The answer is Bastion Host.
- Create a VPC
- Create two subnets (they can be in same AZ or different)
- Name them public-subnet and private-subnet. Technically, both are private at this point; linking a subnet to an Internet Gateway via a route table is what makes it public
- Associate a Route table with public-subnet with the following routes:
  - Destination 172.31.0.0/16 (the VPC CIDR range), target: local
  - Destination 0.0.0.0/0 (Anywhere), target: Internet Gateway
- That means, if a request is made from an instance in this subnet to an IP in the CIDR range of 172.31.0.0/16, the traffic is sent to the VPC's default (local) route, i.e., it is a complete local communication within the VPC. If the request destination is Anywhere (0.0.0.0/0), the traffic is sent to the Internet Gateway.
- Now, the public-subnet is PUBLIC in all senses (as it is connected to the Internet Gateway)
- Add Web servers (EC2 instances) in this public-subnet (recommended)
- Add a NAT Gateway in this public-subnet
- Associate a Route table with private-subnet with the following routes:
  - Destination 172.31.0.0/16 (the VPC CIDR range), target: local
  - Destination 0.0.0.0/0 (Anywhere), target: NAT Gateway
- That means, if a request is made from an instance in this subnet to an IP in the CIDR range of 172.31.0.0/16, the traffic is sent to the VPC's default (local) route, i.e., it is a complete local communication within the VPC. If the request destination is Anywhere (0.0.0.0/0), the traffic is sent to the NAT Gateway.
- Add DB servers (EC2 instances) in this private-subnet (recommended). The Security group of these instances should allow RDP on port 3389 ONLY from the CIDR range of public-subnet. THESE ARE THE EC2 INSTANCES IN THE PRIVATE SUBNET AND YOU CAN'T RDP TO THEM DIRECTLY.
- In order to RDP them, you have to create BASTION HOSTS (EC2 instances) in the public-subnet. You can RDP the Bastion host as it is in public-subnet and in turn you can RDP to the instances in private-subnet from Bastion host
- Create an instance in public-subnet and name it bastion-host
- The Security group of this bastion-host should allow RDP on port 3389 from source 0.0.0.0/0 i.e., from anywhere
- Can you RDP the bastion-host from your local machine? Yes, as its security group allows RDP from anywhere
- Can you RDP the instances in private-subnet from your local machine? No, as their security group does not allow RDP from anywhere except from (instances in) public subnet
- Can you RDP the instances in private-subnet from your local machine if you allow RDP from anywhere in the security group? No, as these instances route their internet traffic through the NAT gateway, which handles only outgoing traffic, not incoming
- Can you RDP the instances in private-subnet from your local machine if you attach an internet gateway to the private-subnet? Yes, but it is not advisable, as the whole point of a private subnet is to allow only outgoing traffic, not incoming
- Can you RDP the instances in private-subnet from the bastion-host? Yes, as their security group allows RDP from public-subnet (bastion-host is in public-subnet). It is the recommended way
- How do you check if the instances can access internet? Ping google.com in cmd from inside those instances
- Can bastion-host access the internet now? Yes, as the route table associated with its parent subnet (public-subnet) has a route to the internet gateway
- Can the instances in private-subnet access the internet now? Yes, as the route table associated with their parent subnet (private-subnet) sends all internet-bound traffic (0.0.0.0/0) to the NAT gateway (which is present in public-subnet). The NAT gateway then forwards that traffic to the internet via the internet gateway
- The NAT gateway forwards all internet-bound traffic via the internet gateway. How? Because the parent subnet of the NAT gateway (public-subnet) is associated with a route table that sends all traffic with destination 0.0.0.0/0 to the internet gateway. The NAT gateway sends the traffic to the internet gateway, using the elastic IP address of the NAT gateway as the source IP address
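The questions above can be checked mechanically by modelling the two route tables and the two security groups. The following is an added example (not part of the original post and not AWS code): it evaluates the same reachability questions over the page's topology. The VPC CIDR is the page's; the subnet CIDRs, host addresses and the local machine's address are assumed values.

```python
import ipaddress

# Constructed addressing for the page's topology. The VPC CIDR comes from the page;
# subnet CIDRs, instance IPs and the admin workstation's IP are assumptions.
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")
PUBLIC_CIDR = ipaddress.ip_network("172.31.1.0/24")
PRIVATE_CIDR = ipaddress.ip_network("172.31.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Route tables as (destination, target) pairs; a VPC uses the most specific match.
ROUTES = {
    "public-subnet": [(VPC_CIDR, "local"), (ANY, "igw")],
    "private-subnet": [(VPC_CIDR, "local"), (ANY, "nat")],
}
# Inbound security-group rules as (port, allowed source CIDR).
GROUPS = {
    "bastion-host": [(3389, ANY)],
    "db-server": [(3389, PUBLIC_CIDR)],
}
HOSTS = {  # host -> (subnet, IP); "internet" marks the admin's local machine
    "bastion-host": ("public-subnet", ipaddress.ip_address("172.31.1.10")),
    "db-server": ("private-subnet", ipaddress.ip_address("172.31.2.10")),
    "local-machine": ("internet", ipaddress.ip_address("203.0.113.5")),
}

def route_target(subnet, dst, routes=ROUTES):
    """Longest-prefix match over the subnet's route table; None if nothing matches."""
    matches = [(cidr, tgt) for cidr, tgt in routes[subnet] if dst in cidr]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def can_reach_internet(host, routes=ROUTES):
    """Egress works via an IGW directly, or via a NAT gateway whose own subnet has an IGW."""
    probe = ipaddress.ip_address("8.8.8.8")  # any non-VPC address will do
    target = route_target(HOSTS[host][0], probe, routes)
    if target == "nat":  # the NAT gateway sits in public-subnet and uses its route table
        target = route_target("public-subnet", probe, routes)
    return target == "igw"

def can_rdp(src, dst, routes=ROUTES, groups=GROUPS):
    """Inbound RDP needs (1) a path into the destination subnet and (2) a matching SG rule."""
    src_subnet, src_ip = HOSTS[src]
    dst_subnet, dst_ip = HOSTS[dst]
    if src_subnet == "internet":
        # Unsolicited connections from the internet only enter through an Internet Gateway;
        # a NAT gateway relays connections initiated from inside, so "nat" means no entry.
        if route_target(dst_subnet, src_ip, routes) != "igw":
            return False
    elif route_target(src_subnet, dst_ip, routes) != "local":
        return False  # intra-VPC traffic must hit the local route
    return any(port == 3389 and src_ip in cidr for port, cidr in groups[dst])
```

Passing modified `routes` or `groups` dictionaries reproduces the "what if I open the security group" and "what if I attach an internet gateway" questions above.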