In the latest challenge lab I did, I configured access for an Application Instance (running in a private subnet) via a Bastion Host (in a public subnet). From setting up bastion hosts for secure access to configuring VPCs, subnets, route tables, NAT gateways, and security groups, every step brought me closer to mastering cloud infrastructure.
Here’s a summary of what and how I set it up:
1. Configurations for Accessing the Application Instance via the Bastion Host

**Bastion Host Setup**
- Launched a Bastion Host in the Public Subnet (with a public IP).
- Attached a Security Group (SG) allowing inbound SSH (Port 22) from my IP only.
- Connected to the Bastion Host using SSH and a private key (.ppk for PuTTY).

**Application Instance (Private Subnet) Configuration**
- Launched an Application EC2 Instance in a Private Subnet (no public IP).
- Created a Security Group allowing inbound SSH (Port 22) only from the Bastion Host's SG.
- Used SSH from the Bastion Host to access the Private Instance.

**Network ACL Configuration**
- Allowed inbound and outbound SSH traffic (Port 22) from the Bastion Host.
- Configured ephemeral port rules (1024-65535) for return traffic.
2. Traffic Flow from the Internet to the Application Server

I defined traffic flow using multiple configurations:

**Security Group Rules**
- For Bastion Host: Allowed inbound SSH (Port 22) from my IP.
- For Application Server: Allowed SSH (Port 22) inbound only from the Bastion Host SG.

**Route Tables**
- Public Subnet Route Table: Had a default route (0.0.0.0/0) pointing to the Internet Gateway (IGW).
- Private Subnet Route Table: No direct internet access (default route pointed to a NAT Gateway).

**Network ACLs (NACLs)**
- Configured Inbound & Outbound ACLs to allow SSH and return traffic.
- Modified rules to block or allow ICMP traffic when required.
**Summary of Traffic Flow**

From My Computer → Bastion Host (Public Subnet)
- Used SSH (Port 22) with a key pair.
- Security Group & NACL allowed traffic.

From Bastion Host → Application Instance (Private Subnet)
- Used SSH (Port 22) to private IP.
- Security Group allowed only Bastion Host’s SG.

From Application Instance → Internet (for updates)
- Used NAT Gateway for outbound access (no public IP).
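The NACL steps above rely on one property that is easy to miss: unlike Security Groups, NACLs are stateless, so the SSH reply leaving the private subnet needs its own outbound rule covering the bastion's ephemeral source port. The small model below (added here as an illustration, not code from the lab or from AWS) evaluates a rule list the way a subnet NACL does and shows the session failing without the 1024-65535 rule; the 10.0.1.0/24 subnet, rule numbers and host addresses are constructed assumptions.

```python
# Added example (not from the original post): a subnet NACL evaluates rules in
# ascending rule-number order, first match wins, and denies when nothing matches.
# Because NACLs are stateless, the SSH reply needs its own outbound rule.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int    # evaluated in ascending order, first match wins
    egress: bool   # False = inbound rule, True = outbound rule
    port_lo: int   # destination port range covered by the rule
    port_hi: int
    cidr: str      # source CIDR (inbound) or destination CIDR (outbound)
    allow: bool

@dataclass(frozen=True)
class Packet:
    egress: bool
    remote_ip: str # source IP (inbound) or destination IP (outbound)
    dst_port: int

def nacl_permits(rules, pkt):
    """True if the NACL allows pkt; no matching rule means deny."""
    for r in sorted(rules, key=lambda rule: rule.number):
        if r.egress != pkt.egress:
            continue
        if ip_address(pkt.remote_ip) not in ip_network(r.cidr):
            continue
        if not r.port_lo <= pkt.dst_port <= r.port_hi:
            continue
        return r.allow
    return False

def ssh_session_allowed(rules, bastion_ip, client_port):
    """The SSH request must pass inbound AND its reply must pass outbound."""
    request = Packet(egress=False, remote_ip=bastion_ip, dst_port=22)
    reply = Packet(egress=True, remote_ip=bastion_ip, dst_port=client_port)
    return nacl_permits(rules, request) and nacl_permits(rules, reply)

# Constructed sample rules; the bastion's public subnet is assumed to be 10.0.1.0/24.
BASTION_SUBNET = "10.0.1.0/24"
INBOUND_SSH = Rule(100, False, 22, 22, BASTION_SUBNET, True)
OUTBOUND_SSH = Rule(100, True, 22, 22, BASTION_SUBNET, True)  # does not cover replies
OUTBOUND_EPHEMERAL = Rule(110, True, 1024, 65535, BASTION_SUBNET, True)
# A lower-numbered deny for one host wins over the broader allow at 100.
DENY_ONE_HOST = Rule(90, False, 22, 22, "10.0.1.99/32", False)

if __name__ == "__main__":
    print(ssh_session_allowed([INBOUND_SSH, OUTBOUND_SSH, OUTBOUND_EPHEMERAL], "10.0.1.10", 51234))  # True
```

The same reasoning applies in reverse for the NAT path: outbound 80/443 to the NAT Gateway must be paired with an inbound ephemeral-port rule for the update responses.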
A heartfelt thank you to the ALX team and AWS Cloud Computing program coordinators, especially for their guidance and unwavering support.
As I continue sharpening my skills in AWS Solutions Architecture, I am eager to contribute my expertise to innovative projects. If you’re looking for a passionate cloud computing enthusiast ready to solve complex infrastructure challenges, let’s connect!