
I am deploying my AWS resources with Terraform. One of the resources happens to be of type aws_instance (EC2); this is acting as my Bastion Host. It is on the public subnet. I created a security group which allows SSH from my home IP. This security group works, as I am able to SSH into the Bastion Host.

resource "aws_security_group" "allow_home_to_bastion_ssh" {
  name        = "Home to bastion"
  description = "Allow SSH - Home to Bastion"
  vpc_id      = var.vpc_id

  ingress {
    description      = "SSH from Bastion"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = ["<My-Home-IP>/32"]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = "Home to bastion"
  }
}

I also created other security groups that I'm adding to the node group configuration under the remote_access section, as shown below:

resource "aws_eks_node_group" "node_group" {
  cluster_name    = var.cluster_name
  node_group_name = var.node_group_name
  node_role_arn   = var.node_pool_role_arn
  subnet_ids      = [var.subnet_1_id, var.subnet_2_id]
  instance_types = ["t2.medium"]

  scaling_config {
    desired_size = 1
    max_size     = 1
    min_size     = 1
  }

  update_config {
    max_unavailable = 1
  }

  remote_access {
    ec2_ssh_key               = "<My-Key-Pair.pem>"
    source_security_group_ids = [
      var.allow_http_id,
      var.allow_ssh_id,
      var.allow_tls_id,
      var.allow_bastion_to_eks_node_id
    ]
  }
}

The allow_ssh_id security group is shown below; as shown above, it is added to source_security_group_ids. I expect this to allow me to SSH from my Bastion Host to the EKS node created by the node group, since they're all on the same CIDR range and VPC.

resource "aws_security_group" "allow_ssh" {
  name        = var.sg_allow_ssh_name
  description = "Allow SSH from CIDR"
  vpc_id      = var.vpc_id

  ingress {
    description      = "SSH from VPC"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = [var.vpc_cidr_block]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = [var.vpc_cidr_block]
    ipv6_cidr_blocks = ["::/0"]
  }
}

The allow_bastion_to_eks_node_id is an additional security group I created which is also added to the node group; this is specifically to allow SSH from the external IP of the Bastion Host onto the EKS node. See the code below:

resource "aws_security_group" "bastion_allow_ssh" {
  name        = var.sg_allow_bastion_ssh_name
  description = "Allow SSH - Bastion to EKS"
  vpc_id      = var.vpc_id

  ingress {
    description      = "SSH from Bastion"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = ["${var.sg_allow_bastion_elastic_ssh}/32"]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = var.sg_allow_bastion_ssh_name
  }
}

As shown above, I am using the bastion's Elastic IP. Yet I cannot SSH to my EKS node from the Bastion Host. Not sure what is going on.

Note: the bastion host is in a public subnet but uses the same VPC as the EKS node, which is in the private subnet.

SSH ERROR

ssh: connect to host port 22: Operation timed out

floormind
  • Why whitelist the EIP and not the private IP of the bastion host or the EKS nodes' SG? It's a public IP; you are expecting the request to go to the internet and then access the private subnet, which isn't possible. If it were possible there would be no need for a bastion host. – Riz Apr 15 '22 at 21:54
  • You are most likely using a private IP to SSH from your bastion host into the node. Your route table won't route this connection through the internet gateway, so whitelisting a public IP would not work here. If you want strict connectivity from the bastion host only, you would want to allow connection from a security group assigned to this bastion host. – Ervin Szilagyi Apr 15 '22 at 22:00
  • @ErvinSzilagyi that explanation makes sense; however, what about the security group that allows ingress from the cidr_block 10.0.0.0/16? The bastion host is on the public subnet and the EKS node is on the private subnet... both are from that CIDR block. – floormind Apr 16 '22 at 08:25
  • @eagercoder Yeah, that should also work. Allowing traffic from the whole VPC CIDR will allow connections from other instances inside the VPC, which is usually fine, since this is internal communication anyway. You decide how granular you want to be with your SG rules. – Ervin Szilagyi Apr 16 '22 at 08:55
  • @ErvinSzilagyi that's what I thought, and I have that security group outlined above in the code section. The security group is called "allow_ssh", and it's been assigned into remote_access as allow_ssh_id. Is there something I'm doing wrong? – floormind Apr 16 '22 at 09:06
  • I see, if 'allow_ssh' is attached to the cluster nodes, then your networking should be fine. Most likely you have an issue somewhere else. – Ervin Szilagyi Apr 16 '22 at 09:13
  • @eagercoder, you haven't specified, by the way, how you aren't able to SSH. Do you get a timeout or some other error? In case of other errors, have you checked the logs of the EKS node? Try telnet $EKSNodeIp 22 to see if the issue is related to whitelisting. – Riz Apr 16 '22 at 22:21
  • @Riz yes, I am getting a timeout error when I try to SSH. – floormind Apr 17 '22 at 08:38
  • There should be a route in your subnet route table in which you can see `Destination` as your VPC CIDR (ex 10.0.0.0/16) having `Target` as `local`. If by any chance you don't have this (I doubt it), add it to the route table. If you have it, then contact AWS, as you have open access and inter VPC traffic is not flowing (if whitelisting is all done correctly as you say). – Riz Apr 17 '22 at 21:58
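Putting Ervin Szilagyi's suggestion into Terraform, as an added example that is not part of the question or of any comment: security group rules are matched against the source address a packet actually carries, and a bastion in the same VPC reaches a node over the node's private address, so the bastion's own private address is the source the node sees and a rule keyed to the bastion's Elastic IP never matches. The durable way to say "only the bastion" is to reference the bastion's security group instead of any IP. Two details of the `remote_access` block matter here as well: `source_security_group_ids` lists the groups the SSH traffic must come *from* (EKS adds a node-side rule admitting tcp/22 from those groups; it does not attach the listed groups to the nodes), so the group to put there is the one attached to the bastion instance, and `ec2_ssh_key` takes an EC2 key pair name rather than a `.pem` path. The variables `var.home_ip`, `var.bastion_ami_id`, `var.public_subnet_id`, `var.bastion_key_pair_name` and `var.node_key_pair_name`, and the group name `bastion`, are assumptions; the remaining variables and the node group settings mirror the question.

```hcl
# Added example (not the question's Terraform): trust the bastion's security
# group instead of its Elastic IP. Variables marked "assumed" are not on the
# original page; the others are the ones the question already uses.

# Group attached to the bastion instance. Inbound SSH from home only; outbound
# only SSH into the VPC, which is all this jump host needs for the job.
resource "aws_security_group" "bastion" {
  name        = "bastion"
  description = "Bastion host: SSH in from home, SSH out to the VPC"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from home"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${var.home_ip}/32"] # assumed variable
  }

  egress {
    description = "SSH to instances inside the VPC"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr_block]
  }

  tags = {
    Name = "bastion"
  }
}

# The bastion instance must actually carry that group: a rule that names
# aws_security_group.bastion as its source only matches traffic whose
# source network interface has this group attached.
resource "aws_instance" "bastion" {
  ami                    = var.bastion_ami_id        # assumed variable
  instance_type          = "t3.micro"
  subnet_id              = var.public_subnet_id      # assumed variable
  key_name               = var.bastion_key_pair_name # assumed variable
  vpc_security_group_ids = [aws_security_group.bastion.id]
}

resource "aws_eks_node_group" "node_group" {
  cluster_name    = var.cluster_name
  node_group_name = var.node_group_name
  node_role_arn   = var.node_pool_role_arn
  subnet_ids      = [var.subnet_1_id, var.subnet_2_id]
  instance_types  = ["t2.medium"]

  scaling_config {
    desired_size = 1
    max_size     = 1
    min_size     = 1
  }

  update_config {
    max_unavailable = 1
  }

  remote_access {
    # EC2 key pair name, not a .pem file path.
    ec2_ssh_key = var.node_key_pair_name # assumed variable

    # Groups the SSH traffic must come FROM. EKS creates the node-side rule
    # that admits tcp/22 from these groups; no rule for the bastion's EIP or
    # for the whole VPC CIDR is needed on the nodes.
    source_security_group_ids = [aws_security_group.bastion.id]
  }
}
```

With this in place, SSH on the nodes trusts exactly one thing, the group on the bastion, and the rule keeps working if the bastion's Elastic IP changes or a second bastion is launched into the same group; the VPC-wide `allow_ssh` rule from the question can then be dropped rather than left as a broader fallback. If the bastion also has to reach the internet (package updates, for example), add that egress explicitly instead of widening the tcp/22 rule. Riz's `telnet $EKSNodeIp 22` from the bastion remains the quickest check after `terraform apply`: a timeout still points at security groups or routing, while a refused connection means the packet arrived and the problem is sshd on the node.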

0 Answers