If you consider scenarios in which you bastion is compromised for whatever reason, you basically compromised all of your instances across all of the regions. In the end, from a security perspective, granting access to all instances from a single bastion might not be best practice. So, it would be wise to consider what practical problem are you trying to solve (not shared in the question)? Afterwards, you could evaluate if there is an applicable managed service like SSM that is already provided by AWS.
Set up the appropriate security groups (SG). Overall, this answer to your question involves a lot of complexity and components that will definitely incur charges to your AWS account. The basic steps for creating a bastion host for your AWS infrastructure: Launch an EC2 instance as you normally would for any other instance. In this way, you enable yourself the connection while even your bastion is secured in private subnet. Therefore, if your Bastion is in private subnet you could use the capability of SSM to establish a port-forwarding session to your local machine. AWS : SSH to private subnet EC2 instance from public subnet EC2 instance via NAT GATEWAY is not happening. From private subnets you can always reach the internet via NAT Gateways (or NAT Instances) and stay protected from unauthorized external access attempts. Like with almost all use-cases relying on Amazon EC2 instances, I would stress to keep all the instances in private subnets.
#Aws bastion host vs nat instance windows
Since, you are dealing with peered VPCs you will need to properly allow your inbound access based on CIDR ranges.įinally, you need to decide how you will secure access to your Windows Bastion host.
Secondly, you need to arrange that access from your bastion is allowed in the inbound connections of your target's security group. Associate with your NAT instance and the resources behind your NAT instance to control inbound and outbound traffic. Otherwise, it will be impossible to properly arrange routing tables. However, among other, you would need to make sure that your VPC (and Subnet) CIDR ranges are not overlapping. Still, if you need to set-up bastion host for some other purpose not supported by SSM, the answer includes several steps that you need to do.įirstly, since you are dealing with multiple VPCs (across regions), one way to connect them all and access them from you bastion's VPC would be to set-up a Inter-Region Transit Gateway. Additionally, with SSM almost all access permissions could be regulated via IAM permission policies. With AWS System Manager you are getting a managed service that offers advance management capabilities with highest security principles built-in.
#Aws bastion host vs nat instance Patch
First of all, I would question what are you trying to achieve with a single bastion design? For example, if all you want is to execute automation commands or patches it would be significantly more efficient (and cheaper) to use AWS System Manager Run Commands or AWS System Manager Patch Manager respectively.
0 kommentar(er)
