Securely Accessing Private Subnets in AWS: A Step-by-Step Guide

This article provides a step-by-step guide on how to securely access private subnets in AWS using a bastion host. This method ensures that internal APIs and resources remain protected from public access while allowing authorized users to connect and perform necessary tasks. We'll cover the entire process, from setting up the bastion host to establishing a secure connection.

Setting Up a Bastion Host in AWS

To access a private subnet in AWS, a bastion host acts as a secure gateway. It resides in a public subnet and allows you to connect to resources in the private subnet without exposing them to the internet.

Create an EC2 instance in a public subnet.
Configure the security group to allow SSH access from your IP address.
Ensure the private subnet's security group allows traffic from the bastion host.

Connecting to the Bastion Host

Once the bastion host is set up, you can connect to it via SSH. From there, you can access resources in the private subnet.

Use SSH to connect to the bastion host's public IP address: ssh -i your-key.pem ec2-user@<bastion-public-ip>
From the bastion host, SSH into the private instance or use curl to test internal APIs.

Security Considerations

Security groups are crucial for controlling traffic to and from your instances. Always configure them carefully to minimize potential security risks.

Restrict SSH access to the bastion host to your IP address.
Regularly review and update security group rules.
Tear down the bastion host when it's no longer needed to avoid unnecessary charges and potential vulnerabilities.

Example Use Case

Imagine you have an internal API (internal-api.mycompany.net) deployed within a private subnet. You need to test this API but cannot access it directly from your local machine. By setting up a bastion host, you can securely access and test the API.

curl http://internal-api.mycompany.net:8080/health

Conclusion