Placing a Bastion in a Private Isolated Subnet

0

Hello,

I have an RDS instance placed in a Private Isolated Subnet, and I'm trying to create a Bastion that would allow me to gain access to this RDS instance. I can connect to the Bastion using SSM, I do not need SSH. The question is, since I assume that the Bastion needs to access the internet to download and update packages internally, would it "work" if I created it in the same subnet as the RDS instance, or else do I have to create a separate Private (only) subnet for it?

3 Answers
1

The hosts in private subnet can get access to internet by using a network address translation (NAT) gateway that resides in the public subnet. Your bastion host can connect to the internet for software updates using the NAT gateway, but the internet cannot establish connections to the bastion host. So, its up to you if you want your bastion host in the same subnet where your database server is or in a private subnet.

AWS
answered 2 years ago
0

Hello,

If you only want the bastion server to connect to SSM, you can configure VPC Endpoints for Instances with no Internet access.

AWS
SUPPORT ENGINEER
answered 2 years ago
  • Thank you. In this case can't I just add an RDS VPC Endpoint and connect to my RDS instance in my Private Isolated Subnet directly from my local machine without an EC2 instance altogether?

0

If you are only concerned with patches, you could do this:

How can I update yum or install packages without internet access on my EC2 instances running Amazon Linux 1 or Amazon Linux 2?

Then you don't need the NAT Gateway, public subnet, or Internet Gateway.

profile pictureAWS
EXPERT
kentrad
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions