Bastion Host is a fairly common term when designing AWS Cloud architectures. Bastion Host aka Jump Host is an EC2 Instance used to allow external users to access the private subnet of the VPC (Virtual Private Cloud).
Suppose we design a VPC on AWS Cloud with 02 subnets: 1 public subnet, 1 private subnet.
- The public subnet contains applications exposed to the internet such as web servers. Example: WEB-ABC
- The private subnet contains resources that need to be protected, such as a database. Example: DB-ABC
The problem is that as an administrator you sometimes need to remote into DB-ABC administration, but because DB-ABC is private, you will have 2 ways as follows:
Method 1: Remote to WEB-ABC, then from WEB-ABC remote to DB-ABC.
- Advantages: Simple, does not have to generate more resources.
- Cons: Having to expose the remote port of WEB-ABC can be a security risk. With the word WEB-ABC accessing DB-ABC you must save the credential of DB-ABC on WEB-ABC, this can also be a second security risk.
Method 2: Use Bastion host. Build more bastion host in public subnet and allow remote access.
- Pros: More security.
- Cons: Higher cost.
Bastion Host is a secure way to access resources located in the private subnet on AWS Cloud.
Bastion Host Usually to ensure security you need to reinforce the rules about Nacl and security group. Moreover, when you need to connect to a private resource, you just turn it on, normally you shouldn’t turn it on for cost saving.
Do you use Bastion Host on AWS Cloud? please share.