DEV Community

Aakash Choudhary

The Classic Way to Access EC2 in Private Subnets (That Still Works Today)

You know that moment when you're trying to SSH into an EC2 in a private subnet, and AWS just silently judges you because... there's no public IP?

So what’s the fix? We sneak in through a side door by setting up another EC2 instance in a public subnet. This one does have a public IP, and acts as your inside man.
That’s the Bastion Host, the jump server of your VPC.

But here’s the thing:
Have you ever paused to wonder how this setup actually works? How one EC2 lets you hop into another that isn’t even reachable from the internet?

In this article, I’ll walk you through how Bastion Hosts work, the architecture, the why, and the “ohhh” moment.

Let’s take a quick 3-minute trip into the jumpy world of Bastion Hosts.

What is a Bastion Host?

A bastion host, also known as a jump server, is a middleman between you and the private EC2 instance. It is itself just an EC2 instance (a server) that you can SSH into, and it is the one host allowed to open SSH connections to the EC2 instances in the private subnet.

In short, a bastion host is a server that acts as the link between you and the EC2 instances in the private subnet.

Why do we need a Bastion Host?

Let’s say I have an EC2 instance in a public subnet with a public IP attached to it. To connect to this instance, I can simply SSH to that public IP. What if the EC2 instance is in a private subnet and has no public IP associated with it?

At this point, we have two options:

  • Connect to the EC2 in the private subnet via a Bastion Host
  • Connect to the EC2 in the private subnet via AWS Systems Manager Session Manager (no inbound port 22 at all; the instance reaches the SSM service through VPC interface endpoints or a NAT Gateway)

Architecture of a Bastion Host

How does the bastion reach an EC2 in a private subnet?

Let’s break down the architecture. A bastion setup generally consists of one EC2 instance in a public subnet (the bastion) and one or more EC2 instances in a private subnet. The goal is to connect to an EC2 instance in the private subnet.

We SSH to the EC2 instance in the public subnet via its public IP. That instance is allowed to open outbound connections to the EC2 instance in the private subnet (the target instance), and the target’s security group allows inbound SSH from the bastion.

From here there are two ways in: either SSH into the bastion and, from its shell, run ssh against the private IP of the target (the classic two-hop), or let your local ssh client tunnel through the bastion with ProxyJump or port forwarding, so the second hop is opened from your own machine. The second option is preferable: the two-hop version needs your private key on the bastion (or agent forwarding), which hands that key to anyone who compromises the bastion.

All traffic inside the VPC, whether between two instances or from a subnet to the NAT Gateway, flows over the private IP addresses attached to the resources. That is why the bastion can reach the target by its private IP even though the target has no public IP at all.
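Here is the ProxyJump version of that second hop as a runnable shell example. It is added here and is not code from the original post; the IP addresses, user name and key path are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example, not code from the original post: reach a private-subnet EC2
# through the bastion with SSH ProxyJump, so the private key stays on your
# workstation and the bastion only relays TCP. All addresses, user names and
# key paths below are placeholders; edit them before use.
set -eu

BASTION_IP="203.0.113.10"        # bastion's public / Elastic IP (placeholder)
TARGET_IP="10.0.2.25"            # target's *private* IP inside the VPC (placeholder)
SSH_USER="ec2-user"
KEY="$HOME/.ssh/my-keypair.pem"  # key pair for both instances (placeholder)

# Write an ssh_config fragment. With ProxyJump, ssh first connects to the
# bastion, asks it to forward a TCP connection to TARGET_IP:22, and then runs a
# second, end-to-end encrypted SSH session inside that tunnel. The bastion never
# sees the key or the session plaintext. IdentitiesOnly stops ssh from offering
# every key in your agent to a host you do not fully trust.
write_ssh_config() {
  out="$1"
  cat > "$out" <<EOF
Host bastion
    HostName $BASTION_IP
    User $SSH_USER
    IdentityFile $KEY
    IdentitiesOnly yes

Host private-app
    HostName $TARGET_IP
    User $SSH_USER
    IdentityFile $KEY
    IdentitiesOnly yes
    ProxyJump bastion
EOF
}

# The same thing as a one-off command (-J is ProxyJump). Printed rather than
# executed so you can review it before pasting it into a terminal.
ssh_direct_cmd() {
  printf 'ssh -i %s -J %s@%s %s@%s\n' \
    "$KEY" "$SSH_USER" "$BASTION_IP" "$SSH_USER" "$TARGET_IP"
}

# Local port forward through the bastion: expose a service on the private
# instance (e.g. a web app on 8080) at http://localhost:LOCAL_PORT without
# opening a shell on it. -N means "no remote command, just forward".
port_forward_cmd() {
  local_port="$1"; remote_port="$2"
  printf 'ssh -i %s -N -L %s:%s:%s %s@%s\n' \
    "$KEY" "$local_port" "$TARGET_IP" "$remote_port" "$SSH_USER" "$BASTION_IP"
}

# Usage: write the config to a scratch file and show the equivalent commands.
tmp_cfg=$(mktemp)
write_ssh_config "$tmp_cfg"
echo "ssh_config fragment written to $tmp_cfg (append it to ~/.ssh/config, then run: ssh private-app)"
ssh_direct_cmd
port_forward_cmd 8080 8080
rm -f "$tmp_cfg"
```

Once the fragment is in ~/.ssh/config, `ssh private-app` does both hops in one go, and `scp`/`sftp`/`rsync` work against `private-app` too, which the manual two-hop never gives you. Nothing in this example requires the key on the bastion or `ssh -A`.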

Working model of a Bastion Host

Let’s take a scenario where I have one EC2 instance deployed in a public subnet and one in a private subnet. I want to connect to the EC2 in the private subnet, but there is no direct way to reach it.

We will be going through a classic two-tier network architecture in AWS, where the Bastion Host acts as a controlled gateway to access EC2 instances residing in a private subnet.

Below are the components involved in a working bastion setup:

User (Admin/Developer)

  • Initiates an SSH connection from a local machine.

Public Subnet

  • Contains an EC2 instance (the Bastion Host) with a public IP address.
  • Routed to the Internet Gateway, enabling SSH from the outside world.

Private Subnet

  • Contains an EC2 instance with no public IP, isolated from direct internet access.
  • Cannot be reached directly from the internet, which is the point of the design.

Internet Gateway

  • Attached to the VPC.
  • Allows the public subnet’s EC2 (Bastion Host) to receive SSH traffic from the internet.

NAT Gateway (Optional)

  • Present in the public subnet.
  • Allows outbound internet access for the private EC2 (to download packages, reach external services, etc.)
  • A route from the private subnet to the NAT Gateway is only required if outbound internet access is needed.

How It All Connects

  • The user SSHs into the Bastion Host in the public subnet.
  • From the Bastion Host, the user SSHs into the private EC2 instance.
  • The private EC2 instance stays unreachable from the internet; if it needs outbound access, that traffic leaves through the NAT Gateway.

Security Group Rules for the public and private EC2

The target server and the bastion host need different security groups.

Security Group of Bastion Host:

  • Allows inbound SSH (port 22) only from trusted IPs (your workstation’s public IP as a /32, never 0.0.0.0/0).

Security Group of Private EC2:

  • Allows inbound SSH only from the Bastion Host’s security group (preferred, since the rule keeps working when the bastion is replaced and gets a new address) or from the bastion’s private IP.
  • No public IP on the private EC2, which ensures it cannot be reached directly from the internet.
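As an added example (not from the original post), here are those two security groups as AWS CLI calls, with a guard that refuses to open port 22 to anything wider than a single /32 host. The VPC id, group names and admin IP are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: create the bastion and
# private-instance security groups with the AWS CLI. VPC_ID, ADMIN_CIDR and
# the group names are placeholders; edit them, then run: sh this_script.sh apply
set -eu

VPC_ID="vpc-0123456789abcdef0"   # placeholder
ADMIN_CIDR="203.0.113.5/32"       # your workstation's public IP as a /32 (placeholder)

# Accept only a single IPv4 host in CIDR form (a.b.c.d/32). The most common
# bastion mistake is authorising port 22 from 0.0.0.0/0 "just for now".
is_single_host_cidr() {
  cidr="$1"
  case "$cidr" in
    */32) ;;
    *) return 1 ;;
  esac
  ip="${cidr%/32}"
  old_ifs="$IFS"; IFS=.
  set -- $ip
  IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

create_bastion_security_groups() {
  is_single_host_cidr "$ADMIN_CIDR" || {
    echo "ADMIN_CIDR must be a single /32 host, got '$ADMIN_CIDR'" >&2
    return 1
  }

  bastion_sg=$(aws ec2 create-security-group \
      --group-name bastion-sg \
      --description "Bastion host: SSH from admin IP only" \
      --vpc-id "$VPC_ID" --query GroupId --output text)
  private_sg=$(aws ec2 create-security-group \
      --group-name private-app-sg \
      --description "Private instances: SSH from bastion SG only" \
      --vpc-id "$VPC_ID" --query GroupId --output text)

  # Bastion: port 22 from the admin /32 only. A new security group already
  # allows all outbound traffic, so the bastion can open its second hop
  # without an extra egress rule.
  aws ec2 authorize-security-group-ingress --group-id "$bastion_sg" \
      --protocol tcp --port 22 --cidr "$ADMIN_CIDR"

  # Private instances: port 22 from the bastion's *security group*, not its
  # IP. Referencing the group keeps the rule valid if the bastion is replaced
  # and comes back with a different private address.
  aws ec2 authorize-security-group-ingress --group-id "$private_sg" \
      --protocol tcp --port 22 --source-group "$bastion_sg"

  echo "bastion_sg=$bastion_sg private_sg=$private_sg"
}

case "${1:-}" in
  apply) create_bastion_security_groups ;;
  *) echo "usage: $0 apply   (edit VPC_ID and ADMIN_CIDR first)" >&2 ;;
esac
```

Attach `bastion-sg` to the bastion and `private-app-sg` to every instance in the private subnet; nothing else in the VPC needs a port 22 rule. If your public IP changes, update the single /32 rule rather than widening it.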

Follow for More

If this helped or sparked an idea, drop a comment, a clap, or reach out!
