
I have a private RDS instance that I want to connect to using a bastion host. I've found a couple of tutorials on how to set it up, which don't seem too advanced, but I struggle to understand what a bastion host actually is.

All the tutorials I've seen just create an empty EC2 instance (bastion host) and edit the RDS security group to allow incoming traffic from it, and voilà, the connection from the local machine works.

What I struggle to understand is that there's no configuration on the EC2 instance that enables this behaviour. Wouldn't that mean that any server that has access to RDS could be used as a bastion host?

For example, I have an EKS cluster where I host a couple of services. Some of these services are supposed to have access to RDS. So in order for the services to access RDS, I put RDS in the same VPC and security group as the EKS node groups. Even though the services that need access to RDS aren't publicly accessible, there are publicly accessible services running in the same VPC and security group. Would I then be able to use one of the publicly accessible services as a bastion host in order to gain access to RDS from anywhere, thus making it public?

user3677636
  • The bastion host is running an SSH server. That SSH server has certain features. In addition to being able to accept inbound SSH connections, it includes a port forwarding feature that allows client traffic to [tunnel](https://www.ssh.com/academy/ssh/tunneling) over the SSH connection to the private server (e.g. RDS database server) on a specific port. No, not any server will do. It needs to have a running SSH server supporting port forwarding, that SSH server needs to be accessible from outside, and the targeted private server needs to be accessible on the relevant port from the SSH server. – jarmod Oct 25 '22 at 11:41

1 Answer


From Bastion - Wikipedia:

A bastion or bulwark is a structure projecting outward from the curtain wall of a fortification, most commonly angular in shape and positioned at the corners of the fort:


It 'sticks out' from the walled portion of the city and provides added security by being able to target attackers attempting to scale the wall. In a similar way, a bastion host 'sticks out' from a walled computer network, acting as a secure connection to the outside world.

When using an Amazon EC2 instance as a Bastion Host, users typically use SSH Port Forwarding. For example, if the Amazon RDS database is running on port 3306, a connection can be established to the Bastion server like this:

ssh -i key_file.pem ec2-user@BASTION-IP -L 8000:mysql-instance1.123456789012.us-east-1.rds.amazonaws.com:3306

This will 'forward' local port 8000 to the bastion, which will then forward traffic to port 3306 on the database server. Thus, you can point an SQL client to localhost:8000 and it would connect to the Amazon RDS server. All software for making this 'port forward' is part of the Linux operating system, which is why there is no configuration required.

Yes, you can use anything as a Bastion Host, as long as it has:

  • The ability to receive incoming connections from the Internet
  • The ability to (somehow) forward those requests to another server within the VPC
  • A Security Group that permits the inbound traffic from the Internet (or preferably just your IP address), and the target resource permits incoming traffic from this security group
John Rotenstein
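The three conditions in the answer can be audited against security-group data. The following is an added example (not code from the answer or from AWS) that runs on constructed sample data shaped like DescribeSecurityGroups/DescribeInstances output and lists which instances a given source IP could use as a bastion to reach the database; it reproduces the situation from the question, where a public web service shares a security group with RDS. Condition 2 (the host's sshd permitting TCP forwarding) is host configuration, not visible in security groups, and is assumed to hold.

```python
import ipaddress

SSH_PORT, DB_PORT = 22, 3306

# Constructed sample data (not a real account). sg-shared is the group the
# question puts both the EKS nodes and RDS in; sg-bastion is locked to one
# admin IP and has been granted 3306 access on the RDS group.
SECURITY_GROUPS = {
    "sg-shared": [
        {"port": SSH_PORT, "cidrs": ["0.0.0.0/0"], "groups": []},
        {"port": DB_PORT, "cidrs": [], "groups": ["sg-shared", "sg-bastion"]},
    ],
    "sg-bastion": [
        {"port": SSH_PORT, "cidrs": ["203.0.113.10/32"], "groups": []},
    ],
}
INSTANCES = [
    {"id": "i-eks-node", "public_ip": None, "groups": ["sg-shared"]},
    {"id": "i-web", "public_ip": "198.51.100.5", "groups": ["sg-shared"]},
    {"id": "i-bastion", "public_ip": "198.51.100.9", "groups": ["sg-bastion"]},
]
RDS_GROUP = "sg-shared"  # security group attached to the RDS instance


def ssh_open_to(instance, src_ip, sgs=SECURITY_GROUPS):
    """Condition 1: a client at src_ip can reach port 22 on the instance."""
    if instance["public_ip"] is None:
        return False
    ip = ipaddress.ip_address(src_ip)
    for sg in instance["groups"]:
        for rule in sgs[sg]:
            if rule["port"] == SSH_PORT and any(
                    ip in ipaddress.ip_network(c) for c in rule["cidrs"]):
                return True
    return False


def db_reachable_from(instance, rds_group=RDS_GROUP, sgs=SECURITY_GROUPS):
    """Condition 3: the RDS group admits port 3306 from one of the instance's groups."""
    return any(rule["port"] == DB_PORT and set(rule["groups"]) & set(instance["groups"])
               for rule in sgs[rds_group])


def possible_bastions(src_ip, instances=INSTANCES):
    """Instance ids from which a client at src_ip could tunnel to the database."""
    return [i["id"] for i in instances
            if ssh_open_to(i, src_ip) and db_reachable_from(i)]


if __name__ == "__main__":
    print("from anywhere:", possible_bastions("192.0.2.77"))   # ['i-web']
    print("from admin IP:", possible_bastions("203.0.113.10"))  # ['i-web', 'i-bastion']
```

The first result is the answer to the question: because i-web accepts SSH from the whole Internet and shares the RDS security group, anyone with credentials for it can tunnel to the database, so the fix is to stop putting RDS in the node-group security group and grant 3306 only to a dedicated bastion group.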