I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. So, there is a NAT server in public subnet which forward all outbound traffic from private subnet to outer network.
Currently, I can SSH from public subnet to private subnet, also SSH from NAT to private subnet.
However, what I want is SSH from any machine(home laptop, office machine and mobile) to instances in private subnet.
I have done some research that I can setup the NAT box to forward SSH to instance in private subnet. But I got not luck for this.
Can anyone list what I need to setup to make this possible.
Naming are :
laptop (any device outside the VPC)
nat (the NAT server in the public subnet)
destination (the server in the private subnet which I want to connect to)
Not sure following are limitations or not:
The "destination" does not have a public IP, only a subnet ip, for example 10.0.0.1
The "destination" can not connect to "nat" via nat's public.
There are several "destination" servers, do I need to setup one for each?
Thanks
Answer
You can set up a bastion host to connect to any instance within your VPC:
You can choose to launch a new instance that will function as a bastion host, or use your existing NAT instance as a bastion.
If you create a new instance, as an overview, you will:
1) create a security group for your bastion host that will allow SSH access from your laptop (note this security group for step 4)
2) launch a separate instance (bastion) in a public subnet in your VPC
3) give that bastion host a public IP either at launch or by assigning an Elastic IP
4) update the security groups of each of your instances that don't have a public IP to allow SSH access from the bastion host. This can be done using the bastion host's security group ID (sg-#####).
5) use SSH agent forwarding (ssh -A user@publicIPofBastion) to connect first to the bastion, and then once in the bastion,SSH into any internal instance (ssh user@private-IP-of-Internal-Instance). Agent forwarding takes care of forwarding your private key so it doesn't have to be stored on the bastion instance (never store private keys on any instance!!)
The AWS blog post above should be able to provide some nitty gritty regarding the process. I've also included the below in case you wanted extra details about bastion hosts:
Concept of Bastion Hosts:
http://en.m.wikipedia.org/wiki/Bastion_host
If you need clarification, feel free to comment.