Bastion Hosts

In this tutorial, we explore bastion hosts and the EC2 Instance Connect Endpoint and when each is useful. A Bastion Host (a.k.a. jump box) is a special-purpose EC2 instance that acts as a gateway for reaching your private EC2 instances, which have no public IPs.

A bastion host allows an SSH connection between the internet and EC2 instances provisioned in a private subnet. Internet traffic is routed through the bastion host to reach the private EC2 instances. The bastion is a chokepoint: inbound traffic is restricted at the bastion, so unwanted traffic never reaches the private network.

Imagine you have a secure building with no windows or doors (your private AWS servers). The only way in is through a guard post at the entrance—that’s the Bastion Host.

Why Do We Need It?

In AWS:

  • Your EC2 instances (virtual servers) are often placed in private subnets so they cannot be accessed directly from the internet.
  • But sometimes, you (as an admin or developer) need to connect to them for maintenance, troubleshooting, or deployment.

So, the Bastion Host acts as the only door to get into those private servers securely.

The EC2 instance used as a bastion host must be provisioned in a public subnet. Its security group must allow SSH connections to the EC2 instances in the private subnets, and the security groups of those private instances must accept SSH from the bastion.

Note: The security group of the bastion host must be restricted as much as possible, so that incoming traffic from unwanted sources is blocked and the attack surface is kept small.

How Does It Work?

  1. You create a Bastion Host (EC2 instance) in a public subnet.
  2. You assign it a public IP address.
  3. You SSH into it from your laptop using a key (for example, ssh -i mykey.pem ec2-user@<bastion-public-ip>).
  4. Once inside the Bastion Host, you can connect to other EC2 instances inside the private subnets, which do not have public IPs.

Pros of bastion hosts

  • Gives secure access to private servers.
  • You don’t expose sensitive servers to the public internet.
  • Easy to monitor and control access.

Drawbacks of bastion hosts

Although bastion hosts are widely used, relying on one as the main component for exposing private resources to the internet is not recommended. Below are a few reasons that make a bastion host less secure and more prone to attacks.

  • A bastion host is visible to internet traffic and is mostly used for accessing private EC2 instances through SSH.
  • SSH raises security concerns because a shell session typically grants root-level access to the instance.
  • Private SSH keys do not expire or get revoked automatically.
  • SSH by itself has no identity provider or additional access controls. Once access is granted, commands can be executed directly on the instances.

How Are Bastion Hosts Secured?

  • Only one server (the bastion) is exposed to the internet.
  • You limit SSH access to your own IP (or your company’s network).
  • You use key-based login (no passwords).
  • Logs and monitoring can be added for extra safety.
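
The controls listed above are easy to state and easy to drift from as security groups are edited over time. The following Python script is an added example, not part of the original tutorial: it audits a set of security groups in the shape returned by `aws ec2 describe-security-groups` and reports any rule that lets SSH into the bastion from outside an approved CIDR list, or into a private instance from anything other than the bastion’s security group. The group IDs, names and CIDRs in the sample are constructed placeholders. The same private-instance check applies unchanged to the security group of the EC2 Instance Connect Endpoint discussed later on this page: pass the endpoint’s security group ID instead of the bastion’s.

```python
"""Audit the security-group rules of a bastion deployment.

Added example, not from the tutorial. It runs offline on a constructed
sample shaped like the `SecurityGroups` list that
`aws ec2 describe-security-groups` returns; all IDs and CIDRs are made up.
"""
import ipaddress

SSH_PORT = 22

# Constructed sample: one bastion SG (with a deliberate mistake) and one
# private-instance SG that correctly trusts only the bastion group.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-bastion0001",
        "GroupName": "bastion-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}],   # approved office range
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],        # the mistake to catch
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-private0001",
        "GroupName": "private-app-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-bastion0001"}]},
        ],
    },
]


def _covers_ssh(perm):
    """True if a permission entry includes TCP/22 (or all protocols and ports)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def audit_bastion_sg(group, allowed_cidrs):
    """Bastion policy: SSH may only come from CIDRs inside the approved list."""
    findings = []
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    for perm in group["IpPermissions"]:
        if not _covers_ssh(perm):
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.prefixlen == 0:
                findings.append(f"{group['GroupId']}: SSH open to the whole internet ({rng['CidrIp']})")
            elif not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                findings.append(f"{group['GroupId']}: SSH allowed from unapproved range {rng['CidrIp']}")
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append(f"{group['GroupId']}: SSH allowed from group {pair['GroupId']}, expected CIDR sources only")
    return findings


def audit_private_sg(group, trusted_sg_id):
    """Private-instance policy: SSH may only come from the trusted (bastion) SG."""
    findings = []
    for perm in group["IpPermissions"]:
        if not _covers_ssh(perm):
            continue
        for rng in perm.get("IpRanges", []):
            findings.append(f"{group['GroupId']}: SSH allowed from CIDR {rng['CidrIp']} instead of the bastion SG")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != trusted_sg_id:
                findings.append(f"{group['GroupId']}: SSH allowed from non-bastion group {pair['GroupId']}")
    return findings


def audit(groups, bastion_sg_id, allowed_cidrs):
    """Audit every group: the bastion by CIDR policy, all others by source-group policy."""
    findings = []
    for g in groups:
        if g["GroupId"] == bastion_sg_id:
            findings += audit_bastion_sg(g, allowed_cidrs)
        else:
            findings += audit_private_sg(g, bastion_sg_id)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS, "sg-bastion0001", ["203.0.113.0/24"]):
        print("FINDING:", f)
```

Against real data, pass the `SecurityGroups` list from the CLI output to `audit()`. One practical caveat for step 3 of "How Does It Work?": connect with `ssh -J ec2-user@<bastion-public-ip> ec2-user@<private-ip>` (or a `ProxyJump` entry in `~/.ssh/config`) so the private key for the inner hosts never has to be copied onto the bastion.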
Use case: Connecting private subnet using bastion hosts

Consider an organization running applications on private EC2 instances. Its employees must connect to these instances to perform certain tasks, but because the instances sit in a private subnet, a direct connection from the internet cannot be established. We can place a bastion host in a public subnet: it has a public IP address, accepts incoming SSH connections from the internet, and makes outgoing SSH connections to the EC2 instances in the private subnet. The illustration below shows the flow of traffic from users on the internet to the private instances.

[Diagram: users on the internet connect to the bastion host in the public subnet, which connects to the EC2 instances in the private subnet]

In the diagram above, the users connect to the bastion host through SSH and then to the private instances.

EC2 Instance Connect Endpoint

This is AWS’s modern and more secure way to connect to private EC2 instances without a public IP or a bastion host. The EC2 Instance Connect Endpoint (EIC Endpoint) lets us connect securely to private instances over SSH without a public IP address, an internet gateway (IGW), or a bastion host. It combines identity-based and network-based access control, providing controlled access that can meet an organization’s security requirements.

An EIC Endpoint is used when we connect to an instance through the EC2 Instance Connect service. When using EIC Endpoints, we must keep the following points in mind:

  • The VPC endpoint of type “EC2 Instance Connect Endpoint” must be created in the same VPC as the private instances we want to reach.
  • To control the traffic, a separate security group should be created for the VPC endpoint (recommended).
  • This security group needs no inbound rules: the endpoint reaches resources in the private subnet through its own elastic network interface, so no incoming traffic has to be allowed.
  • The outbound rules of this security group can be scoped to the destination instances or their security groups.
  • The inbound rules of the destination EC2 instances’ security groups must allow connections from the endpoint’s security group.

How does it work?

  1. You create an EIC Endpoint in a VPC subnet.
  2. The endpoint allows SSH or RDP access to EC2 instances in that subnet.
  3. You don’t need a public IP or open port 22.
  4. AWS handles the underlying connection.

Security Advantages

  • No public IPs needed.
  • Port 22 doesn’t need to be open to the world.
  • IAM controls who can connect.
  • Uses temporary one-time SSH keys, so no key file management.
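
“IAM controls who can connect” is the heart of the endpoint’s security model, so it is worth seeing what a least-privilege policy for it looks like and how the steps above translate into permissions. The following Python is an added example and is not part of the tutorial or of any AWS SDK: `build_policy` produces an IAM policy that allows `ec2-instance-connect:OpenTunnel` through one endpoint only to listed private IPs, only to port 22 and only for bounded sessions, and `evaluate` is a deliberately simplified local check of those three condition keys (it does not model full IAM evaluation). The endpoint ARN, account, region, instance IPs and the IDs in the CLI comments are constructed placeholders.

```python
"""Least-privilege IAM policy for an EC2 Instance Connect Endpoint, with a
simplified local evaluator showing which tunnel requests it permits.

Added example, not from the tutorial or from AWS. Endpoint ARN, account,
region and IP addresses are constructed placeholders. The evaluator models
only the three ec2-instance-connect condition keys used here, not IAM.
"""
import ipaddress
import json

# Constructed placeholders: substitute your own endpoint ARN and instance IPs.
ENDPOINT_ARN = ("arn:aws:ec2:us-east-1:111122223333:"
                "instance-connect-endpoint/eice-0123456789abcdef0")
ALLOWED_HOSTS = ["10.0.1.10", "10.0.1.11"]   # private IPs of the app instances
MAX_TUNNEL_SECONDS = 3600
OPEN_TUNNEL = "ec2-instance-connect:OpenTunnel"


def build_policy(endpoint_arn, hosts, max_seconds):
    """Allow OpenTunnel only via this endpoint, only to the listed private IPs,
    only to TCP/22, and only for sessions no longer than max_seconds."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TunnelToApprovedHostsOnly",
                "Effect": "Allow",
                "Action": OPEN_TUNNEL,
                "Resource": endpoint_arn,
                "Condition": {
                    "IpAddress": {"ec2-instance-connect:privateIpAddress": hosts},
                    "NumericEquals": {"ec2-instance-connect:remotePort": "22"},
                    "NumericLessThanEquals": {
                        "ec2-instance-connect:maxTunnelDuration": str(max_seconds)
                    },
                },
            },
            {   # lets the CLI discover which endpoint serves the instance's VPC
                "Sid": "DescribeEndpoints",
                "Effect": "Allow",
                "Action": "ec2:DescribeInstanceConnectEndpoints",
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def evaluate(policy, endpoint_arn, private_ip, remote_port, duration_seconds):
    """Return True if some Allow statement for OpenTunnel matches the request.
    Simplified on purpose: no Deny handling, no action wildcards, and only
    the three condition operators that build_policy emits."""
    ip = ipaddress.ip_address(private_ip)
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or OPEN_TUNNEL not in _as_list(st["Action"]):
            continue
        if st["Resource"] not in ("*", endpoint_arn):
            continue
        cond = st.get("Condition", {})
        cidrs = _as_list(cond.get("IpAddress", {}).get("ec2-instance-connect:privateIpAddress", []))
        if cidrs and not any(ip in ipaddress.ip_network(c) for c in cidrs):
            continue
        port = cond.get("NumericEquals", {}).get("ec2-instance-connect:remotePort")
        if port is not None and int(port) != remote_port:
            continue
        limit = cond.get("NumericLessThanEquals", {}).get("ec2-instance-connect:maxTunnelDuration")
        if limit is not None and duration_seconds > int(limit):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = build_policy(ENDPOINT_ARN, ALLOWED_HOSTS, MAX_TUNNEL_SECONDS)
    print(json.dumps(policy, indent=2))
    for req in [("10.0.1.10", 22, 1800), ("10.0.1.99", 22, 1800),
                ("10.0.1.10", 3389, 1800), ("10.0.1.10", 22, 7200)]:
        print(req, "->", "allowed" if evaluate(policy, ENDPOINT_ARN, *req) else "denied")
    # Typical AWS CLI v2 commands once the policy is attached (IDs are placeholders):
    #   aws ec2 create-instance-connect-endpoint --subnet-id subnet-PLACEHOLDER \
    #       --security-group-ids sg-PLACEHOLDER
    #   aws ec2-instance-connect ssh --instance-id i-PLACEHOLDER --connection-type eice
```

The design point is that every narrowing happens in IAM rather than in a firewall rule: the instance’s security group only needs to trust the endpoint’s security group, and the policy decides which principal may open a tunnel to which host, on which port, and for how long. Requests to an unlisted host, to port 3389, or for a longer session than the limit are all denied by the sample policy.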

EC2 Instance Connect Endpoint vs Bastion Host

Feature                  | Bastion Host                      | EC2 Instance Connect Endpoint
-------------------------|-----------------------------------|----------------------------------
Requires public IP       | ✅ Yes                            | ❌ No
Exposes port 22          | ✅ Yes                            | ❌ No
Requires SSH key file    | ✅ Yes                            | ❌ No (uses IAM + temporary keys)
Costs                    | 💸 EC2 instance charges           | 💸 VPC endpoint charges
Security                 | 🔓 Manual key management, risks   | 🔐 IAM-based, no open SSH port
Simpler to maintain      | ❌ No, needs patching and updates | ✅ Yes, fully managed by AWS
Connect via AWS Console  | ❌ No                             | ✅ Yes

That’s all about AWS Bastion Hosts and the EC2 Instance Connect Endpoint. If you have any queries or feedback, please write to us at contact@waytoeasylearn.com. Enjoy learning, enjoy AWS tutorials!

