AWS Security Essentials - Securing Connections with a Bastion Host

1 hour
  • 4 Learning Objectives

About this Hands-on Lab

This activity allows the student to gain experience designing and implementing a secure bastion host solution. A bastion host is a server whose sole purpose is to provide a controlled entry point into your private infrastructure in AWS from an external or public network. The bastion host provides an extra layer of security for your private infrastructure at all times: the private instances accept SSH only from the bastion's security group, never directly from the Internet. In this Learning Activity, we will set up a bastion host and learn how to establish a secure connection through it.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Configure Security Groups

Navigate to EC2 from the services menu and select Security Groups from the menu on the left side of the page. We’ll see two named security groups, Bastion and Private, in the top panel.

Select the Bastion security group, click the Inbound tab in the lower panel, and click Edit to modify its inbound rules. Create a rule with the type SSH, and a source of Anywhere. Click Save.

Next, select the Private security group, click the Inbound tab in the lower panel, and click Edit to modify its inbound rules. Create a rule with the type SSH, but this time, choose Custom from the source dropdown menu. In the text field, enter the group ID of the Bastion security group (this can be found in the top panel on the page or selected from a contextual menu that appears when we begin typing). In the description field, enter "from Bastion SG" to indicate that traffic is coming from the bastion host’s security group. Click Save.

Navigate to Instances on the menu on the left side of the page. We’ll see three instances provisioned: two bastion hosts and one private instance.

Connecting from BastionHost1

Select the BastionHost1 instance. In the lower panel, copy the IPv4 public IP address to your clipboard. Open a terminal window on your computer and connect to the instance via SSH:

$ ssh cloud_user@12.34.56.78

Be sure to replace the IP address above with the one you copied. The password to log in can be found on the lab page, along with AWS credentials for this lab.

Now that we’re connected to the bastion host, we’ll make sure it can connect to the private instance. From the Instances page in the AWS console, select PrivateInstance from the list in the top panel. Below, copy its private IP address to your clipboard.

Go back to the terminal window, where we’re still logged in to the bastion host. From the bastion host, connect to the private instance via SSH:

$ ssh cloud_user@10.0.0.1

Replace the IP address in the command above with the IP address you copied for the private instance. The password to log in can be found on the lab page with the other credentials for this lab. If the security groups have been properly configured, we should be able to log in successfully.

Disconnect from all instances before starting the next steps.

Connecting with BastionHost2

Next, we’ll check whether we can get to the private instance from our second bastion host. Select BastionHost2 from the Instances list and copy its IPv4 public IP address from the description.

Return to the terminal and connect to the second bastion host, using its IP and the credentials provided on the lab page:

$ ssh cloud_user@87.65.43.21

In the AWS console, select the PrivateInstance again and copy its private IP address. Go back to the terminal, where you should still be logged in to the second bastion host. Connect to the private instance using its IP address:

$ ssh cloud_user@10.0.0.1

This time, the connection will fail. The BastionHost2 instance is part of a different security group that isn’t allowed to connect to the private instance. To see more details, we can check which security group the second bastion host uses in its description on the Instances page.

Changing Security Groups

To fix this problem, we can change the security group for BastionHost2.

Select Security Groups from the menu on the left side of the AWS console. Look for the Bastion security group (the same one we modified before) in the list within the top panel. Take note of the first four or five characters following "sg-" in its group ID.

Go back to the Instances section from the menu on the left side of the AWS console. Select the BastionHost2 instance and click Actions at the top of the page. From this menu, select Networking, then select Change Security Groups. Check the box corresponding to the Bastion security group (compare the first few characters of the group ID to confirm which one it is). Also uncheck the box that was selected by default. Click Assign Security Groups.

Now we can return to the terminal, where we’re still logged in to BastionHost2. Use the "up" arrow key to find the SSH command that connects to the private instance. This time, we’ll be prompted to enter the password and connect to PrivateInstance successfully.
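The two checks this lab performs by hand (that the Private security group admits SSH only via the Bastion group, and which instances are actually members of an allowed source group) can be automated. The script below is an added example, not part of the lab; it works offline on constructed data shaped like `aws ec2 describe-security-groups` and `describe-instances` output, with placeholder `sg-` IDs, and reproduces the BastionHost2 failure from the previous section.

```python
# Hypothetical audit of the lab's bastion/private layout; shapes mirror
# `aws ec2 describe-security-groups` / `describe-instances` output, but the
# data below is constructed and the sg- IDs are placeholders.
SSH_PORT = 22

SECURITY_GROUPS = [
    {"GroupId": "sg-0000bastion", "GroupName": "Bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0000private", "GroupName": "Private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0000bastion",
                               "Description": "from Bastion SG"}]}]},
    {"GroupId": "sg-0000default", "GroupName": "default", "IpPermissions": []},
]
INSTANCES = [  # BastionHost2 still sits in the default group, as in the lab
    {"Name": "BastionHost1", "SecurityGroups": [{"GroupId": "sg-0000bastion"}]},
    {"Name": "BastionHost2", "SecurityGroups": [{"GroupId": "sg-0000default"}]},
    {"Name": "PrivateInstance", "SecurityGroups": [{"GroupId": "sg-0000private"}]},
]

def ssh_sources(group):
    """Return (cidrs, source_group_ids) whose ingress rules cover TCP/22."""
    cidrs, sgs = set(), set()
    for perm in group["IpPermissions"]:
        all_traffic = perm["IpProtocol"] == "-1"          # no port fields on these
        if not (all_traffic or (perm["IpProtocol"] == "tcp"
                                and perm["FromPort"] <= SSH_PORT <= perm["ToPort"])):
            continue
        cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        sgs.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return cidrs, sgs

def audit_private_group(groups, private_name="Private"):
    """Findings for the private SG: SSH must come only from security groups."""
    group = next(g for g in groups if g["GroupName"] == private_name)
    cidrs, sgs = ssh_sources(group)
    findings = [f"{private_name} admits SSH from CIDR {c}" for c in sorted(cidrs)]
    if not sgs:
        findings.append(f"{private_name} has no SG-sourced SSH rule; bastion cannot reach it")
    return findings

def instances_that_can_ssh(groups, instances, private_name="Private"):
    """Instances whose SG membership matches the private SG's SSH source groups."""
    group = next(g for g in groups if g["GroupName"] == private_name)
    _, allowed = ssh_sources(group)
    return sorted(i["Name"] for i in instances
                  if allowed & {sg["GroupId"] for sg in i["SecurityGroups"]})
```

Against the constructed data, `instances_that_can_ssh` lists only BastionHost1, which is exactly why the second hop from BastionHost2 fails until it is moved into the Bastion group.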

Additional Resources

Go ahead and log in to the AWS console using the credentials provided.
Then, make sure you're in the Northern Virginia Region (us-east-1).
