Creating a bastion host
- Getting started
- Create an SSH key pair
- Create an external network and an internal one
- Create security groups
- Reserve a static public IP address
- Create a VM for the bastion host
- Test the bastion host
- Add a virtual server to the internal segment of the bastion host
- Connect to the created VM
- Additional connection options
- How to delete the resources you created
If you have ever had an interest in early modern fortifications, the word bastion should sound familiar to you. A bastion is a structure projecting outward from the outer wall of a fortification. Just like early modern fortresses, computer networks require multi-layer protection against external attacks. Such network bastions are called bastion hosts, and they form part of a network perimeter.
A bastion host is a virtual machine with a public IP address assigned to it to enable SSH access. With a bastion host configured, you get sort of a jump server
A bastion host will help you make your VPC servers less vulnerable. Administration of specific servers will be carried out within a proxy connection via a bastion host over SSH.
To create a bastion host:
- Prepare your cloud.
- Create an SSH key pair.
- Create networks.
- Create security groups.
- Reserve a static public IP address.
- Create a virtual machine for your bastion host.
- Test your bastion host.
- Add a virtual server to your bastion host's internal segment.
- Connect to the VM you created.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost includes:
- Fee for disks and continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using an external IP address (see Yandex Virtual Private Cloud pricing).
Create an SSH key pair
To connect to a VM over SSH, you need a key pair: the public key resides on the VM, and the private one is kept by the user. This method is more secure than connecting with login and password.
Note
SSH connections using a login and password are disabled by default on public Linux images that are provided by Yandex Cloud.
Cisco Cloud Services Router (CSR) 1000v only supports keys generated using the RSA algorithm.
To create a key pair:
-
Open the terminal.
-
Use the
ssh-keygen
command to create a new key:ssh-keygen -t rsa -b 2048
After you run the command, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is
id_rsa
. Keys are created in the~/.ssh
directory.The public part of the key will be saved to the
<key_name>.pub
file.
-
Run
cmd.exe
orpowershell.exe
. -
Use the
ssh-keygen
command to create a new key:ssh-keygen -t rsa -b 2048
After you run the command, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is
id_rsa
. The keys are created inC:\Users\<username>\.ssh\
orC:\Users\<username>\
depending on the command-line interface.The public part of the key will be saved to a file named
<key name>.pub
.
Create keys using the PuTTY app:
-
Download
and install PuTTY. -
Make sure that the directory where you installed PuTTY is included in
PATH
:- Right-click My computer. Click Properties.
- In the window that opens, select Additional system parameters, then Environment variables (located in the lower part of the window).
- Under System variables, find
PATH
and click Edit. - In the Variable value field, append the path to the directory where you installed PuTTY.
-
Launch the PuTTYgen app.
-
Select RSA for the type of pair to generate and set the length to 2048. Click Generate and move the cursor in the field above it until key creation is complete.
-
In Key passphrase, enter a strong password. Enter it again in the field below.
-
Click Save private key and save the private key. Do not share its key phrase with anyone.
-
Save the key to a text file. To do this, copy the public key from the text field to a text file with the name
id_rsa.pub
. Please note that the key must be written as a single line (no returns or line breaks).
Warning
Save the private key in a secure location, as you will not be able to connect to the VM without it.
Create an external network and an internal one
Create an external network and subnet
-
In the management console
, go the folder where you want to create an infrastructure for your bastion host. -
In the list of services, select Virtual Private Cloud.
-
In the top-right corner, click Create network.
-
Enter the network name:
external-bastion-network
. -
Disable the Create subnets option.
-
Click Create network.
-
Create a subnet:
-
At the top right, click Create subnet.
-
Specify the subnet parameters:
- Name:
bastion-external-segment
- Zone:
ru-central1-b
- CIDR:
172.16.17.0/28
- Name:
-
Click Create subnet.
-
Create an internal network and subnet
-
In the management console
, go the folder where you want to create an infrastructure for your bastion host. -
In the list of services, select Virtual Private Cloud.
-
In the top-right corner, click Create network.
-
Enter the network name:
internal-bastion-network
. -
Disable the Create subnets option.
-
Click Create network.
-
Create a subnet:
-
At the top right, click Create subnet.
-
Specify the subnet parameters:
- Name:
bastion-internal-segment
- Zone:
ru-central1-b
- CIDR:
172.16.16.0/24
- Name:
-
Click Create subnet.
-
Create security groups
Create a security group for your bastion host
Create a security group and configure the rules for the bastion host's inbound traffic for it to be accessible from the internet.
-
In the management console
, go the folder where you want to create an infrastructure for your bastion host. -
In the list of services, select Virtual Private Cloud and the
external-bastion-network
network. -
In the left-hand menu, select
Security groups. -
Click Create security group.
-
Enter the security group name:
secure-bastion-sg
. -
Under Rules, go to the Ingress tab and click Add rule.
-
Specify the rule settings:
- Port range:
22
- Protocol:
TCP
- Source:
CIDR
- CIDR blocks:
0.0.0.0/0
- Port range:
-
Click Save in the rule creation window and then in the security group creation window.
Create a security group for internal hosts
Create a security group and set up rules for incoming traffic from the bastion host to internal hosts:
-
In the management console
, go the folder where you want to create an infrastructure for your bastion host. -
In the list of services, select Virtual Private Cloud and the
internal-bastion-network
network. -
In the left-hand menu, select
Security groups. -
Click Create security group.
-
Enter the security group name:
internal-bastion-sg
. -
Under Rules, go to the Ingress tab and click Add rule.
-
Specify the rule settings:
- Port range:
22
- Protocol:
TCP
- Source:
CIDR
- CIDR blocks:
172.16.16.254/32
- Port range:
-
Click Save in the rule creation window.
-
Go to the Egress tab and click Add rule.
-
Specify the rule settings:
- Port range:
22
- Protocol:
TCP
- Destination name:
Security group
- Security group:
Current
- Port range:
-
Click Save in the rule creation window and then in the security group creation window.
Reserve a static public IP address
The bastion host will need a static public IP address to run.
- In the management console
, go the folder where you want to create an infrastructure for your bastion host. - In the list of services, select Virtual Private Cloud.
- In the left-hand panel, select
IP addresses. - Click Reserve address.
- In the window that opens, select the
ru-central1-b
availability zone. - Click ** Reserve**.
Create a VM for the bastion host
After you created the subnet and security group, proceed to create a virtual server for the bastion host:
-
In the management console
, go the folder where you want to create an infrastructure for your bastion host. -
In the list of services, select Compute Cloud.
-
At the top right, click Create virtual machine.
-
Enter the VM name:
bastion-host
. -
Select the
ru-central1-b
availability zone. -
Under Boot disk image:
- In the Marketplace tab, select the NAT instance powered by Ubuntu 22.04 LTS product.
- Click Use.
-
Under Network settings, configure the first network interface:
- Subnet:
bastion-external-segment
. - Public IP: Click List and select the IP address reserved earlier.
- Security groups:
secure-bastion-sg
.
- Subnet:
-
Click Add network interface and configure the second network interface:
-
Subnet:
bastion-internal-segment
-
Public IP:
No address
-
Security groups:
internal-bastion-sg
-
Expand the Advanced section:
-
In the Internal IPv4 address field, select List.
-
Click Reserve. In the window that opens:
- In the Internal IPv4 address field, enter
172.16.16.254
. - Click Create.
- In the Internal IPv4 address field, enter
-
Note
Make sure the first interface on the new VM belongs to an external segment, since the default gateway is automatically specified on this interface.
Specify a public IP address for the external segment only. For the internal segment, specify an internal static IP address.
-
-
Under Access, enter
bastion
for the username in the Login field. -
In the SSH key field, paste the contents of the public key file.
-
Click Create VM.
As soon as the server VM starts and gets the Running status, you will see the public IP address assigned to it in the Public IP address field.
Test the bastion host
After you start your bastion host, try to connect to it via the SSH client:
ssh -i ~/.ssh/<private_key_file_name> bastion@<public_IP_address_of_bastion_host>
Add a virtual server to the internal segment of the bastion host
To administer your servers, add a network interface to the internal network segment of the bastion host: bastion-internal-segment
.
If you already have a virtual machine, add another network interface to it. If not, create a new machine to test your bastion host configuration:
-
In the management console
, go the folder where you want to create an infrastructure for your bastion host. -
In the list of services, select Compute Cloud.
-
At the top right, click Create virtual machine.
-
Enter the VM name:
test-vm
. -
Select the
ru-central1-b
availability zone. -
Under Boot disk image, select an operating system.
-
Under Network settings, configure a network interface:
- Subnet:
bastion-internal-segment
- Public IP:
No address
- Internal IPv4 address:
Auto
- Security groups:
internal-bastion-sg
- Subnet:
-
Under Access:
- Disable the Access by OS Login option.
- In the Login field, enter the username:
test
. - In the SSH key field, paste the contents of the public key file.
-
Click Create VM.
Connect to the created VM
If connecting to the VM over SSH via an internal IP address, you will use your bastion host as a jump host.
To simplify and configure SSH access, add the -J
(ProxyJump) parameter to the SSH command:
ssh -i ~/.ssh/<private_key_file_name> -J bastion@<public_IP_address_of_bastion_host> test@<internal_IP_address_of_virtual_server>
The SSH client will automatically connect to the internal server.
You can use the -J
flag in OpenSSH version 7.3 or higher. In earlier versions, -J
is not available. In this case, the easiest and most secure way is to use standard I/O redirection (the -W
flag) for connection forwarding through the bastion host, e.g.:
ssh -i ~/.ssh/<private_key_file_name> -o ProxyCommand="ssh -W %h:%p bastion@<public_IP_address_of_bastion_host>" test@<internal_IP_address_of_virtual_server>
Additional connection options
Using an SSH agent for connections via the bastion host
By default, server access is only set up for authentication using a public SSH key. We do not recommend storing keys directly on your bastion hosts, especially without a passphrase. Use an SSH agent instead. In this case, private SSH keys will only be stored on your computer and you will be able to safely use them for authentication on the next server.
To add a key to an authentication agent, use the ssh-add
command. If the key is stored in the ~/.ssh/id_rsa
file, it is added automatically. You can also set a specific key to use by running the command below:
ssh-add <key_file_path>
macOS users can set up the ~/.ssh/config
file on their own. In this case, the keys can be uploaded to the agent with this command:
AddKeysToAgent yes
The following command used to connect to the bastion host allows you to perform agent forwarding and log in to the next server by providing the credentials from your local machine:
ssh -A bastion@<public_IP_address_of_the_bastion_host>
Windows users can use Pageant and upload their private key file to it. Next, to ensure agent forwarding, open the PuTTY
Access to services through SSH tunnels
Sometimes, SSH access alone is not enough to complete your task. If that is the case, use SSH tunnels to easily connect to web applications and other services used to process inbound connections.
The main types of SSH tunnels are local, remote, and dynamic:
-
A local tunnel is an open port in a local loopback interface, which connects to the
IP:port
address on your SSH server.For example, you can connect local port 8080 to the
web_server_IP_address:80
address accessible from your bastion host and then openhttp://localhost:8080
in your browser:ssh bastion@<public_IP_address_of_the_bastion_host> -L 8080:<web_server_IP_address>:80
-
A remote tunnel works in the direction opposite to that of the local tunnel by opening a local port for connection to a remote server.
-
A dynamic tunnel provides a SOCKS proxy on a local port with connections established from a remote host. For example, you can set up a dynamic tunnel on port 1080 and then specify it as a SOCKS proxy in your browser. As a result, you will be able to connect to any resources that are accessible from your bastion host and reside in a private subnet.
ssh bastion@<public_IP_address_of_the_bastion_host> -D 1080
These methods rely on simple replacement that often requires a VPN connection as well as a combination with ProxyJump or ProxyCommand connections.
Windows users can set up tunnels using PuTTY by selecting Connection → SSH → Tunnels.
For easy connections to Remote Desktop Services (RDS), i.e., Windows hosts running in a cloud, you can use port redirection (especially the local one) by establishing a tunnel connection to port 3389 and then connecting to the localhost
via an RDS client. If the RDS client is already awaiting connection on the local machine, you can choose a different port as shown in the example below:
ssh bastion@<public_IP_address_of_the_bastion_host> -L 3390:<IP_address_of_the_Windows_host>:3389
Transferring files
For the Linux clients and servers, you can configure SCP
scp -o "ProxyJump bastion@<public_IP_address_of_bastion_host>" <file_name> bastion@<internal_IP_address_of_virtual_server>:<file_path>
If you are a Windows client user, one of the most popular SCP applications for Windows is WinSCP
- Create a session to connect to a private host IP without a password. Set up an SSH key on the Linux machine.
- In the left-hand navigation menu, click Advanced and select Tunnel.
- Enter the IP address and username for your bastion host. In the Private key file field, select and set the private key file to use for authentication on your bastion host.
- In the left-hand navigation menu, select Authentication under SSH.
- Make sure to select Allow agent forwarding.
- Choose the private key to use for authentication on a private host.
This configuration enables a direct file transfer between your Windows machine and Linux private host. The bastion host will secure connections between them.
If using Windows hosts residing behind a Linux bastion, you can transfer files using RDP
How to delete the resources you created
To stop paying for the resources you created: