Forem

Baraa Mohamed
Baraa Mohamed

Posted on • Edited on

Accessing EC2 In Private Subnet | Bastion | VPC | AWS

#aws #linux #awschallenge #cloud

Bastion - VPC - AWS - Archeticture

Accessing Private EC2 Instances in AWS: A Guide

Cloud architectures commonly use public and private subnets to balance accessibility and security. Public subnets host resources like bastion hosts or load balancers, while private subnets house sensitive workloads such as application servers. This setup ensures a secure environment, as private EC2 instances are only accessible through specific configurations.

Two Approaches to Access Private EC2 Instances

Depending on your requirements, you can access an EC2 instance in a private subnet through one of two methods: SSH access or traffic forwarding.

Method 1: SSH Access to a Private EC2

This method is ideal for performing configurations or debugging directly on the private EC2 instance.

Steps:

  1. Start the SSH-Agent to manage your private keys:

    eval "$(ssh-agent -s)"

  2. Add the private EC2 key to the agent:

    ssh-add <file-key-of-private-app>

  3. Connect to the bastion host in the public subnet, forwarding the SSH-Agent:

    ssh -v -i <file-key-of-bastion> -A <public-instance>

  4. From the bastion host, SSH into the private EC2:

    ssh -v -i <file-key-of-private-app> <private-instance>

By forwarding the agent (-A), you securely authenticate to the private instance without transferring your private keys.

Method 2: Port Forwarding

If you need to access a service (e.g., Jenkins) running on the private EC2, port forwarding allows you to securely forward traffic through the bastion host.

Example: Forwarding Jenkins Dashboard

  1. Start the SSH-Agent and add the private key:

    eval "$(ssh-agent -s)"
ssh-add <file-key-of-private-app>

  2. Forward traffic from port 8080 on the private EC2 to port 4040 on your local machine:

    ssh -v -i <file-key-of-bastion> -A -L 4040:<ip-of-private-jenkins-ec2>:8080 <public-instance>

  3. Open http://localhost:4040 in your browser to access the Jenkins dashboard.

Note:

To retrieve the Jenkins setup password, use:

sudo cat /var/lib/jenkins/secrets/initialAdminPassword
Enter fullscreen mode Exit fullscreen mode

This approach avoids exposing Jenkins to the internet, improving security.

Best Practices

  • Use SSH-Agent to securely store keys during your session.
  • Enable agent forwarding (A) only when necessary to minimize security risks.

  • Clean up your SSH session by removing keys after use:

    ssh-add -D

Conclusion

With these methods, you can securely access private EC2 instances while maintaining a robust and secure cloud architecture.

๐Ÿค I'd love to connect with you on LinkedInโ€”let's grow our network and share ideas! here

Top comments (0)

Read next

dhoang1905 profile image

SNS vs. SQS vs. EventBridge: Choosing the Right AWS Messaging Service

Donovan HOANG -

imsushant12 profile image

Introduction to Amazon VPC and Its Fundamentals

Sushant Gaurav -

payalgupta4639 profile image

Glue cross-account setup

Payal Gupta -

julie_ryan_df9e4e895cdcff profile image

Transform Your Cloud Migration Strategy: Transition Microsoft workloads to Linux on AWS with AI Solutions

Julie Ryan -