DEV Community

Baraa Mohamed

Accessing EC2 In Private Subnet | Bastion | VPC | AWS

Bastion - VPC - AWS - Architecture

Accessing Private EC2 Instances in AWS: A Guide

Cloud architectures commonly use public and private subnets to balance accessibility and security. Public subnets host resources that must be reachable from the internet, such as bastion hosts or load balancers, while private subnets house workloads such as application servers that have no public IP and no route in from the internet. A private EC2 instance is therefore reachable only through a host inside the VPC whose security group is allowed to talk to it, which in this setup is the bastion.

Two Approaches to Access Private EC2 Instances

Depending on your requirements, you can access an EC2 instance in a private subnet through one of two methods: SSH access or traffic forwarding.


Method 1: SSH Access to a Private EC2

This method is ideal for performing configurations or debugging directly on the private EC2 instance. The private instance's key never leaves your machine: it is loaded into a local SSH agent, and the bastion only relays the agent's signatures.

Prerequisite: the private instance's security group must allow inbound TCP/22 from the bastion's security group (not from 0.0.0.0/0), and the bastion's security group must allow TCP/22 from your own IP.

Steps:

  1. Start the SSH-Agent to manage your private keys:

    eval "$(ssh-agent -s)"
    
  2. Add the private EC2 key to the agent (check with ssh-add -l that it is now listed):

    ssh-add <file-key-of-private-app>
    
  3. Connect to the bastion host in the public subnet, forwarding the SSH-Agent:

    ssh -v -i <file-key-of-bastion> -A <public-instance>
    
  4. From the bastion host, SSH into the private EC2. Do not pass -i here: the key is not on the bastion, and it should not be copied there. The forwarded agent answers the authentication challenge:

    ssh -v <private-instance>
    

By forwarding the agent (-A), you authenticate to the private instance without transferring your private keys. The caveat: while the session is open, the bastion's sshd holds a socket to your agent, so anyone with root on the bastion can sign with your keys for as long as you stay connected (they cannot read the keys themselves). If the bastion is not fully trusted, prefer ProxyJump (ssh -J <public-instance> <private-instance>), which opens a second SSH connection from your machine through the bastion and needs no agent forwarding at all.


Method 2: Port Forwarding

If you need to reach a service (e.g., Jenkins on port 8080) running on the private EC2, a local port forward tunnels that one TCP port through the bastion host. The tunnel ends at the bastion's network layer; you do not log into the private instance, so neither its key nor agent forwarding (-A) is needed, and forwarding the agent here would only widen exposure.

Example: Forwarding Jenkins Dashboard

  1. Connect to the bastion with a local forward. Local port 4040 is mapped, via the bastion, to port 8080 on the private Jenkins instance (the private instance's security group must allow TCP/8080 from the bastion's security group):

    ssh -v -i <file-key-of-bastion> -L 4040:<ip-of-private-jenkins-ec2>:8080 <public-instance>
    
  2. Open http://localhost:4040 in your browser to access the Jenkins dashboard. The tunnel lasts as long as the SSH session; add -N if the session should carry only the forward and not a shell.

Note:

To retrieve the Jenkins setup password, run this on the Jenkins instance itself (e.g. over a Method 1 session), since the tunnel does not give you a shell there:

    sudo cat /var/lib/jenkins/secrets/initialAdminPassword
    

This approach avoids exposing Jenkins to the internet: the service stays bound inside the private subnet and is reachable only by whoever can authenticate to the bastion.
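Both procedures above can be captured in ~/.ssh/config so that keys never leave the laptop and agent forwarding is not needed at all. The following is an added example and not part of the original post; the host aliases, user name, IP addresses and key paths are assumptions to be replaced with your own.

```sshconfig
# ~/.ssh/config  (added example; hostnames, IPs and key paths are assumptions)

# Bastion in the public subnet. Its key stays on the laptop.
# 203.0.113.10 is an assumed public IP from the TEST-NET-3 documentation range.
Host bastion
    HostName 203.0.113.10
    User ec2-user
    IdentityFile ~/.ssh/bastion.pem
    IdentitiesOnly yes
    # ProxyJump below does not need the agent on the bastion, so keep it off.
    ForwardAgent no

# Method 1 without -A: the private instance is reached with ProxyJump (ssh -J).
# ssh opens a TCP forward through the bastion and runs a second SSH handshake
# end-to-end from the laptop, so the private key is only ever used locally.
# 10.0.2.25 is an assumed private IP.
Host app-private
    HostName 10.0.2.25
    User ec2-user
    IdentityFile ~/.ssh/private-app.pem
    IdentitiesOnly yes
    ProxyJump bastion

# Method 2: the same bastion used purely as a tunnel to the Jenkins UI.
# Run `ssh -N jenkins-tunnel`, then open http://localhost:4040.
# The forward binds to 127.0.0.1 only, so other hosts on your LAN cannot use it.
Host jenkins-tunnel
    HostName 203.0.113.10
    User ec2-user
    IdentityFile ~/.ssh/bastion.pem
    IdentitiesOnly yes
    LocalForward 127.0.0.1:4040 10.0.2.25:8080
    ExitOnForwardFailure yes
```

With this file, `ssh app-private` replaces steps 1 to 4 of Method 1 and `ssh -N jenkins-tunnel` replaces the -L command of Method 2. Both rely on the bastion's sshd permitting TCP forwarding (the AllowTcpForwarding default is yes) and on the same security-group rules as before: TCP/22 to the bastion from your IP, and TCP/22 and TCP/8080 to the private instance from the bastion's security group. ExitOnForwardFailure makes the tunnel command fail loudly if port 4040 is already taken instead of silently giving you a shell with no forward.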


Best Practices

  • Use SSH-Agent to hold keys in memory for the session instead of copying key files onto the bastion; ssh-add -l shows what is currently loaded.
  • Enable agent forwarding (-A) only when necessary: for the duration of the session, root on the bastion can sign with any key in your agent. Prefer ProxyJump (-J) when the bastion is the only reason you would forward the agent.
  • Clean up your SSH session by removing all keys from the agent after use:

    ssh-add -D
    

Conclusion

With these methods, you can securely access private EC2 instances while maintaining a robust and secure cloud architecture.

🤍 I'd love to connect with you on LinkedIn—let's grow our network and share ideas! here
