CDK: Moving Bastion Host to Isolated Network

0

Hello,

I have the following VPC created with CDK:

import { SubnetType, Vpc } from 'aws-cdk-lib/aws-ec2';

// Inside the VPC stack's constructor. Each subnetConfiguration entry needs a
// name (it is a required property of SubnetConfiguration).
this.vpc = new Vpc(this, 'vpc', {
  cidr: '10.0.0.0/21', // newer CDK versions prefer ipAddresses: IpAddresses.cidr('10.0.0.0/21')
  natGateways: 0,      // no NAT: the isolated tier has no path to the internet
  subnetConfiguration: [
    {
      name: 'public',
      subnetType: SubnetType.PUBLIC,
      cidrMask: 24,
    },
    {
      name: 'isolated',
      subnetType: SubnetType.PRIVATE_ISOLATED,
      cidrMask: 28,
    },
  ],
});

The RDS instance is created in the private isolated subnet. When I create a Bastion to access RDS as follows:

import { BastionHostLinux, Port, SecurityGroup, SubnetType } from 'aws-cdk-lib/aws-ec2';

// Inside the stack that receives the VPC via props. The bastion needs no
// inbound rule: Session Manager is initiated by the SSM agent outbound.
const bastionSecurityGroup = new SecurityGroup(this, 'bastion-host-security-group', {
  vpc: props.vpc,
  allowAllOutbound: true,
});

new BastionHostLinux(this, 'bastion-host', {
  vpc: props.vpc,
  // A SubnetSelection is enough here; selectSubnets() is not needed.
  subnetSelection: { subnetType: SubnetType.PUBLIC },
  securityGroup: bastionSecurityGroup,
});

// Let the bastion's security group reach PostgreSQL on the RDS instance.
this.dbSecurityGroup.addIngressRule(bastionSecurityGroup, Port.tcp(5432), 'Allow Access from Bastion', true);

I'm able to access it via SSM normally from my machine. However, if I omit the subnetSelection property and the Bastion is placed in the private isolated network, it is no longer accessible.

I'm unable to get my head around what I need to do to be able to access it without placing it in the public subnet. I understand that I may do so by adding a VPC Interface Endpoint, but I don't see how to do that in the CDK above.

1 Answer
0

In order for an EC2 instance to register with Systems Manager, it requires connectivity to the Systems Manager endpoints. This can either be over the public internet via an Internet Gateway, NAT Gateway, proxy server, etc. Alternatively, you can create VPC endpoints for Systems Manager to keep the traffic within the VPC.

If you do not have VPC endpoints created and the instance is placed in a private subnet, the instance will not have a route to the endpoints for registration and management with Systems Manager.

Here is the CDK documentation for InterfaceVpcEndpoints: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.InterfaceVpcEndpoint.html

If you create the VPC endpoints, then you no longer need the public subnet as the instance can communicate directly with the VPC endpoints for Systems Manager.

AWS
Erik_W
answered 2 years ago
