
Setting up a bastion

The first host we launch will be a bastion host: a small, publicly reachable jump host that we SSH to first and then hop from to servers on the private side of our VPC network, which have no public addresses of their own and can only be reached from within the VPC.

A security group is the abstraction AWS provides for grouping related firewall rules together and applying them to a set of hosts. We will create one for the bastion host with the aws ec2 create-security-group command, as shown in the following command, and capture its ID for the steps that follow:

$ BASTION_SG_ID=$(aws ec2 create-security-group \
    --group-name ssh-bastion \
    --description "SSH Bastion Hosts" \
    --vpc-id $VPC_ID \
    --query GroupId --output text)  

Once we have created the security group, we can attach a rule to it that allows SSH ingress on port 22, as shown in the following command, so that you can reach the host with an SSH client. Security groups are stateful, so no matching egress rule is needed for the replies. Here I am allowing ingress from the CIDR range 0.0.0.0/0, that is, from anywhere on the internet. A bastion is by design the one host in your VPC that accepts connections from outside, so it will be probed by automated scanners within minutes of getting a public address; if your internet connection has a stable public IP, limit the rule to that single address as a /32 (such as 203.0.113.7/32) instead. You can always add further ranges later with additional authorize-security-group-ingress calls:

$ aws ec2 authorize-security-group-ingress \
  --group-id $BASTION_SG_ID \
  --protocol tcp \
  --port 22 \
  --cidr 0.0.0.0/0  
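The following script is an added example, not code from the chapter, showing how I would apply that restriction so that the rule can never be created world-open by accident. It assumes BASTION_SG_ID from the previous command and a configured AWS CLI, looks up your current public address from checkip.amazonaws.com (an AWS-run echo service), and uses helper names of my own choosing:

```shell
#!/bin/sh
# Added example: open port 22 on the bastion group to one address only.
# Assumes BASTION_SG_ID from the create-security-group step and a configured
# AWS CLI; the helper names and the checkip lookup are this example's choices.
set -eu

# Succeed only for a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in 0?*) return 1 ;; esac   # no leading zeros ("0" itself is fine)
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Express a bare address as the single-host CIDR a security group rule wants.
host_cidr() {
  valid_ipv4 "$1" || return 1
  printf '%s/32\n' "$1"
}

# The ranges that mean "the whole internet"; a bastion rule should never use them.
cidr_is_world_open() {
  case $1 in
    0.0.0.0/0|::/0) return 0 ;;
  esac
  return 1
}

# Look up the address this machine appears from, using AWS's own echo service.
my_public_ip() {
  curl -fsS https://checkip.amazonaws.com | tr -d '[:space:]'
}

# Add the SSH rule for exactly one CIDR, refusing a world-open one outright.
authorize_ssh_from() {
  if cidr_is_world_open "$1"; then
    echo "refusing to open port 22 to $1" >&2
    return 1
  fi
  aws ec2 authorize-security-group-ingress \
    --group-id "$BASTION_SG_ID" \
    --protocol tcp \
    --port 22 \
    --cidr "$1"
}

# Only touch AWS when the chapter's variable is in scope, so the helpers can
# also be exercised offline. If the 0.0.0.0/0 rule from the chapter is already
# present, remove it first with:
#   aws ec2 revoke-security-group-ingress --group-id "$BASTION_SG_ID" \
#     --protocol tcp --port 22 --cidr 0.0.0.0/0
if [ -n "${BASTION_SG_ID:-}" ]; then
  cidr=$(host_cidr "$(my_public_ip)") \
    || { echo "could not determine a usable public address" >&2; exit 1; }
  authorize_ssh_from "$cidr"
fi
```

The validation matters because a typo such as a three-octet address would otherwise be handed straight to the API, and an empty lookup result would turn into an empty --cidr argument. Running the script a second time with the same address is harmless apart from the API reporting that the rule already exists.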

Now that we have set up the security group for the bastion host, we can launch our first EC2 instance. In this chapter, I will be using Ubuntu Linux (a popular Linux distribution). Before we can launch the instance, we need to discover the ID of the AMI (Amazon Machine Image) for the operating system we want to use.

The Ubuntu project regularly publishes updated images from Canonical's AWS account (ID 099720109477) that can be used to launch EC2 instances. We can run the following command to discover the ID of the image we require. The --owners filter is the important part: anyone can publish a public AMI with an Ubuntu-like name, so restricting the search to Canonical's account, rather than trusting the name pattern alone, is what guarantees we launch the genuine image. Image names end in a build date, so sorting by name and taking the last entry selects the newest build:

$ UBUNTU_AMI_ID=$(aws ec2 describe-images --owners 099720109477 \
  --filters Name=root-device-type,Values=ebs \
            Name=architecture,Values=x86_64 \
            Name=name,Values='*hvm-ssd/ubuntu-xenial-16.04*' \
  --query "sort_by(Images, &Name)[-1].ImageId" --output text)  

We are going to use a t2.micro instance for the bastion host, as shown in the following command; usage of this instance type is included in the AWS free tier, so you won't have to pay for it during the first 12 months after you set up your AWS account:

$ BASTION_ID=$(aws ec2 run-instances \
  --image-id $UBUNTU_AMI_ID \
  --instance-type t2.micro \
  --key-name eds_laptop \
  --security-group-ids $BASTION_SG_ID \
  --subnet-id $PUBLIC_SUBNET_ID \
  --associate-public-ip-address \
  --query "Instances[0].InstanceId" \
  --output text)  

Note that we are passing the ID of the subnet we chose to use, the ID of the security group we just created, and the name of the key pair we uploaded.

Next, let's update the instance with a Name tag so we can recognize it when looking at the EC2 console, as shown in the following command:

$ aws ec2 create-tags \
  --resources $BASTION_ID \
  --tags Key=Name,Value=ssh-bastion  

Once the instance has launched (aws ec2 wait instance-running will block until it has), you can run the aws ec2 describe-instances command to discover the public IP address of your new instance, as follows:

$ BASTION_IP=$(aws ec2 describe-instances \
  --instance-ids $BASTION_ID \
  --query "Reservations[0].Instances[0].PublicIpAddress" \
  --output text)  

You should now be able to access the instance with SSH, as follows. On the first connection your client will show the host's key fingerprint and ask whether to trust it. This is the one moment at which a man-in-the-middle could substitute its own key, so compare the fingerprint with the one the instance reported on its console (readable with aws ec2 get-console-output) rather than accepting it blindly:

$ ssh ubuntu@$BASTION_IP  

As you log in, you should see a message like the following:

Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-1052-aws x86_64)
    
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
    
  Get cloud support with Ubuntu Advantage Cloud Guest:
        http://www.ubuntu.com/business/services/cloud
    
 0 packages can be updated.
 0 updates are security updates.
    
 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
ubuntu@ip-10-0-26-86:~$

If you saved your key pair as something other than the default ~/.ssh/id_rsa, you can pass the path to your key using the -i flag, as follows:

$ ssh -i ~/.ssh/id_aws_rsa ubuntu@$BASTION_IP

As an alternative, you can add the key to your SSH agent first by running the following:

$ ssh-add ~/.ssh/id_aws_rsa
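Checking the host key before that first login is the step most people skip, and the chapter does not show how to do it. The script below is an added example, not the chapter's code: Ubuntu cloud images have cloud-init print the ssh-keygen -l fingerprint of every host key to the instance console (with an "ec2: " prefix), which you can read out of band with aws ec2 get-console-output and compare with what ssh-keyscan sees from your laptop. It assumes BASTION_ID and BASTION_IP from earlier in this section; the helper names are mine, and the console text in the comments is a constructed sample of the format, not a real instance's output:

```shell
#!/bin/sh
# Added example: verify the bastion's SSH host key out of band before the
# first login. cloud-init on Ubuntu prints lines such as
#   ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
#   ec2: 256 SHA256:<fingerprint> root@ip-10-0-26-86 (ED25519)
#   ec2: -----END SSH HOST KEY FINGERPRINTS-----
# to the console (constructed sample). Assumes BASTION_ID and BASTION_IP from
# the chapter; the helper names are this example's, not the AWS CLI's.
set -eu

# Pull the SHA256 fingerprints out of console text on stdin: only the lines
# between the BEGIN/END markers count, whatever prefix they carry.
fingerprints_from_console() {
  awk '
    /-----BEGIN SSH HOST KEY FINGERPRINTS-----/ { inblock = 1; next }
    /-----END SSH HOST KEY FINGERPRINTS-----/   { inblock = 0 }
    inblock { for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) print $i }
  ' | sort -u
}

# Fingerprints as a client sees them: scan the host and hash each key it offers.
fingerprints_from_host() {
  tmp=$(mktemp)
  ssh-keyscan -T 10 "$1" 2>/dev/null > "$tmp" || true
  ssh-keygen -lf "$tmp" 2>/dev/null \
    | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) print $i }' \
    | sort -u
  rm -f "$tmp"
}

# Succeed only if every fingerprint the host offered ($2) is in the trusted
# set from the console ($1). Both are newline-separated lists; an empty
# offered list is a failure, not a pass.
fingerprints_trusted() {
  [ -n "$2" ] || return 1
  printf '%s\n' "$2" | while IFS= read -r fp; do
    [ -n "$fp" ] || continue
    printf '%s\n' "$1" | grep -Fxq -- "$fp" || exit 1
  done
}

# Put it together for the bastion from the chapter. Console output can lag
# the boot by a minute or two; rerun if the trusted set comes back empty.
verify_bastion_host_key() {
  trusted=$(aws ec2 get-console-output --instance-id "$1" --output text \
            | fingerprints_from_console)
  offered=$(fingerprints_from_host "$2")
  if fingerprints_trusted "$trusted" "$offered"; then
    echo "host key for $2 matches the console fingerprints"
  else
    echo "host key MISMATCH (or nothing to compare) for $2: do not connect" >&2
    return 1
  fi
}

# Only talk to AWS when the chapter's variables are in scope, so the helpers
# can also be exercised offline.
if [ -n "${BASTION_ID:-}" ] && [ -n "${BASTION_IP:-}" ]; then
  verify_bastion_host_key "$BASTION_ID" "$BASTION_IP"
fi
```

The comparison is deliberately strict: every key the host offers must appear in the console set, so a listener that has replaced even one key type fails the check, and an empty scan (host not up yet, or port 22 filtered) is reported as a failure rather than silently passing. Once the key checks out and you have connected, the bastion does its real job: the -J (ProxyJump) option of ssh lets you reach hosts in the private subnets through it without copying your private key onto the bastion.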