Launch bastion

Engineering Jul 31, 2019

Once you've launched a VPC with multiple public and private subnets, as described in the earlier post, you'll have use cases where you want to SSH into EC2 instances that sit in the private subnets and have no public IP.

What's a bastion?

In English, a bastion is the part of a castle wall that projects outward so that defenders can cover the rest of the wall from it.

In infrastructure terms, a bastion (or jump host) is the one node that is deliberately reachable from outside so that nothing else in the private network has to be. Think of it as the gateway into your infrastructure: because it is the only exposed host, it should run the bare minimum, accept SSH only from known addresses, and be the single place where every inbound session is logged.

Side note: the featured image is the Gateway of India in Mumbai. In the days when ships and boats were the primary means of travel, it was the first thing you saw when entering the city.

How to do it?

This post does exactly that. Here's a quick Terraform script to do the same.
The AMI ID in it is that of the default Amazon Linux 2 image, which already ships the EC2 Instance Connect agent that the rest of this post relies on.

Replace the other values (private_key_name, public_subnet, vpc_id) with your own, or define them as variables.

Run terraform apply and the bastion's instance ID is printed as an output.
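As an added example (my own, not the post's original script), here is a Terraform configuration for the same bastion that also covers the two pieces a practitioner would want alongside it: a security group that exposes port 22 only to an admin CIDR, a second group for the private instances that accepts SSH only from the bastion, and a least-privilege IAM policy granting just the EC2 Instance Connect call that mssh makes. The variable names vpc_id, public_subnet_id, private_key_name and admin_cidr, the instance type, the resource names and the ec2-user OS user are assumptions; the AMI is looked up instead of hard-coded.

```hcl
# Added example, not the post's script. Placeholders: vpc_id, public_subnet_id,
# private_key_name (fallback key, may be left unused), admin_cidr (your
# office/VPN egress address, e.g. "203.0.113.10/32").
variable "vpc_id"           { type = string }
variable "public_subnet_id" { type = string }
variable "private_key_name" { type = string }
variable "admin_cidr"       { type = string }

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# Amazon Linux 2 ships the EC2 Instance Connect agent, which mssh depends on.
data "aws_ami" "amazon_linux_2" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
}

# The only host reachable from outside: port 22 from the admin CIDR, never 0.0.0.0/0.
resource "aws_security_group" "bastion" {
  name        = "bastion-ssh"
  description = "SSH to bastion from admin CIDR only"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from admins"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Attach to instances in the private subnets: SSH is accepted only from the
# bastion's security group, so a leaked key alone is not enough to reach them.
resource "aws_security_group" "private_ssh" {
  name        = "private-ssh-from-bastion"
  description = "SSH only from bastion"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }
}

resource "aws_instance" "bastion" {
  ami                         = data.aws_ami.amazon_linux_2.id
  instance_type               = "t3.nano"
  subnet_id                   = var.public_subnet_id
  vpc_security_group_ids      = [aws_security_group.bastion.id]
  associate_public_ip_address = true
  key_name                    = var.private_key_name

  # IMDSv2 only: an SSRF on the bastion must not hand out instance credentials.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  tags = { Name = "bastion" }
}

# What the people running mssh need, and nothing more: push a temporary key
# to this bastion as ec2-user, and describe instances to resolve its address.
data "aws_iam_policy_document" "instance_connect" {
  statement {
    actions   = ["ec2-instance-connect:SendSSHPublicKey"]
    resources = ["arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:instance/${aws_instance.bastion.id}"]
    condition {
      test     = "StringEquals"
      variable = "ec2:osuser"
      values   = ["ec2-user"]
    }
  }
  statement {
    actions   = ["ec2:DescribeInstances"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "instance_connect" {
  name   = "bastion-instance-connect"
  policy = data.aws_iam_policy_document.instance_connect.json
}

output "bastion_instance_id" { value = aws_instance.bastion.id }
output "bastion_public_ip"   { value = aws_instance.bastion.public_ip }
```

Attach the policy to the IAM users or roles that will run mssh. If those people also mssh straight into private instances by ID, as the post does later, extend the SendSSHPublicKey statement's resources to cover those instances (for example with a condition on a resource tag) rather than widening it to "*".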

Because access to this instance is granted through IAM (EC2 Instance Connect pushes a one-time public key to the instance that is valid for 60 seconds, and mssh generates that key pair for you on each connection), you don't need to keep a private key with you. Add the following to your ~/.ssh/config file and install mssh on your local system. Adjust the Host pattern to your VPC's private CIDR; 172.31.0.0/16 is the default VPC's range.

Host 172.31.*.*
  ProxyCommand mssh i-xxxx -W %h:%p

Wait, mssh, what the hell is it?

tl;dr: it's a Python wrapper around ssh that calls the EC2 Instance Connect API (SendSSHPublicKey) to push a temporary key before opening the session.

aws s3 cp s3://ec2-instance-connect/cli/ec2instanceconnectcli-latest.tar.gz .
pip install ec2instanceconnectcli-latest.tar.gz
mssh instanceid

After that, running mssh <instance-id> against any instance in your private subnets works: mssh pushes a temporary key to that instance through the API, resolves its private IP, and because that IP matches the Host pattern above, ssh routes the connection through the bastion via the ProxyCommand. For this to succeed, the target instance must also run the Instance Connect agent (Amazon Linux 2 does), your IAM principal needs ec2-instance-connect:SendSSHPublicKey on both the bastion and the target, and the target's security group must allow port 22 from the bastion.
