Terraforming Bastion Architecture: Secure AWS Access for Private Subnets


Introduction

In cloud-native environments, private subnets are essential for securely hosting backend services like databases and internal APIs. However, connecting to instances in these private subnets requires a secure and controlled access method. This is where a bastion host (a jump server) becomes essential. In this guide, we'll explore how to deploy a bastion host architecture using Terraform on AWS to enable secure SSH access to private EC2 instances, without compromising security.

What is a Bastion Host?

A bastion host is a secure EC2 instance configured as the only entry point to your private subnets. It resides in a public subnet and provides SSH access to resources in private subnets.

Key Benefits:

  • Centralized access control

  • Improved audit logging and compliance

  • Minimized attack surface

  • Enhanced security when combined with SSH key rotation or Session Manager

Terraform Architecture Overview

Using Terraform, we’ll define the following key components:

  1. VPC and Subnets

    • One public subnet (for bastion host)

    • One or more private subnets (for application/data servers)

  2. Security Groups

    • Bastion host SG allows inbound SSH access (restricted to your IP)

    • Private instances SG allows SSH only from the bastion's SG

  3. EC2 Instances

    • Bastion EC2 instance with a public IP

    • Private EC2 instances without public IPs

  4. IAM Roles (Optional)

    • For integrating AWS Systems Manager (SSM) as an alternative access method

  5. Key Pair Management

    • Define SSH key pair for secure instance access.

Terraform Configuration Snippets

Here’s a high-level look at the main components in Terraform:

1. VPC and Subnet


resource "aws_vpc" "main" {

  cidr_block = "10.0.0.0/16"

}


resource "aws_subnet" "public" {

  vpc_id     = aws_vpc.main.id

  cidr_block = "10.0.1.0/24"

  map_public_ip_on_launch = true

}


resource "aws_subnet" "private" {

  vpc_id     = aws_vpc.main.id

  cidr_block = "10.0.2.0/24"

}


2. Security Groups


resource "aws_security_group" "bastion_sg" {

  name        = "bastion-sg"

  description = "Allow SSH from known IP"

  vpc_id      = aws_vpc.main.id


  ingress {

    from_port   = 22

    to_port     = 22

    protocol    = "tcp"

    cidr_blocks = ["<Your-IP>/32"]

  }

}


resource "aws_security_group" "private_sg" {

  name        = "private-sg"

  description = "Allow SSH from Bastion"

  vpc_id      = aws_vpc.main.id


  ingress {

    from_port       = 22

    to_port         = 22

    protocol        = "tcp"

    security_groups = [aws_security_group.bastion_sg.id]

  }

}


3. Bastion EC2 Instance


resource "aws_instance" "bastion" {

  ami           = "<Amazon-Linux-AMI>"

  instance_type = "t3.micro"

  subnet_id     = aws_subnet.public.id

  key_name      = "your-key"

  security_groups = [aws_security_group.bastion_sg.name]

  associate_public_ip_address = true

}


Best Practices for Bastion Hosts

  • Use SSH agent forwarding or AWS Session Manager to avoid direct key storage.

  • Enable CloudTrail and VPC Flow Logs for auditing.

  • Auto-terminate or schedule shutdown for idle bastions

  • Limit user permissions via IAM.

  • Consider placing bastions behind a NAT Gateway if outbound internet access is required for private instances.

Advanced: Replacing SSH with AWS SSM

To avoid managing SSH keys altogether, integrate AWS Systems Manager (SSM) for secure and auditable access to private instances. Attach the appropriate IAM role and SSM agent, and connect using:


aws ssm start-session --target <instance-id>


Conclusion

Terraforming your bastion architecture empowers you with automated, secure, and repeatable deployment of access patterns for AWS private subnets. It ensures your private resources remain isolated while being reachable under controlled, auditable conditions.

By combining Infrastructure as Code (IaC) with security best practices, you create a scalable cloud environment that aligns with DevSecOps principles.

Comments

Post a Comment

Popular posts from this blog

ECS Deployment Best Practices: Blue/Green with CodePipeline and CodeDeploy

Image
DevOps engineers and AWS cloud architects looking to improve their container deployment processes will benefit from implementing blue/green deployments with Amazon ECS. This guide walks through setting up reliable, zero-downtime deployments using AWS CodePipeline and CodeDeploy for your containerized applications. We’ll cover how to configure your ECS environment properly, create automated deployment pipelines, and implement blue/green deployment strategies that minimize risk during updates. Understanding ECS Deployment Strategies What is Amazon ECS and why it matters Amazon Elastic Container Service (ECS) isn’t just another tool in AWS’s massive catalog—it’s the backbone of modern containerized applications. At its core, ECS is a fully managed container orchestration service that handles all the complex tasks of running, stopping, and managing Docker containers. Think of ECS as the conductor of an orchestra where each container is an instrument. Without proper coordination, you’d just...
Read more

Creating BI Solutions: AI/BI Genie Space Authoring Best Practices in Databricks

Image
Looking to build powerful business intelligence solutions in Databricks? This guide is for data analysts, BI developers, and data engineers who want to master the AI/BI Genie Space. We’ll cover essential authoring techniques that combine the best of AI and BI capabilities in Databricks. Learn about setting up your ideal authoring environment, preparing data for optimal performance, and designing effective visualizations that drive insights. Plus, discover how to implement proper security measures while enabling smooth team collaboration. Understanding the AI/BI Genie Space in Databricks Key features and capabilities of AI/BI Genie Space The AI/BI Genie Space isn’t just another BI tool—it’s Databricks’ answer to making data visualization and analytics dead simple while keeping all the power under the hood. Think of it as your command center for creating dashboards and reports without jumping between platforms. What makes it special? First off, real-time query processing. You ask a quest...
Read more

AWS Console Not Loading? Here’s How to Fix It Fast

Image
When the AWS Management Console refuses to load, it can be incredibly frustrating, especially when trying to deploy, debug, or manage production infrastructure. Fortunately, quick and effective fixes get you back on track. This guide outlines common causes and step-by-step solutions to resolve the issue quickly. 1. Check AWS Service Status Start by verifying if AWS itself is experiencing issues: Visit the AWS Health Dashboard to check for regional outages. Look for service-specific issues affecting IAM , EC2 , S3 , or the Console itself . Tip: Subscribe to AWS status updates on Twitter for real-time alerts. 2. Clear Browser Cache and Cookies Corrupted cache or cookies often prevent pages from rendering correctly. Steps: Open browser settings. Clear cache , cookies , and site data for aws.amazon.com . Reload the page. Try logging in using Incognito/Private Mode to rule out browser extensions interfering. 3. Try a Different Browser or Device Sometimes, browser-specific quirks b...
Read more

YouTube Channel