Configuring Bastion server setup

Owned by Nikhil Mulinti
Last updated: Oct 12, 2024 by shivam Upadhyay
2 min read

Bastion Server Setup on AWS EC2

This guide outlines the steps to configure a Bastion server on AWS using an EC2 instance. The Bastion server will be deployed in a production VPC's public subnet and will have SSH access from the internet on port 22. Additionally, AWS CLI and Kubernetes kubectl tools will be installed on the instance for administrative tasks.

Step 1: Create an EC2 Instance

  1. Login to AWS Management Console:

  2. Launch a new EC2 instance:

    • AMI: Choose Ubuntu 24.04 AMI

    • Instance Type: Select t2.micro (1 vCPU, 1 GiB memory).

    • Network Configuration:

      • VPC: Select the production VPC.

      • Subnet: Choose a public subnet within the production VPC.

    • Storage: Configure the root volume with 20 GB of EBS storage.

    • Security Group: Create or choose a security group with the following inbound rule:

      • Port: 22 (SSH)

      • Source: 0.0.0.0/0 (for internet access). Restrict it to specific IPs for better security.

  3. Key Pair: Select or create a key pair for SSH access to the instance.

  4. Launch: Launch the instance and note the public IP address for SSH access.

Step 2: Connect to the EC2 Instance

  1. SSH into the EC2 instance:

    ssh -i "your-key-pair.pem" ubuntu@<ec2-public-ip>

    Replace your-key-pair.pem with your actual key pair and <ec2-public-ip> with the instance's public IP.

Step 3: Install AWS CLI

  1. Download the AWS CLI:

    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

  2. Install unzip tool (if not already installed):

    sudo apt update sudo apt install unzip -y

  3. Unzip the downloaded AWS CLI file:

  4. Install AWS CLI:

  5. Verify installation:

    You should see the installed version, such as: aws-cli/2.x.x

Step 4: Install Kubernetes kubectl

  1. Download the latest stable version of kubectl:

  2. Install kubectl:

  3. Verify kubectl installation:

    You should see the client version information.

Step 6: Create Ubuntu users

Create the ubuntu users with the same username as IAM user & provide necessary privileges.

Login to the user created and proceed

Step 7: (Optional) Configure AWS CLI

To configure AWS CLI with your credentials and default settings, run the following command:

You will be prompted for:

  • AWS Access Key ID

  • AWS Secret Access Key

  • Default Region Name (e.g., ap-south-1)

  • Default Output Format (e.g., json)

Step 8: Harden Security

  1. Limit SSH Access:

    • Consider restricting port 22 access to specific trusted IP addresses for enhanced security, instead of allowing open access (0.0.0.0/0).

  2. Install Security Updates:

    • Update all packages on the instance to the latest security patches:

Restricting the EKS Cluster only access to Bastion:

Step-by-Step Instructions:

  1. Open AWS Management Console:

  2. Select the Cluster:

    • From the EKS dashboard, select the cluster (in your case, it looks like the unified-qa cluster).

  3. Go to "Networking" Tab:

    • Once inside the cluster details, click on the Networking tab (as shown in your screenshot).

  4. Manage Endpoint Access:

    • Under the Networking section, you will see the option to Manage endpoint access. Click on this.

  5. Modify Public Access Source Allowlist:

    • In the API server endpoint access settings, you will see the option to modify the Public access source allowlist.

    • Add the following IP addresses (if not already present): (These values are for reference

      • x.x.x.x/32 (Jenkins NAT Gateway)

      • x.x.x.x/32 (Production Cluster NAT Gateway)

      • x.x.x.x/32 (Bastion Public IP)

  6. Save Changes:

    • After adding the IPs, and remove public access (0.0.0.0/0) configuration, ensure you save the configuration.

  7. Verify Access:

    • Ensure the changes are reflected, and test the access by trying to connect to the cluster API from those IPs.