🌉Setting Up Bastion Host with 2 VPCs on AWS
This guide is here to help you set up a bastion host spanning 2 VPCs.
We will follow several steps to configure our bastion host. This is a beginner guide by a beginner!
Prerequisites
AWS Account
Basic familiarity with AWS services such as EC2 and S3.
Understanding of CIDR, firewalls, Linux, and routing.
Optional: link your AWS account to your shell (applicable for Linux and Windows Subsystem for Linux). Here is a guide for that: https://www.youtube.com/watch?v=BzzCIsjrE7U, or you can use CloudShell.
Logical scheme

Network setup
VPC creation
Let's begin by creating our VPCs using the following scripts:
aws ec2 create-vpc \
--cidr-block 10.0.0.0/24 \
--tag-specification ResourceType=vpc,Tags=[{Key=Name,Value=VPC1}]
aws ec2 create-vpc \
--cidr-block 10.0.1.0/24 \
--tag-specification ResourceType=vpc,Tags=[{Key=Name,Value=VPC2}]
Peering Connection
Next, let's link the two VPCs with a peering connection using the following command:
aws ec2 create-vpc-peering-connection --vpc-id vpc-1a2b3c4d --peer-vpc-id vpc-11122233
Make sure you use the correct VPC IDs: --vpc-id is VPC1 and --peer-vpc-id is VPC2.
Internet Gateway
To finish this part, we need to attach an internet gateway to VPC1. This is necessary if you want to connect via SSH from another network.
aws ec2 create-internet-gateway
Well, it's kinda light, but I received error messages from my CLI. If you want more information about it, feel free to read this documentation. Let's attach it to our VPC 1:
aws ec2 attach-internet-gateway \
--internet-gateway-id igw-0d0fb496b3EXAMPLE \
--vpc-id vpc-0a60eb65b4EXAMPLE
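The network steps above, as an added example that is not the guide's own code: one script that captures the IDs instead of copying them by hand, checks the CIDRs do not overlap, and adds the accept step a peering request needs. It assumes a boto3 EC2 client; `FakeEc2` is a constructed stand-in so it runs offline.

```python
# Added example, not code from the guide: the VPC / peering / IGW steps above as one
# script that captures the IDs instead of copying them by hand and adds the accept
# step a peering request needs. Assumes a boto3 EC2 client (boto3.client("ec2"));
# FakeEc2 is a constructed stand-in so the script also runs offline.
import ipaddress

VPCS = {"VPC1": "10.0.0.0/24", "VPC2": "10.0.1.0/24"}  # CIDRs used in the guide

def check_no_overlap(cidrs):
    """AWS refuses to peer VPCs whose CIDRs overlap, so fail before creating anything."""
    nets = sorted((name, ipaddress.ip_network(c)) for name, c in cidrs.items())
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                raise ValueError(f"{a} ({na}) overlaps {b} ({nb})")
    return True

def build_network(ec2, cidrs=VPCS):
    """Create both VPCs, peer them, accept the peering, attach an IGW to VPC1 only."""
    check_no_overlap(cidrs)
    ids = {}
    for name, cidr in cidrs.items():
        tags = [{"ResourceType": "vpc", "Tags": [{"Key": "Name", "Value": name}]}]
        ids[name] = ec2.create_vpc(CidrBlock=cidr, TagSpecifications=tags)["Vpc"]["VpcId"]
    pcx = ec2.create_vpc_peering_connection(VpcId=ids["VPC1"], PeerVpcId=ids["VPC2"])
    ids["pcx"] = pcx["VpcPeeringConnection"]["VpcPeeringConnectionId"]
    # The request stays "pending-acceptance" until accepted; same account, so do it here.
    ec2.accept_vpc_peering_connection(VpcPeeringConnectionId=ids["pcx"])
    ids["igw"] = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=ids["igw"], VpcId=ids["VPC1"])  # bastion side only
    return ids

class FakeEc2:
    """Constructed offline stand-in: records every call and hands out fake IDs."""
    def __init__(self):
        self.calls = []
    def _call(self, op, kw, key=None, prefix=None):
        self.calls.append((op, kw))
        return {key: {key + "Id": f"{prefix}-{len(self.calls):08x}"}} if key else {}
    def create_vpc(self, **kw):
        return self._call("create_vpc", kw, "Vpc", "vpc")
    def create_vpc_peering_connection(self, **kw):
        return self._call("create_vpc_peering_connection", kw, "VpcPeeringConnection", "pcx")
    def accept_vpc_peering_connection(self, **kw):
        return self._call("accept_vpc_peering_connection", kw)
    def create_internet_gateway(self, **kw):
        return self._call("create_internet_gateway", kw, "InternetGateway", "igw")
    def attach_internet_gateway(self, **kw):
        return self._call("attach_internet_gateway", kw)
```

Replace `FakeEc2()` with `boto3.client("ec2")` to build it for real. Traffic between the VPCs still needs a route in each VPC's route table to the other CIDR via the pcx ID, which the script (like the guide) leaves to you.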
EC2 & Security Group setup
Security Group
A security group (SG) acts as a virtual firewall for your instance, controlling inbound and outbound traffic. SGs belong to a VPC! So first we will create 2 SGs, one in each VPC. Then we will create rules specifically for SSH.
aws ec2 create-security-group --group-name SecGVPC1 --description "Bastion" --vpc-id vpc-1a2b3c4d
aws ec2 create-security-group --group-name SecGVPC2 --description "Server" --vpc-id vpc-11122233
Be sure to note down the IDs of your new security groups; the CLI prints them in your shell ;) Now, let's configure the inbound and outbound rules for our security groups. We'll allow SSH in and out for SecGVPC1 and only inbound SSH for SecGVPC2.
SecGVPC1 :
Let's configure the inbound and outbound rules for SecGVPC1:
# About the source: it's up to you whether you want a specific IP, a range, or a wildcard; your own address is the safest choice.
aws ec2 authorize-security-group-ingress \
--group-id sg-1234567890IDSECGVPC1 \
--protocol tcp \
--port 22 \
--cidr 0.0.0.0/0
aws ec2 authorize-security-group-egress \
--group-id sg-1234567890IDSECGVPC1 \
--ip-permissions IpProtocol=tcp,FromPort=22,ToPort=22,UserIdGroupPairs='[{GroupId=sg-1234567890IDSECGVPC2}]'
About the egress rule: the destination is our second SG. By default, a security group has one egress rule that allows all traffic to anywhere ... It is not needed here, so we delete it:
aws ec2 revoke-security-group-egress --group-id sg-1234567890IDSECGVPC1 --ip-permissions '[{"IpProtocol":"-1","FromPort":-1,"ToPort":-1,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
This setup will prove useful if you intend to deploy multiple servers with these rules.
SecGVPC2 :
Configure inbound and outbound rules for SecGVPC2:
# About the source: authorize only SecGVPC1, by referencing its group ID instead of a CIDR.
aws ec2 authorize-security-group-ingress \
--group-id sg-1234567890IDSECGVPC2 \
--protocol tcp \
--port 22 \
--source-group sg-1234567890IDSECGVPC1
aws ec2 revoke-security-group-egress --group-id sg-1234567890IDSECGVPC2 --ip-permissions '[{"IpProtocol":"-1","FromPort":-1,"ToPort":-1,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
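An added audit, not code from the guide, that checks the two things the rules above set by hand: where SSH may come from, and whether the default allow-all egress rule is still present. Its input has the shape returned by `aws ec2 describe-security-groups`; `SAMPLE` is constructed, reusing the guide's placeholder group IDs.

```python
# Added example, not code from the guide: audit the SSH sources and the default
# egress rule of each security group. Input has the shape returned by
# `aws ec2 describe-security-groups`; SAMPLE is constructed with the guide's IDs.
WORLD = {"0.0.0.0/0", "::/0"}

def covers_ssh(perm):
    """True if an IpPermissions entry includes TCP/22 (or all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return (perm["IpProtocol"] == "tcp"
            and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535))

def audit(sg, only_from_group=None):
    """Return findings for one group. With only_from_group set (the SecGVPC2
    case), SSH may come only from that security group, never from a CIDR."""
    name, findings = sg["GroupName"], []
    for perm in sg.get("IpPermissions", []):
        if not covers_ssh(perm):
            continue
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        groups = {g["GroupId"] for g in perm.get("UserIdGroupPairs", [])}
        if cidrs & WORLD:
            findings.append(f"{name}: SSH open to the world {sorted(cidrs & WORLD)}; narrow it to your own address")
        if only_from_group and (cidrs or groups - {only_from_group}):
            findings.append(f"{name}: SSH allowed from something other than {only_from_group}")
    for perm in sg.get("IpPermissionsEgress", []):
        if perm["IpProtocol"] == "-1" and any(r["CidrIp"] in WORLD for r in perm.get("IpRanges", [])):
            findings.append(f"{name}: default allow-all egress rule still present (revoke it)")
    return findings

# Constructed sample: bastion SG with the world-open ingress and the default egress
# not yet revoked; server SG locked to the bastion SG with its egress revoked.
SAMPLE = [
    {"GroupId": "sg-1234567890IDSECGVPC1", "GroupName": "SecGVPC1",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "UserIdGroupPairs": [{"GroupId": "sg-1234567890IDSECGVPC2"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-1234567890IDSECGVPC2", "GroupName": "SecGVPC2",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "UserIdGroupPairs": [{"GroupId": "sg-1234567890IDSECGVPC1"}]}],
     "IpPermissionsEgress": []},
]
```

To run it against your account, feed it `aws ec2 describe-security-groups --output json` (the `SecurityGroups` list) in place of `SAMPLE`.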
Create EC2
KeyPair & EC2
Now, let's proceed with creating our instances. To enhance security, we'll create a separate key pair for each instance. Remember, if you lose your private key, AWS cannot recover it. There are multiple ways to create key pairs (create-key-pair), but I recommend going to the AWS console directly to create your EC2 instances, for several reasons:
You will need a public IP address to connect to your bastion, and assigning one from the CLI is ... quite complicated. You can enable it easily from the console:
When you create the keys, they are downloaded directly to your computer and assigned to your instance.
So, it's up to you to create the 2 EC2 instances in the EC2 management console. Ensure you select the correct VPC, create unique keys for each instance, choose a free-tier OS image, enable auto-assign public IP for your bastion only, and select the security groups we created earlier.
If you prefer to create them with scripts, you can check these resources: run instances or create instance.
We're nearing the end! We've set up the network and the instances with their key pairs. Now, it's time to securely connect to our EC2 instances using SSH.
SSH & Keypair
First, you need to keep the key file private; otherwise, SSH will refuse it with an error message:

So before proceeding, make sure your private key file is readable only by you, or SSH will reject it. Set the permissions with the following commands:
chmod 400 ./keypair1.pem
chmod 400 ./keypair2.pem
Connecting to the bastion :
Now, let's connect to the bastion instance via SSH (no sudo needed: after chmod 400 the key is readable by your own user, and sudo would make ssh run as root with root's known_hosts):
ssh -i "keypair1.pem" ec2-user@IP-PUBLIC-BASTION
Next, let's exit and securely transfer keypair2.pem to the bastion using SCP, authenticating with the bastion's own key, keypair1.pem:
scp -i keypair1.pem /where/key/is/keypair2.pem ec2-user@IP-PUBLIC-BASTION:/tmp
Note: sending the key to /tmp is a workaround to avoid modifying the permissions of other files within the bastion instance.
Return to the bastion via SSH, move the key from /tmp to a secure location (and check that its permissions are still 400), and then connect securely to the second instance:
ssh -i "keypair2.pem" ec2-user@IP-PRIVATE-SERVER
Upon successful connection, you should see a screen similar to this:

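As an added example that is not part of the guide: the permission check behind the SSH error shown earlier, done the way OpenSSH does it, plus an ssh_config that reaches the server through the bastion with ProxyJump so keypair2.pem never has to be copied onto the bastion. The host aliases, the ssh_config file name and the IP placeholders are assumptions.

```python
# Added example, not code from the guide: the permission check behind the SSH
# error above, done the way OpenSSH does it, plus an ssh_config that reaches the
# server through the bastion without ever copying keypair2.pem onto it.
# Host aliases, the ssh_config path and the IP placeholders are assumptions.
import os
import stat

def key_is_private(path):
    """Mirror the check that triggers 'UNPROTECTED PRIVATE KEY FILE!': the file
    must be owned by you (or root) and grant nothing to group/others, i.e.
    (mode & 0o077) == 0. The guide's `chmod 400` satisfies it."""
    st = os.stat(path)
    owned = st.st_uid in (os.getuid(), 0)
    return owned and (stat.S_IMODE(st.st_mode) & 0o077) == 0

def make_private(path):
    """Apply the guide's `chmod 400` and confirm the result."""
    os.chmod(path, 0o400)
    return key_is_private(path)

def proxyjump_config(bastion_ip, server_ip, key1="keypair1.pem", key2="keypair2.pem"):
    """ssh_config for `ssh -F ssh_config server`: ProxyJump (OpenSSH 7.3+) makes
    the bastion relay the TCP connection only, so the server key stays on your
    workstation and the scp-to-/tmp step is not needed."""
    return "\n".join([
        "Host bastion",
        f"    HostName {bastion_ip}",
        "    User ec2-user",
        f"    IdentityFile {key1}",
        "    IdentitiesOnly yes",  # offer only this key, not every key in the agent
        "",
        "Host server",
        f"    HostName {server_ip}",
        "    User ec2-user",
        f"    IdentityFile {key2}",
        "    IdentitiesOnly yes",
        "    ProxyJump bastion",
        "",
    ])

if __name__ == "__main__":
    for key in ("keypair1.pem", "keypair2.pem"):
        if os.path.exists(key) and not key_is_private(key):
            print(key, "fixed" if make_private(key) else "still unsafe")
    with open("ssh_config", "w") as f:
        f.write(proxyjump_config("IP-PUBLIC-BASTION", "IP-PRIVATE-SERVER"))
    # then: ssh -F ssh_config server
```

Because the bastion only forwards the connection, the server's key is never at rest on a host reachable from the internet, which is the weak point of the copy-to-/tmp approach.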
Summary and further steps
Congratulations on successfully managing networking between VPCs, implementing strict access rules, creating instances with corresponding security measures, and establishing SSH connections using key pairs. This type of network architecture with a bastion host is widely used in enterprises.
To enhance your setup further, consider integrating monitoring tools into your bastion host, such as Apache Guacamole or Fortigate. Additionally, you can expand your infrastructure by adding more servers to VPC2.
I hope this guide has been helpful to you!
Vic