What is Bastion Host and How does it work?

What is Bastion Host?

When you have a group of servers in a private network, it can be challenging to access them from the internet. This is because servers in a private network don't have a public IP address, making it impossible to connect to them directly from the internet. To overcome this issue, AWS offers a solution called a Bastion host.

It is also known as a Jump host, is a special kind of server that acts as a secure gateway to access other servers in a private network. It is typically placed in a public subnet and is used to establish a secure connection to your private network from outside. This helps prevent unauthorised access to your private network, as all traffic must pass through the Bastion host first.

Why use a Bastion Host in AWS?

There are several reasons why you might want to use a Bastion host in AWS:

Secure Access: A Bastion host provides a secure way to access your private network by acting as a gateway. It allows you to control who has access to your private network and provides an additional layer of security.

Compliance: Many compliance regulations require that access to sensitive data be restricted and monitored. A Bastion host helps you comply with these regulations by providing secure access and monitoring of all connections.

Cost-Effective: By using a Bastion host, you can reduce the number of public IP addresses you need, which can help reduce costs.

Let's try to make Bastion Host

To try out how bastion host works, let's create 3 EC2 instances(t2.micro for demo purpose); and name them for our easy understanding. Let's give them the names as remote-client, bastion-server and private-ec2 respectively.

Once all the 3 EC2 instances start running, let's connect with all three of them.

Here, the main point to remember is for the client to connect to a private EC2 instance, the client needs to have access to both the Bastion server, as well as the private EC2 instance, for successful SSH authentication.

So first, let's create a new private key. This private key will have access to Bastion server and will have access to the private EC2, as well. Let's first connect to the client machine and we'll run the ssh-keygen command to quickly create a private key.

Now, if we run ls-l command on the .SSH directory, we should see that we have a public and a private key.

Now, at this stage, if we try and connect to the Bastion server, that connection should fail. And the same connection will also fail to the private EC2 instance because we have not entered the authorised keys yet.

So, let's see how to solve this issue.

Let's go to the SSH directory and copy the public key displayed by the remote-client. We can get the private key by running the following command in the remote-client.

We'll add it as part of the authorised keys in both the Bastion as well as the private EC2 by running the follwing command in both Bastion as well as the private EC2.

So, what this basically means is that, since we have added the public key in the authorised keys, it means that any client who is trying to connect to the EC2 instances with any one of the authorised keys(which is the public key, and the associated private key) would be allowed to make a connection. So essentially, since we have both the public and the private key generated, we have uploaded this public key in both the Bastion-server and the private-EC2. So, whenever we try to log in with the associated private key, the login is successful. So, this is how the basic concept really works here.

Now, when we try to do a SSH, we can directly use the IP address, since we're already connected to the EC2 user. So, let's try to connect to the Bastion server by using the ssh command and we can see that the connection is successful.

We will make use of a SSH Agent Forwarding to connect Bastion Host to the private EC2 instance. SSH Agent Forwarding is a feature of the SSH protocol that allows you to use your local SSH key to authenticate to remote servers, without having to store your private key on the remote server.

For SSH Agent Forwarding there are four command that needs to be implemented at a client level.

exec ssh-agent bash
eval 'ssh-agent -s'
ssh-add -L
ssh-add -k ~/.ssh/id_rsa

Note: Don't forget to logout from the connection in the remote-client and then execute the commands.

Alright, so now, if we want to connect to a Bastion server, we'll have to make use of a -A option here, the isle presenter.

So at this stage, we have not really stored the private key at the Bastion level. We are making use of agent forwarding. Now, since agent forwarding is enable, if we'll try to connect to the private EC2, we can see the connection is completely successful.

So I hope at a high level overview, you understood the concept of Bastion host. The important concept to implement Bastion Host is SSH Agent Forwarding.

Thank you for your time.

Happy Learning:)