Creating a bastion host

If you have ever had an interest in early modern fortifications, the word bastion should sound familiar to you. A bastion is a structure projecting outward from the outer wall of a fortification. Just like early modern fortresses, computer networks require multi-layer protection against external attacks. Such network bastions are called bastion hosts, and they form part of a network perimeter.

A bastion host is a virtual machine with a public IP address assigned to it to enable SSH access. With a bastion host configured, you get sort of a jump server allowing you to establish secure connections to virtual machines that have no public IP addresses. In this guide, you will learn how to deploy a bastion host and secure your access to remote virtual machines residing inside your virtual private cloud (VPC).

A bastion host will help you make your VPC servers less vulnerable. Administration of specific servers will be carried out within a proxy connection via a bastion host over SSH.

To create a bastion host:

1. Prepare your cloud.
2. Create an SSH key pair.
3. Create networks.
4. Create security groups.
5. Reserve a static public IP address.
6. Create a virtual machine for your bastion host.
7. Test your bastion host.
8. Add a virtual server to your bastion host's internal segment.
9. Connect to the VM you created.

If you no longer need the resources you created, delete them.

Getting startedGetting started

Sign up for Yandex Cloud and create a billing account:

1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resourcesRequired paid resources

The infrastructure support cost includes:

• Fee for disks and continuously running VMs (see Yandex Compute Cloud pricing).
• Fee for using an external IP address (see Yandex Virtual Private Cloud pricing).

Create an SSH key pairCreate an SSH key pair

To connect to a VM over SSH, you need a key pair: the public key resides on the VM, and the private one is kept by the user. This method is more secure than connecting with login and password.

Cisco Cloud Services Router (CSR) 1000v only supports keys generated using the RSA algorithm.

To create a key pair:

Create an external network and an internal oneCreate an external network and an internal one

Create an external network and subnetCreate an external network and subnet

Create an internal network and subnetCreate an internal network and subnet

Create security groupsCreate security groups

Create a security group for your bastion hostCreate a security group for your bastion host

Create a security group and configure the rules for the bastion host's inbound traffic for it to be accessible from the internet.

Create a security group for internal hostsCreate a security group for internal hosts

Create a security group and set up rules for incoming traffic from the bastion host to internal hosts:

Reserve a static public IP addressReserve a static public IP address

The bastion host will need a static public IP address to run.

Create a VM for the bastion hostCreate a VM for the bastion host

After you created the subnet and security group, proceed to create a virtual server for the bastion host:

Test the bastion hostTest the bastion host

After you start your bastion host, try to connect to it via the SSH client:

ssh -i ~/.ssh/<private_key_file_name> bastion@<public_IP_address_of_bastion_host>

Add a virtual server to the internal segment of the bastion hostAdd a virtual server to the internal segment of the bastion host

To administer your servers, add a network interface to the internal network segment of the bastion host: bastion-internal-segment.

If you already have a virtual machine, add another network interface to it. If not, create a new machine to test your bastion host configuration:

Connect to the created VMConnect to the created VM

If connecting to the VM over SSH via an internal IP address, you will use your bastion host as a jump host.

To simplify and configure SSH access, add the -J (ProxyJump) parameter to the SSH command:

ssh -i ~/.ssh/<private_key_file_name> -J bastion@<public_IP_address_of_bastion_host> test@<internal_IP_address_of_virtual_server>

The SSH client will automatically connect to the internal server.

You can use the -J flag in OpenSSH version 7.3 or higher. In earlier versions, -J is not available. In this case, the easiest and most secure way is to use standard I/O redirection (the -W flag) for connection forwarding through the bastion host, e.g.:

ssh -i ~/.ssh/<private_key_file_name> -o ProxyCommand="ssh -W %h:%p bastion@<public_IP_address_of_bastion_host>" test@<internal_IP_address_of_virtual_server>

Additional connection optionsAdditional connection options

Using an SSH agent for connections via the bastion hostUsing an SSH agent for connections via the bastion host

By default, server access is only set up for authentication using a public SSH key. We do not recommend storing keys directly on your bastion hosts, especially without a passphrase. Use an SSH agent instead. In this case, private SSH keys will only be stored on your computer and you will be able to safely use them for authentication on the next server.

To add a key to an authentication agent, use the ssh-add command. If the key is stored in the ~/.ssh/id_rsa file, it is added automatically. You can also set a specific key to use by running the command below:

ssh-add <key_file_path>

macOS users can set up the ~/.ssh/config file on their own. In this case, the keys can be uploaded to the agent with this command:

AddKeysToAgent yes

The following command used to connect to the bastion host allows you to perform agent forwarding and log in to the next server by providing the credentials from your local machine:

ssh -A bastion@<public_IP_address_of_the_bastion_host>

Windows users can use Pageant and upload their private key file to it. Next, to ensure agent forwarding, open the PuTTY configuration window and select Connection → SSH → Authentication.

Access to services through SSH tunnelsAccess to services through SSH tunnels

Sometimes, SSH access alone is not enough to complete your task. If that is the case, use SSH tunnels to easily connect to web applications and other services used to process inbound connections.

The main types of SSH tunnels are local, remote, and dynamic:

• A local tunnel is an open port in a local loopback interface, which connects to the IP:port address on your SSH server.

  For example, you can connect local port 8080 to the web_server_IP_address:80 address accessible from your bastion host and then open http://localhost:8080 in your browser:

  ssh bastion@<public_IP_address_of_the_bastion_host> -L 8080:<web_server_IP_address>:80
  

• A remote tunnel works in the direction opposite to that of the local tunnel by opening a local port for connection to a remote server.

• A dynamic tunnel provides a SOCKS proxy on a local port with connections established from a remote host. For example, you can set up a dynamic tunnel on port 1080 and then specify it as a SOCKS proxy in your browser. As a result, you will be able to connect to any resources that are accessible from your bastion host and reside in a private subnet.

  ssh bastion@<public_IP_address_of_the_bastion_host> -D 1080
  

These methods rely on simple replacement that often requires a VPN connection as well as a combination with ProxyJump or ProxyCommand connections.

Windows users can set up tunnels using PuTTY by selecting Connection → SSH → Tunnels.

For easy connections to Remote Desktop Services (RDS), i.e., Windows hosts running in a cloud, you can use port redirection (especially the local one) by establishing a tunnel connection to port 3389 and then connecting to the localhost via an RDS client. If the RDS client is already awaiting connection on the local machine, you can choose a different port as shown in the example below:

ssh bastion@<public_IP_address_of_the_bastion_host> -L 3390:<IP_address_of_the_Windows_host>:3389

Transferring filesTransferring files

For the Linux clients and servers, you can configure SCP for secure file transfer through the bastion host to internal hosts and back. Do this using the same ProxyCommand and ProxyJump options specified in the SSH command line. For example:

scp -o "ProxyJump bastion@<public_IP_address_of_bastion_host>" <file_name> bastion@<internal_IP_address_of_virtual_server>:<file_path>

If you are a Windows client user, one of the most popular SCP applications for Windows is WinSCP. To transfer files via your bastion host to a remote Linux machine:

1. Create a session to connect to a private host IP without a password. Set up an SSH key on the Linux machine.
2. In the left-hand navigation menu, click Advanced and select Tunnel.
3. Enter the IP address and username for your bastion host. In the Private key file field, select and set the private key file to use for authentication on your bastion host.
4. In the left-hand navigation menu, select Authentication under SSH.
5. Make sure to select Allow agent forwarding.
6. Choose the private key to use for authentication on a private host.

This configuration enables a direct file transfer between your Windows machine and Linux private host. The bastion host will secure connections between them.

If using Windows hosts residing behind a Linux bastion, you can transfer files using RDP via a tunnel. This method ensures an efficient and secure file transfer.

How to delete the resources you createdHow to delete the resources you created

To stop paying for the resources you created:

• Delete the VM.
• Delete the static public IP address.