AWS Elastic Beanstalk
Developer Guide (API Version 2010-12-01)

Example: Launching an Elastic Beanstalk Application in a VPC with Bastion Hosts

Amazon EC2 instances in a private subnet have no public IP address, so you cannot connect to them directly from outside the VPC. To reach them, you set up a bastion host in the public subnet that acts as a proxy: for example, an SSH jump host (port forwarder) or an RDP gateway that relays traffic from your own network to the instances in the private subnet. This section provides an example of how to create a VPC with a private subnet and a public subnet. The Elastic Beanstalk instances are located in the private subnet, and the bastion host, NAT gateway, and load balancer are located in the public subnet. Your infrastructure will look similar to the following diagram:


Figure: Elastic Beanstalk and VPC Topology with Bastion Host

To deploy an Elastic Beanstalk application inside a VPC using a bastion host, you need to complete the following:

Create a VPC with a Public and Private Subnet

Complete all of the procedures in Example: Launching a Load-Balancing, Autoscaling Environment with Public and Private Resources in a VPC, including deployment of your application. When deploying the application, you must specify an Amazon EC2 key pair for the instances so you can connect to them remotely. For more information about how to specify the instance key pair, see Configuring the EC2 Instances in your Elastic Beanstalk Environment.

Create and Configure the Bastion Host Security Group

Create a security group for the bastion host and add an inbound rule that allows SSH traffic (Linux bastion) or RDP traffic (Windows bastion) from the address range of your own network. Keep the source range as narrow as possible; do not use 0.0.0.0/0, because that exposes the bastion's login port to the whole Internet, and the bastion is the only host in this design that is reachable from outside. The security group's default outbound rule already allows the bastion to reach the instances in the private subnet.

  1. Create the bastion host security group.

    To create a new security group

    1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    2. In the navigation pane, choose Security Groups.

    3. Choose Create Security Group.

    4. In the Create Security Group dialog box, enter the following and choose Yes, Create.

      Name tag (Optional)

      Enter a name tag for the security group.

      Group name

      Enter the name of the security group.

      Description

      Enter a description for the security group.

      VPC

      Select your VPC.

      The security group is created and appears on the Security Groups page. Notice that it has an ID (e.g., sg-xxxxxxxx). You might have to turn on the Group ID column by clicking Show/Hide in the top right corner of the page.

  2. Configure the bastion host security group.

    To update the security group for the bastion host

    1. In the list of security groups, select the check box for the security group you just created for your bastion host.

    2. On the Inbound tab, choose Edit.

    3. If needed, choose Add another rule.

    4. If your bastion host is a Linux instance, under Type, select SSH.

      If your bastion host is a Windows instance, under Type, select RDP.

    5. In the Source field, enter the CIDR range of the network you will connect from (for example, your office or VPN egress range), not 0.0.0.0/0, and choose Save.

      
Figure: Bastion Host Security Group

Update the Instance Security Group

By default, the custom security group you created for your instances does not allow any incoming traffic. When you specify a key pair, Elastic Beanstalk adds an inbound SSH rule to the security group it creates for the instances, but it does not add an RDP rule. If your instances are Windows instances, you must add an inbound RDP rule to your custom instance security group yourself, with the bastion host security group as the source, so that only the bastion can reach port 3389. The same principle applies to Linux instances: the SSH rule on the instance security group should accept traffic only from the bastion host security group, not from the Internet.

To update the instance security group for RDP

  1. In the list of security groups, select the check box for the instance security group.

  2. On the Inbound tab, choose Edit.

  3. If needed, choose Add another rule.

  4. Enter the following values, and choose Save.

    Type

    RDP

    Protocol

    TCP

    Port Range

    3389

    Source

    Enter the ID of the bastion host security group (e.g., sg-8a6f71e8). Referencing the security group ID instead of a CIDR means the rule keeps working if the bastion host's IP address changes or the bastion is replaced.

Create a Bastion Host

To create a bastion host, launch an Amazon EC2 instance in your public subnet with a public IP address (or an Elastic IP address), the bastion host security group you created above, and the key pair you will use to log in. Do not attach the instance security group to the bastion, and do not place the bastion in the private subnet.

For more information about setting up a bastion host for Windows instances in the private subnet, see Controlling Network Access to EC2 Instances Using a Bastion Server.

For more information about setting up a bastion host for Linux instances in the private subnet, see Securely Connect to Linux Instances Running in a Private Amazon VPC.
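The procedure above (bastion security group, instance security group rule, bastion launch) and the SSH jump described in the introduction, done with the AWS CLI instead of the console. This is an added example, not code from this guide or from AWS. The VPC, subnet, security group, AMI and key pair identifiers and the administrator address range are constructed placeholders that you replace with your own; the script also assumes the bastion and the instances run the same OS (Linux: port 22, Windows: port 3389). With DRY_RUN=1, the default, it prints the commands instead of running them, so it needs no credentials.

```shell
#!/bin/sh
# Added example (not part of this guide): bastion and instance security group
# rules and the bastion launch, as AWS CLI commands. All IDs, names and
# address ranges below are constructed placeholders.
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"                 # VPC from the earlier example
PUBLIC_SUBNET_ID="${PUBLIC_SUBNET_ID:-subnet-0123456789abcdef0}"
INSTANCE_SG_ID="${INSTANCE_SG_ID:-sg-0fedcba9876543210}"  # custom instance security group
BASTION_AMI="${BASTION_AMI:-ami-0123456789abcdef0}"
KEY_NAME="${KEY_NAME:-my-bastion-key}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"                # your office/VPN egress range (TEST-NET-3)
BASTION_OS="${BASTION_OS:-linux}"                         # linux -> SSH/22, windows -> RDP/3389
DRY_RUN="${DRY_RUN:-1}"                                   # 1 = print the commands, 0 = run them

# run: print the AWS CLI command (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# admin_port: login port the bastion and the instances accept for this OS.
admin_port() {
  case "$1" in
    linux)   echo 22 ;;
    windows) echo 3389 ;;
    *) echo "unknown OS: $1" >&2; return 1 ;;
  esac
}

# check_admin_cidr: refuse a source range that opens the bastion login port
# to the whole Internet; the bastion is the only exposed way in.
check_admin_cidr() {
  case "$1" in
    0.0.0.0/0|::/0) echo "refusing source $1: use your network's CIDR" >&2; return 1 ;;
    */*) return 0 ;;
    *) echo "not a CIDR: $1" >&2; return 1 ;;
  esac
}

# ingress_args: arguments for 'aws ec2 authorize-security-group-ingress'.
# $1 target group, $2 TCP port, $3 source: a CIDR, or a security group ID so
# the rule follows the bastion regardless of its IP address.
ingress_args() {
  case "$3" in
    sg-*) printf '%s' "--group-id $1 --protocol tcp --port $2 --source-group $3" ;;
    */*)  printf '%s' "--group-id $1 --protocol tcp --port $2 --cidr $3" ;;
    *) echo "bad source: $3" >&2; return 1 ;;
  esac
}

# create_bastion_sg: create the bastion security group and print its ID.
create_bastion_sg() {
  if [ "$DRY_RUN" = "1" ]; then
    run aws ec2 create-security-group --group-name bastion-sg \
        --description "Bastion host" --vpc-id "$VPC_ID" >&2
    echo "sg-bastion-placeholder"   # stand-in for the ID the CLI would return
  else
    aws ec2 create-security-group --group-name bastion-sg \
        --description "Bastion host" --vpc-id "$VPC_ID" --query GroupId --output text
  fi
}

# ssh_jump_command: how a Linux administrator reaches a private instance
# through the bastion (OpenSSH jump host, -J, instead of a manual port forward).
# $1 bastion public IP, $2 instance private IP.
ssh_jump_command() {
  printf '%s' "ssh -J ec2-user@$1 ec2-user@$2"
}

# configure_bastion_access: the whole procedure from the page, in order.
configure_bastion_access() {
  port=$(admin_port "$BASTION_OS") || return 1
  check_admin_cidr "$ADMIN_CIDR" || return 1
  bastion_sg=$(create_bastion_sg) || return 1
  # Bastion security group: your network -> bastion, login port only.
  args=$(ingress_args "$bastion_sg" "$port" "$ADMIN_CIDR") || return 1
  run aws ec2 authorize-security-group-ingress $args
  # Instance security group: bastion -> instances, referenced by group ID.
  args=$(ingress_args "$INSTANCE_SG_ID" "$port" "$bastion_sg") || return 1
  run aws ec2 authorize-security-group-ingress $args
  # Launch the bastion in the public subnet with a public address and its own group.
  run aws ec2 run-instances --image-id "$BASTION_AMI" --instance-type t3.micro \
      --key-name "$KEY_NAME" --subnet-id "$PUBLIC_SUBNET_ID" \
      --security-group-ids "$bastion_sg" --associate-public-ip-address
}

configure_bastion_access
```

Run it once with DRY_RUN=1 to review the commands, then with DRY_RUN=0 and real identifiers to apply them. The two ingress rules are the whole access path: administrators reach the bastion from ADMIN_CIDR only, and the instances accept the login port only from the bastion's security group. For a Windows bastion, replace the SSH jump with an RDP session to the bastion followed by a second RDP session to the instance's private address.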