AWS Networking Series: Designing a Secure Bastion Architecture
Introduction
In this article, we will explore the essential building blocks of a Virtual Private Cloud (VPC) and discuss key features that every cloud engineer, cloud architect, or DevOps engineer should know when working with AWS. We will also dive into a hands-on exercise to design and implement a basic multi-tier application networking architecture using VPC.
As part of this exercise, we will deploy two EC2 instances:
Jump Server (Bastion Host): This instance will reside in the public subnet and act as the gateway for securely accessing resources in the private subnet.
Private EC2 Instance: This instance will be deployed in the private subnet and will not be directly accessible from the internet. However, it will be able to access the internet indirectly through a NAT gateway configured in the architecture.
This hands-on approach will help you understand how to interact and configure a basic AWS VPC.
What is AWS VPC
AWS VPC (Amazon Virtual Private Cloud) is a foundational service in AWS that enables you to create a logically isolated virtual network where you can launch and manage AWS resources such as EC2 instances, RDS databases, and more. A VPC offers fine-grained control over your networking environment, including IP address ranges, subnets, routing tables, security groups, and internet connectivity.
Key Features and Benefits of AWS VPC:
Logical Isolation: Each VPC is isolated from other VPCs and AWS customers, ensuring secure environments for your applications.
Customizable Networking: Define your own IP ranges, configure subnets, and create routing rules to suit your application's architecture.
Enhanced Security: Use features such as network ACLs, security groups, and private subnets to secure your resources and control access.
Internet Connectivity: VPCs enable seamless internet connectivity through Internet Gateways for public resources and NAT Gateways for private resources that require outbound access.
Features provided by AWS VPC
AWS Virtual Private Cloud (VPC) provides a comprehensive set of features that enable you to design and manage a secure, customizable virtual network tailored to your application's needs. Below are the key features:
Virtual Private Clouds (VPCs)
A VPC is a virtual network in AWS that mimics a traditional network in your on-premises data center. Once you create a VPC, you can add resources like subnets, gateways, and route tables to build your network infrastructure.
Subnets
A subnet is a range of IP addresses within your VPC, confined to a single Availability Zone (AZ). Subnets allow you to segment your VPC into logical sections, such as public and private subnets, for deploying resources like EC2 instances.
IP Addressing
You can assign IPv4 and IPv6 addresses to your VPC and subnets. AWS also allows you to bring your own public IPv4 and IPv6 addresses and allocate them to resources, such as EC2 instances, NAT gateways, and load balancers.
Routing
Route tables control how network traffic is directed within your VPC and between other networks. By configuring routes, you can determine the flow of traffic between subnets, gateways, and endpoints.
Gateways and Endpoints
Gateways: Connect your VPC to external networks. For example:
Internet Gateway: Enables access to the internet for resources in public subnets.
NAT Gateway: Allows resources in private subnets to access the internet without being directly exposed.
VPC Endpoints: Privately connect your VPC to AWS services without requiring an internet gateway, NAT device, or public IP addresses.
VPC Peering
Establish a private connection between two VPCs, enabling direct traffic routing without traversing the internet.
Traffic Mirroring
Mirror network traffic from specific network interfaces to monitoring appliances for security analysis and packet inspection.
Transit Gateways
A central hub that simplifies connectivity between multiple VPCs, on-premises networks, and VPN connections, enabling a scalable and efficient networking architecture.
VPC Flow Logs
Capture metadata about the IP traffic to and from network interfaces within your VPC for monitoring and troubleshooting.
VPN Connections
Use AWS Virtual Private Network (VPN) to securely connect your on-premises networks to your VPC, enabling hybrid cloud architectures.
Building the Bastion architecture
In this guide, we will build a Bastion architecture by creating essential AWS VPC resources and deploying two EC2 instances: one in a private subnet and another in a public subnet. This architecture ensures secure access to the private instance through the bastion (jump) server while maintaining isolation for the private resources.
AWS VPC Resources to Be Created
In the following guide we create the AWS VPC resources listed below, then deploy two EC2 instances, one in the private subnet and one in the public subnet.
VPC: A logically isolated virtual network for hosting your resources.
Public Subnet: A subnet with internet access, designed to host the bastion server.
Private Subnet: A subnet isolated from direct internet access for hosting sensitive resources.
EC2 Instances:
Public EC2 Instance: Acts as the bastion server, enabling secure access to private resources.
Private EC2 Instance: Resides in the private subnet, accessible only via the bastion server.
Internet Gateway (IGW): Provides internet connectivity for resources in the public subnet.
Routing Table: Directs traffic between subnets and external networks (e.g., the internet or a NAT gateway).
Security Groups:
For the bastion server: Allows SSH access from specific IP addresses.
For the private instance: Allows access only from the bastion server.
NAT Gateway: Allows the private instance to initiate outbound connections to the internet (e.g., for updates) without exposing it to inbound internet traffic.
1. Create the AWS VPC
Follow these steps to create and configure an AWS VPC:
Step 1: Access the VPC Management Console
Go to the AWS Management Console.
Navigate to the VPC Dashboard.
Click on Create VPC.
Step 2: Configure Your VPC
Set IP Addressing:
Choose an IPv4-only configuration (no IPv6 CIDR block) for this exercise.
Configure the CIDR block carefully, keeping future scalability in mind.
Scalability Tip: Plan for potential integration scenarios, such as:
VPC Peering: Avoid overlapping CIDR blocks with other VPCs you may peer with in the future.
On-Premises Connection: Ensure the CIDR block does not overlap with your on-premises network to prevent routing conflicts.
Step 3: Verify VPC Status
Once the VPC is created, confirm its status in the VPC Dashboard.
Ensure the VPC is listed with state Available.
2. Create the two subnets
Follow these steps to create and configure the public and private subnets in your VPC:
Step 1: Access the Subnets Section
From the VPC Dashboard, navigate to Subnets.
Click on Create Subnet.
Step 2: Create subnets
In the Create Subnet page, choose the VPC you created earlier from the dropdown menu.
Provide a meaningful name for easy identification, select an Availability Zone, and assign an IPv4 CIDR block that lies inside the VPC's range:
Public-Subnet for the public subnet, with an IPv4 CIDR block such as 10.0.1.0/24.
Private-Subnet for the private subnet, with a separate IPv4 CIDR block such as 10.0.2.0/24 that does not overlap with the public subnet.
Step 3: Verify the Subnet Status
After creating both subnets, verify their status in the Subnets section of the VPC Dashboard.
Check the State column to ensure both subnets are listed as Available.
3. Create a security group
Follow these steps to create a security group in your VPC:
Step 1: Access the Security Groups Section
From the VPC Dashboard, navigate to Security Groups.
Click on Create Security Group.
Step 2: Configure the Security Group
Provide a descriptive name for the security group, such as ssh-access.
Select the VPC you created earlier to associate the security group with it.
Add a description to explain its purpose. For example: "ssh-access for public subnet."
Step 3: Leave Inbound and Outbound Rules Empty
Inbound Rules: Leave this section empty for now; a security group with no inbound rules allows no incoming traffic.
Outbound Rules: The console pre-populates a rule allowing all outbound traffic to 0.0.0.0/0; delete it so that all outgoing traffic is restricted initially.
Note: For the purpose of learning, starting with no rules lets you observe how the security group interacts with other VPC components. In real-world scenarios you define specific allow rules for exactly the traffic the instance needs; security groups are stateful and hold only allow rules, so anything not listed is denied.
Step 4: Create and Verify
Click Create Security Group to finalize the configuration.
Verify the security group is listed in the Security Groups section of the VPC Dashboard.
4. Deploy two EC2 instances
Now we are ready to deploy two EC2 instances to begin testing and troubleshooting the network configuration. This setup will help us build a multi-tier network architecture and deepen our understanding of how VPC components work together.
Objective
We will deploy:
Public EC2 Instance: In the public subnet to act as a bastion host or jump server.
Private EC2 Instance: In the private subnet, accessible only through the bastion server.
Steps to Create an EC2 Instance
Step 1: Choose an Amazon Machine Image (AMI)
Select the Amazon Linux 2 AMI or another AMI of your choice that is free-tier eligible.
Step 2: Select Instance Type
Choose an instance type such as t2.micro (free-tier eligible) to minimize costs during this exercise.
Step 3: Configure Instance Details
Public EC2 Instance:
Select the public subnet from your VPC.
Enable Auto-assign Public IP to ensure the instance gets a public IP address for internet access.
Attach the ssh-access security group created earlier. Its inbound SSH rule is added in step 5; a jump host needs no other inbound port, so do not open HTTP (port 80) on it.
Private EC2 Instance:
Select the private subnet from your VPC.
Ensure that Auto-assign Public IP is disabled to maintain its isolation.
Security group: the private instance should accept only SSH, and only from the bastion's security group. Step 6 creates Private-SSH-SG for this purpose; attach it then (a security group can be changed on a running instance from the instance's Security settings).
Step 4: Review and Launch
Verify all configurations, including instance details, network settings, and security groups.
Launch the instances.
5.Connect to the public EC2 instance
If you attempt to SSH to the public EC2 instance now, the connection times out. Three things are still missing: no Internet Gateway (IGW) is attached to the VPC, the public subnet's route table has no route to one, and the ssh-access security group has no inbound rule for port 22, so the instance is not reachable from the internet even though it has a public IP.
Expected error: the SSH client reports a connection timeout.
To resolve this, we need to:
Deploy and attach an Internet Gateway.
Update the security group to allow inbound SSH traffic (port 22).
Configure the route table to direct traffic to the Internet Gateway.
Steps to Resolve
Step 1: Deploy and Attach an Internet Gateway
From the AWS VPC Dashboard, navigate to Internet Gateways.
Click Create Internet Gateway and give it a name, such as Test-VPC-IGW.
Once created, select the Internet Gateway, click Actions, and choose Attach to VPC.
Attach the IGW to the VPC where your EC2 instances are deployed.
Step 2: Update Security Group Rules
Go to the Security Groups section of the VPC Dashboard.
Select the security group associated with your public EC2 instance (e.g., ssh-access) and add an Inbound Rule:
Type: SSH
Protocol: TCP
Port Range: 22
Source: My IP (the console fills in your current public IPv4 address as a /32) or a specific CIDR block that you control.
Do not select Anywhere-IPv4 (0.0.0.0/0): that exposes the bastion's SSH port to every address on the internet, which is exactly the door a bastion exists to close. If your public address changes, update the rule rather than widening it.
Step 3: Add a Route Table for the Public Subnet
From the AWS VPC Dashboard, go to Route Tables.
Click Create Route Table and name it Public-Subnet-Route.
Associate the route table with the public subnet: open the Subnet associations tab and select the public subnet.
Add a route to direct internet-bound traffic:
Destination: 0.0.0.0/0
Target: Select the Internet Gateway created earlier.
This route is what makes the subnet "public" in AWS terms: a subnet is public only if its route table sends 0.0.0.0/0 to an internet gateway. A subnet with no explicit association uses the VPC's main route table, which is why we associate the public subnet explicitly instead of adding the route to the main table and turning every subnet public.
Connect to the public EC2 instance: with the gateway, inbound rule and route in place, SSH to the instance's public IPv4 address from the approved source address; the connection now succeeds.
6. Connect to the private EC2 instance
Since the private EC2 instance is deployed in a private subnet, it cannot be accessed directly from the internet. To connect, we must first access the public EC2 instance (bastion host) and then connect to the private instance. This setup aligns with the bastion architecture. However, before proceeding, we need to configure security groups and network settings.
Step 1: Configure Security Groups
Create a security group for the private EC2 instance:
Go to the VPC Dashboard → Security Groups → Create Security Group.
Name it something like Private-SSH-SG and select the same VPC.
Add an Inbound Rule:
Type: SSH
Source: the bastion's security group (ssh-access), chosen from the security-group list in the Source field.
Referencing the bastion's security group rather than the public subnet's CIDR (10.0.1.0/24) means only instances that carry the ssh-access group can reach port 22 on the private instance; anything else that later lands in the public subnet, such as a load balancer or a compromised web server, cannot. Delete the pre-populated all-traffic outbound rule for now; step 7 adds egress once the NAT gateway exists.
Update the public EC2 security group:
Add an Outbound Rule for SSH (Type: SSH, Destination: Private-SSH-SG, or the private subnet CIDR 10.0.2.0/24). This lets the bastion open SSH connections to the private instance. Allowing All Traffic to 0.0.0.0/0 also works for the exercise, but a jump host has no reason to reach anything else, so keep its egress to what it needs (add HTTPS, port 443, if the bastion itself must pull updates).
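The two security-group checks this section relies on, as an added example that is not part of the original article: it reads security-group records in the JSON shape returned by aws ec2 describe-security-groups and reports SSH on the bastion open to the world or to an unapproved address, and private-instance inbound rules that admit anything other than SSH from the bastion's group. The group records, group IDs, and the approved source range 203.0.113.0/24 are constructed; the weak groups sit beside their fixed versions so both outcomes can be seen.

```python
"""Audit the bastion and private-instance security groups.

Added example, not part of the original article. It inspects security
group records in the JSON shape returned by `aws ec2 describe-security-groups`
and reports the two mistakes this tutorial warns about: SSH on the bastion
open to the world (or to an unapproved address), and private-instance
inbound rules that admit anything other than SSH from the bastion's group.
The group records, group IDs and the approved source range are constructed.
"""
from ipaddress import ip_network

SSH_PORT = 22
WORLD = ("0.0.0.0/0", "::/0")


def is_ssh_only(rule: dict) -> bool:
    """True if an IpPermissions entry covers exactly TCP/22."""
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort") == SSH_PORT
            and rule.get("ToPort") == SSH_PORT)


def cidr_sources(rule: dict) -> list:
    """All IPv4 and IPv6 CIDR sources of a rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def within_approved(src: str, approved: list) -> bool:
    """True if src lies inside one of the approved networks."""
    net = ip_network(src)
    return any(net.version == a.version and net.subnet_of(a) for a in approved)


def audit_bastion(sg: dict, approved_sources: list) -> list:
    """Bastion inbound rules must be SSH only, from approved CIDRs only."""
    approved = [ip_network(c) for c in approved_sources]
    findings = []
    for rule in sg["IpPermissions"]:
        if not is_ssh_only(rule):
            findings.append(f"non-SSH inbound rule: {rule.get('IpProtocol')} "
                            f"{rule.get('FromPort')}-{rule.get('ToPort')}")
        for src in cidr_sources(rule):
            if src in WORLD:
                findings.append(f"inbound from {src}: reachable from the whole internet")
            elif not within_approved(src, approved):
                findings.append(f"inbound from {src}: not an approved source")
    return findings


def audit_private(sg: dict, bastion_sg_id: str) -> list:
    """Private inbound rules must be SSH only, sourced from the bastion's group."""
    findings = []
    for rule in sg["IpPermissions"]:
        if not is_ssh_only(rule):
            findings.append("non-SSH inbound rule")
        for src in cidr_sources(rule):
            findings.append(f"CIDR source {src}: any host placed in that range "
                            "can reach the instance; reference the bastion group instead")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != bastion_sg_id:
                findings.append(f"source group {pair.get('GroupId')} is not the bastion")
    return findings


def make_rule(proto, port, cidrs=(), groups=()):
    """Build one IpPermissions entry in the describe-security-groups shape."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed records; the IDs and 203.0.113.0/24 (a documentation range) are made up.
BASTION_SG_ID, PRIVATE_SG_ID = "sg-0bastion0000000001", "sg-0private0000000001"
APPROVED_SOURCES = ["203.0.113.0/24"]          # e.g. the office egress range

BASTION_SG_OPEN = {"GroupId": BASTION_SG_ID, "IpPermissions": [
    make_rule("tcp", 22, cidrs=["0.0.0.0/0"]),      # SSH from anywhere
    make_rule("tcp", 80, cidrs=["0.0.0.0/0"]),      # HTTP a jump host does not need
]}
BASTION_SG_FIXED = {"GroupId": BASTION_SG_ID, "IpPermissions": [
    make_rule("tcp", 22, cidrs=APPROVED_SOURCES),
]}
PRIVATE_SG_CIDR = {"GroupId": PRIVATE_SG_ID, "IpPermissions": [
    make_rule("tcp", 22, cidrs=["10.0.1.0/24"]),    # the whole public subnet
]}
PRIVATE_SG_FIXED = {"GroupId": PRIVATE_SG_ID, "IpPermissions": [
    make_rule("tcp", 22, groups=[BASTION_SG_ID]),   # only the bastion's group
]}

if __name__ == "__main__":
    for name, sg in [("bastion (open)", BASTION_SG_OPEN), ("bastion (fixed)", BASTION_SG_FIXED)]:
        print(name, audit_bastion(sg, APPROVED_SOURCES) or "clean")
    for name, sg in [("private (cidr)", PRIVATE_SG_CIDR), ("private (fixed)", PRIVATE_SG_FIXED)]:
        print(name, audit_private(sg, BASTION_SG_ID) or "clean")
```

To run it against a real account, replace the constructed records with the SecurityGroups entries from aws ec2 describe-security-groups --group-ids ... and put your real source ranges in APPROVED_SOURCES.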
Step 2: Connect to the Private EC2 Instance
SSH into the private EC2 instance from the public instance: on the public EC2 instance, use the following command:
Handle permission errors: if SSH refuses the key because its permissions are too open, restrict the key file so that only its owner can read it:
Keep the private key off the bastion where you can: OpenSSH's ProxyJump option (ssh -J bastion-host private-ip) or agent forwarding (ssh -A) lets the bastion relay the connection while the key stays on your workstation, so a compromised jump host does not also hand over the key to every private instance.
Verify the connection: once connected, you are logged into the private EC2 instance.
7. Enable Internet Access for the Private EC2 Instance (Outbound Only)
The private EC2 instance cannot access the internet directly. To install updates or download packages, we need to configure a NAT Gateway.
If you try, for example, sudo yum update -y (Amazon Linux 2 uses yum; on a Debian-based AMI the equivalent is sudo apt-get update), the command hangs and eventually times out, because the private subnet has no route to the internet.
Step 1: Create a NAT Gateway:
Go to the VPC Dashboard → NAT Gateways → Create NAT Gateway.
Deploy the NAT Gateway in the public subnet. It must sit in a subnet whose route table sends 0.0.0.0/0 to the Internet Gateway; a NAT gateway placed in the private subnet has no path to the internet itself.
Attach an Elastic IP (EIP) to the NAT Gateway.
Step 2: Check NAT Gateway Status:
Wait for the status to become Available.
Step 3: Create a Route Table for the Private Subnet:
Go to the Route Tables section of the VPC Dashboard and click Create Route Table.
Name it something like private-route-table and associate it with the private subnet.
Step 4: Add a Route to the NAT Gateway:
Add a route with the following configuration:
Destination: 0.0.0.0/0
Target: NAT Gateway (select the one you created earlier).
Step 5: Update Security Group for Outbound Traffic:
Go to the security group attached to the private EC2 instance (Private-SSH-SG) and add an Outbound Rule:
Type: All Traffic
Destination: 0.0.0.0/0
If the instance only needs package updates, restrict this to HTTP (80) and HTTPS (443) instead of All Traffic; egress filtering is what limits where a compromised private instance can phone home. The NAT gateway and the route make outbound connections possible but still admit no inbound connections from the internet: only return traffic for connections the instance itself initiated comes back.
Step 6: Test Internet Access
On the private EC2 instance, run the following command to update the system:
If everything is configured correctly, the command completes without a timeout error.
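The route-table reasoning behind steps 5 and 7, as an added example that is not part of the original article: given records in the shape of aws ec2 describe-route-tables and describe-nat-gateways output, it classifies each subnet as public (0.0.0.0/0 to an internet gateway), private with outbound-only access (0.0.0.0/0 to a NAT gateway) or isolated, resolving subnets without an explicit association to the main route table as AWS does, and checks that every NAT gateway itself lives in a public subnet. The route tables, subnet IDs and gateway IDs are constructed.

```python
"""Classify subnets by their default route and check NAT gateway placement.

Added example, not part of the original article. Given records in the shape
of `aws ec2 describe-route-tables` and `describe-nat-gateways` output
(constructed here; the resource IDs are made up), it works out which subnets
are public (0.0.0.0/0 to an internet gateway), which are private with
outbound-only access (0.0.0.0/0 to a NAT gateway) and which are isolated,
and checks that every NAT gateway itself lives in a public subnet. A subnet
with no explicit association falls back to the VPC's main route table,
exactly as AWS resolves it.
"""
from typing import Optional

DEFAULT_ROUTE = "0.0.0.0/0"


def route_table_for(subnet_id: str, route_tables: list) -> dict:
    """Explicitly associated table if there is one, else the main table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    raise LookupError(f"no route table resolves for {subnet_id}")


def default_route_target(rt: dict) -> Optional[str]:
    """Target ID of the active 0.0.0.0/0 route, or None if there is none."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("State", "active") != "active":   # blackhole: target is gone
            return None
        return (route.get("GatewayId") or route.get("NatGatewayId")
                or route.get("NetworkInterfaceId") or route.get("InstanceId"))
    return None


def classify_subnet(subnet_id: str, route_tables: list) -> str:
    """public / private-with-egress / isolated / other, from the default route."""
    target = default_route_target(route_table_for(subnet_id, route_tables))
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private-with-egress"
    return "other"          # e.g. a NAT instance or an egress-only IGW


def nat_gateway_findings(nat_gateways: list, route_tables: list) -> list:
    """A NAT gateway must sit in a public subnet or it cannot reach the internet."""
    findings = []
    for nat in nat_gateways:
        kind = classify_subnet(nat["SubnetId"], route_tables)
        if kind != "public":
            findings.append(f"{nat['NatGatewayId']} is in {nat['SubnetId']} "
                            f"({kind}); it needs a subnet that routes "
                            f"{DEFAULT_ROUTE} to the internet gateway")
    return findings


LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}

# Constructed describe-route-tables style records for the tutorial's VPC.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0main00000000001",
     "Associations": [{"Main": True}],
     "Routes": [LOCAL]},
    {"RouteTableId": "rtb-0public000000001",
     "Associations": [{"Main": False, "SubnetId": "subnet-0public00000001"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_ROUTE,
                        "GatewayId": "igw-0abc000000000001", "State": "active"}]},
    {"RouteTableId": "rtb-0private00000001",
     "Associations": [{"Main": False, "SubnetId": "subnet-0private0000001"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_ROUTE,
                        "NatGatewayId": "nat-0def000000000001", "State": "active"}]},
]
NAT_GATEWAYS_OK = [{"NatGatewayId": "nat-0def000000000001", "SubnetId": "subnet-0public00000001"}]
NAT_GATEWAYS_BAD = [{"NatGatewayId": "nat-0bad000000000001", "SubnetId": "subnet-0private0000001"}]

if __name__ == "__main__":
    for sid in ("subnet-0public00000001", "subnet-0private0000001", "subnet-0orphan0000001"):
        print(sid, classify_subnet(sid, ROUTE_TABLES))
    print(nat_gateway_findings(NAT_GATEWAYS_OK, ROUTE_TABLES) or "NAT placement ok")
    print(nat_gateway_findings(NAT_GATEWAYS_BAD, ROUTE_TABLES))
```

The orphan subnet in the demo resolves to the main table and comes out isolated, which is the safe default this tutorial relies on; had the IGW route been added to the main table instead of Public-Subnet-Route, every unassociated subnet, the private one included, would classify as public.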