to EC2 instances on a private subnet in your VPC. In this guide, I cover how to do this securely via SSH. If you are using a Mac, the SSH client and ssh-agent are installed by default and are used from the ‘Terminal’ app.

This guide assumes:

  1. You have already launched an EC2 instance to act as your Bastion server, and it is internet facing (public IP or public DNS name)
  2. It resides in the same VPC as the machine you wish to access
  3. You have created and applied security groups for SSH access: the Bastion's allows inbound port 22 only from your own IP address, and the private instance's allows inbound port 22 only from the Bastion's security group
  4. You are using a Mac.

The following guide covers:

  1. Adding your private key to the SSH agent (and the macOS keychain)
  2. Verifying the keys that are available for SSH to use
  3. Connecting to your Bastion server
  4. How to connect to your private Subnet EC2 instance.

Add your private key to the SSH agent

By adding your private key to ssh-agent (and, on macOS, storing its passphrase in the keychain), you avoid having to specify which private key to use each time you connect, making life more comfortable.

  1. Open the ‘Terminal’ app
  2. Make sure the key file is readable only by you: ‘chmod 600 YourKeyName.pem’. ssh-add refuses a key whose permissions are too open
  3. Type ‘ssh-add -K YourKeyName.pem’. On macOS 12 (Monterey) and later, ‘-K’ is deprecated and the same option is spelled ‘ssh-add --apple-use-keychain YourKeyName.pem’
  4. If the key is protected by a passphrase, the agent prompts for it; type it and press return. Keys generated by the EC2 console have no passphrase, so there is no prompt
  5. Verify your key by typing ‘ssh-add -l’. This lists each loaded key's bit length, fingerprint and file name (‘ssh-add -L’ prints the full public keys instead).

The key has now been added. Note that the agent's list is cleared on reboot, so re-run ‘ssh-add’ after a restart.

If you skip this step you will need to specify the required key with the ‘-i YourKeyName.pem’ flag on every ssh command.

Connect to your Bastion server

  1. Type ‘ssh -A ec2-user@<bastion-external-IP-address or external-DNS-entry>’ (‘ec2-user’ is the default login for Amazon Linux AMIs; Ubuntu AMIs use ‘ubuntu’)

The connection has now been established.

‘-A’ forwards your local ssh-agent to the Bastion, so the second hop can authenticate with a key that never leaves your Mac. The trade-off is that, while you are connected, anyone with root on the Bastion can use the forwarded agent socket to authenticate as you. If you do not fully trust the Bastion, prefer ‘ssh -J ec2-user@<bastion> ec2-user@<internal-IP-address>’ (ProxyJump), which tunnels straight through the Bastion without exposing the agent.

Connect to your private subnet EC2 instance

  1. From the Bastion's shell, type ‘ssh ec2-user@<internal-IP-address or internal-DNS-entry>’. The private instance authenticates you against the forwarded agent, so the .pem file never needs to be copied onto the Bastion.
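The four steps above wrapped into one script, as an added example written for this page (it is not the author's script). It assumes Amazon Linux's ‘ec2-user’, a hypothetical key path such as ~/.ssh/my-key.pem and the placeholder addresses in the comments, and it uses ProxyJump (‘-J’) instead of agent forwarding (‘-A’) so the Bastion never holds a socket to your agent.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): checks key permissions, loads the
# key into ssh-agent, renders an ssh_config stanza and connects through the
# bastion with ProxyJump. Hypothetical values: the host names, 10.0.1.23 and
# ~/.ssh/my-key.pem. POSIX sh compatible.
set -u

# 1. ssh-add refuses a key that is readable by group or other. Succeeds only
#    when the group/other mode bits are all clear (e.g. 0600 or 0400). Parses
#    `ls -ld` because stat(1) flags differ between macOS and Linux.
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 2. Load the key into ssh-agent only if its fingerprint is not already listed.
#    --apple-use-keychain is the modern spelling of -K on macOS; plain ssh-add
#    elsewhere. EC2 console keys have no passphrase, so ssh-keygen won't prompt.
ensure_key_loaded() {
    key="$1"
    fp="$(ssh-keygen -lf "$key" | awk '{print $2}')"
    if ssh-add -l 2>/dev/null | awk '{print $2}' | grep -qxF "$fp"; then
        return 0
    fi
    case "$(uname)" in
        Darwin) ssh-add --apple-use-keychain "$key" ;;
        *)      ssh-add "$key" ;;
    esac
}

# 3. Render an ssh_config stanza: the private host is reached via the bastion
#    with ProxyJump, and ForwardAgent is explicitly off so the bastion never
#    sees your agent. IdentitiesOnly stops ssh offering every key in the agent,
#    which otherwise trips "Too many authentication failures".
render_ssh_config() {
    bastion="$1"; private="$2"; key="$3"; user="${4:-ec2-user}"
    cat <<EOF
Host bastion
    HostName ${bastion}
    User ${user}
    IdentityFile ${key}
    IdentitiesOnly yes

Host private
    HostName ${private}
    User ${user}
    IdentityFile ${key}
    IdentitiesOnly yes
    ProxyJump bastion
    ForwardAgent no
EOF
}

# 4. The one-liner equivalent of the stanza, for use without editing ~/.ssh/config.
ssh_command() {
    bastion="$1"; private="$2"; user="${3:-ec2-user}"
    printf 'ssh -J %s@%s %s@%s' "$user" "$bastion" "$user" "$private"
}

main() {
    bastion="$1"; private="$2"; key="$3"
    if ! key_perms_ok "$key"; then
        echo "fixing permissions on $key (ssh-add would reject it)" >&2
        chmod 600 "$key"
    fi
    ensure_key_loaded "$key"
    # Show the stanza once so it can be pasted into ~/.ssh/config; after that
    # plain `ssh private` is enough. Then connect with the equivalent one-liner.
    render_ssh_config "$bastion" "$private" "$key" >&2
    echo "running: $(ssh_command "$bastion" "$private")" >&2
    ssh -J "ec2-user@${bastion}" "ec2-user@${private}"
}

# Only connect when invoked with arguments, e.g.:
#   ./bastion.sh ec2-3-8-1-2.eu-west-2.compute.amazonaws.com 10.0.1.23 ~/.ssh/my-key.pem
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

With ‘-J’ the Bastion only relays a TCP connection; the SSH session to the private instance is end-to-end from your Mac, so the Bastion sees neither your private key nor an agent socket, and the private host's host key is verified by your own client.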

You have now connected to your EC2 instance on your private subnet. Note that a private subnet has no route to an internet gateway, so although you can reach the instance, it cannot reach external resources such as package repositories for updates. In a later guide, I will show you how to do this safely. Find out more about my AWS certification or drop me a line on Twitter.
