Creating a bastion host

If you have ever had an interest in early modern fortifications, the word bastion should sound familiar to you. A bastion is a structure projecting outward from the outer wall of a fortification. Just like early modern fortresses, computer networks require multi-layer protection against external attacks. Such network bastions are called bastion hosts, and they form part of a network perimeter.

A bastion host is a virtual machine with a public IP address assigned to it to enable SSH access. Once set up, the bastion host acts as a jump server allowing you to securely connect to VMs with no public IP addresses. In this guide, you will learn how to deploy a bastion host and secure your access to remote virtual machines residing inside your virtual private cloud (VPC).

A bastion host will help you make your VPC servers less vulnerable. You will administer specific servers via a proxy connection through a bastion host over SSH.

To create a bastion host:

1. Get your cloud ready.
2. Create an SSH key pair.
3. Create networks.
4. Create security groups.
5. Reserve a static public IP address.
6. Create a virtual machine for your bastion host.
7. Test your bastion host.
8. Add a virtual server to your bastion host internal segment.
9. Connect to the VM you created.

If you no longer need the resources you created, delete them.

Getting startedGetting started

Sign up in Yandex Cloud and create a billing account:

1. Navigate to the management console and log in to Yandex Cloud or register a new account.
2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resourcesRequired paid resources

The infrastructure support cost includes:

• Fee for disks and continuously running VMs (see Yandex Compute Cloud pricing).
• Fee for a public IP address (see Yandex Virtual Private Cloud pricing).

Create an SSH key pairCreate an SSH key pair

To connect to a VM over SSH, you need a key pair: the public key resides on the VM, and the private one is kept by the user. This method is more secure than connecting with login and password.

Cisco Cloud Services Router (CSR) 1000v only supports keys generated using the RSA algorithm.

To create a key pair:

Create an external and internal networkCreate an external and internal network

Create an external network and subnetCreate an external network and subnet

Create an internal network and subnetCreate an internal network and subnet

Create security groupsCreate security groups

Create a security group for your bastion hostCreate a security group for your bastion host

Create a security group and make the bastion host accessible from the internet by configuring its inbound traffic rules.

Create a security group for internal hostsCreate a security group for internal hosts

Create a security group and set up rules for inbound traffic from the bastion host to internal hosts:

Reserve a static public IP addressReserve a static public IP address

The bastion host will need a static public IP address.

Create a VM for the bastion hostCreate a VM for the bastion host

After you created the subnet and security group, create a virtual server for the bastion host:

Test the bastion hostTest the bastion host

After you start your bastion host, try to connect to it with the SSH client:

ssh -i ~/.ssh/<name_of_private_key_file> bastion@<public_IP_address_of_bastion_host>

Add a virtual server to the bastion host internal segmentAdd a virtual server to the bastion host internal segment

To administer your servers, add a network interface to the internal network segment of the bastion host, bastion-internal-segment.

If you already have a virtual machine, add another network interface to it. If not, create a new VM to test your bastion host configuration:

Connect to the created VMConnect to the created VM

When connecting to the VM internal IP address over SSH, you will use your bastion host as a jump host.

To configure SSH access via jump host, add the -J (ProxyJump) parameter to the SSH command:

ssh -i ~/.ssh/<name_of_private_key_file> -J bastion@<public_IP_address_of_bastion_host> test@<internal_IP_address_of_virtual_server>

The SSH client will automatically connect to the internal server.

You can use the -J flag in OpenSSH version 7.3 or higher. In earlier versions, -J is not available. The easiest and most secure alternative is to use standard I/O redirection (the -W flag) to forward the connection through the bastion host. Here is an example:

ssh -i ~/.ssh/<name_of_private_key_file> -o ProxyCommand="ssh -W %h:%p bastion@<public_IP_address_of_bastion_host>" test@<internal_IP_address_of_virtual_server>

Additional connection optionsAdditional connection options

Using an SSH agent for connection via the bastion hostUsing an SSH agent for connection via the bastion host

By default, you can only authenticate on the server using a public SSH key. We do not recommend storing keys directly on your bastion host, especially without a passphrase. Use an SSH agent instead. In this case, you will store private SSH keys on your computer only and will be able to safely use them for authentication on the internal server.

To add a key to your authentication agent, use the ssh-add command. If the key is stored in the ~/.ssh/id_rsa file, it is added automatically. You can also select a specific key by running the command below:

ssh-add <key_file_path>

If you use macOS, you can configure the ~/.ssh/config file and use the following command to add keys to the agent:

AddKeysToAgent yes

The following command connects you to the bastion host and forwards your agent to log in to the internal server using the credentials from your local computer:

ssh -A bastion@<public_IP_address_of_bastion_host>

If you use Windows, add your private keys to the Pageant tool, then open the PuTTY configuration window, select Connection → SSH → Authentication, and configure your agent forwarding.

Access to services through SSH tunnelsAccess to services through SSH tunnels

Sometimes, SSH access alone is not enough to accomplish your task. In this case, use SSH tunnels allowing you to connect to services requiring inbound connections, e.g., web applications.

There are three main types of SSH tunnels: local, remote, and dynamic:

• A local tunnel is an open port on a loopback interface routing your connections to your SSH server IP:port address.

  For example, you can connect local port 8080 to the web_server_IP_address:80 address accessible from your bastion host and then open http://localhost:8080 in your browser:

  ssh bastion@<public_IP_address_of_bastion_host> -L 8080:<web_server_IP_address>:80
  

• A remote tunnel works in the direction opposite to that of the local tunnel by opening a local port for incoming connections from a remote server.

• A dynamic tunnel is a SOCKS proxy on your local port with connections originating from a remote host. For example, you can set up a dynamic tunnel on port 1080 and then specify it as a SOCKS proxy in your browser. As a result, you will be able to connect to any resources residing in a private subnet and accessible from your bastion host.

  ssh bastion@<public_IP_address_of_bastion_host> -D 1080
  

Those techniques are a simpler replacement that in many cases would require VPN connection and can be combined with ProxyJump or ProxyCommand connections.

If you use Windows, you can set up tunnels in PuTTY by selecting Connection → SSH → Tunnels.

You can use port forwarding, especially a local one, to establish connections to Remote Desktop Services (RDS), i.e., Windows hosts running in a cloud, by tunneling port 3389 and then connecting to localhost with an RDS client. If the RDS client is already listening on the local machine, you can use another port as shown in the example below:

ssh bastion@<public_IP_address_of_bastion_host> -L 3390:<Windows_host_IP_address>:3389

File transfersFile transfers

Linux clients and servers can securely transfer files through the bastion host to internal hosts and back via SCP by using ProxyCommand and ProxyJump options. Here is an example:

scp -o "ProxyJump bastion@<public_IP_address_of_bastion_host>" <file_name> bastion@<internal_IP_address_of_virtual_server>:<path_to_file>

If you use Windows, one of the most popular SCP applications is WinSCP. To transfer files through your bastion host to a remote Linux machine:

1. Create a session with a private host IP address without a password. Configure an SSH key on the Linux machine.
2. In the left-hand navigation menu, click Advanced and select Tunnel.
3. Specify your bastion host IP address and username. In the Private key file field, select the private key you will use to authenticate with your bastion host.
4. In the left-hand navigation menu, under SSH, select Authentication.
5. Make sure to select Allow agent forwarding.
6. Select the private key you will use to authenticate with the private host.

This configuration enables direct file transfer between your Windows machine and Linux private host protected by bastion.

For Windows hosts behind a Linux bastion, you can transfer files by using RDP and tunneling. This method ensures an efficient and secure file transfer.

How to delete the resources you createdHow to delete the resources you created

To stop paying for the resources you created:

• Delete the VM.
• Delete the static public IP address.