Linux Bastion Hosts on the AWS Cloud
Quick Start Reference Deployment Guide

Step 2. Launch the Stack

  1. If you are using the CentOS operating system, subscribe to the CentOS AMI in AWS Marketplace.

  2. Use one of the following options to launch the AWS CloudFormation template into your AWS account. For more information about these options, see Deployment Scenarios.

    The template is launched in the US West (Oregon) region by default. You can change the region by using the region selector in the navigation bar.


    Each stack takes approximately 5 minutes to create.

    Note

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For cost estimates, see the pricing pages for each AWS service you will be using in this Quick Start.

  3. On the Select Template page, keep the default setting for the Amazon S3 template URL, and then choose Next.

  4. On the Specify Details page, review the parameters for the template, provide values for parameters that require your input, and customize the default settings as necessary. For example, you can change the instance types or IP addresses for the bastion host instances, or choose a banner that is displayed when you connect to the bastion host.

    In the following tables, parameters are listed and described separately for deploying the bastion host into a new VPC or an existing VPC.

    Note

    The templates for the two scenarios share most, but not all, of the same parameters. For example, the template for an existing VPC prompts you for the VPC and public subnet IDs in your existing VPC environment. You can also download the templates and edit them to create your own parameters based on your specific deployment scenario.

    Option 1: Parameters for deploying Linux bastion hosts into a new VPC

    View the template for new VPC

    Network Configuration:

    | Parameter label | Parameter name | Default | Description |
    |---|---|---|---|
    | Availability Zones | AvailabilityZones | Requires input | The list of Availability Zones to use for the subnets in the VPC. The Quick Start uses two Availability Zones from your list and preserves the logical order you specify. |
    | VPC CIDR | VPCCIDR | 10.0.0.0/16 | CIDR block for the VPC. |
    | Private Subnet 1 CIDR | PrivateSubnet1CIDR | 10.0.0.0/19 | CIDR block for the private subnet located in Availability Zone 1. |
    | Private Subnet 2 CIDR | PrivateSubnet2CIDR | 10.0.32.0/19 | CIDR block for the private subnet located in Availability Zone 2. |
    | Public Subnet 1 CIDR | PublicSubnet1CIDR | 10.0.128.0/20 | CIDR block for the public subnet located in Availability Zone 1. |
    | Public Subnet 2 CIDR | PublicSubnet2CIDR | 10.0.144.0/20 | CIDR block for the public subnet located in Availability Zone 2. |
    | Allowed Bastion External Access CIDR | RemoteAccessCIDR | Requires input | CIDR block that is allowed SSH external access to the bastion hosts. We recommend that you set this value to a trusted CIDR block. For example, you might want to restrict access to your corporate network. |

    Amazon EC2 Configuration:

    | Parameter label | Parameter name | Default | Description |
    |---|---|---|---|
    | Key Pair Name | KeyPairName | Requires input | Public/private key pair, which allows you to connect securely to your instance after it launches. This is the key pair you created in your preferred region when you set up your AWS account. |
    | Bastion AMI Operating System | BastionAMIOS | Amazon-Linux-HVM | The Linux distribution for the AMI to be used for the bastion host instances. If you choose CentOS, make sure that you have a subscription to the CentOS AMI in AWS Marketplace. |
    | Bastion Instance Type | BastionInstanceType | t2.micro | EC2 instance type for the bastion host instances. |

    Linux Bastion Configuration:

    | Parameter label | Parameter name | Default | Description |
    |---|---|---|---|
    | Number of Bastion Hosts | NumBastionHosts | 1 | The number of Linux bastion hosts to run. Auto Scaling will ensure that you always have this number of bastion hosts running. The maximum is 4 bastion hosts. |
    | Enable Banner | EnableBanner | false | Includes or suppresses the banner that is displayed when you connect to the bastion host via SSH. To display the banner, set this parameter to true. (See the section on customizing the banner.) |
    | Bastion Banner | BastionBanner | Default URL | URL for the ASCII text file that contains the banner text to display upon login. (See the section on customizing the banner.) |
    | Enable TCP Forwarding | EnableTCPForwarding | false | Setting this value to true enables TCP forwarding (SSH tunneling). This can be very useful, but it is also a security risk, so we recommend that you keep the default (disabled) setting unless required. |
    | Enable X11 Forwarding | EnableX11Forwarding | false | Setting this value to true enables X Windows over SSH. X11 forwarding can be very useful, but it is also a security risk, so we recommend that you keep the default (disabled) setting unless required. |

    AWS Quick Start Configuration:

    | Parameter label | Parameter name | Default | Description |
    |---|---|---|---|
    | Quick Start S3 Bucket Name | QSS3BucketName | quickstart-reference | S3 bucket where the Quick Start templates and scripts are installed. Use this parameter to specify the S3 bucket name you have created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen. |
    | Quick Start S3 Key Prefix | QSS3KeyPrefix | linux/bastion/latest | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes, but should not start or end with a forward slash (which is added automatically). |

    Option 2: Parameters for deploying Linux bastion hosts into an existing VPC

    View the template for existing VPC

    Network Configuration:

    | Parameter label | Parameter name | Default | Description |
    |---|---|---|---|
    | VPC ID | VPCID | Requires input | ID of your existing VPC (e.g., vpc-0343606e). |
    | Public Subnet 1 ID | PublicSubnet1ID | Requires input | ID of the public subnet you want to provision the first bastion host into (e.g., subnet-a0246dcd). |
    | Public Subnet 2 ID | PublicSubnet2ID | Requires input | ID of the public subnet you want to provision the second bastion host into (e.g., subnet-e3246d8e). |
    | Allowed Bastion External Access CIDR | RemoteAccessCIDR | Requires input | CIDR block that is allowed SSH external access to the bastion hosts. We recommend that you set this value to a trusted CIDR block. For example, you might want to restrict access to your corporate network. |

    Amazon EC2 Configuration:

    | Parameter label | Parameter name | Default | Description |
    |---|---|---|---|
    | Key Pair Name | KeyPairName | Requires input | Public/private key pair, which allows you to connect securely to your instance after it launches. This is the key pair you created in your preferred region when you set up your AWS account. |
    | Bastion AMI Operating System | BastionAMIOS | Amazon-Linux-HVM | The Linux distribution for the AMI to be used for the bastion host instances. If you choose CentOS, make sure that you have a subscription to the CentOS AMI in AWS Marketplace. |
    | Bastion Instance Type | BastionInstanceType | t2.micro | EC2 instance type for the bastion host instances. |

    Linux Bastion Configuration:

    | Parameter label | Parameter name | Default | Description |
    |---|---|---|---|
    | Number of Bastion Hosts | NumBastionHosts | 1 | The number of Linux bastion hosts to run. Auto Scaling will ensure that you always have this number of bastion hosts running. The maximum is 4 bastion hosts. |
    | Enable Banner | EnableBanner | false | Includes or suppresses the banner that is displayed when you connect to the bastion host via SSH. To display the banner, set this parameter to true. (See the section on customizing the banner.) |
    | Bastion Banner | BastionBanner | Default URL | URL for the ASCII text file that contains the banner text to display upon login. (See the section on customizing the banner.) |
    | Enable TCP Forwarding | EnableTCPForwarding | false | Setting this value to true enables TCP forwarding (SSH tunneling). This can be very useful, but it is also a security risk, so we recommend that you keep the default (disabled) setting unless required. |
    | Enable X11 Forwarding | EnableX11Forwarding | false | Setting this value to true enables X Windows over SSH. X11 forwarding can be very useful, but it is also a security risk, so we recommend that you keep the default (disabled) setting unless required. |

    AWS Quick Start Configuration:

    | Parameter label | Parameter name | Default | Description |
    |---|---|---|---|
    | Quick Start S3 Bucket Name | QSS3BucketName | quickstart-reference | S3 bucket where the Quick Start templates and scripts are installed. Use this parameter to specify the S3 bucket name you have created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen. |
    | Quick Start S3 Key Prefix | QSS3KeyPrefix | linux/bastion/latest | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes, but should not start or end with a forward slash (which is added automatically). |

    When you finish reviewing and customizing the parameters, choose Next.

  5. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re done, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the check box to acknowledge that the template will create IAM resources.

  7. Choose Create to deploy the stack.

  8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the stack is ready.
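As an added example (not part of the Quick Start or its templates), the same Option 2 launch driven from the AWS CLI instead of the console: the existing-VPC parameters above are pinned explicitly, both forwarding options stay disabled, IAM resource creation is acknowledged (step 6), and the script waits for CREATE_COMPLETE (step 8). The region, stack name, template URL, VPC and subnet IDs, key pair name and the 203.0.113.0/24 "corporate" range are placeholders; the refusal of 0.0.0.0/0 and the /8 floor in check_remote_cidr are this example's own policy, not something the template enforces.

```shell
# Added example, not part of the AWS Quick Start: launch the existing-VPC
# template from the AWS CLI. Every value below is a placeholder to replace.
AWS_REGION="us-west-2"          # the Quick Start's default region (US West, Oregon)
STACK_NAME="linux-bastion"
TEMPLATE_URL="https://s3.amazonaws.com/PLACEHOLDER-BUCKET/PLACEHOLDER-PREFIX/linux-bastion.template"
VPC_ID="vpc-PLACEHOLDER"
PUBLIC_SUBNET_1_ID="subnet-PLACEHOLDER1"
PUBLIC_SUBNET_2_ID="subnet-PLACEHOLDER2"
KEY_PAIR_NAME="PLACEHOLDER-keypair"
REMOTE_ACCESS_CIDR="203.0.113.0/24"   # constructed: your corporate egress range

# Return 0 only for a well-formed IPv4 CIDR that is not the wildcard. The /8
# floor is this example's own policy; the template itself does not enforce it.
check_remote_cidr() {
  cidr="$1"
  case "$cidr" in
    0.0.0.0/0) return 1 ;;   # would expose port 22 to the whole Internet
    */*) ;;
    *) return 1 ;;           # no prefix length given
  esac
  prefix="${cidr##*/}"; addr="${cidr%/*}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ] || return 1
  old_ifs="$IFS"; IFS=.; set -- $addr; IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1            # exactly four dotted octets
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Create the stack with forwarding left disabled, acknowledge IAM resource
# creation (step 6) and block until the stack reaches CREATE_COMPLETE (step 8).
launch_bastion_stack() {
  check_remote_cidr "$REMOTE_ACCESS_CIDR" || { echo "refusing: RemoteAccessCIDR=$REMOTE_ACCESS_CIDR is not a trusted range" >&2; return 1; }
  aws cloudformation create-stack --region "$AWS_REGION" --stack-name "$STACK_NAME" \
    --template-url "$TEMPLATE_URL" --capabilities CAPABILITY_IAM --parameters \
      ParameterKey=VPCID,ParameterValue="$VPC_ID" \
      ParameterKey=PublicSubnet1ID,ParameterValue="$PUBLIC_SUBNET_1_ID" \
      ParameterKey=PublicSubnet2ID,ParameterValue="$PUBLIC_SUBNET_2_ID" \
      ParameterKey=RemoteAccessCIDR,ParameterValue="$REMOTE_ACCESS_CIDR" \
      ParameterKey=KeyPairName,ParameterValue="$KEY_PAIR_NAME" \
      ParameterKey=NumBastionHosts,ParameterValue=2 \
      ParameterKey=EnableTCPForwarding,ParameterValue=false \
      ParameterKey=EnableX11Forwarding,ParameterValue=false
  aws cloudformation wait stack-create-complete --region "$AWS_REGION" --stack-name "$STACK_NAME"
}

# Only launch when asked, so the file can also be sourced just for the check.
if [ "${BASTION_LAUNCH:-0}" = 1 ]; then launch_bastion_stack; fi
```

Run it as `BASTION_LAUNCH=1 sh launch-bastion.sh` once the placeholders are filled in; NumBastionHosts is set to 2 so that one host lands in each public subnet.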