CDK: Moving Bastion Host to Isolated Network

Hello,

I have the following VPC created with CDK:

import { Vpc, SubnetType } from 'aws-cdk-lib/aws-ec2';

// No NAT gateways: the isolated subnets have no route to the internet at all.
this.vpc = new Vpc(this, 'vpc', {
  cidr: '10.0.0.0/21',
  natGateways: 0,
  subnetConfiguration: [
    {
      subnetType: SubnetType.PUBLIC,
      cidrMask: 24,
    },
    {
      subnetType: SubnetType.PRIVATE_ISOLATED,
      cidrMask: 28,
    },
  ],
});

The RDS instance is created in the private isolated subnet. When I create a Bastion to access RDS as follows:

import { BastionHostLinux, Port, SecurityGroup, SubnetType } from 'aws-cdk-lib/aws-ec2';

const bastionSecurityGroup = new SecurityGroup(this, 'bastion-host-security-group', {
  vpc: props.vpc,
  allowAllOutbound: true,
});

// Placed in the public subnet so the SSM agent can reach the Systems Manager endpoints.
new BastionHostLinux(this, 'bastion-host', {
  vpc: props.vpc,
  subnetSelection: props.vpc.selectSubnets({ subnetType: SubnetType.PUBLIC }),
  securityGroup: bastionSecurityGroup,
});

// Allow PostgreSQL from the bastion's security group only.
this.dbSecurityGroup.addIngressRule(bastionSecurityGroup, Port.tcp(5432), 'Allow Access from Bastion', true);

I'm able to access it via SSM normally from my machine. However, if I omit the subnetSelection property and the Bastion is placed in the private isolated network, it is no longer accessible.

I'm unable to get my head around what I need to do to be able to access it without placing it in the public subnet. I understand that I may do so by adding a VPC Interface Endpoint, but I don't see how to do that in the CDK above.

1 answer

In order for an EC2 instance to register with Systems Manager, it requires connectivity to the Systems Manager endpoints. This can be over the public internet via an Internet Gateway, NAT Gateway, proxy server, etc. Alternatively, you can create VPC endpoints for Systems Manager to keep the traffic within the VPC.

If you do not have VPC endpoints created and the instance is placed in a private subnet, the instance will not have a route to the endpoints for registration and management with Systems Manager.

Here is the CDK documentation for InterfaceVpcEndpoints: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.InterfaceVpcEndpoint.html

If you create the VPC endpoints, then you no longer need the public subnet as the instance can communicate directly with the VPC endpoints for Systems Manager.

AWS
Erik_W
Answered 2 years ago
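The following is an added example, not code from the question or the answer above. The SSM agent needs three interface endpoints, for the `ssm`, `ssmmessages` and `ec2messages` services, in the subnets the bastion runs in, with private DNS enabled (so the agent's default service hostnames resolve to the endpoint ENIs) and an endpoint security group that admits TCP 443 from the bastion's security group. The block below models the `AWS::EC2::VPCEndpoint` resources that CDK's `InterfaceVpcEndpoint` construct synthesizes for that setup and adds a check that reports why an instance in a given subnet would fail to register; it runs offline against a constructed template. The region `us-east-1`, the VPC and subnet ids and the logical ids `BastionSg`/`SsmEndpointSg` are assumptions for the sample.

```typescript
// Added example (not from the original post or from AWS): a small model of the
// CloudFormation that CDK synthesizes for SSM interface endpoints, plus a check
// that a bastion in an isolated subnet can actually reach Systems Manager.

type Resource = { Type: string; Properties: Record<string, any> };
type Template = { Resources: Record<string, Resource> };

// The SSM agent registers and keeps a session channel through all three services.
const SSM_SERVICES = ['ssm', 'ssmmessages', 'ec2messages'] as const;

interface EndpointOpts {
  region: string;       // e.g. 'us-east-1' (assumed for the sample below)
  vpcId: string;
  subnetIds: string[];  // the isolated subnets the bastion is placed in
  bastionSgId: string;  // logical id of the bastion's security group
}

// Adds an endpoint security group that only allows HTTPS from the bastion SG,
// and one interface endpoint per SSM service with private DNS enabled.
function addSsmEndpoints(t: Template, o: EndpointOpts): Template {
  t.Resources.SsmEndpointSg = {
    Type: 'AWS::EC2::SecurityGroup',
    Properties: {
      GroupDescription: 'HTTPS from bastion to SSM interface endpoints',
      VpcId: o.vpcId,
      SecurityGroupIngress: [
        { IpProtocol: 'tcp', FromPort: 443, ToPort: 443, SourceSecurityGroupId: { Ref: o.bastionSgId } },
      ],
    },
  };
  for (const svc of SSM_SERVICES) {
    t.Resources[`${svc}Endpoint`] = {
      Type: 'AWS::EC2::VPCEndpoint',
      Properties: {
        ServiceName: `com.amazonaws.${o.region}.${svc}`,
        VpcEndpointType: 'Interface',
        VpcId: o.vpcId,
        SubnetIds: o.subnetIds,
        PrivateDnsEnabled: true,
        SecurityGroupIds: [{ Ref: 'SsmEndpointSg' }],
      },
    };
  }
  return t;
}

// Lists what would keep an instance in `subnetId` (security group `sgId`) from
// registering with SSM through VPC endpoints. An empty list means it can.
function ssmReachabilityProblems(t: Template, region: string, subnetId: string, sgId: string): string[] {
  const problems: string[] = [];
  const endpoints = Object.values(t.Resources).filter(
    r => r.Type === 'AWS::EC2::VPCEndpoint' && r.Properties.VpcEndpointType === 'Interface');
  for (const svc of SSM_SERVICES) {
    const name = `com.amazonaws.${region}.${svc}`;
    const ep = endpoints.find(e => e.Properties.ServiceName === name);
    if (!ep) { problems.push(`no interface endpoint for ${name}`); continue; }
    if (!ep.Properties.PrivateDnsEnabled) problems.push(`${name}: PrivateDnsEnabled is false`);
    if (!ep.Properties.SubnetIds.includes(subnetId)) problems.push(`${name}: not deployed in ${subnetId}`);
    // The endpoint SG must admit 443 from the instance's SG (or a CIDR rule,
    // assumed here to be the VPC CIDR, which is what CDK's default endpoint SG uses).
    const allowed = (ep.Properties.SecurityGroupIds as { Ref: string }[]).some(ref => {
      const rules: any[] = t.Resources[ref.Ref]?.Properties.SecurityGroupIngress ?? [];
      return rules.some(rule =>
        rule.IpProtocol === 'tcp' && rule.FromPort <= 443 && rule.ToPort >= 443 &&
        (rule.SourceSecurityGroupId?.Ref === sgId || typeof rule.CidrIp === 'string'));
    });
    if (!allowed) problems.push(`${name}: endpoint SG does not allow 443 from ${sgId}`);
  }
  return problems;
}

// Constructed sample mirroring the question: no NAT, bastion in an isolated subnet.
function demo(): { before: string[]; after: string[] } {
  const region = 'us-east-1';
  const t: Template = { Resources: {
    BastionSg: { Type: 'AWS::EC2::SecurityGroup', Properties: { VpcId: 'vpc-0123', GroupDescription: 'bastion' } },
  } };
  const before = ssmReachabilityProblems(t, region, 'subnet-isolated-a', 'BastionSg');
  addSsmEndpoints(t, { region, vpcId: 'vpc-0123', subnetIds: ['subnet-isolated-a', 'subnet-isolated-b'], bastionSgId: 'BastionSg' });
  const after = ssmReachabilityProblems(t, region, 'subnet-isolated-a', 'BastionSg');
  return { before, after };
}

const result = demo();
console.log('before endpoints:', result.before);
console.log('after endpoints:', result.after);
```

In the CDK stack from the question the equivalent is three calls such as `props.vpc.addInterfaceEndpoint('SsmEndpoint', { service: InterfaceVpcEndpointAwsService.SSM, subnets: { subnetType: SubnetType.PRIVATE_ISOLATED } })`, repeated with `InterfaceVpcEndpointAwsService.SSM_MESSAGES` and `InterfaceVpcEndpointAwsService.EC2_MESSAGES`, after which the `subnetSelection` on `BastionHostLinux` can point at `PRIVATE_ISOLATED`. Two caveats: `privateDnsEnabled` requires DNS hostnames and DNS support on the VPC (the CDK `Vpc` construct enables both by default), and once the bastion has no internet path it is worth replacing `allowAllOutbound: true` with explicit egress rules to the endpoint security group on 443 and to the database on 5432.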
