CDK: Moving Bastion Host to Isolated Network

0

Hello,

I have the following VPC created with CDK:

this.vpc = new Vpc(this, 'vpc', {
  cidr: '10.0.0.0/21',
  natGateways: 0,
  subnetConfiguration: [
    {
      subnetType: SubnetType.PUBLIC,
      cidrMask: 24,
    },
    {
      subnetType: SubnetType.PRIVATE_ISOLATED,
      cidrMask: 28,
    },
  ],
});

The RDS instance is created in the private isolated subnet. When I create a Bastion to access RDS as follows:

const bastionSecurityGroup = new SecurityGroup(this, 'bastion-host-security-group', {
  vpc: props.vpc,
  allowAllOutbound: true,
});

new BastionHostLinux(this, 'bastion-host', {
  vpc: props.vpc,
  subnetSelection: props.vpc.selectSubnets({ subnetType: SubnetType.PUBLIC }),
  securityGroup: bastionSecurityGroup,
});

this.dbSecurityGroup.addIngressRule(bastionSecurityGroup, Port.tcp(5432), 'Allow Access from Bastion', true);

I'm able to access it via SSM normally from my machine. However, if I omit the subnetSelection property and the Bastion is placed in the private isolated network, it is no longer accessible.

I'm unable to get my head around what I need to do to be able to access it without placing it in the public subnet. I understand that I may do so by adding a VPC Interface Endpoint, but I don't see how to do that in CDK above.

1 Answer
0

In order for an EC2 instance to register with Systems Manager, it requires connectivity to the Systems Manager endpoints. This can either be over the public internet via an Internet Gateway, NAT Gateway, proxy server, etc. Alternatively, you can create VPC endpoints for Systems Manager to keep the traffic within the VPC.

If you do not have VPC endpoints created and the instance is placed in a private subnet, the instance will not have a route to the endpoints for registration and management with Systems Manager.

Here is the CDK documentation for InterfaceVpcEndpoints: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.InterfaceVpcEndpoint.html

If you create the VPC endpoints, then you no longer need the public subnet as the instance can communicate directly with the VPC endpoints for Systems Manager.

Erik_W
answered 10 months ago
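
A pre-deployment check for the endpoint approach described in the answer, as an added example that is not part of the original question or answer: it scans a synthesized CloudFormation template (`cdk synth` output) for the Systems Manager interface endpoints an instance in an isolated subnet depends on. The required-service list, the function names and the sample template are assumptions constructed for illustration.

```typescript
// In CDK the endpoints are created with vpc.addInterfaceEndpoint(id, { service:
// InterfaceVpcEndpointAwsService.SSM }), and likewise SSM_MESSAGES and EC2_MESSAGES.
type Template = { Resources: Record<string, { Type: string; Properties?: any }> };

// Assumption: the endpoint set AWS documents for Session Manager on private
// instances (ec2messages is only needed by older SSM Agent versions).
const REQUIRED = ['ssm', 'ssmmessages', 'ec2messages'];

// ServiceName is a plain string in env-specific stacks and an Fn::Join over
// AWS::Region in env-agnostic ones; flatten both to "com.amazonaws.<region>.<svc>".
function serviceName(v: any): string {
  if (typeof v === 'string') return v;
  if (v && Array.isArray(v['Fn::Join'])) {
    const [sep, parts] = v['Fn::Join'];
    return parts.map((p: any) => (typeof p === 'string' ? p : '<region>')).join(sep);
  }
  return '';
}

// Returns the required services that have no usable interface endpoint.
function missingSsmEndpoints(t: Template): string[] {
  const usable = new Set<string>();
  for (const r of Object.values(t.Resources)) {
    if (r.Type !== 'AWS::EC2::VPCEndpoint') continue;
    const p = r.Properties ?? {};
    // Without private DNS the agent's default regional hostnames still resolve
    // to public addresses, which an isolated subnet has no route to.
    if (p.VpcEndpointType !== 'Interface' || p.PrivateDnsEnabled !== true) continue;
    usable.add(serviceName(p.ServiceName).split('.').pop() ?? '');
  }
  return REQUIRED.filter((s) => !usable.has(s));
}

// Constructed sample template fragment (not taken from the original post).
const sample: Template = {
  Resources: {
    SsmEp: { Type: 'AWS::EC2::VPCEndpoint', Properties: {
      VpcEndpointType: 'Interface', PrivateDnsEnabled: true,
      ServiceName: 'com.amazonaws.eu-west-1.ssm' } },
    MsgEp: { Type: 'AWS::EC2::VPCEndpoint', Properties: {
      VpcEndpointType: 'Interface', PrivateDnsEnabled: true,
      ServiceName: { 'Fn::Join': ['', ['com.amazonaws.', { Ref: 'AWS::Region' }, '.ssmmessages']] } } },
    Bastion: { Type: 'AWS::EC2::Instance' },
  },
};

console.log(missingSsmEndpoints(sample));
```

The endpoint security group must also allow inbound TCP 443 from the bastion for the agent to connect; this check does not inspect security groups.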
