Connect to a Private Instance using a Bastion Host in EC2 inside a Custom Virtual Private Cloud (VPC) in AWS

Betty Barrera
6 min read · May 31, 2021


The team has been assigned a task to build a custom Virtual Private Cloud (VPC). They will need to successfully create a connection to a private instance using a bastion host in EC2 where the team will be the only ones to have access to it.

Create a VPC

1. Navigate to VPC

2. Click on Create VPC button

3. Enter the VPC settings indicated; for the Name tag, use any name you like.

4. Click on Create VPC

Create Public and Private Subnet

1. Navigate to Subnets

2. Click on Create Subnet

3. Create the public subnet with the following configuration: for VPC ID, select the newly created VPC from the drop-down, and for Subnet name, use any name you like.

4. Click Add New Subnet to create the private subnet with the following configuration; for Subnet name, use any name you like.

5. Click Create Subnet; the subnets will display as follows:

6. Modify Auto-Assign IP Setting for Public Subnet

  • Select public subnet created
  • From Actions drop down select Modify auto-assign IP settings
  • Select Enable auto-assign public IPv4 address
  • Save changes

Create Internet Gateway

1. Navigate to Internet Gateways

2. Click on Create Internet Gateway

3. Create the Internet Gateway; for the Name tag, use any name you like.

4. Click on Create Internet Gateway

5. Click Actions and from the drop down select Attach VPC.

6. Select your VPC previously created.

7. Click on Attach Internet Gateway

Create NAT Gateway

1. Navigate to NAT gateways

2. Click on Create NAT Gateway

3. Create NAT Gateway with the following configurations.

  • Name — Give it the name you desire
  • Subnet — Select your public subnet
  • Elastic IP allocation ID — Click Allocate Elastic IP
  • Click Create NAT gateway

Create Public and Private Route Table

1. Navigate to Route Tables

2. Click on Create route table

3. Create Public Route table with the following configurations.

  • Name — Give it the name you desire
  • VPC — Select VPC created previously
  • Click Create Route Table
  • In Routes tab select Edit Routes
  • Click add route, set Destination to 0.0.0.0/0 and for Target select Internet Gateway created
  • Click Save changes
  • In Subnet association select Edit subnet associations under Explicit Subnet Associations
  • Select the public subnet created
  • Click on Save Associations

4. Create Private Route table with the following configurations.

  • Name — Give it the name you desire
  • VPC — Select VPC created previously
  • Click Create Route Table
  • In Routes tab select Edit Routes
  • Click add route, set Destination to 0.0.0.0/0 and for Target select NAT Gateway created
  • Click Save Changes
  • In Subnet association select Edit subnet associations under Explicit Subnet Associations
  • Select the private subnet created
  • Click on Save Associations

Create EC2 Public Instance

1. Navigate to EC2

2. Click on Launch Instances

3. Amazon Machine Image (AMI) — Select Amazon Linux 2 AMI

4. Instance Type — Select t2.micro

5. Configuration Details

  • Network — Select VPC created previously
  • Subnet — Auto populates with Public Subnet
  • Auto-assign Public IP — Auto populates with Use subnet setting (Enable)
  • User Data — key in the following script (it runs as root on first boot):
#!/bin/bash
yum update -y            # apply the latest package updates
yum install -y httpd     # install the Apache web server
systemctl start httpd    # start it now
systemctl enable httpd   # and start it again on every reboot

6. Add Storage — Keep defaults

7. Add Tags — As desired

8. Security Group

  • Security Group Name — Name desired
  • Description — Description desired
  • Rules as follows:

9. Review and launch — No change required

10. Select an existing key pair or create a new one. If you create one, make sure to download the key pair file and do not lose it.

11. Click on Launch Instances

Create EC2 Private Instance

1. Navigate to EC2

2. Click on Launch Instances

3. Amazon Machine Image (AMI) — Select Amazon Linux 2 AMI

4. Instance Type — Select t2.micro

5. Configuration Details

  • Network — Select VPC created previously
  • Subnet — Change to Private Subnet
  • Auto-assign Public IP — Use subnet setting (Disable)

6. Add Storage — Keep defaults

7. Add Tags — As desired

8. Security Group

  • Security Group Name — Name desired
  • Description — Description desired
  • Rule as follows — For Source select Custom and choose the security group of your Bastion Host, so that only the bastion can open SSH to this instance.

9. Review and launch — No change required

10. Select existing key pair.

11. Click on Launch Instances

Connecting to your Private Instance from your Bastion Host

1. Verify that your instances are running.

2. Select your Bastion Host and click on Connect

3. Select SSH Client to view your details needed to connect from the terminal.

4. Once in your terminal change to directory where private key is located.

5. Run the command chmod 400 MyKeyBB.pem, substituting the key file name shown under SSH client for your instance.

6. Run the command ssh -i "MyKeyBB.pem" ec2-user@3.80.244.212, substituting the key file name and public IP shown under SSH client for your instance, and reply "yes" to the host-key prompt.

7. You have now successfully connected to your Bastion Host.

8. We will now connect to your private instance, in order to do this we will need to create a copy of your private key file inside your Bastion Host.

  • Open your private key using a text editor.
  • Select everything in the file.
  • From the command line type vim MyKeyBB.pem (the file name can be whatever you want it to be).
  • Paste the information you copied from your original private key.
  • Now hit ESC followed by :wq, your private key has been created inside the Bastion Host.

9. Run the command chmod 400 MyKeyBB.pem, using the name of the key file you just created.

10. Run the command ssh -i "MyKeyBB.pem" ec2-user@10.0.2.93, making sure you use the private IP address of your private instance.
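As an added example (not code from the article), the script below checks a VPC description against the layout built above (private subnet routes out only through the NAT gateway, private instance has no public IP and accepts SSH only from the bastion's security group, bastion SSH limited to the team's range) and then writes the ~/.ssh/config that reaches the private instance through the bastion with ProxyJump, which keeps the private key on your workstation instead of copying it onto the bastion as in step 8. The VPC dictionary is a constructed sample, not live API output; the subnet and security group IDs, the 10.0.1.25 address and the team CIDR 198.51.100.0/24 are assumptions.

```python
# Constructed sample of the finished layout, as `aws ec2 describe-*` calls would report it
# (IDs and the 10.0.1.25 address are made up; the other two IPs are the article's).
VPC = {
    "subnets": {  # default-route target per subnet: igw-* (public) or nat-* (private)
        "subnet-pub": {"auto_public_ip": True, "default_route": "igw-111"},
        "subnet-priv": {"auto_public_ip": False, "default_route": "nat-222"},
    },
    "security_groups": {  # inbound rules: port plus source (CIDR or security group id)
        "sg-bastion": [{"port": 22, "source": "198.51.100.0/24"}],  # the team's range
        "sg-private": [{"port": 22, "source": "sg-bastion"}],
    },
    "instances": {
        "bastion": {"subnet": "subnet-pub", "sg": "sg-bastion",
                    "public_ip": "3.80.244.212", "private_ip": "10.0.1.25"},
        "private": {"subnet": "subnet-priv", "sg": "sg-private",
                    "public_ip": None, "private_ip": "10.0.2.93"},
    },
}


def audit(vpc):
    """Return findings; an empty list means the layout matches the bastion pattern."""
    subs, sgs, inst = vpc["subnets"], vpc["security_groups"], vpc["instances"]
    b, p = inst["bastion"], inst["private"]
    findings = []
    if not subs[b["subnet"]]["default_route"].startswith("igw-"):
        findings.append("bastion subnet has no internet gateway default route")
    if not subs[p["subnet"]]["default_route"].startswith("nat-"):
        findings.append("private subnet default route is not a NAT gateway")
    if subs[p["subnet"]]["auto_public_ip"] or p["public_ip"]:
        findings.append("private instance is reachable on a public IP")
    # SSH into the private instance must be allowed only from the bastion's security group.
    for r in sgs[p["sg"]]:
        if r["port"] == 22 and r["source"] != b["sg"]:
            findings.append(f"private instance SSH open to {r['source']}")
    # The bastion's own SSH rule should name the team's address range, not the world.
    for r in sgs[b["sg"]]:
        if r["port"] == 22 and r["source"] == "0.0.0.0/0":
            findings.append("bastion SSH open to 0.0.0.0/0")
    return findings


def ssh_config(vpc, key="~/.ssh/MyKeyBB.pem", user="ec2-user"):
    """~/.ssh/config text so that `ssh private` hops through the bastion via ProxyJump;
    the IdentityFile is read on the workstation for both hops, so no key copy is needed."""
    b, p = vpc["instances"]["bastion"], vpc["instances"]["private"]
    return (f"Host bastion\n  HostName {b['public_ip']}\n  User {user}\n  IdentityFile {key}\n\n"
            f"Host private\n  HostName {p['private_ip']}\n  User {user}\n"
            f"  IdentityFile {key}\n  ProxyJump bastion\n")
```

With that config in place, `ssh private` from the workstation opens the connection through the bastion in one step.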

Clean Up

We have now successfully connected to the private instance through a bastion host and can remove the instances and the VPC we created, since we no longer need them. This setup was for demonstration purposes only.

1. Terminate instances created.

2. Delete NAT Gateway created.

3. Internet Gateway

  • Detach from VPC.
  • Delete Internet Gateway created.

4. Delete VPC created.
