Sunday, November 2, 2025

Using Bastion Hosts (Server) To SSH Into An EC2 Instance In the Private Subnet | Overview & Hands-On.

Scope:

  • Concept of Bastion Host,
  • Typical AWS Architecture,
  • Security Layers & Description,
  • Configuration Options (Option A – Traditional SSH Bastion, Option B – Modern SSM Session Manager),
  • Best Practices,
  • Visual Architecture Diagram.
  • Project: Hands-On.

1. Concept of Bastion Host

    • Bastion Host (also known as a Jump Box) is a special-purpose instance (server) that acts as a secure entry point into a private network.
    • Bastion Host allows administrators to SSH (Linux) or use Remote Desktop Protocol (RDP, Windows) into private EC2 instances without exposing the private instance to the internet.

NB:

    • In AWS, Bastion Hosts are often deployed in public subnets with strict access controls and used to reach private EC2 instances in private subnets.

2. Typical AWS Architecture

Components:

  • VPC (spanning 2 AZs)
  • Public Subnet – contains Bastion Host
  • Private Subnet(s) – contain application or database servers
  • Internet Gateway (IGW) – allows Bastion to be accessed from the internet
  • NAT Gateway – allows private instances to reach the internet (for patching, etc.)
  • Route Tables – control traffic direction

Traffic Flow

  1. Admin (SSH/RDP) connects via Public IP of Bastion Host.
  2. Bastion Host connects to Private EC2 instances via private IPs.
  3. Private instances have no public IPs and cannot be reached directly from the internet.

3. Security Layers & Description

Security Layer – Description

  • Network (VPC) – Bastion in public subnet, targets in private subnets
  • Security Groups – Bastion SG allows SSH (port 22) or RDP (3389) only from known IPs. Private instance SG allows SSH/RDP only from Bastion’s SG.
  • IAM Controls – Least privilege access to EC2, SSM, and CloudWatch
  • OS Hardening – Disable root login, enforce MFA via SSM Session Manager
  • Logging & Monitoring – CloudTrail, Session Manager logging, VPC Flow Logs, CloudWatch Logs
  • Key Management – Use SSH keys or AWS Systems Manager Session Manager (for keyless, auditable access)
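As an added example (not part of the original post), a small offline audit of the two-security-group layering described above: the Bastion SG may admit the admin ports only from known admin addresses, and the private instance SG only from the Bastion SG. The input is constructed inline in the shape boto3's describe_security_groups() returns; group ids and the admin CIDR are placeholders.

```python
ADMIN_PORTS = (22, 3389)              # SSH and RDP
ANY_CIDR = ("0.0.0.0/0", "::/0")


def rule_covers(rule, port):
    """True if an ingress rule admits TCP traffic to `port`."""
    if rule.get("IpProtocol") == "-1":          # "all traffic" rule
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_bastion_rules(groups, bastion_sg, private_sg, admin_cidrs):
    """Return findings for the two-SG layering; an empty list means it holds.
    `groups` has the shape of ec2.describe_security_groups()["SecurityGroups"]."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = set()
    for port in ADMIN_PORTS:
        # Bastion: admin ports only from the known admin addresses.
        for rule in by_id[bastion_sg]["IpPermissions"]:
            if not rule_covers(rule, port):
                continue
            for rng in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if cidr in ANY_CIDR or cidr not in admin_cidrs:
                    findings.add(f"bastion {bastion_sg}: port {port} open to {cidr}")
        # Private: admin ports only from the bastion's SG, never from a CIDR.
        for rule in by_id[private_sg]["IpPermissions"]:
            if not rule_covers(rule, port):
                continue
            if rule.get("IpRanges") or rule.get("Ipv6Ranges"):
                findings.add(f"private {private_sg}: port {port} reachable from a CIDR")
            for pair in rule.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != bastion_sg:
                    findings.add(f"private {private_sg}: port {port} from {pair.get('GroupId')}")
    return sorted(findings)


# Constructed sample data (placeholder ids): GOOD follows the layering, BAD breaks it.
GOOD = [
    {"GroupId": "sg-bastion0", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-private0", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion0"}]}]},
]
BAD = [  # bastion open to the world; private server reachable from the whole VPC CIDR
    {"GroupId": "sg-bastion0", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-private0", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
]
```

Calling audit_bastion_rules(GOOD, "sg-bastion0", "sg-private0", {"203.0.113.10/32"}) returns an empty list, while the BAD data yields one finding per admin port on the bastion plus one for the private server.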

4. Configuration Options

Option A – Traditional SSH Bastion

    • EC2 instance (Amazon Linux)
    • Elastic IP in a public subnet
    • SSH via port 22
    • Use key pairs or IAM-backed SSM

Option B – Modern SSM Session Manager

    • No public IP
    • No need for SSH keys
    • Managed entirely through AWS Systems Manager (SSM) Agent
    • Much more secure — access controlled via IAM policies

5. Best Practices

  • Restrict SSH/RDP access by IP or use AWS SSM
  • Rotate SSH keys regularly (if used)
  • Disable direct root access
  • Use CloudWatch alarms for suspicious login attempts
  • Enable VPC Flow Logs for visibility
  • Harden the OS and apply patches frequently
  • Use AWS Network ACLs as an additional layer of defense

6. Visual Architecture Diagram


Project: Hands-On

  • How twtech uses Bastion Hosts to SSH into instances within the Private Subnets of its Custom VPC (twtech-VPC)

Search for AWS Service: EC2

Step-1:

  • Follow the steps in the blog post "Adding & Configuring Internet Gateway to AWS VPC | Overview & Hands-On" from the twtech blog link below:

https://think-with-tech.blogspot.com/2025/11/adding-and-configuring-internet-gateway.html

  • Provision an EC2 instance in the Public subnet of the VPC with Name: Bastion-Host

Step-2:

  • Create another EC2 instance in the Private subnet of the VPC (twtechvpc).
  • Remember that you need the keypair to do SSH forwarding into the Private subnet instance.
  • Launch an instance into the Private subnet: twtechSpringAppPrivateServer

  • Select the keypair that will later be used to SSH into the instance in the Private subnet.
NB:
  • The keypair is needed because there will be SSH forwarding between the Public instance (Bastion Host) and the Private subnet instance (server).
  • Host is used here to also refer to:
    • EC2 Instance,
    • Server.

Edit network settings:

    • Select the custom VPC: twtechvpc
    • Select the Private subnet: twtechPrivateSubnetA
    • Auto-assign public IP: Disable
    • Create a security group: twtechSpringApp-PrivateSG

  • Create the instance in the private subnet of the VPC (twtechvpc)

  • Verify instance created for details: EC2 console

Step-3:

  • SSH (connect) into Bastion Host (server or Instance in the Public Subnet):

Connect:

Step-4:

How twtech connects to EC2 instance in the private subnet from Bastion Host (in the public subnet) via SSH forwarding.

  • twtech needs the Private IPv4 address of the instance in the Private subnet:

Step-5:

twtech Runs the command from Bastion Host:

ssh ec2-user@<Private IPv4 address of instance in private subnet>

Permission denied 

    • twtech needs to create a file for the keypair on the Bastion Host server and reference it in the ssh command.

# vi: create the key file, paste the key and save with :wq

sudo vi devsecopspat.pem

twtech verifies the content of the key saved:

cat devsecopspat.pem

twtech runs the ssh command again, referencing the keypair file:

ssh ec2-user@10.0.3.65 -i twtechkey.pem

Bad permission still.

    • twtech needs to grant read-only access to the root user and remove all other permissions for security reasons.
    • Change the permissions of the keypair file and verify them with the command:

sudo chmod 0400 twtechkey.pem
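An added example (not from the original post) that mirrors the permission check OpenSSH applied in the "Bad permissions" attempt above, and shows a client-side ProxyJump configuration that reaches the private instance through the Bastion Host without copying the private key onto it. The IP addresses, key path and host aliases are placeholders.

```python
import os
import stat
import tempfile


def key_permissions_ok(path):
    """Mirror OpenSSH's check behind "Bad permissions": a private key must not
    be readable or writable by group/others (OpenSSH applies this to key files
    owned by the invoking user); chmod 0400 or 0600 satisfies it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def ssh_config_stanza(bastion_ip, private_ip, key_path, user="ec2-user"):
    """Client-side ~/.ssh/config that hops through the Bastion Host with
    ProxyJump. The IdentityFile stays on the admin workstation and is used
    for both hops, so no copy of the private key is needed on the bastion."""
    return (
        f"Host bastion\n    HostName {bastion_ip}\n    User {user}\n"
        f"    IdentityFile {key_path}\n\n"
        f"Host private-app\n    HostName {private_ip}\n    User {user}\n"
        f"    IdentityFile {key_path}\n    ProxyJump bastion\n"
    )


def demo():
    """Reproduce the sequence above on a constructed placeholder file."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write("placeholder content, not a real key\n")
    path = f.name
    os.chmod(path, 0o644)
    too_open = key_permissions_ok(path)   # False: group/others can read it
    os.chmod(path, 0o400)
    fixed = key_permissions_ok(path)      # True after chmod 0400
    os.unlink(path)
    return too_open, fixed


if __name__ == "__main__":
    print(demo())
    print(ssh_config_stanza("198.51.100.7", "10.0.3.65", "~/.ssh/twtechkey.pem"))
```

With the stanza installed, `ssh private-app` from the workstation opens the session through the bastion; nothing sensitive has to be created on the bastion with vi.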

Successfully:

  • twtech has successfully SSHed into the server in the private subnet from the Bastion Host (server) in the Public subnet (via SSH forwarding)

Final step:

  • twtech needs to Test public connectivity from the Private subnet: 

ping think-with-tech.blogspot.com

  • The ping fails, which confirms that the twtech Private subnet has no internet (public) access:
    • ... A Great Security Posture for twtechvpc.
