a, Add a Virtual private gateway and access the private subnet over a site-to-site VPN
b, Access hosts in the private subnet using a bastion host
c, Access hosts in the private subnet using a NAT gateway
d, Add a public IP address to one of the hosts in your private subnet and use that host to access all the others
The answer is b. But what I don’t understand is why using a VPN gateway and connecting to instances isn’t the safest option, as it doesn’t expose any instances to the internet, while on the other hand a bastion host, although hardened, still exposes one instance to the public internet.
Let me ask this instead, which would be more secure?
All machines on your network having direct access to every machine in the private subnet
A single entry point that can be controlled to access machines in the private subnet
Both are viable solutions, just which one is more secure?
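The "single controlled entry point" the reply describes is usually expressed as two security groups: the bastion accepts SSH only from a named administrative CIDR, and the private hosts accept SSH only from the bastion's security group, not from any IP range. The Terraform fragment below is an added illustration, not configuration from the thread or from the exam; the VPC id, the administrative CIDR and the `aws_instance` resources are placeholders you would replace with your own.

```hcl
# Added example (not from the original thread). Assumes an existing VPC
# whose id is passed in as var.vpc_id, and an allow-listed admin network
# in var.admin_cidr (e.g. your office or VPN egress range, a placeholder here).

variable "vpc_id"     { type = string }
variable "admin_cidr" { type = string }   # placeholder, e.g. "203.0.113.0/24"

# Bastion: the only instance with a public IP. Ingress is restricted to the
# admin CIDR on port 22; nothing else on the internet can reach it.
resource "aws_security_group" "bastion" {
  name   = "bastion-sg"
  vpc_id = var.vpc_id

  ingress {
    description = "SSH from the administrative network only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    description = "Allow outbound so the bastion can reach private hosts"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Private hosts: no public IP, and SSH is accepted only from members of the
# bastion security group. Referencing the SG rather than a CIDR means a
# replacement bastion with a new IP is still the one permitted source,
# and no other machine (inside or outside the VPC) is granted access.
resource "aws_security_group" "private_hosts" {
  name   = "private-hosts-sg"
  vpc_id = var.vpc_id

  ingress {
    description     = "SSH only via the bastion"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The contrast with the VPN-gateway option in the question is what the reply is getting at: a site-to-site VPN extends routing from every machine on the remote network into the private subnet, so the blast radius is "whatever is on that network", whereas the two-group layout above funnels all interactive access through one host whose inbound rule, logging and patching you control. Either design should still be paired with VPC Flow Logs on the private subnet and SSH key or session-manager based authentication on the bastion, so that the single entry point is also the single place you audit.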