A Bastion Host (also called a jump box) is a hardened EC2 instance that serves as the single, controlled entry point for administrative access to EC2 instances in private subnets.
How It Works
- Deployed in a public subnet (one whose route table points at an Internet Gateway) with a public or Elastic IP.
- Provides SSH access (TCP port 22) to private EC2 instances, which have no public IP of their own.
- Users connect to the Bastion Host over the Internet, then open a second SSH session from it to internal resources in private subnets. Prefer OpenSSH's ProxyJump (ssh -J) or agent forwarding for the second hop so that the private keys for internal hosts never have to be stored on the bastion.
Security Group Configuration
- Bastion Host Security Group:
  - Inbound: Allow TCP port 22 (SSH) only from trusted IP ranges (e.g., corporate public CIDR). Never use 0.0.0.0/0 or ::/0 here; a world-open SSH port on the bastion defeats the purpose of the design.
- Private EC2 Instance Security Group:
  - Inbound: Allow SSH from the Bastion Host's Security Group (by security group ID) or from its private IP address. Referencing the security group is the more robust choice: a rule pinned to the private IP breaks if the bastion instance is replaced, and a group reference cannot accidentally match any other host.
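The two security groups above expressed as boto3 rule sets, together with the audit check a practitioner would run before (or after) applying them. This is an added example, not code from the original notes; the security group IDs and the corporate CIDR are placeholders, and boto3 is only imported when the rules are actually pushed to AWS, so the rule builders and the check run offline.

```python
"""Build and sanity-check bastion / private-instance security group rules.

Added example (not part of the original notes). The IpPermissions dictionaries
use the exact shape that EC2's authorize_security_group_ingress accepts and
describe_security_groups returns, so ssh_open_to_world() can audit existing
groups as well as the ones built here. All IDs and CIDRs are placeholders.
"""

SSH_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def bastion_ingress(trusted_cidrs, description="corporate egress"):
    """Bastion SG inbound rule: SSH only from the given trusted public CIDRs."""
    return [{
        "IpProtocol": "tcp",
        "FromPort": SSH_PORT,
        "ToPort": SSH_PORT,
        "IpRanges": [{"CidrIp": cidr, "Description": description} for cidr in trusted_cidrs],
    }]


def private_ingress(bastion_sg_id):
    """Private instance SG inbound rule: SSH only from the bastion's security group.

    Using UserIdGroupPairs (a group reference) instead of the bastion's private
    IP keeps the rule valid when the bastion instance is replaced.
    """
    return [{
        "IpProtocol": "tcp",
        "FromPort": SSH_PORT,
        "ToPort": SSH_PORT,
        "UserIdGroupPairs": [{"GroupId": bastion_sg_id, "Description": "bastion host"}],
    }]


def ssh_open_to_world(ip_permissions):
    """True if any rule exposes TCP/22 to 0.0.0.0/0 or ::/0.

    Handles the "-1" (all traffic) protocol, which carries no port fields,
    and port ranges that merely include 22 rather than equal it.
    """
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        from_port = perm.get("FromPort", 0)
        to_port = perm.get("ToPort", 65535)
        covers_ssh = proto == "-1" or (proto == "tcp" and from_port <= SSH_PORT <= to_port)
        if not covers_ssh:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if WORLD_CIDRS & set(cidrs):
            return True
    return False


def apply_rules(ec2, bastion_sg_id, private_sg_id, trusted_cidrs):
    """Push both rule sets via an EC2 client; refuses anything that opens SSH to the world.

    `ec2` is a boto3 EC2 client (or any object exposing the same method), which
    keeps this function testable without AWS credentials.
    """
    bastion = bastion_ingress(trusted_cidrs)
    private = private_ingress(bastion_sg_id)
    for name, perms in (("bastion", bastion), ("private", private)):
        if ssh_open_to_world(perms):
            raise ValueError(f"{name} security group would expose SSH to the Internet")
    ec2.authorize_security_group_ingress(GroupId=bastion_sg_id, IpPermissions=bastion)
    ec2.authorize_security_group_ingress(GroupId=private_sg_id, IpPermissions=private)
    return {"bastion": bastion, "private": private}


if __name__ == "__main__":
    import boto3  # only needed when actually talking to AWS

    # Placeholder IDs and CIDR; substitute your own. 203.0.113.0/24 is a
    # documentation range standing in for the corporate public CIDR.
    apply_rules(
        boto3.client("ec2"),
        bastion_sg_id="sg-0123456789abcdef0",
        private_sg_id="sg-0fedcba9876543210",
        trusted_cidrs=["203.0.113.0/24"],
    )
```

Running ssh_open_to_world() over the IpPermissions returned by describe_security_groups for every group in the VPC is a cheap periodic check that nobody has since added a 0.0.0.0/0 rule to either group.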
This approach keeps private EC2 instances off the Internet entirely (no public IP and no inbound rule from 0.0.0.0/0) while still allowing administrative access, and it concentrates hardening, patching, and SSH logging on a single host.