Skip to content
/ terraform-aws-bastion Public

Example of using a 'bastion' VPC with a 'private' VPC that has instances hidden behind a NAT gateway

License

Apache-2.0 license
6 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

LeapBeyond/terraform-aws-bastion

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
bootstrap-scripts
bootstrap-scripts
 
 
platform-scripts
platform-scripts
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
architecture.png
architecture.png
 
 
gobastion.sh
gobastion.sh
 
 

Repository files navigation

terraform-aws-bastion

Example of using a 'bastion' VPC with a 'private' VPC that has instances hidden behind a NAT gateway. This is related to the simpler "VPC with public and private subnet" example.

This set of scripts is used to set up an example of this scenario, launching an EC2 instance in each of the subnets, and deploying SSH keys so that you can SSH to the "public" host, and from there to the "private" host, but the private host itself does not have a public IP. Both hosts are able to reach out to the internet for things like patching and software installation, and the "private" hosts are behind a NAT router.

Usage

Using these scripts assume you have Terraform installed and are familiar with it, and that you are running on some sort of Unix. It also assumes that you have an AWS account to target the scripts against, and a suitably empowered user set up to create VPCs, networking stuff, and EC2 instances.

To begin with, create the bootstrap/env.rc file from the template, then execute the bootstrap/bootstrap.sh. If all goes well, you should wind up with some PEM files in the data directory, and some new key pairs in the AWS account. You should also verify that the S3 bucket and DynamoDB table got created.

Next, from within the platform-scripts directory, create the terraform.tfvars from the template and update the backend.tf. Finally do a terraform init (if you have not already) followed by terraform apply.

After a certain amount of grinding, you should see some output from the scripts, e.g.:

bastion_private_dns = ip-172-21-20-59.eu-west-2.compute.internal
bastion_public_dns = ec2-35-178-47-224.eu-west-2.compute.amazonaws.com
connect_string = ssh -i vpc_test_bastion.pem [email protected]
nat_ip = 35.177.79.24
protected_private_dns = ip-172-21-10-45.eu-west-2.compute.internal

The gobastion.sh script should allow you to ssh to the bastion host. From there, you should be able to ssh to the protected host:

ec2-user@ip-172-21-20-59 ~]$ ssh -i .ssh/vpc_test_protected.pem [email protected]
ec2-user@ip-172-21-10-45 ~]$ dig +short myip.opendns.com @resolver1.opendns.com
35.177.79.24

The final step should return the address of the NAT gateway, demonstrating that the instance is hidden behind that gateway.

And there you have it! A host in a subnet which can reach the internet, but not be accessed from outside, and protected by a NAT gateway.

Cleanup

To cleanup, execute terraform destroy from within the platform-scripts directory, and then from within the bootstrap-scripts/terraform directory. You may also want to remove the data/*.pem files.

About

Example of using a 'bastion' VPC with a 'private' VPC that has instances hidden behind a NAT gateway

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

6 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages