In today’s guide I will be showing you how to build and set up an AWS bastion host, step by step. Before we begin, though, let's go over what a bastion host actually is and does, as this is something not everyone may be familiar with.
What is an AWS bastion host?
A bastion host is a hardened server that sits between you and your actual servers, usually serving as a proxy for your SSH or RDP connections. In this kind of setup you only allow RDP or SSH to your servers from your AWS bastion host. This shrinks your exposed attack surface down to a single instance, and it can be reduced even further by requiring a VPN connection to reach the bastion. To help you visualize these concepts, please see the 3 examples below.
Traditional SSH connections:
You -> Servers
SSH connections with a bastion:
You -> Bastion -> Servers
SSH connections with a bastion and VPN (recommended for businesses):
You -> VPN -> Bastion -> Servers
As you can see above, each iteration is a bit more secure. The trade-off, however, is that you are also adding extra steps to reach your servers or instances, such as connecting to your VPN and/or the AWS bastion host first.
Typical AWS bastion host costs
Something to keep in mind is that bastions don’t have to cost a fortune; in fact, you can probably get away with a t3a.nano instance in most cases. Paired with an instance savings plan and a 3-year reservation to shrink the cost even further, you can likely run an SSH bastion instance for approximately $2.50 per month (plus $2.00 for an elastic IP). I have created an estimate to show you how this pricing is possible here. If you plan to use this for RDP (Windows) you will need a larger instance due to Windows system requirements.
Simple AWS bastion server setup guide
Now that we have all of the exciting details out of the way, let's go over the actual AWS bastion host setup. For the purpose of this guide we will set up a bastion for SSH (Linux); however, you can follow the same steps for a Windows bastion by simply replacing port 22 with port 3389 and using a Windows server.
Step 1: Launch an EC2 instance
For the purpose of our guide we will use Ubuntu 20.04 LTS, as it's the latest and greatest Ubuntu release that offers long-term support. This instance should only require 8 GB of disk space unless you plan to store scripts or other data on your bastion. Make sure you also allocate and attach an elastic IP to avoid headaches if the IP address of your bastion changes!
Step 2: Set up the incoming-connections security group.
When prompted to create the security group, enter either your VPN’s elastic IP (with /32) or your own IP address if you are not using a VPN. If you are not using a VPN, you will need to add a port 22 rule for each IP that should be allowed in. This security group’s purpose is purely to allow incoming connections; we will manage the actual SSH connections to your servers via a different security group.
Step 3: Set up communication between your servers and the bastion host.
Now that the bastion host exists and you have verified that you can access it, we still need to grant it access to your actual instances. We can accomplish this fairly easily by adding your bastion host's internal (private) IP to your existing servers' security groups. Once this is complete, your bastion will be ready to accept your incoming connections as well as connect to your instances.
Reminder: Don’t forget to remove your old security group port 22 rules if they are open to the world (0.0.0.0/0)!
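The three steps above, written as a Terraform configuration so the result is reviewable and repeatable. This is an added example, not code from the original post; it assumes the AWS provider 5.x, an existing VPC, public subnet, EC2 key pair and server security group (all supplied as variables), and uses a placeholder source address that you must replace with your VPN's elastic IP or your own /32.

```hcl
# Added example (not from the original post): Steps 1-3 as Terraform for the
# AWS provider (assumes provider 5.x). Every variable value is a placeholder
# you supply; nothing here is taken from the author's environment.

variable "vpc_id"                   { type = string }   # VPC that holds your servers
variable "subnet_id"                { type = string }   # public subnet for the bastion
variable "key_name"                 { type = string }   # existing EC2 key pair name
variable "server_security_group_id" { type = string }   # SG already attached to your servers
variable "allowed_ssh_cidrs" {
  type        = list(string)
  description = "Your VPN's elastic IP, or your own IPs, each as a /32"
  default     = ["203.0.113.10/32"]  # placeholder (TEST-NET-3); replace with yours
}

data "aws_vpc" "this" {
  id = var.vpc_id
}

# Step 1: latest Ubuntu 20.04 LTS AMI published by Canonical.
data "aws_ami" "ubuntu_focal" {
  most_recent = true
  owners      = ["099720109477"]
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }
}

# Step 2: the incoming-connections security group. Only port 22, and only
# from the listed /32 addresses; nothing else can reach the bastion.
resource "aws_security_group" "bastion" {
  name        = "bastion-ingress"
  description = "SSH to the bastion from the VPN or admin IPs only"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from approved source addresses"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.allowed_ssh_cidrs
  }

  # Outbound SSH only, and only inside the VPC: the bastion has no reason to
  # talk to anything else (add 80/443 here if you want apt updates to work).
  egress {
    description = "SSH onward to instances in this VPC"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.this.cidr_block]
  }
}

# Step 1 (continued): the bastion itself, a t3a.nano with an 8 GB root disk.
resource "aws_instance" "bastion" {
  ami                    = data.aws_ami.ubuntu_focal.id
  instance_type          = "t3a.nano"
  subnet_id              = var.subnet_id
  key_name               = var.key_name
  vpc_security_group_ids = [aws_security_group.bastion.id]

  root_block_device {
    volume_size = 8
  }

  tags = { Name = "bastion" }
}

# Elastic IP so the address you allow-list and connect to never changes.
resource "aws_eip" "bastion" {
  instance = aws_instance.bastion.id
}

# Step 3: let the bastion's private address into the servers' existing
# security group on port 22. This is the only SSH rule the servers need,
# so the old 0.0.0.0/0 rule can be removed.
resource "aws_security_group_rule" "servers_from_bastion" {
  type              = "ingress"
  security_group_id = var.server_security_group_id
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["${aws_instance.bastion.private_ip}/32"]
  description       = "SSH from the bastion host only"
}

output "bastion_public_ip" {
  value = aws_eip.bastion.public_ip
}
```

After `terraform apply`, reach a server through the bastion in one hop with OpenSSH's ProxyJump, for example `ssh -J ubuntu@<bastion_public_ip> ubuntu@<server-private-ip>`, which keeps the servers' port 22 closed to everything except the bastion's private address. If you expect to replace the bastion instance over time, `source_security_group_id = aws_security_group.bastion.id` in the last rule (instead of the private IP) avoids having to update the servers' rule each time; the rule above follows the post and uses the internal IP.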
Need some help? We offer a great low-cost managed cloud service that takes care of all the AWS technical details and cost optimization, and provides monitoring and alerting. If interested, take a look at our managed cloud service!
Thanks for reading and have a wonderful week!