
Servers on a private network without public access. Do we need a Bastion host?

No. AWS Systems Manager Session Manager covers this case. We can open a shell on the instance as long as the Systems Manager service is reachable from our VPC, which we arrange by connecting the service to the VPC with VPC endpoints.

Ways of connecting to a private network

  1. If the instance has access to the internet, we can install an agent beforehand that sets up an outbound-only connection (for Session Manager this is the SSM Agent).
  2. If the instance does not have access to the internet, we can go through another host that does, such as a bastion host.
  3. We have a VPN connection into this network.
  4. If we have no internet access from this server, no other servers, no bastion host and no VPN, we can still use Session Manager, provided the VPC has endpoints for the Systems Manager service.

VPC endpoint

We need to connect the Systems Manager service to the VPC with interface endpoints (AWS PrivateLink). If you have more than one subnet in the same Availability Zone, you don't need to create VPC endpoints for the extra subnets: an interface endpoint creates one network interface per Availability Zone, and any other subnet within the same Availability Zone can reach and use that interface. One endpoint per VPC is enough if instances in other subnets can route to the subnet that hosts the endpoint's network interface. For resilience, attach a subnet from every Availability Zone in which you run instances, so that losing one zone does not cut off the others. Enable private DNS on the interface endpoints so that the regular service hostnames (for example ssm.region.amazonaws.com) resolve to the endpoint; this requires the VPC attributes enableDnsSupport and enableDnsHostnames.

List of endpoints:

  • com.amazonaws.region.ssm (Interface) - the Systems Manager API itself
  • com.amazonaws.region.ec2messages (Interface) - used by SSM Agent for Run Command traffic
  • com.amazonaws.region.ec2 (Interface) - without the EC2 endpoint defined, the agent's call to enumerate attached Amazon EBS volumes fails
  • com.amazonaws.region.ssmmessages (Interface) - the channel Session Manager uses for the interactive session
  • com.amazonaws.region.kms (Interface) - needed only if session data is encrypted with a KMS key
  • com.amazonaws.region.logs (Interface) - needed only if session logs are streamed to CloudWatch Logs
  • com.amazonaws.region.s3 (Gateway) - SSM Agent updates and session logs written to S3

Replace region with the region the VPC lives in, for example com.amazonaws.eu-central-1.ssm. Interface endpoints also need a security group that allows inbound TCP 443 from the VPC CIDR, otherwise the agent cannot reach them.
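The procedure above, as an added example using the AWS CLI (this script is not from the original post). It creates the six interface endpoints with private DNS enabled and the S3 gateway endpoint attached to the given route tables. The VPC, subnet, route table and security group IDs are placeholders you replace; the security group is assumed to already allow inbound TCP 443 from the VPC CIDR, and the region defaults to eu-central-1. With DRY_RUN=1 the script only prints the commands it would run, which is also how it can be exercised without AWS credentials.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Creates the VPC endpoints
# Session Manager needs in a VPC without internet access.
# Assumptions: REGION defaults to eu-central-1; VPC/subnet/route-table/SG IDs
# passed in are placeholders; the SG allows inbound TCP 443 from the VPC CIDR.
set -eu

REGION="${REGION:-eu-central-1}"

# Interface endpoints (PrivateLink). One ENI per AZ is created in the subnets
# you pass; other subnets in the same AZ reach it through private DNS.
INTERFACE_SERVICES="ssm ec2messages ec2 ssmmessages kms logs"
# S3 is a gateway endpoint: it is attached to route tables, not subnets.
GATEWAY_SERVICES="s3"

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# create_endpoints VPC_ID SG_ID "SUBNET_ID ..." "ROUTE_TABLE_ID ..."
create_endpoints() {
  local vpc_id=$1 sg_id=$2 subnets=$3 route_tables=$4 svc
  for svc in $INTERFACE_SERVICES; do
    # --private-dns-enabled makes e.g. ssm.$REGION.amazonaws.com resolve to
    # the endpoint ENIs, so SSM Agent needs no reconfiguration. Requires the
    # VPC attributes enableDnsSupport and enableDnsHostnames.
    # shellcheck disable=SC2086  # subnet list is intentionally word-split
    run aws ec2 create-vpc-endpoint \
      --region "$REGION" \
      --vpc-id "$vpc_id" \
      --vpc-endpoint-type Interface \
      --service-name "com.amazonaws.$REGION.$svc" \
      --subnet-ids $subnets \
      --security-group-ids "$sg_id" \
      --private-dns-enabled
  done
  for svc in $GATEWAY_SERVICES; do
    # shellcheck disable=SC2086  # route table list is intentionally word-split
    run aws ec2 create-vpc-endpoint \
      --region "$REGION" \
      --vpc-id "$vpc_id" \
      --vpc-endpoint-type Gateway \
      --service-name "com.amazonaws.$REGION.$svc" \
      --route-table-ids $route_tables
  done
}

# Example invocation with placeholder IDs (DRY_RUN=1 prints the 7 commands):
# DRY_RUN=1 create_endpoints vpc-0123456789abcdef0 sg-0123456789abcdef0 \
#   "subnet-0aaaaaaaaaaaaaaaa subnet-0bbbbbbbbbbbbbbbb" "rtb-0123456789abcdef0"
```

The instance itself still needs an instance profile whose role lets SSM Agent call ssm, ssmmessages and ec2messages; the AWS-managed policy AmazonSSMManagedInstanceCore covers that. After the endpoints are in place, `aws ssm describe-instance-information` should list the instance as Online before you try `aws ssm start-session --target <instance-id>`.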

VPC endpoint policies let you control which calls may pass through an endpoint from within your VPC. A policy is an IAM resource policy attached to the endpoint; it can only narrow what the caller's own IAM permissions already allow, never widen them, and the default policy allows everything. Use endpoint policies so that resources in the VPC can reach only the AWS services, and only the resources in those services, that their function requires. A typical restriction is to allow only principals from your own account (aws:PrincipalAccount), so that a compromised instance cannot use the endpoint to talk to the same service in an attacker-controlled account. This helps prevent unauthorized access and data exfiltration and reduces the attack surface of the VPC.
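An added example of such a policy (not from the original post): it allows any action through the endpoint, but only for IAM principals belonging to one account, and attaches it to the interface endpoints with `aws ec2 modify-vpc-endpoint`. The account ID and endpoint IDs are placeholders; DRY_RUN=1 prints the command instead of calling the CLI.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Restricts interface
# endpoints to principals in a single AWS account.
# Assumptions: ACCOUNT_ID and vpce-... IDs are placeholders you replace.
set -eu

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# same_account_policy ACCOUNT_ID: print an endpoint policy on stdout.
# The policy allows every action and resource, but only when the caller is an
# IAM principal of ACCOUNT_ID. Because an endpoint policy can only narrow the
# caller's own IAM permissions, "Action": "*" does not grant anything extra;
# what it does is refuse requests signed by principals of other accounts.
same_account_policy() {
  local account_id=$1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyPrincipalsOfThisAccount",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalAccount": "${account_id}" }
      }
    }
  ]
}
EOF
}

# apply_policy ACCOUNT_ID VPCE_ID...: write the policy to a temporary file and
# attach it to each endpoint given (use the vpce-... IDs of the interface
# endpoints for ssm, ssmmessages, ec2messages, ec2, kms and logs).
apply_policy() {
  local account_id=$1 policy_file vpce
  shift
  policy_file=$(mktemp)
  same_account_policy "$account_id" > "$policy_file"
  for vpce in "$@"; do
    run aws ec2 modify-vpc-endpoint \
      --vpc-endpoint-id "$vpce" \
      --policy-document "file://$policy_file"
  done
  rm -f "$policy_file"
}

# Example invocation with placeholder IDs:
# DRY_RUN=1 apply_policy 123456789012 vpce-0aaaaaaaaaaaaaaaa vpce-0bbbbbbbbbbbbbbbb
```

Before rolling this out, confirm with `aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <id> --query 'VpcEndpoints[].PolicyDocument'` that the attached policy is the one you intended; an endpoint that is still on the default policy passes every request through unchanged.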

Read more: