Create a Bastion Host on AWS

This post is part of our series on how to Create a Multi-Tier Auto-Scaling WordPress Site on Amazon Web Services. If you haven't checked out our earlier posts, be sure to click the link above.

As a reminder, we'll follow the AWS Reference Architecture as closely as possible; however, we will try to use Free Tier resources whenever they are available. In this tutorial we're going to create a Bastion Host to manage our WordPress architecture.

Scalability does come with some drawbacks with regard to keeping themes/plugins up to date; however, it all depends on your goal and what you need for your site. The way you've traditionally managed WordPress will be different with this architecture, and that should be taken into account long-term.

Please note that we're going to put the entire WordPress installation on EFS, which does have some latency and performance concerns. We'll try to overcome this with caching and a CDN; however, if that's not performant enough for your use case, you may want to put only the "uploads" directory on EFS and then have a process to update the base AMI going forward.

Prerequisite: AWS Reference Architecture and Previous Posts

As mentioned above, please make sure you check out the AWS Reference Architecture as well as our earlier posts.

What is a Bastion Host?

A bastion host is a server that provides access to a private network from a public network. It's designed to be a hardened front door that limits access to the resources behind it. For our use case, it will be used for SSH access to our web/app servers, and also to establish connections to our database on RDS and our cache on ElastiCache. Because it is the only host in this architecture that accepts SSH from the Internet, it is also the one that most deserves to be locked down: key-based authentication only, a security group that admits as few source addresses as possible, and regular patching.

Create your Bastion Host EC2 Instance

Our first step is going to be to create a new EC2 Instance to act as your Bastion Host and have it reside in one of our public subnets.

Log in to your AWS Management Console and then go to the "EC2" service.

Then click on "Instances" to get to the Instances Dashboard.

Click on "Launch instance" in the top right.

Select a Free Tier AMI

Once there, select a Free Tier eligible AMI. I'm familiar with Ubuntu, so I'll select that image.

Select an Instance Type

I'm going to start with a t2.nano instance, and if I come across any issues I can always change the instance type later on. Note that t2.nano is not Free Tier eligible; t2.micro is the Free Tier size, so pick that if you want the host to stay within the Free Tier.

Click on on “Next: Configure instance details”.

Configure your occasion to make use of your VPC and Public Subnet

Make certain to pick out the VPC you created, in addition to considered one of your public subnets the place you need the host to reside.

Click on on “Next: Add Storage”.

Configure Storage

I’ll go away the scale as 8GB since we received’t be doing a lot with this host.

Add Tags to your Occasion

Then you’ll be able to add “Tags” within the subsequent step when you’d like, after which proceed to “Next: Configure Security Group”

Select our Bastion Host Security Group

Select the Security Group we created earlier in our series for Bastion Hosts. Note that it allows SSH access from ANY address (0.0.0.0/0); however, we can lock this down to just our own IP address for added security, which is what we recommend in a Production scenario. Be aware that a home or office IP can change, so if you do lock it down you will need to update the rule when that happens.
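As an added example (not part of the original post), here is what that lock-down looks like with the AWS CLI rather than the console: it swaps the 0.0.0.0/0 SSH rule on the bastion security group for a single /32 of your current public address. The security group ID, the IP addresses and the checkip.amazonaws.com lookup are assumptions for illustration; the aws subcommands used (ec2 revoke-security-group-ingress and ec2 authorize-security-group-ingress) are the real ones. Setting DRY_RUN=1 only prints the commands.

```shell
# Added example, not part of the original post: tighten the bastion's
# security group so SSH (tcp/22) is reachable only from one /32.
# The group ID and IPs are placeholders. DRY_RUN=1 prints the aws
# commands instead of running them.

# Validate a dotted-quad IPv4 address and print it as a /32 CIDR.
# Rejects anything that is not exactly four decimal octets <= 255.
to_cidr32() {
  local ip=$1 octet
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  printf '%s/32\n' "$ip"
}

# Discover this workstation's public IPv4 as seen from the Internet.
# Assumption: checkip.amazonaws.com is reachable from where you run this.
my_public_ip() {
  curl -fsS --max-time 5 https://checkip.amazonaws.com
}

# Replace the 0.0.0.0/0 SSH rule on a security group with a single /32.
# $1 = security group ID (placeholder: sg-0123456789abcdef0), $2 = IPv4.
lock_ssh_to_ip() {
  local sg=$1 cidr run=
  cidr=$(to_cidr32 "$2") || { echo "invalid IPv4 address: $2" >&2; return 1; }
  if [ "${DRY_RUN:-0}" = 1 ]; then run=echo; fi
  # Remove the world-open rule first, then admit only our address.
  $run aws ec2 revoke-security-group-ingress --group-id "$sg" \
      --protocol tcp --port 22 --cidr 0.0.0.0/0
  $run aws ec2 authorize-security-group-ingress --group-id "$sg" \
      --protocol tcp --port 22 --cidr "$cidr"
}

# Real run (placeholder group ID):
#   lock_ssh_to_ip sg-0123456789abcdef0 "$(my_public_ip)"
```

Re-run lock_ssh_to_ip whenever your public IP changes. If the 0.0.0.0/0 rule has already been removed, the revoke step fails with InvalidPermission.NotFound and the authorize step still runs, so the function is safe to repeat.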

Launch your Instance and select SSH Keys

Now click on "Review and Launch"! You may see warnings about Free Tier eligibility as well as your Security Group being open to the world. Keep in mind that we recommend locking things down to your IP address, but we will move forward for the purpose of this tutorial.

If you have an SSH Key Pair already created and have access to the key, go ahead and use that, or create a new one. Be sure to download the key at this point, as you won't see it again! Store it with owner-only permissions (600); ssh will refuse to use a key file that other users can read.

Go ahead and "Launch Instances".

Name your Instance for easy identification

I like to name my instances for easy identification. I'll call this instance "3T – Bastion Host".

Test SSH Access to your Bastion Host

If you click on the Instance ID, you'll get additional details about your instance. Additionally, you can find the Public IP address in the Instances dashboard as well as in the details. Note this IP address down and test SSH access with your SSH client of choice. On the Ubuntu AMI the login user is "ubuntu".

I'm a fan of "Termius", so that's what I'll use to test out the connection.

Optional: Add a Banner when users Log in

Personally, I like to know when I'm logging into a Bastion Host. Thus, I create the file "/etc/motd" and add the text that I want to display. Here is an example of what I see when I log in.

Update Your Server

Ensure your server is up to date with the following two commands. Follow the prompts as needed or add the "-y" flag.

$ sudo apt-get update
$ sudo apt-get dist-upgrade

Go ahead and reboot the server for good measure as well!

Note: A reboot keeps the instance's public IP address, but if you stop and start the instance from the AWS Management Console, it will come back with a different public IPv4 address. Feel free to configure an Elastic IP if you'd like a consistent IP.

Test Connection to RDS

We want to test the connection to our RDS MySQL Database from our Bastion Host, so we'll install the mysql-client with the following command.

sudo apt-get install mysql-client

Next, we'll run the following command, substituting your RDS endpoint, port (3306 for MySQL) and master username. After you hit Enter, you'll be prompted for your password.

mysql -h <RDS_ENDPOINT> -P <PORT> -u <MASTER_USERNAME> -p

If you get the mysql prompt, everything worked as expected! You can run the following command to ensure that you see the database you created in our last post to use for our WordPress installation.

SHOW DATABASES;

Type in the following, and then hit Enter to exit out of the mysql client prompt.

exit

You can also double-check the connection by going to the RDS Dashboard and looking at the database metrics. Below you'll see our DB Connection Count go up to 1 while we were connected and drop back down to 0 after we exited.

Optional: Test Connection to ElastiCache

You should have your ElastiCache details from an earlier post. We'll simply run a telnet command to ensure that our host can communicate with the Redis cache on ElastiCache (the default Redis port is 6379). Install the telnet package first if it isn't present on the Ubuntu image.

$ telnet <ELASTICACHE_ENDPOINT> <PORT>

If telnet reports "Connected to" your endpoint, you're all set! If it hangs and times out instead, the usual culprits are the ElastiCache security group not allowing inbound traffic from the Bastion Host's security group, or a subnet/route issue. We'll do the same thing with your instance in our private subnet later on.

Test Connection to Instance in Private Subnet

Let's make sure our VPC/subnet and Security Group configurations are good to go. Quickly create an EC2 instance in one of your private subnets with the Web/App Server Security Group.

I'm just going to show the final step with the details, since you now know how to create an EC2 instance. Use the same key that you created/used earlier.

You'll see that this new instance doesn't have a Public IP, since it's in our Private Subnet.

Configure ssh-agent

I'm using a Mac, so ssh-agent is fortunately already installed as part of macOS. We just need to add our key to the agent (and the keychain) by running the following command. Ensure your *.pem file has the correct permissions (600) first, or ssh-add will refuse it. On recent macOS versions the "-K" flag is deprecated in favor of "--apple-use-keychain".

ssh-add -K myPrivateKey.pem

SSH to Bastion Host

Next, we'll SSH to our Bastion Host with the following command. The -A flag enables agent forwarding: the bastion can authenticate onward to the private instance using the key held by your local agent, without the key ever being copied to the bastion. The trade-off is that while you are connected, anyone with root on the bastion can use your forwarded agent to authenticate as you, so only forward to hosts you trust and disconnect when you are done.

ssh -A ubuntu@<BASTION_PUBLIC_IP>

SSH to Instance in Private Subnet from Bastion Host

Now get the Private IP of your server in your Private Subnet and run the following command from your Bastion Host.

ssh ubuntu@<PRIVATE_IP>

If you see a successful connection, everything worked as expected!
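As an added example that is not part of the original post, here is the ProxyJump alternative to the -A agent forwarding used above. With a ProxyJump stanza in ~/.ssh/config, the ssh client on your workstation authenticates to both the bastion and the private instance itself and tunnels the second connection through the first, so no agent socket is ever exposed on the bastion. The IPs, the "web1" alias and the key path are placeholders; "ubuntu" is the login user on the Ubuntu AMI used in this series. ProxyJump requires OpenSSH 7.3 or newer on your workstation.

```shell
# Added example, not part of the original post: reach the private instance
# through the bastion with ProxyJump instead of agent forwarding (-A).
# IPs, the "web1" alias and the key path are placeholders.

# Print an ssh_config stanza pair for the bastion and one private host.
# $1 bastion public IP, $2 private instance IP, $3 path to the .pem key
gen_ssh_config() {
  cat <<EOF
Host bastion
    HostName $1
    User ubuntu
    IdentityFile $3
    IdentitiesOnly yes
    ForwardAgent no

Host web1
    HostName $2
    User ubuntu
    IdentityFile $3
    IdentitiesOnly yes
    ForwardAgent no
    ProxyJump bastion
EOF
}

# Append the stanzas to an ssh config file (default ~/.ssh/config) with the
# permissions OpenSSH insists on, refusing to duplicate an existing "Host web1".
# $1..$3 as for gen_ssh_config, $4 config file path
install_ssh_config() {
  local dest="${4:-$HOME/.ssh/config}" dir
  dir=$(dirname "$dest")
  mkdir -p "$dir" && chmod 700 "$dir"
  if [ -f "$dest" ] && grep -q '^Host web1$' "$dest"; then
    echo "Host web1 already defined in $dest" >&2
    return 1
  fi
  gen_ssh_config "$1" "$2" "$3" >> "$dest"
  chmod 600 "$dest"
}

# Afterwards a single command reaches the private instance:
#   ssh web1
# The key is read on your workstation for both hops; nothing is forwarded
# to or stored on the bastion.
```

With this in place "ssh web1" replaces the two-step "ssh -A" then "ssh" sequence, and "ForwardAgent no" makes the safer default explicit for both hosts.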

Install MySQL Client and Test Connection to RDS

Similar to what we did on the Bastion Host itself, let's install the mysql-client and then test the connection to the RDS MySQL Database. Use the same commands from earlier in this post. Note that installing packages on a host in a private subnet requires outbound Internet access through a NAT Gateway or NAT instance, which is covered in the last section of this post.

We successfully connected to RDS; therefore, when we set up our WordPress instance, we know we'll be able to connect to the database.

Optional: Test Connection to ElastiCache

You should have your ElastiCache endpoint noted from earlier. We'll simply run the same telnet command as before to ensure that this host can communicate with the Redis cache on ElastiCache.

If telnet reports "Connected to" your endpoint, you're all set!
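The RDS and ElastiCache checks above (run first from the bastion and again from the private instance) boil down to "can this host open a TCP connection to that endpoint, and does the service answer". As an added example, not from the original post, here is a small set of shell functions that do the same with bash's /dev/tcp and a non-interactive mysql call, so the checks can be scripted and repeated on each host instead of typed into telnet. The endpoints in the usage comments are made-up placeholders; the Redis PING only works for a cluster without in-transit encryption or an AUTH token, which is what the plain telnet test in the post assumes.

```shell
# Added example, not part of the original post. Reachability checks to run
# from the bastion (or the private instance) against RDS and ElastiCache.
# Endpoints in the usage comments are placeholders. bash is invoked
# explicitly because /dev/tcp is a bash feature, not POSIX sh.

# Return 0 if a TCP connection to host $1 port $2 opens within $3 seconds
# (default 3). No data is sent; this is the "does telnet connect" test.
tcp_check() {
  timeout "${3:-3}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Send a Redis PING and print the first reply line (the protocol answer
# is "+PONG"). Only valid for a cluster without in-transit encryption or
# an AUTH token, as assumed by the plain telnet test in the post.
redis_ping() {
  timeout "${3:-3}" bash -c '
    exec 3<>"/dev/tcp/$0/$1" || exit 1
    printf "PING\r\n" >&3
    IFS= read -r reply <&3 || exit 1
    printf "%s\n" "$reply" | tr -d "\r"
  ' "$1" "$2" 2>/dev/null
}

# One-line verdict per endpoint; returns 1 when unreachable so it can
# drive a script. $1 label, $2 host, $3 port.
report() {
  if tcp_check "$2" "$3"; then
    printf '%-8s %s:%s reachable\n' "$1" "$2" "$3"
  else
    printf '%-8s %s:%s NOT reachable (check SG rules, route table, NACLs)\n' "$1" "$2" "$3"
    return 1
  fi
}

# Non-interactive version of the mysql test from the post: prompts for the
# password, then lists databases so the WordPress one can be confirmed.
# $1 RDS endpoint, $2 port (3306 for MySQL), $3 master username.
rds_show_databases() {
  mysql -h "$1" -P "$2" -u "$3" -p -e 'SHOW DATABASES;'
}

# Usage from either host (placeholder endpoints):
#   report rds   mydb.abc123.us-east-1.rds.amazonaws.com 3306
#   report redis mycache.abc123.0001.use1.cache.amazonaws.com 6379
#   redis_ping mycache.abc123.0001.use1.cache.amazonaws.com 6379
#   rds_show_databases mydb.abc123.us-east-1.rds.amazonaws.com 3306 admin
```

A "NOT reachable" verdict from the private instance but not from the bastion points at the Web/App Server security group not being allowed by the RDS or ElastiCache security group; a failure from both hosts usually means the database or cache subnet group or its security group is wrong.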

Optional: Test Outbound Internet Connection on Instance in Private Subnet

Without a NAT Gateway serving our Private Subnet, anything the instance tries to reach on the Internet will fail (which is expected). You can run a simple ping command to try it out.

$ ping <PUBLIC_HOSTNAME>

Since I have a NAT Gateway instance created, as well as the correct Security Groups, all I need to do is add the correct Security Group to my instance in the Private Subnet, and I can run the ping again and get responses. The private subnet's route table also needs a 0.0.0.0/0 route pointing at the NAT Gateway or NAT instance; without it, traffic has nowhere to go regardless of the security groups.

Note: You'll need an outbound internet connection for OS updates/upgrades, as well as basic WordPress functionality. Either use the managed NAT Gateway service, or follow the linked guide to create your own NAT Gateway EC2 Instance.
