Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Bastion Server Setup on AWS EC2

This guide outlines the steps to configure a Bastion server on AWS using an EC2 instance. The Bastion server will be deployed in a production VPC's public subnet and will have SSH access from the internet on port 22. Additionally, AWS CLI and Kubernetes kubectl tools will be installed on the instance for administrative tasks.

Step 1: Create an EC2 Instance

  1. Login to AWS Management Console:

  2. Launch a new EC2 instance:

    • AMI: Choose Ubuntu 24.04 AMI

    • Instance Type: Select t2.micro (1 vCPU, 1 GiB memory).

    • Network Configuration:

      • VPC: Select the production VPC.

      • Subnet: Choose a public subnet within the production VPC.

    • Storage: Configure the root volume with 20 GB of EBS storage.

    • Security Group: Create or choose a security group with the following inbound rule:

      • Port: 22 (SSH)

      • Source: 0.0.0.0/0 (for internet access). Restrict it to specific IPs for better security.

  3. Key Pair: Select or create a key pair for SSH access to the instance.

  4. Launch: Launch the instance and note the public IP address for SSH access.

Step 2: Connect to the EC2 Instance

  1. SSH into the EC2 instance:

    ssh -i "your-key-pair.pem" ubuntu@<ec2-public-ip>

    Replace your-key-pair.pem with your actual key pair and <ec2-public-ip> with the instance's public IP.

Step 3: Install AWS CLI

  1. Download the AWS CLI:

    curl "<https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip>" -o "awscliv2.zip"

  2. Install unzip tool (if not already installed):

    sudo apt update
sudo apt install unzip -y

  3. Unzip the downloaded AWS CLI file:

    unzip awscliv2.zip

  4. Install AWS CLI:

    sudo ./aws/install

  5. Verify installation:

    aws --version

    You should see the installed version, such as: aws-cli/2.x.x

Step 4: Install Kubernetes kubectl

  1. Download the latest stable version of kubectl:

    curl -LO "<https://dl.k8s.io/release/$(curl> -L -s <https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl>"

  2. Install kubectl:

    sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

  3. Verify kubectl installation:

    kubectl version --client

    You should see the client version information.

Step 5: (Optional) Configure AWS CLI

To configure AWS CLI with your credentials and default settings, run the following command:

aws configure

You will be prompted for:

  • AWS Access Key ID

  • AWS Secret Access Key

  • Default Region Name (e.g., ap-south-1)

  • Default Output Format (e.g., json)

Step 6: Harden Security

  1. Limit SSH Access:

    • Consider restricting port 22 access to specific trusted IP addresses for enhanced security, instead of allowing open access (0.0.0.0/0).

  2. Install Security Updates:

    • Update all packages on the instance to the latest security patches:

      sudo apt update && sudo apt upgrade -y

Restricting the EKS Cluster only access to Bastion:

Step-by-Step Instructions:

  1. Open AWS Management Console:

  2. Select the Cluster:

    • From the EKS dashboard, select the cluster (in your case, it looks like the unified-qa cluster).

  3. Go to "Networking" Tab:

    • Once inside the cluster details, click on the Networking tab (as shown in your screenshot).

  4. Manage Endpoint Access:

    • Under the Networking section, you will see the option to Manage endpoint access. Click on this.

  5. Modify Public Access Source Allowlist:

    • In the API server endpoint access settings, you will see the option to modify the Public access source allowlist.

    • Add the following IP addresses (if not already present): (These values are for reference

      • x.x.x.x/32 (Jenkins NAT Gateway)

      • x.x.x.x/32 (Production Cluster NAT Gateway)

      • x.x.x.x/32 (Bastion Public IP)

  6. Save Changes:

    • After adding the IPs, and remove public access (0.0.0.0/0) configuration, ensure you save the configuration.

  7. Verify Access:

    • Ensure the changes are reflected, and test the access by trying to connect to the cluster API from those IPs.

  • No labels