Set up a Bastion Host

A step-by-step guide to setting up a bastion host in the portal

Shameel Ahmed

Last Update 2 months ago

When several VM instances are spun up in the portal, you usually need to reach them from the outside world, for example from your computer. Exposing every instance to the Internet widens the attack surface and puts your whole infrastructure at risk. This is where the concept of a Bastion Host comes to the rescue.

A Bastion Host is a single, special-purpose instance in your infrastructure that is deliberately exposed to public networks. Because it is the only exposed instance, it is hardened against external attacks through a minimal set of installed software, a restrictive configuration and a tightly scoped Security Group.

Once a Bastion Host is set up in your network, it is the only instance you connect to from your computer; from it you reach every other instance in the network. The other instances have private addresses only and are reachable from inside the network alone.

To demonstrate how Bastion Hosts work, we'll need at least two instances:

1. An instance that is publicly accessible through a Floating IP and serves as the Bastion Host

2. Another instance with only a private IP, which we will connect to from the Bastion Host

In this example, you will set up MySQL on the private instance and access it from the Bastion Host. The MySQL server is reachable only from within the network, via the Bastion Host, and never from the Internet. The example uses MariaDB, a fully open-source fork of MySQL.

Setting up the Bastion Host

Setting up a Bastion involves the following steps:

Create the Bastion instance

Refer to the Create an Instance article to know how to create a VM instance. This example uses Ubuntu 20.04 for the Bastion Host instance.

Create and Assign a Floating IP

A Floating IP is a publicly routable IP address associated with your instance; it is what lets you connect to the instance from your computer. Refer to the Create a Floating IP article for more information.

Make sure that a Floating IP is assigned with this instance:

1. Click on the Instance

2. Go to Networking tab

3. Verify that a Floating IP is assigned to the Instance.

Create and Assign an SSH Key

An SSH key is used to connect to a VM instance from your computer over the Internet using the SSH protocol. Although the portal lets you connect with just a user ID and a password, use an SSH key: key-based authentication is far stronger than a password, and on a bastion that faces the whole Internet, password logins are the first thing brute-force scanners try. Once you have verified that your key works, disable password logins in sshd entirely (PasswordAuthentication no).

Refer to the Create an SSH Key article for information on how to create an SSH Key.

In the portal, an SSH key can be associated with an instance only on the instance creation screen. Once an instance exists, there is no way to assign or change SSH keys through the portal. If you forgot to assign an SSH key when creating an instance, log in to the instance through the console using your password, then add the public key to the login user's ~/.ssh/authorized_keys yourself.

Enable SSH access

SSH is an encrypted remote-access protocol that lets you reach your instance over the Internet. To enable SSH access, create a Security Group with an Ingress (Inbound) rule for TCP port 22 and attach that Security Group to the instance.

The recommended approach is a separate Security Group for the Bastion Host whose only Ingress (Inbound) rule is TCP port 22. Wherever you can, restrict the rule's source CIDR to the addresses you actually connect from (your office or VPN egress address as a /32) rather than 0.0.0.0/0; a bastion that answers port 22 to the whole Internet will be under constant password-guessing traffic.

Refer to the Create a Security Group article to know more about creating Security Groups and configuring them.
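The portal steps above expose port 22 on the bastion; what runs behind that port still has to be hardened. The following script is an added example and is not part of the original article or the portal's tooling. It writes an sshd drop-in for the Ubuntu 20.04 bastion (keys only, no root login, a single permitted user), validates it with sshd -t before reloading so a typo cannot lock you out of your only entry point, and prints the matching ~/.ssh/config stanza for your workstation so that a private instance is reached with ProxyJump through the bastion and your private key never has to be copied onto the bastion. The Floating IP 203.0.113.10, the private address 192.168.10.20 and the user name ubuntu are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Hardens sshd on the Bastion Host
# (Ubuntu 20.04, whose sshd_config includes /etc/ssh/sshd_config.d/*.conf) and
# prints the ~/.ssh/config stanza to use on your workstation.
# Assumed values (constructed for this example):
BASTION_FLOATING_IP="${BASTION_FLOATING_IP:-203.0.113.10}" # public Floating IP of the bastion
TARGET_PRIVATE_IP="${TARGET_PRIVATE_IP:-192.168.10.20}"    # private IP of an instance behind it
ADMIN_USER="${ADMIN_USER:-ubuntu}"                         # the only account allowed to log in

# Render an sshd drop-in: keys only, no root login, one permitted user, no agent or
# X11 forwarding. TCP forwarding stays on because ProxyJump needs it; add
# "PermitOpen <private-ip>:22" lines to narrow it to specific targets.
render_sshd_hardening() {
    # $1 = user allowed to log in
    cat <<EOF
# Bastion hardening drop-in; listed first in the Include, so these values win
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AllowUsers $1
MaxAuthTries 3
LoginGraceTime 20
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding yes
PermitTunnel no
ClientAliveInterval 300
ClientAliveCountMax 2
LogLevel VERBOSE
EOF
}

# Render the workstation-side ~/.ssh/config: the private instance is reached by
# jumping through the bastion, and the private key stays on the workstation.
render_ssh_client_config() {
    # $1 = bastion public IP, $2 = private instance IP, $3 = login user
    cat <<EOF
Host bastion
    HostName $1
    User $3
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

Host private-db
    HostName $2
    User $3
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
EOF
}

# Apply on the bastion: write the drop-in, test the full configuration with
# sshd -t, and only then reload. Keep the current session open until a fresh
# login has been verified.
apply_hardening() {
    render_sshd_hardening "$ADMIN_USER" | sudo tee /etc/ssh/sshd_config.d/10-bastion.conf >/dev/null
    if sudo sshd -t; then
        sudo systemctl reload ssh
        echo "sshd hardening applied; test a new login before closing this session"
    else
        sudo rm -f /etc/ssh/sshd_config.d/10-bastion.conf
        echo "sshd -t rejected the configuration; drop-in removed" >&2
        return 1
    fi
}

case "${1:-}" in
    apply)  apply_hardening ;;
    client) render_ssh_client_config "$BASTION_FLOATING_IP" "$TARGET_PRIVATE_IP" "$ADMIN_USER" ;;
    *)      echo "usage: $0 apply|client" >&2 ;;
esac
```

Run `sh harden.sh apply` on the bastion and `sh harden.sh client >> ~/.ssh/config` on your workstation; afterwards `ssh private-db` lands on the private instance without any key material on the bastion.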


Setting up the Target instance

Setting up the target instance follows the same process as the Bastion Host, minus the public accessibility: the instance must be reachable only from within the network and never from the outside world. Because the Bastion Host is part of that network, it can reach the target instance.

Create the Instance

Refer to the Create an Instance article to know how to create a VM instance. This example uses CentOS 8 for the MySQL Server.

Ensure Private only access

No special step is needed for this; just make sure that no Floating IP is associated with the instance:

1. Click on the Instance

2. Go to Networking tab

3. Verify that only a private (local) IP is assigned and that there is no Floating IP.

Restrict inbound access

The recommended approach is to create a separate Security Group for the target instance whose Ingress (Inbound) rules allow only the ports it actually needs, and to associate that Security Group with the target instance. In this example that is the MySQL port alone; the target gets no SSH rule, since it is administered through the console.

Refer to the Create a Security Group article to know more about creating Security Groups and configuring them.

For this example, create a Security Group called IdeaDC-SG-MySQL. A newly created Security Group has two default rules allowing all inbound and all outbound traffic. Delete the inbound rule and add the following Inbound rule so that only MySQL client connections from the Bastion Host's network are accepted:

Protocol: TCP

Port: 3306 (MySQL port)

CIDR: 192.168.10.0/24 (allows all IPs between 192.168.10.0 and 192.168.10.255)

Note that a /24 admits every instance in that subnet, not just the bastion. If the portal lets you enter a single address, use the Bastion Host's private IP with a /32 mask (for example 192.168.10.5/32) so that a compromised neighbour in the same subnet cannot reach the database.

Once done, it should look like this:

You can then associate this Security Group to the MySQL instance from the Security Group tab of the Instance. After associating, it should look like this:

Install MySQL Server on the Private Instance

Log in to the console from the Console menu of the instance and execute the following commands to install MariaDB.

To verify that MySQL is installed and running properly, try connecting locally:

If the installation was successful, you should see the MySQL prompt. Run the following commands to see the list of tables:

At this stage, MariaDB accepts connections only from the local server, because the only account is root@localhost. To allow connections from the Bastion Host, create an account whose host part is the Bastion Host's private IP and grant it the privileges it needs by executing the following commands:

Note that the IP used is the private (local) IP of the Bastion Host, not its Floating IP: the connection arrives over the private network, so that is the address MariaDB sees. The root user is used here only to demonstrate the concept. In a real-world setup, use a dedicated, non-privileged user for network access, limit its privileges to the one database the application needs, and never grant root from the network.
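The following provisioning script is an added example and is not the article's own command sequence. It carries the target-instance steps above through in the form a practitioner would want: it installs MariaDB on CentOS 8, binds the server to the private IP only (so the security group is not the sole line of defence), and instead of granting root over the network it creates a dedicated user that may log in only from the bastion's private IP with privileges limited to one database. The addresses 192.168.10.20 (target) and 192.168.10.5 (bastion), the user name appuser and the database appdb are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Run on the private CentOS 8 instance:
# installs MariaDB, binds it to the private IP only, and creates a dedicated
# least-privilege user that may log in only from the bastion's private IP.
# Assumed values (constructed for this example):
TARGET_PRIVATE_IP="${TARGET_PRIVATE_IP:-192.168.10.20}"  # this instance's private IP
BASTION_PRIVATE_IP="${BASTION_PRIVATE_IP:-192.168.10.5}" # bastion's private IP, NOT its Floating IP
DB_USER="${DB_USER:-appuser}"
DB_NAME="${DB_NAME:-appdb}"

# Drop-in that makes mysqld listen on the private interface only. Even if a
# security group rule is later loosened, the server answers on no other address.
render_bind_config() {
    # $1 = private IP to bind to
    printf '[mysqld]\nbind-address = %s\n' "$1"
}

# SQL for a dedicated user scoped to one client host and one database.
# root@localhost stays local; nothing is granted to root from the network.
# The password is interpolated verbatim, so it must not contain ' or \ (see provision).
render_grant_sql() {
    # $1 = user, $2 = allowed client IP, $3 = database, $4 = password
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$3\`;
CREATE USER IF NOT EXISTS '$1'@'$2' IDENTIFIED BY '$4';
GRANT SELECT, INSERT, UPDATE, DELETE ON \`$3\`.* TO '$1'@'$2';
FLUSH PRIVILEGES;
EOF
}

provision() {
    sudo dnf -y install mariadb-server
    sudo systemctl enable --now mariadb
    # Run the interactive `sudo mysql_secure_installation` once as well: it removes
    # anonymous users and the test database before the port is reachable from the network.
    render_bind_config "$TARGET_PRIVATE_IP" | sudo tee /etc/my.cnf.d/bind-private.cnf >/dev/null
    sudo systemctl restart mariadb
    # base64 output never contains quotes or backslashes, so it is safe to interpolate
    DB_PASS="$(openssl rand -base64 24)"
    render_grant_sql "$DB_USER" "$BASTION_PRIVATE_IP" "$DB_NAME" "$DB_PASS" | sudo mysql
    echo "created '$DB_USER'@'$BASTION_PRIVATE_IP' with password: $DB_PASS"
    # Expect exactly one listener, on the private IP. A 0.0.0.0:3306 line means
    # the drop-in was not picked up and the bind must be fixed before going on.
    ss -ltn | grep ':3306'
}

if [ "${1:-}" = "provision" ]; then provision; fi
```

Run it as `sh provision-db.sh provision` in the instance console; the printed password is what the bastion-side client will use, and the only place it should be stored is a secrets store or the bastion user's protected environment.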


Connect to the Bastion Host

Once the Bastion Host instance is set up and configured correctly, you are ready to connect to it. Refer to the Connect to an Instance from your computer article for a detailed step-by-step guide on connecting to an instance from your computer over the Internet, and follow those steps to connect to your Bastion Host instance.

Install the MySQL client by running the following commands:

You will now be able to connect to the MySQL Server by running the following command:

If the connection was successful, you should see the MySQL command line interface. You can verify it by executing the following commands; you should see the same output you saw when you connected locally:
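The bastion-side check below is an added example, not the article's own command sequence. It installs the MariaDB client on the Ubuntu 20.04 bastion, first confirms that port 3306 on the private instance is reachable at all (the usual failure is the target's security group, not the credentials), then connects over TCP as the dedicated user and audits that user's grants so you can see that what you connected with is not a root-equivalent account. The address 192.168.10.20, the user appuser and the database appdb are assumptions made up for the example; the password is taken from the DB_PASS environment variable rather than being written into the script.

```shell
#!/bin/sh
# Added example, not from the original article. Run on the Bastion Host (Ubuntu 20.04):
# installs the MariaDB client, checks that 3306 on the private instance is reachable
# from here, connects over TCP as the dedicated user, and audits that user's grants.
# Assumed values (constructed for this example):
TARGET_PRIVATE_IP="${TARGET_PRIVATE_IP:-192.168.10.20}"
DB_USER="${DB_USER:-appuser}"
DB_NAME="${DB_NAME:-appdb}"
# DB_PASS must be supplied in the environment; it is never stored in this file.

# Check that the MariaDB port answers from this host before blaming credentials.
# Uses bash's /dev/tcp so no extra tool is needed. A failure here almost always
# means the target's security group does not allow 3306 from the bastion's private IP.
port_reachable() {
    # $1 = host, $2 = port
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Audit SHOW GRANTS output (one grant per line on stdin). Returns 1 and names each
# offending line if the user holds anything a network-facing app user should not:
# a grant on *.* (every database), ALL PRIVILEGES, GRANT OPTION, or server-level
# privileges such as SUPER, FILE, PROCESS, SHUTDOWN or RELOAD.
audit_grants() {
    rc=0
    while IFS= read -r line; do
        privs="${line#GRANT }"; privs="${privs%% ON *}"
        target="${line#* ON }"; target="${target%% TO *}"
        bad=""
        case "$privs" in
            *ALL*|*SUPER*|*FILE*|*PROCESS*|*SHUTDOWN*|*RELOAD*) bad="server-level privilege" ;;
        esac
        case "$line" in *"WITH GRANT OPTION"*) bad="grant option" ;; esac
        # MariaDB always emits "GRANT USAGE ON *.*" for the login itself; that carries
        # no privilege, but anything else on *.* reaches every database.
        if [ "$target" = "*.*" ] && [ "$privs" != "USAGE" ]; then bad="global scope"; fi
        if [ -n "$bad" ]; then
            echo "over-privileged ($bad): $line" >&2
            rc=1
        fi
    done
    return "$rc"
}

connect_and_audit() {
    [ -n "${DB_PASS:-}" ] || { echo "set DB_PASS in the environment first" >&2; return 1; }
    sudo apt-get install -y mariadb-client
    port_reachable "$TARGET_PRIVATE_IP" 3306 || {
        echo "3306 on $TARGET_PRIVATE_IP is not reachable; check the target's security group" >&2
        return 1
    }
    # --protocol=TCP forces a network connection even if a local socket exists;
    # MYSQL_PWD keeps the password out of the process list, unlike --password=...
    MYSQL_PWD="$DB_PASS" mysql --protocol=TCP --host "$TARGET_PRIVATE_IP" --user "$DB_USER" \
        --batch --skip-column-names -e 'SHOW GRANTS FOR CURRENT_USER()' "$DB_NAME" | audit_grants \
        && echo "connected as $DB_USER@$TARGET_PRIVATE_IP with database-scoped privileges only"
}

if [ "${1:-}" = "check" ]; then connect_and_audit; fi
```

Run it as `DB_PASS='...' sh check-db.sh check` on the bastion. If the audit reports "global scope" or "grant option", the account you are using is the demonstration-only root grant from the previous section and should be replaced with a dedicated user before anything else is built on it.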

Summary

In this article, you learned about setting up a Bastion Host, setting up a private instance and configuring your whole setup to access the private instance by logging into the Bastion Host from the Internet. You can set up as many private instances as needed and access all of these instances from the Bastion Host.
