Linux Bastion Hosts on the AWS Cloud
Linux Bastion Host Quick Start


Deploying this Quick Start with the default parameters builds the following virtual networking environment in the AWS Cloud. (Note that the diagram doesn’t show all the components of the VPC architecture. For details about that architecture, see the Amazon VPC Quick Start.)


Figure 1: Linux bastion host architecture on AWS


The Quick Start builds a networking environment that includes the following components. If you already have an AWS infrastructure, the Quick Start also provides an option for deploying Linux bastion hosts into your existing VPC. (The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks.)

  • A highly available architecture that spans two Availability Zones.*

  • A VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*

  • An Internet gateway to allow access to the Internet. This gateway is used by the bastion hosts to send and receive traffic.*

  • Managed NAT gateways to allow outbound Internet access for resources in the private subnets.*

  • A Linux bastion host in each public subnet with an Elastic IP address to allow inbound Secure Shell (SSH) access to EC2 instances in public and private subnets.

  • A security group for fine-grained inbound access control.

  • An Amazon EC2 Auto Scaling group with a configurable number of instances.

  • A set of Elastic IP addresses that match the number of bastion host instances. If the Auto Scaling group relaunches any instances, these addresses are reassociated with the new instances.

  • An Amazon CloudWatch Logs log group to hold the Linux bastion host shell history logs.

AWS Services

The core AWS components used by this Quick Start include the following AWS services. (If you are new to AWS, see Getting Started with AWS.)

  • Amazon VPC – The Amazon Virtual Private Cloud (Amazon VPC) service lets you provision a private, isolated section of the AWS Cloud where you can launch AWS services and other resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of an IP address range, creation of subnets, and configuration of route tables and network gateways.

  • Amazon EC2 – The Amazon Elastic Compute Cloud (Amazon EC2) service enables you to launch virtual machine instances with a variety of operating systems. You can choose from existing Amazon Machine Images (AMIs) or import your own virtual machine images.

  • Amazon EBS – Amazon Elastic Block Store (Amazon EBS) provides persistent block-level storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes provide the consistent and low-latency performance needed to run your workloads.

  • NAT Gateway – NAT gateways are network address translation (NAT) devices, which provide outbound Internet access to instances in private subnets, but prevent the Internet from accessing those instances. NAT gateways provide better availability and bandwidth than NAT instances. The NAT Gateway service is a managed service that takes care of administering NAT gateways for you.

  • Auto Scaling – Auto Scaling helps you ensure that you have the desired number of EC2 instances available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling groups. When you deploy the Quick Start, you can specify the desired number of instances in each Auto Scaling group, and Auto Scaling ensures that your group has this number of instances at all times.

  • Amazon CloudWatch Logs – You can use Amazon CloudWatch Logs to monitor, store, and access your log files from EC2 instances, AWS CloudTrail, and other sources. You can retrieve the log data from CloudWatch Logs, and monitor your EC2 instances in real time.

Bastion Hosts

Including bastion hosts in your VPC environment enables you to securely connect to your Linux instances without exposing your environment to the Internet. After you set up your bastion hosts, you can access the other instances in your VPC through Secure Shell (SSH) connections on Linux. Bastion hosts are also configured with security groups to provide fine-grained ingress control.

Best Practices

The architecture built by this Quick Start supports AWS best practices for high availability and security:

  • Linux bastion hosts are deployed in two Availability Zones to support immediate access across the VPC. You can configure the number of bastion host instances at launch.

  • An Auto Scaling group ensures that the number of bastion host instances always matches the desired capacity you specify during launch.

  • Bastion hosts are deployed in the public (DMZ) subnets of the VPC.

  • Elastic IP addresses are associated with the bastion instances so that the addresses are easier to remember and to allow through on-premises firewalls. If an instance is terminated and the Auto Scaling group launches a new instance in its place, the existing Elastic IP addresses are reassociated with the new instances. This ensures that the same trusted Elastic IP addresses are used at all times.

  • Access to the bastion hosts is locked down to known CIDR scopes for ingress. This is achieved by associating the bastion instances with a security group. The Quick Start creates a BastionSecurityGroup resource for this purpose.

  • Ports are limited to allow only the necessary access to the bastion hosts. For Linux bastion hosts, TCP port 22 for SSH connections is typically the only port allowed.

We recommend that you follow these best practices when you’re using the architecture built by the Quick Start:

  • When you add new instances to the VPC that require management access from the bastion host, make sure to associate a security group ingress rule, which references the bastion security group as the source, with each instance. It is also important to limit this access to the required ports for administration.

  • During deployment, the public key from the selected Amazon EC2 key pair is associated with the user ec2-user in the Linux instance. For additional users, you should create users with the required permissions and associate them with their individual authorized public keys for SSH connectivity.

  • For the bastion host instances, you should select the number and type of instances according to the number of users and operations to be performed. The Quick Start creates one bastion host instance and uses the t2.micro instance type by default, but you can change these settings during deployment.


    You can also change the number and type of bastion host instances after deployment, by updating the AWS CloudFormation stack and changing the parameters. Reconfiguring the bastion host instances updates the related Elastic IP addresses and changes the bootstrapping logic in the launch configuration and Auto Scaling group. However, before you update the stack, you must terminate the instances you want to replace while keeping the Elastic IP addresses. When you update the stack, Auto Scaling will launch the new instances with the updated instance type, and bootstrapping will assign the Elastic IP addresses from the existing pool of IP addresses that were provisioned during the initial deployment.

  • Set your desired expiration time directly in the CloudWatch Logs log group for the logs collected from each bastion instance. This ensures that bastion log history is retained only for the amount of time you need.

  • Keep your CloudWatch log files separated for each bastion host so that you can filter and isolate log messages from individual bastion hosts more easily. Every instance that is launched by the bastion Auto Scaling group will create its own log stream based on the instance ID.
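
The security group practices above (bastion ingress limited to known CIDR scopes and TCP port 22, and instance ingress that references the bastion security group as its source) can be checked against exported rules. The following is an added example, not part of the Quick Start: the sample is constructed in the shape of `aws ec2 describe-security-groups` output, and the group IDs and the audit function are hypothetical.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Group IDs are placeholders; 203.0.113.0/24 is a documentation range.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-bastion", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-app-ok", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
 {"GroupId": "sg-app-bad", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
  {"IpProtocol": "-1",
   "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]}]}""")

OPEN = {"0.0.0.0/0", "::/0"}

def covers(rule, port):
    """Rule admits TCP to `port`; IpProtocol "-1" means every protocol and port."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]

def only(rule, port):
    """Rule is exactly tcp/<port> and nothing wider."""
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] == port == rule["ToPort"]

def audit(groups, bastion_id, port=22):
    """Return (group_id, problem) pairs for rules that break the practices above."""
    out = []
    for g in groups:
        for rule in g["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            srcs = [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
            if g["GroupId"] == bastion_id:
                if not only(rule, port):
                    out.append((g["GroupId"], "bastion rule wider than the SSH port"))
                if OPEN & set(cidrs):
                    out.append((g["GroupId"], "bastion reachable from any address"))
            else:
                if covers(rule, port) and (cidrs or set(srcs) - {bastion_id}):
                    out.append((g["GroupId"], "SSH allowed from a non-bastion source"))
                if bastion_id in srcs and not only(rule, port):
                    out.append((g["GroupId"], "bastion source allowed beyond the SSH port"))
    return out

if __name__ == "__main__":
    for finding in audit(SAMPLE["SecurityGroups"], "sg-bastion"):
        print(*finding, sep=": ")
```

The compliant bastion and instance groups in the sample produce no findings; the third group is flagged once for SSH open to a CIDR source and once for an all-traffic rule from the bastion group.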