Bastion jumping on aws

Mar 15, 2019

In the production environment, database security should always be the top priority. Deploying any database on a public subnet is totally insecured and could be attacked by the hackers.

public-rds Bad practice, seen only in development.

In VPC, instances are able to communicate to each other by default because of route table target <local>. Adding a bastion host acting as the proxy between client and database and also moving databases from the public to private subnet make the environment invincible.


Now, I am going to give you 2 scenarios which have some different settings: EC2 and RDS.

EC2 in the private subnet

To access EC2 sitting in the private subnet, the bastion instance has to allow access TCP port 22 from client's ip , and the private EC2 instance has to allow access TCP port 22 from bastion's ip.

Then, configure ~/.ssh/config in a client machine.

Host bastion
   IdentityFile ~/test_key.pem
   User ubuntu
   ForwardAgent yes

# EC2 instance with private ip
   IdentityFile ~/test_key.pem
   User ubuntu
   ProxyCommand ssh bastion -W %h:%p

After that, execute $ ssh to land on your private instance!

RDS in the private subnet

The bastion's security group has to allow access of TCP port 22 from client's IP, and the RDS's security group has to allow access of TCP port 5432 (postgresql's port) from bastion's IP.

To access RDS in the private subnet, we use the method called local forward port by securely connecting through ssh tunnel. Thus, you have to manually instantiate that from your client machine using this command:

$ ssh -i test_key.pem -N -L ubuntu@

Now, you can use any favorite GUI tools and CLI to connect to private db instance via localhost:5555 such as:

$ psql -d mydb -h localhost -p 5555 -U pgadmin -W
© Copyright 2021 - Created with by Momorith