BASTION HOST SOLUTION in AWS
Consider a company that has a WEB-SERVER and a DATABASE SERVER in its infrastructure.
If, for security reasons, the company decides to hide the database server from traffic coming from an external network such as the internet, while still allowing the database server to reach the internet itself, a solution called a BASTION HOST can be deployed for this purpose.
A Simple Bastion Host Architecture
What is a Bastion Host:
A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet.
The bastion host processes and filters all incoming traffic and prevents malicious traffic from entering the network, acting much like a gateway.
The most common examples of bastion hosts are mail, domain name system, Web and File Transfer Protocol (FTP) servers. Firewalls and routers can also become bastion hosts.
LAB: ILLUSTRATING BASTION HOST.
I have put together a simple lab below to illustrate this solution.
AWS RESOURCES & SERVICES USED:
- AWS EC2 instance (Linux-based, in this case)
- Security Group
- VPC
- Subnet
- Internet Gateway
- Route Table
- NAT Gateway
Step1: VPC CREATION
I created a VPC in the US-EAST-1 region.
VPC: 172.16.0.0/16
Virtual Private Cloud (VPC)
Step2: SUBNETS CREATION
I created 2 subnets in the VPC, both in the same AZ.
Webserver (Public) Subnet: 172.16.20.0/24
Database Server (Private) Subnet: 172.16.10.0/24
Subnets
Step3: SECURITY CONFIGURATIONS
I created 2 security groups:
The first is PUBLIC-SG, which filters inbound traffic to the webserver. In this SG, I allow inbound traffic on:
Port 22: SSH traffic from anywhere (internet), 0.0.0.0/0
Port 80: HTTP traffic from anywhere (internet), 0.0.0.0/0
The second is PRIVATE-SG, which filters traffic into the database server. In this SG, I allow only SSH traffic (port 22), and only when it originates from the webserver (public) subnet.
Webserver SG
Database SG
Step4: EC2 INSTANCES SPIN-UP
I created two EC2 instances, one as the webserver and one as the database server, with the webserver attached to PUBLIC-SG and the database server attached to PRIVATE-SG.
I disabled public IP auto-assignment on the database server, so that no public IP is assigned to it.
Web & Database Servers
Step5: INTERNET GATEWAY
To provide internet access to the VPC, I created an Internet Gateway and attached it to the VPC.
Internet Gateway
Step6: NAT GATEWAY
Because the database server needs to communicate with the internet but has no public IP, I created a NAT Gateway to translate the database server's private IP into a public IP for that purpose.
NAT Gateway
Step7: ROUTING TABLES
To let the parts of this network communicate with each other, I configured route tables, which determine where traffic is sent.
In the Webserver-RT, I directed all internet-bound traffic to the Internet Gateway; in the Database-RT, all internet-bound traffic is forwarded to the NAT Gateway.
Database-RT
Webserver-RT
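The security-group and routing choices in Steps 3, 4 and 7 are the invariants that make this a bastion layout: the database has no public IP, its SSH port accepts connections only from the webserver subnet, and its default route goes to the NAT Gateway rather than the Internet Gateway. The following Python script is an added example, not code from the original article; it checks those invariants over records shaped like the JSON that `aws ec2 describe-security-groups`, `describe-route-tables` and `describe-instances` return. The sample records are constructed inline from the lab's CIDRs, and all resource ids (`sg-...-PLACEHOLDER`, `igw-PLACEHOLDER`, `nat-PLACEHOLDER`) are placeholders rather than ids from the lab.

```python
"""Added example: check a VPC layout against the bastion-host lab's invariants.
Records are constructed here in the shape of AWS CLI describe-* output
(only the fields the checks use); resource ids are placeholders."""
import copy
from ipaddress import ip_network

PUBLIC_SUBNET = "172.16.20.0/24"   # webserver (bastion) subnet from the lab
ANYWHERE = "0.0.0.0/0"

SECURITY_GROUPS = {  # constructed sample, keyed by group id
    "sg-public-PLACEHOLDER": {
        "GroupName": "PUBLIC-SG",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANYWHERE}]},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": ANYWHERE}]},
        ],
    },
    "sg-private-PLACEHOLDER": {
        "GroupName": "PRIVATE-SG",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": PUBLIC_SUBNET}]},
        ],
    },
}

ROUTE_TABLES = {  # constructed sample, keyed by the lab's route-table names
    "Webserver-RT": [
        {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": ANYWHERE, "GatewayId": "igw-PLACEHOLDER"},
    ],
    "Database-RT": [
        {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": ANYWHERE, "NatGatewayId": "nat-PLACEHOLDER"},
    ],
}

INSTANCES = {  # constructed sample; the database record has no PublicIpAddress
    "webserver": {"PublicIpAddress": "203.0.113.10",
                  "SecurityGroups": [{"GroupId": "sg-public-PLACEHOLDER"}]},
    "database": {"SecurityGroups": [{"GroupId": "sg-private-PLACEHOLDER"}]},
}


def rule_covers_port(rule, port):
    """True if an IpPermissions entry allows TCP `port` (protocol -1 = all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]


def sources_for_port(group, port):
    """Set of IPv4 source CIDRs allowed to reach `port` on members of `group`."""
    return {r["CidrIp"] for rule in group["IpPermissions"]
            if rule_covers_port(rule, port) for r in rule["IpRanges"]}


def ssh_only_from(group, allowed_cidr):
    """SSH must be allowed, and every permitted source must lie inside `allowed_cidr`."""
    sources = sources_for_port(group, 22)
    allowed = ip_network(allowed_cidr)
    return bool(sources) and all(ip_network(c).subnet_of(allowed) for c in sources)


def default_route_target(routes):
    """Id the 0.0.0.0/0 route points at (NAT gateway or internet gateway), or None."""
    for route in routes:
        if route.get("DestinationCidrBlock") == ANYWHERE:
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None


def check_layout(groups, route_tables, instances):
    """Return a list of findings; an empty list means the layout matches the lab."""
    findings = []
    db = instances["database"]
    db_sg = groups[db["SecurityGroups"][0]["GroupId"]]
    if "PublicIpAddress" in db:
        findings.append("database instance has a public IP address")
    if not ssh_only_from(db_sg, PUBLIC_SUBNET):
        findings.append(f"{db_sg['GroupName']}: SSH reachable from outside {PUBLIC_SUBNET}: "
                        f"{sorted(sources_for_port(db_sg, 22))}")
    if any(r["CidrIp"] == ANYWHERE for rule in db_sg["IpPermissions"] for r in rule["IpRanges"]):
        findings.append(f"{db_sg['GroupName']}: has an inbound rule open to {ANYWHERE}")
    db_target = default_route_target(route_tables["Database-RT"]) or ""
    if not db_target.startswith("nat-"):
        findings.append(f"Database-RT: default route goes to {db_target!r}, expected a NAT gateway")
    web_target = default_route_target(route_tables["Webserver-RT"]) or ""
    if not web_target.startswith("igw-"):
        findings.append(f"Webserver-RT: default route goes to {web_target!r}, expected the internet gateway")
    return findings


def check_sample():
    """The lab layout as built: expected to produce no findings."""
    return check_layout(SECURITY_GROUPS, ROUTE_TABLES, INSTANCES)


def check_broken_sample():
    """Same layout with two common mistakes: database SSH opened to the world,
    and the database subnet routed straight to the internet gateway."""
    groups = copy.deepcopy(SECURITY_GROUPS)
    groups["sg-private-PLACEHOLDER"]["IpPermissions"][0]["IpRanges"] = [{"CidrIp": ANYWHERE}]
    tables = copy.deepcopy(ROUTE_TABLES)
    tables["Database-RT"][1] = {"DestinationCidrBlock": ANYWHERE, "GatewayId": "igw-PLACEHOLDER"}
    return check_layout(groups, tables, INSTANCES)


if __name__ == "__main__":
    print("as built:", check_sample() or "OK")
    for finding in check_broken_sample():
        print("broken  :", finding)
```

To run it against a real account, replace the three constructed dictionaries with the parsed output of the corresponding `aws ec2 describe-*` calls (the lookups only use `GroupName`, `IpPermissions`, `DestinationCidrBlock`, `GatewayId`, `NatGatewayId`, `PublicIpAddress` and `SecurityGroups`). The route check looks only at each table's default route; it does not verify that the NAT Gateway itself sits in the public subnet with a path to the Internet Gateway, which it must for the database server's outbound traffic to work.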
Step8: HOW TO ACCESS THE SERVER
To access the database server, I connected to the webserver (which is the BASTION HOST in this case) via SSH, and from there connected to the database server, also via SSH. The SSH connection requires key-pair authentication; the key pair was created during the EC2 instance spin-up.
To confirm that the database server can reach the internet, I pinged Google's public IP 8.8.8.8 from it and received a response.
Conclusion:
Given how prevalent cyber attacks and security threats are, it is important to keep your sensitive infrastructure as safe as possible. One way to achieve this is to isolate it from public access, and one way to do that is through the use of a bastion host.
I have provided links to supporting documentation for more information on the various AWS concepts discussed in this article.