janandababu2023 / bastion-host-nat-gateway

This project forked from tusharthapliyal/bastion-host-nat-gateway


Bastion host and NAT-gateway

Connecting our resources in an AWS private subnet using a Bastion host and a NAT gateway. This repo contains Terraform code to deploy a NAT gateway, which allows the private instance to reach the internet, and a Bastion host in the public subnet, which can be used to SSH into our instance in the private subnet.

Architectural diagram

[Image: Cloud Architecture]

Use case

A Bastion host, also known as a jump host, is a server that sits in a public subnet and acts as a gateway to access servers in private subnets securely. You SSH into the bastion host first, and then from there, you can SSH into other servers in private subnets. This limits direct access to servers in private subnets from the internet, improving security.
A NAT gateway enables instances in a private subnet to initiate outbound traffic to the internet while preventing inbound traffic from initiating a connection with those instances. Instances in private subnets can use the NAT gateway to access the internet for software updates, fetching dependencies, etc., without exposing their private IP addresses to the internet.

Modules used

  1. ami: contains an Ubuntu AMI data source that fetches the latest AMI ID for the region in use.
  2. instance: deploys two EC2 instances, one Bastion host in the public subnet and one instance in the private subnet.
  3. keyPair: fetches the SSH key from ~/.ssh on our local machine.
  4. network: deploys the VPC + public subnet + private subnet + internet gateway + NAT gateway + elastic IP.
  5. routeTable: deploys the public route table (with a route to the IGW) + the private route table.
  6. securityGroup: deploys the public security group + private security group. The private security group's ingress rules should only allow SSH from our public security group.

Installation

  1. Initialize the Terraform directory and download the necessary plugins:

     terraform init

  2. Create a plan and save it to a file named "plan-1":

     terraform plan -out plan-1

  3. Apply plan "plan-1":

     terraform apply plan-1

File provisioner

Our Bastion host needs the SSH private key in order to SSH into our instance in the private subnet. We can use the file provisioner to copy that key from our local machine to the Bastion host.

  # These blocks sit inside the bastion host's aws_instance resource; the
  # enclosing resource block is not shown here.
  connection {
    type        = "ssh"
    user        = "ubuntu"
    private_key = file("~/.ssh/jenkins-demo") # key Terraform uses to reach the bastion
    host        = self.public_ip
  }

  # Copies the same private key onto the bastion so it can SSH onward to the
  # private instance. The bastion then holds a long-lived secret: the copied
  # file must be readable only by the ubuntu user.
  provisioner "file" {
    source      = "~/.ssh/jenkins-demo"
    destination = "~/.ssh/jenkins-demo"
  }

Security best practices

  1. The security group for your private instance should only allow SSH connections whose source is your public security group.
  2. You can improve security further by allowing traffic into the public security group only from your local machine's IP address.
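The two security groups described in the securityGroup module and in the practices above, as an added example (not code from this repository): the private group's SSH rule names the public group's ID as its source instead of a CIDR, and the public group's SSH rule is limited to one operator address. The resource names, aws_vpc.main and var.admin_cidr are assumptions.

```hcl
# Added example, not code from the repository: the two security groups
# described above. Names, aws_vpc.main and var.admin_cidr are assumptions.
variable "admin_cidr" {
  description = "Operator workstation public IP as a /32, e.g. 203.0.113.10/32"
  type        = string
}

# Public security group, attached to the bastion host in the public subnet.
resource "aws_security_group" "public" {
  name   = "bastion-public-sg"
  vpc_id = aws_vpc.main.id

  ingress { # SSH only from the operator's address, never 0.0.0.0/0
    description = "SSH from admin workstation"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
  egress { # bastion must reach the private subnet (and updates via the IGW)
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Private security group, attached to the instance in the private subnet.
resource "aws_security_group" "private" {
  name   = "private-instance-sg"
  vpc_id = aws_vpc.main.id

  # Source is the public group's ID rather than a CIDR: only instances
  # carrying that group (the bastion) can open port 22 here.
  ingress {
    description     = "SSH from bastion only"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.public.id]
  }
  # Outbound traffic leaves through the NAT gateway's route; security
  # groups are stateful, so this rule admits replies but no inbound connections.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Terraform removes AWS's default allow-all egress rule when it creates an aws_security_group, which is why both groups declare egress explicitly.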

Contributors

tusharthapliyal
