Securely Accessing Private Subnets in AWS: A Step-by-Step Guide

Securely Accessing Private Subnets in AWS: A Step-by-Step Guide

TB

Teqani Blogs

Writer at Teqani

July 1, 20253 min read

This article provides a step-by-step guide on how to securely access private subnets in AWS using a bastion host. This method ensures that internal APIs and resources remain protected from public access while allowing authorized users to connect and perform necessary tasks. We'll cover the entire process, from setting up the bastion host to establishing a secure connection.



Setting Up a Bastion Host in AWS

To access a private subnet in AWS, a bastion host acts as a secure gateway. It resides in a public subnet and allows you to connect to resources in the private subnet without exposing them to the internet.

  • Create an EC2 instance in a public subnet.
  • Configure the security group to allow SSH access from your IP address.
  • Ensure the private subnet's security group allows traffic from the bastion host.


Connecting to the Bastion Host

Once the bastion host is set up, you can connect to it via SSH. From there, you can access resources in the private subnet.

  1. Use SSH to connect to the bastion host's public IP address: ssh -i your-key.pem ec2-user@<bastion-public-ip>
  2. From the bastion host, SSH into the private instance or use curl to test internal APIs.


Security Considerations

Security groups are crucial for controlling traffic to and from your instances. Always configure them carefully to minimize potential security risks.

  • Restrict SSH access to the bastion host to your IP address.
  • Regularly review and update security group rules.
  • Tear down the bastion host when it's no longer needed to avoid unnecessary charges and potential vulnerabilities.


Example Use Case

Imagine you have an internal API (internal-api.mycompany.net) deployed within a private subnet. You need to test this API but cannot access it directly from your local machine. By setting up a bastion host, you can securely access and test the API.

curl http://internal-api.mycompany.net:8080/health



Conclusion

Using a bastion host is a secure and effective way to access private subnets in AWS. By following these steps and keeping security best practices in mind, you can ensure that your internal resources remain protected while still being accessible for development and testing.

TB

Teqani Blogs

Verified
Writer at Teqani

Senior Software Engineer with 10 years of experience

July 1, 2025
Teqani Certified

All blogs are certified by our company and reviewed by our specialists
Issue Number: #cf164f7f-6412-4574-bcd5-42a7c356b285