What is Bastion Host and why it is so important? - Step by Step tutorial (Part-6)

Captions
Hello and welcome back to the AWS series. In this chapter we will be talking about the concept of a Bastion host in AWS. Before we jump into the details of our Bastion host, it's really important for you to understand the concept of a Bastion host, and for that I have taken a very simplistic example which is really easy to understand. So here on the screen you can see three objects: on the top right corner you will see a castle, in the middle you will see a tunnel which is like the entrance for this particular castle, and on the left hand side you will see an intruder or a trespasser. The idea over here is anyone who wants access to this particular castle has to go through this particular tunnel, and this is not an ordinary tunnel, this is a heavily guarded tunnel with armoury. So anyone with valid access to this particular castle will not have a problem, but anyone who is an intruder or who doesn't have valid access to this particular tunnel, necessary action will be taken against him and he will be prohibited from entering this particular castle.

Now you might be wondering how it makes sense when we are talking about AWS and I'm talking about this tunnel and this castle. So here this particular tunnel is heavily guarded, and this is a tunnel for doing all the security checks for us, so the same thing applies for the Bastion host also. So in the AWS context we will be calling this tunnel our Bastion host, where everyone who wants to access our AWS network or AWS resources has to go through this particular tunnel, and this particular castle on the right hand side will be our AWS environment where our resources will be running.

Compare our castle example with this AWS setup which I'm showing to you right now. So here on the left hand side you will see a user which has access to an Internet Gateway so that he can access our AWS network, but here we are having a public subnet and a private subnet. So whenever we talk about the Bastion host, the Bastion host is always available in the public subnet so that any user can access that Bastion host, and if that user has proper access then he eventually will be able to access the resources in our private subnet. So if we compare both examples, which is our castle example and this AWS setup, then here you will see the tunnel will sit over here in the public subnet where it will be safeguarded and any access will be screened over here, and this EC2 will be the area where our castle will sit. So here any user who is coming to our AWS network has to go through our Bastion host, and if access has been granted to that particular user then he or she will be able to access our resources in our private subnet, and the private subnet, I mean the castle, which is the example I have shown you previously.

Now you know the concept of a Bastion host, so let's jump onto our AWS console and start setting up this whole environment so that we can see how the Bastion host works in an actual AWS environment. So let's start with our demo, and here on the screen you can see this is my AWS console. So let's come back to our slide and start with our first element which is needed for this whole setup. So here on the screen you can see this is the architecture, or this is the desired environment which we want to implement. So here the first block which you will see is the AWS boundary, and this AWS boundary means you need to have an AWS account. So here on the screen you can see I have an AWS console, which means I have a proper AWS account. So let's take a look again at this diagram. The second boundary which I see over here is the VPC, so we need to create a VPC. VPC is a virtual private cloud, so it's actually a physical data center if you compare with our physical world scenario; VPC is just like a virtual physical data center for us, so that any resource which we create will be residing inside our VPC.

So let's go back to our AWS console, and over here in the search bar type VPC, click on this VPC, and here you will find an option to create a VPC. So click on create VPC. Here you need to click on VPC only; there is one more option, VPC and more, but we are going to stick with our very basic option which is VPC only. So here you need to enter the name, so I'm just going to put test VPC. Here you need to enter the IP range, because any resource which you want to create inside the VPC needs to have IP addresses, so for that we are just going to define the IP range. We are not going to define a single IP, we are defining an IP range, so that any resource which you create inside the VPC will get an IP address out of that particular range. So here, for this demo, I'm just going to keep this IP range which is 12.0.0.0/16. So this is a CIDR block which you need to pay careful attention to when you're creating a VPC. All right, so now we have entered the VPC name and the IP range we have assigned. So here these are the tags which it has generated automatically, which is name and the value, so I'm just going to stick with that and I'm just going to click on create VPC.

All right, so here just go back to the VPC link over here, and here you can see there are two VPCs. So click on it, and here you can see, I'm just going to refresh it, so here you can see this is the test VPC which I have created and this is the default VPC which you generally get. So I'm not going to use any default VPC, I'm just going to stick with my own VPC which I have just created.

So now we have created our VPC. The next item which we need to create from this diagram is an internet gateway, so that any user can access our AWS network through the internet gateway. So again go to the AWS console over here; in the search bar you can either type VPC, because we have the internet gateway option available inside our VPC, so here you will either find it from the left hand side, where you will see the internet gateway option, or you can see this internet gateway tile, which is a rectangular tile which is present on our VPC dashboard. So I'm just going to click on this internet gateway, and here you can see this is a default gateway which has been created previously, but we are not going to use that one. I'm just going to click on create internet gateway, and here I'm just going to type igw, for the internet gateway abbreviation, and I'm just going to type test over here, and that's it, and then just simply click on create internet gateway. And we can verify it: just go over here, and here you can see this is our test internet gateway which I have just created.

The next thing which we need to do over here: this internet gateway is not attached to our VPC. So if you go back to our diagram over here, then you can see this VPC and this internet gateway have to be attached. So what I'll do, I'll just click on this internet gateway ID over here, click on action, go to attach VPC, and here you can see the option of attaching test VPC which we have just created. So select this VPC, attach internet gateway, and that's how we create our VPC and we attach our internet gateway.

So now after creating the internet gateway, the next item which we need to create from the diagram is our public subnet as well as our private subnet. So these are the two elements which we are going to create. So again go back to our AWS console, and you can click on this VPC dashboard over here, and here you will find an option for subnets. So click on it, and here you will find some default subnets which have been already created by AWS for you, but we are not going to use those ones; we are just going to create two subnets, one is the public and one is the private subnet. So click on this create subnet, and here you need to select the VPC, because if you take a look at this particular diagram then everything is happening inside the VPC, so the subnets also exist inside our VPC. So here first of all you need to select the VPC, so we are going to select this test VPC because that's the one which we have created. So select this one, and here we need to enter the name of our subnet. So what I'm just going to do, I'm just going to put the name of my subnet, so here I'm just going to put test public subnet, and here I'm just going to put 1a. I'm just going to show you why I'm putting 1a: so here you need to select the availability zone, and since I'm based in Europe, that's why I'm just going to choose the nearest region, so I'm just going to choose eu-central-1a. That's why I have chosen 1a, so that I know in which region my subnet exists. So that's the one thing which you need to keep in mind; otherwise it's not a problem if you just keep test public subnet, that's also up to you, that's absolutely fine.

The next thing which we need to do over here is we need to specify the IP range for that particular subnet. So if you create an EC2 instance inside that particular subnet, then it will get the IP address from that particular range, so that's a key thing over here. Okay, so I'm just going to put the IP address, so 12.0.1.0, which is similar in the range of our VPC; in the VPC we have defined 12.0.0.0, so here I have chosen the value which is 12.0.1 for this particular public subnet. Okay, so here we have created our public subnet. Then we are going to do one more thing, we're just going to create the private subnet at the same time. So click on add subnet over here, and I'm just going to copy this name, I'm just being a little lazy over here, so I'm just going to put it as private. Availability zone, I'm just going to select 1a, and here I just need to specify the IP address. Sorry, I will just remove this one, I'll just copy the IP address from here, but here this time I need to select a different IP range for this private subnet. So I'm just going to paste it and I'm just going to choose, let's say, three over here. Okay, and then the tags, I'm just going to stick with the default one, and after that I'm just going to verify the details. So here we have the VPC, inside that VPC we have a public subnet, we have the IP range for that one, and we have a private subnet with the IP range, and the tags also created. So just click on create subnet over here, and here you can see our subnets have been created.

So let's take a look at the diagram which we are trying to achieve over here in our AWS environment. So here you can see we have created the VPC, we have created the internet gateway, public subnet and private subnet. The one thing which I forgot to tell you in the initial example is the route table. So we need to have a route table so that our request which is coming from our internet gateway can be routed to our public subnet as well as to our private subnet. So for that we need to create a route table also. So for that what we need to do, we just need to go back to our AWS console, click on this VPC dashboard, and here there is an option for route tables. So click on route tables and then click on create route table. But before that, you can see there are some default route tables which have already been created, so you just don't need to use those default route tables. I'm just going to close these success messages. So I'm just going to click on create route table over here, and here you need to enter the name of your route table. So I'm just going to copy that name which I have already pasted into my notepad. So this is the name of my route table, and this route table is for the public subnet, so that's why I'm adding the keyword public over here, so that we can use this route table only for our public subnet. All right, next thing, again we need to choose the VPC, which is our test VPC, because as you can see in the diagram, everything we are doing we are doing inside our VPC, so that's why I'm choosing the VPC every time whenever I'm creating any new resource. All right, so that's been done, and the tags I'm just going to keep as they are, the default one which has already been created, that is test public rt, for route table. Click on create route table, and here you can see our route table has been created.

But this route table has not been associated with our public subnet. So if you take a look at this diagram, then if you create a route table, which you can see in the middle, it has to be associated with the subnet. Since this route table is only for the public subnet, I'm just going to associate it with our public subnet. So again go back to the AWS console over here, click on this subnet association, and remember I'm inside my route table. So if you're confused then again go back to route tables; this is my route table which I have created, test public rt. Click on this ID, then go to subnet association, click on edit subnet association, here I'm just going to associate the public subnet and then save association. So here you can see our public route table has been associated with our public subnet.

An important thing over here in the route table is, whenever you're working with the public route table which is associated with a public subnet, then you need to provide internet access. Right now we have just defined the route table and we have associated it with our public subnet, but we have not provided internet access to that particular route table and internet gateway. So what I'm just going to do, I'm just going to define a route so that we can access the internet, or that particular subnet can have access to the internet. So for that what you need to do, you just need to click on routes over here. Again I'm just going to start from the first step: so here these are the route tables, here this is my route table, I'm just going to click on this route table ID, and here you will find an option for routes. Subnet, we have already associated with our public subnet, so we don't need to do anything. Click on this routes, click on edit routes, and here you need to select add route. So here you need to enter the IP address, so for providing internet access you need to choose the IP address which is 0.0.0.0, which means anyone can access this particular route table, or at least this internet gateway and this route table have internet access. Next thing is the target; in the target you need to choose the internet gateway which we have just created. So select the internet gateway over here, and here you will find the option automatically, which is internet gateway test, so select that one and then click on save changes.

So now if we go back to our diagram, you can see, now we have the VPC, we have the internet gateway, we have the route table for the public subnet, and this public subnet needs internet access so that a user can access this Bastion host. So for that purpose we have just defined the public route, or the internet access, for that particular route table. We have created the public route table, so similarly we also need to create a private route table for our private subnet. So again go back to our AWS console, and here you just need to click on the route tables, click on create route table, just enter the name, that is test private route table, and once you enter the name then you need to choose the VPC. So here the VPC is test VPC which we have just created, and the name and the tags I'm just going to keep as they are. I'm just going to click on create route table, and now our route table has been created. And remember, this is a private subnet route table and it doesn't need internet access, so I'm just going to stick with the default route with this IP address, which means that it will not have access to the internet but it will have internal access within the VPC. So which means, if we take a look at this particular diagram, then this EC2 or any resource which is running in this private subnet can access the public subnet, or it can be vice versa: anyone which has a public subnet, or any resource which is present in the public subnet, can access the private subnet resources as well.

All right, so let's go back to our AWS console, and here we need to associate this route table with our private subnet. So I'm just going to click on subnet association, click on edit subnet, select the private subnet and save association, and that's been done. So now we have also created the route tables, which is public as well as private. So now we have created the route tables, we have created the public subnet and the private subnet; now it's time for us to create our Bastion host as well as our EC2 instance in our private subnet. And if I compare with the example which I have taken of a castle, so we just need to create this tunnel, which is the Bastion host, and we also need to create the castle, which is an EC2 instance running in the private subnet. So we'll be creating two EC2 instances and then we will see how this Bastion host can access this EC2 instance which is running in our private subnet.

So here is my AWS console, and I'm on the dashboard homepage of my AWS console. In the search box you need to type EC2; we are just going to first create our Bastion host EC2 instance. So click on EC2 and click on launch instance, and here you need to enter the name of your Bastion host, which we will be creating inside our public subnet. So here I'm just going to enter the name, that is test ec2 public instance. After that I need to choose the operating system which I want to get installed on my virtual machine, so I'm just going to choose Ubuntu. I'm just going to stick with the free tier because I'm just doing this for demo purposes, but if you're not doing this for demo purposes and if you want this to be in an actual environment, then just choose some suitable high performance CPU. All right, so now we have chosen Ubuntu; just choose the architecture, whatever feels suitable to you, I'm just going to choose 64-bit, and here I'm just sticking with t2.micro.

Here we need to select the key pair so that we can SSH into our EC2 instance. So if you don't know how to create this SSH key pair then you can simply click on create new key pair. So click on this, and here you need to enter the key name. So what will happen over here is it will create two keys for you, one is the public key and another one is the private key. So once I enter the name, like keys for Bastion host demo, I'm just doing it for demo purposes, so I'm just going to show you how it is going to generate the key, but I have already generated those keys so I'm just going to use those keys; but you can just follow these steps in case you're doing the key generation for the first time. So just click on create key pair, and as soon as you click on this create key pair it will download the private key for you, which you can see over here, like keys for Bastion host demo.pem; that is your private key which you need to keep with you, and it has already associated the public key with this EC2 instance, which we are just trying to create over here, that is test ec2 public instance. And here it has already associated the public key, which is keys for Bastion host demo, so this public key is already associated with this EC2 instance once you select it from this drop down. Okay, so that's the step you need to follow in case you don't have the keys already with you. I have already generated my key, so here I'm just going to choose this one, that is AWS ec2, that's the key I generally use for demo purposes. Okay, so that's about the keys.

The next thing which we need to pay careful attention to over here is the network setting, because here we need to carefully assign the VPC and subnet which we are going to use for this particular EC2 instance. So click on this network setting and click on edit, and let's take a look at the diagram once again, I'm just going to open the slide. So here we need to choose the VPC, the one which we have created, so I'm just going to go over here, drop down, here we are going to choose test VPC. Here we need to choose the subnet; since this EC2 instance is the Bastion host, it needs to be available in our public subnet. So if you take a look at this diagram once again, here you can see this is our public subnet, so I'm just going to choose the public subnet. I think I can see, yeah, here is the public subnet, which is already selected. Auto-assign public IP, that's really important, because you need to enable the public IP so that you can access this particular machine from your remote system. So I will be accessing this machine, this particular Bastion host, from my own laptop, so I'm just going to set enable. Security group, that's also important, so you just need to assign the security group name. So here I'm just going to use the existing name, public instance, I'm just going to use that one and I'm just going to suffix it with SG for security group. You can put the same description over here, and here you can set the SSH type, because we need to SSH into our EC2 instance, that's why we need to enable this SSH security group and we need to define this particular rule so that we can open port 22; otherwise we will not be able to SSH into our machine. All right, that's been done, and after that just check how much memory you need; so I'm just using 8GB, if you need more just add more. And after that we can just click on launch instance, so I'm just clicking over here. So here you can see our EC2 instance has been launched, or our Bastion host has been launched, which you can verify from here. So here you can see test ec2 public instance, so that's the EC2 instance which is in a pending state, so it will get started pretty soon actually. I'm just going to refresh it, it might take a couple of minutes, so just wait for it, and here you can see our state, it is in running state actually.

So if I go back to here, click on EC2, there is a filter also where it only shows the running instances, so here you can see I have a filter, running, and now you can see the ec2 public instance which is our Bastion host is now running. One thing which came into my mind: I would like to rename this instance to suffix it with a name like Bastion, so that it's easy to identify which is our Bastion host. So that's the change I would like to do. The next thing which we need to do right now is to create an EC2 instance in our private subnet. So if I take a look at this diagram once again, here we are done with the creation of the Bastion host, now we need to create an EC2 instance which is in our private subnet, and if I compare with my example then that's our castle. So again what we need to do, we just need to go to the EC2 dashboard, click on launch instances and select the name over here. So I'm just going to copy the name from my notepad, so that is going to be our test ec2 private instance. So here this is the private instance; I'm just going to select Ubuntu, which is my base operating system. I'm just going to select the key pair, which is the one which I have already created; in case you are just creating it then choose the key name which you have just created. All right, I'm just going to edit the network setting; here I'm just going to select the test VPC, I'm just going to select the private subnet over here, and yeah, I'm just making sure that I'm selecting, yeah, that's correct. And auto-assign public IP, I don't need a public IP, this is an EC2 instance in my private subnet, that's why we don't need a public IP. After that, here I'm just going to create the security group, so I'm just going to suffix it with SG private, same thing over here. Now we need to define the security group rules, that's really important; here we need to SSH, we need to access that particular private EC2 instance, that's why we are just going to enable SSH for port 22. But source type: so from where do you need to access this private EC2 instance? So we need to access it from our public subnet, from our Bastion host. So we need to access this EC2 instance from our Bastion host, and this Bastion host is residing in this IP address, that is 12.0.1.0, so that's our public IP, not public, but the IP range of my public subnet. So I'm just going to copy this IP range into the source, so I'm just going to go over here, click on custom, and here I'm just going to specify this IP range over here, select this one, that's been done, and I think we are quite good with that. And after that we can just verify the other settings, so the other settings seem good, I'm just going to click on launch instances, and here you can see our EC2 instance has been launched. So which we can verify: I'm just going to go back to the dashboard once again, click on instances running, just wait for a minute, I'm just going to remove this filter, so here you can see this is our private instance which is in pending state, which should come up and running in a minute. And here you can see both our instances are running, our Bastion host is running and our test ec2 private instance is also running.

So now we have done the infra setup for our Bastion host. Now the first thing which we need to do is we need to access our EC2 instance of our Bastion host. So this is the user, and now we will try to access our Bastion host. So for that what we need to do, we just need to go to the dashboard, our EC2 dashboard, here click on this public Bastion host, click on this ID, and here we need to copy the public IP address of this particular Bastion host. So that's the public IP which you can copy, but the key thing over here is how would you connect to this EC2 instance which is our Bastion host. So you just need to click on connect, and here you will find all the instructions which are necessary to copy into your terminal. So first of all what you need to do, you just need to identify your public, your private key actually. So the private key is the one which you have downloaded when you were creating your EC2 instance. So in my case the private key with the name AWS ec2 terraform, that's the one for me, but in case, as you have seen, we have created a key like keys for Bastion host demo.pem, that's your own private key, but you can keep the name of your choice when you create it. So just select that particular key, and I'm just going to open the terminal over here. So here you can see this is my terminal, and I'm just going to run the ls -lt command, and here you can see this is my private key; but in your case that private key might be ending with the extension .pem, that's absolutely fine, you don't need to worry about it. All right, the next thing which you need to do over here, we need to change the mode of that particular private key. So I'm just going to copy this command, chmod 400; I'm just going to clear the screen, and after that I'm just going to type AWS ec2 terraform, that's my private key, but change this name to your private key which you have created during the EC2 launch. I have changed it. The next thing which we need to do is we need to copy this SSH command from here, that will help you to SSH into your public EC2 instance of the Bastion host. Okay, I'm just going to copy this particular command, and here we need to remove a few things. So I'm just going to first of all remove the .pub extension, because that's not a public key and I don't need it, and I don't have a .pem extension at the end, so I'm just going to stick with this simple thing. Okay, so here this is the ssh command, this is the -i, and this is the private key, and this is ubuntu, that is the user, and this is the public IP of my EC2 instance. I'm just going to hit enter, and it's going to say are you sure you want to continue connecting, so I said yes, and here you can see we have now entered into our EC2 instance, our Bastion host. So here you can see this is the IP, which is within the range of my public subnet, that is 12.0.1.214; that's the IP address which you can verify from here also, so that's the IP address which has been assigned to my Bastion host.

So now our user on this diagram, you can see, has already entered into the Bastion host; now we need to enter into the EC2 instance which is present in our private subnet. So we are already in our Bastion host, and from there we will access our private subnet. So how to do that? So for that purpose, what I'm just going to do, I'm just going to open one more terminal. So this is one more terminal, and remember we have used the same SSH keys for the EC2 in the Bastion, in the public subnet, as well we have used the same SSH key pair for our private subnet EC2 instance also. So what we need to do, we need to copy that private key into our Bastion host. So for that I'm just going to go to the directory where I'm storing my SSH key, and here I will just go and copy the AWS ec2 key, my private key. So I'm just going to run the cat command, and after that I'm just going to copy the whole content, go to my Bastion host, this is my Bastion host, I'm just going to clear it, I'm just going to create a file, AWS ec2 instance, let's put the name as key. Okay, I'm just going to open it in vi, paste the content of the key, save and quit, and after that I need to change the mode of this one, so chmod 400 on AWS ec2 public key, and hit enter. That's been done, so now we have copied our private key into our Bastion host. So you can see over here in this diagram, now we have copied that key so that we can access this EC2 instance using that particular key. So the next thing which we need, we need to have the private IP of my EC2 instance running in the private subnet. So for that what I'll do, I'll just go back to my console; so here is my console, click on EC2, I just need to refresh it, here you can see two instances, click on it, and here we need to click the private instance, click on this instance ID, and here you can see there is no public IP address, because that's our private EC2 instance in the private subnet. All right, so here I'm just going to copy this private IP of my private instance, go back to my terminal over here, and here we need to form that particular command once again: so that is ssh -i, and then we need to enter the AWS key, which is our private key, after that ubuntu, the name of the user for the EC2 instance, and after that we need to enter the IP address, the private IP address of my EC2 instance. Click enter, type yes, and here you can see we have already entered into our EC2 instance running in the private subnet, which you can verify: this is the IP address 12.0.3.13, which you can verify from here, so that's the private instance which is available for you.

So this is how this whole Bastion setup works. So now we have set up the VPC, internet gateway, public subnet, private subnet, we have created an EC2 instance which is our Bastion host, and now we are able to first access the Bastion host and then we are able to access our EC2 instance also which is running in our private subnet. Hope you like today's session on setting up your Bastion host and all the AWS network related stuff which is necessary for this whole setup, and if you're interested in similar content there are many more sessions which I have planned for AWS which will be coming in the upcoming weeks, so stay tuned. And if you have any question then please put it down in the comment section, and if you have any suggestion for any new topic then those are also welcome. So stay tuned, see you in the next session on DevOps and AWS, till then take care and bye-bye.
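A check a practitioner would run after building the layout above, added here as an example and not the author's code: a small Python script that models the VPC, subnets, route tables, instances and security-group SSH sources from the video as constructed in-memory data (12.0.0.0/16, public subnet 12.0.1.0/24 with a default route to the internet gateway, private subnet 12.0.3.0/24 with only the local route, SSH to the private instance allowed only from 12.0.1.0/24) and verifies the properties the Bastion design depends on. It also evaluates a "weak" variant with the three mistakes the launch wizard's defaults make easy. The bastion's own SSH source (`ADMIN_CIDR`, a documentation-range address) is an assumption, since the video does not state what source the public security group was given; the resource names, classes and functions are mine.

```python
"""Offline sanity checks for the bastion layout built in the video (added example).

The constructed Environment below mirrors the demo: VPC 12.0.0.0/16, public
subnet 12.0.1.0/24 (default route to an IGW), private subnet 12.0.3.0/24 (local
route only), and SSH to the private instance allowed only from 12.0.1.0/24.
ADMIN_CIDR (the bastion's SSH source) is an assumption, not from the video.
"""
from __future__ import annotations

import copy
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Subnet:
    cidr: str
    route_table: str   # name of the associated route table
    public: bool       # intended role; the checks verify the config matches it


@dataclass
class Instance:
    subnet: str                                            # subnet name
    public_ip: bool                                        # "auto-assign public IP"
    ssh_sources: list[str] = field(default_factory=list)   # SG sources for port 22


@dataclass
class Environment:
    vpc_cidr: str
    subnets: dict[str, Subnet]
    route_tables: dict[str, dict[str, str]]   # name -> {destination CIDR: target}
    instances: dict[str, Instance]
    bastion: str                              # which instance is the bastion
    admin_cidr: str                           # where administrators SSH from


ADMIN_CIDR = "203.0.113.10/32"   # assumption: documentation range, not stated in the video

DEMO_ENV = Environment(
    vpc_cidr="12.0.0.0/16",
    subnets={
        "test-public-subnet-1a": Subnet("12.0.1.0/24", "test-public-rt", public=True),
        "test-private-subnet-1a": Subnet("12.0.3.0/24", "test-private-rt", public=False),
    },
    route_tables={
        "test-public-rt": {"12.0.0.0/16": "local", "0.0.0.0/0": "igw-test"},
        "test-private-rt": {"12.0.0.0/16": "local"},
    },
    instances={
        "bastion": Instance("test-public-subnet-1a", True, [ADMIN_CIDR]),
        "private": Instance("test-private-subnet-1a", False, ["12.0.1.0/24"]),
    },
    bastion="bastion",
    admin_cidr=ADMIN_CIDR,
)


def check_bastion_topology(env: Environment) -> list[str]:
    """Return findings; an empty list means the layout matches the intended design."""
    findings: list[str] = []
    vpc = ipaddress.ip_network(env.vpc_cidr)
    nets: dict[str, ipaddress.IPv4Network] = {}

    for name, sub in env.subnets.items():
        net = ipaddress.ip_network(sub.cidr)
        # Subnets must lie inside the VPC range and must not overlap each other.
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {sub.cidr} is outside VPC {env.vpc_cidr}")
        for other, onet in nets.items():
            if net.overlaps(onet):
                findings.append(f"{name}: {sub.cidr} overlaps {other}")
        nets[name] = net
        # Public subnets need 0.0.0.0/0 -> IGW; private route tables must never reach an IGW.
        rt = env.route_tables[sub.route_table]
        if sub.public and not rt.get("0.0.0.0/0", "").startswith("igw-"):
            findings.append(f"{name}: public subnet lacks a 0.0.0.0/0 route to an internet gateway")
        if not sub.public and any(t.startswith("igw-") for t in rt.values()):
            findings.append(f"{name}: private subnet route table reaches an internet gateway")

    public_nets = [nets[n] for n, s in env.subnets.items() if s.public]

    for name, inst in env.instances.items():
        in_public = env.subnets[inst.subnet].public
        if name == env.bastion:
            # The bastion is the only externally reachable host, and only from the admin range.
            if not (in_public and inst.public_ip):
                findings.append(f"{name}: bastion must sit in a public subnet with a public IP")
            for src in inst.ssh_sources:
                if ipaddress.ip_network(src) != ipaddress.ip_network(env.admin_cidr):
                    findings.append(f"{name}: SSH allowed from {src}, expected only {env.admin_cidr}")
        else:
            # Protected hosts have no public address and accept SSH only from the bastion's subnet.
            if in_public or inst.public_ip:
                findings.append(f"{name}: protected instance is publicly addressable")
            for src in inst.ssh_sources:
                if not any(ipaddress.ip_network(src).subnet_of(p) for p in public_nets):
                    findings.append(f"{name}: SSH allowed from {src}, expected only the bastion's subnet")
    return findings


def weak_variant(env: Environment) -> Environment:
    """Same layout with the three mistakes the launch wizard's defaults make easy."""
    weak = copy.deepcopy(env)
    weak.instances[env.bastion].ssh_sources = ["0.0.0.0/0"]   # source left at "Anywhere"
    weak.instances["private"].public_ip = True                # auto-assign public IP not disabled
    weak.instances["private"].ssh_sources = ["0.0.0.0/0"]     # private SG not limited to 12.0.1.0/24
    return weak


if __name__ == "__main__":
    print("demo layout:", check_bastion_topology(DEMO_ENV) or "OK")
    for finding in check_bastion_topology(weak_variant(DEMO_ENV)):
        print("weak layout:", finding)
```

Run directly, the demo layout reports OK and the weak variant lists three findings: the bastion accepting SSH from anywhere, the private instance holding a public address, and the private security group not restricted to the bastion's subnet. One design point the checker does not model: the video copies the private key onto the Bastion host so that it can hop onward. `ssh -J ubuntu@<bastion-public-ip> ubuntu@<private-ip>` (OpenSSH ProxyJump) reaches the private instance through the Bastion without the key ever leaving the laptop, so a compromised Bastion holds no credential for the hosts behind it.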
Info
Channel: Rahul Wagh
Views: 13,575
Keywords: bastion host, what is bastion host, how to create bastion host, devops, aws, cloud engineering
Id: pI6glWVEkcY
Length: 32min 10sec (1930 seconds)
Published: Wed Oct 11 2023