
How to SSH into Instances on Private Subnets?

Introduction to Bastion Host

A Bastion Host is a server used as an intermediary to access instances in a private subnet. Since private instances do not have a public IP, direct SSH access is not possible. Instead, we first SSH into the Bastion Host, which has a public IP, and then from there, we SSH into the private instance.

Security Group Settings

Bastion Host Security Group (SG)

  • Inbound Rules: Allow SSH (port 22) from your local IP.
  • Outbound Rules: Allow all outbound traffic.

Private Server Security Group (SG)

  • Inbound Rules: Allow SSH (port 22) only from the Bastion Host’s private IP.
  • Outbound Rules: Allow necessary outbound traffic.

Step-by-Step Guide

1. Set Permissions for the Bastion Host Private Key

Before SSHing into the Bastion Host, ensure that the Bastion server's private key file, “AX-PROD-KEY-PAIR.pem”, has the correct permissions:

chmod 400 AX-PROD-KEY-PAIR.pem

This prevents unauthorized access to the key file.

2. SSH into the Bastion Host

Use the following command to SSH into the Bastion Host:

ssh -i AX-PROD-KEY-PAIR.pem ec2-user@<Bastion-Public-IP>

Replace <Bastion-Public-IP> with the actual public IP of your Bastion Host.

3. Transfer the Private Server Key to the Bastion Host

Since the private instance’s SSH key (AX-PROD-KEY-PAIR-2022.pem) is required to access the private instance, transfer it from your local machine to the Bastion Host using SCP:

scp -i AX-PROD-KEY-PAIR.pem AX-PROD-KEY-PAIR-2022.pem ec2-user@<Bastion-Public-IP>:~

Now, the key is present on the Bastion Host.

4. Set Permissions for the Private Server Key on the Bastion Host

Log into the Bastion Host and set the correct permissions for the private key:

chmod 400 AX-PROD-KEY-PAIR-2022.pem

5. SSH into the Private Server

Now, SSH into the private instance from the Bastion Host:

ssh -i AX-PROD-KEY-PAIR-2022.pem ec2-user@<Private-Server-Private-IP>

Replace <Private-Server-Private-IP> with the actual private IP of your private instance.
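
An alternative to steps 3 to 5, added here as an example and not part of the original guide: with OpenSSH's ProxyJump (OpenSSH 7.3 or later), the connection is still relayed through the Bastion Host, so the same Security Group rules apply, but AX-PROD-KEY-PAIR-2022.pem stays on your workstation instead of sitting on an internet-facing server. The host aliases "bastion" and "private-server" and the function names are assumptions, and the Bastion Host's sshd must allow TCP forwarding (the OpenSSH default).

```shell
#!/usr/bin/env bash
# Added example: reach the private instance through the bastion with ProxyJump,
# so AX-PROD-KEY-PAIR-2022.pem never leaves the workstation.
# Aliases "bastion"/"private-server" are assumptions; key names come from the guide.

# Succeeds only if the key file exists and group/other have no access
# (e.g. chmod 400 or 600); ssh refuses private keys that other users can read.
key_mode_ok() {
    [ -f "$1" ] || return 1
    # ls -ld prints e.g. "-r--------"; characters 5-10 are the group/other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print two ssh_config stanzas: the bastion, then the private host jumping through it.
# $1 bastion public IP, $2 private IP, $3 bastion key path, $4 private server key path
jump_config() {
    cat <<EOF
Host bastion
    HostName $1
    User ec2-user
    IdentityFile $3
    IdentitiesOnly yes

Host private-server
    HostName $2
    User ec2-user
    IdentityFile $4
    IdentitiesOnly yes
    ProxyJump bastion
EOF
}

# Check both keys first, then print the stanzas; non-zero exit on a loose key.
build_jump_config() {
    for key in "$3" "$4"; do
        if ! key_mode_ok "$key"; then
            echo "refusing: $key is missing or accessible to group/other" >&2
            return 1
        fi
    done
    jump_config "$@"
}

# Usage (placeholders as in the guide), run on your local machine:
#   build_jump_config <Bastion-Public-IP> <Private-Server-Private-IP> \
#       ~/AX-PROD-KEY-PAIR.pem ~/AX-PROD-KEY-PAIR-2022.pem >> ~/.ssh/config
#   ssh private-server
```

Both IdentityFile entries are read on the local machine: the Bastion Host only forwards the TCP connection and never sees the private server's key.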

Summary

  1. Set up Security Groups: Allow SSH from your local IP to the Bastion and from Bastion to the private server.
  2. SSH into Bastion: Use the AX-PROD-KEY-PAIR.pem key.
  3. Copy the private server key: Use scp to transfer AX-PROD-KEY-PAIR-2022.pem to the Bastion.
  4. Set correct permissions: Use chmod 400 on both keys.
  5. SSH into the private instance: From the Bastion Host, use the private key for the private instance.

By following these steps, you can securely SSH into an instance on a private subnet via a Bastion Host.
