Placing a Bastion in a Private Isolated Subnet

Question

Hello,

I have an RDS instance placed in a Private Isolated Subnet, and I'm trying to create a Bastion that would allow me to gain access to this RDS instance. I can connect to the Bastion using SSM, I do not need SSH. The question is, since I assume that the Bastion needs to access the internet to download and update packages internally, would it "work" if I created it in the same subnet as the RDS instance, or else do I have to create a separate Private (only) subnet for it?

Devinder-theDBGuy · Answer

The hosts in private subnet can get access to internet by using a network address translation (NAT) gateway that resides in the public subnet. Your bastion host can connect to the internet for software updates using the NAT gateway, but the internet cannot establish connections to the bastion host.
So, its up to you if you want your bastion host in the same subnet where your database server is or in a private subnet.

kentrad · Answer

If you are only concerned with patches, you could do this:

[How can I update yum or install packages without internet access on my EC2 instances running Amazon Linux 1 or Amazon Linux 2?](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-al1-al2-update-yum-without-internet/)

Then you don't need the NAT Gateway, public subnet, or Internet Gateway.

JosueAWS · Answer

Hello,

If you only want the bastion server to connect to SSM, you can configure [VPC Endpoints](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html)  for Instances with no Internet access.

Placing a Bastion in a Private Isolated Subnet

Relevant content