Connect to Private subnet Ec2 Instance via Public subnet

This document outlines the steps to connect to a private EC2 instance via a bastion host, starting with the creation of a VPC and two subnets (public and private). It details the setup of route tables, an internet gateway, and the launch of two EC2 instances, one as a bastion host and the other as a private instance. Finally, it explains the process of logging into the private instance through the bastion host and adjusting security group settings to enable ICMP operations.

Uploaded by

upendra 7020

Connect to Private EC2 Instance via Bastion Host

Step 1: Create a VPC


● Go to VPC Dashboard

● Click Create VPC

● Choose VPC only option

● Example CIDR block: 10.0.0.0/16

● Name the VPC (e.g., MyVPC)

Step 2: Create Two Subnets

● Public Subnet (e.g., 10.0.1.0/24)

○ Enable Auto-assign public IP

● Private Subnet (e.g., 10.0.2.0/24)

● Attach both subnets to the same VPC


Step 3: Create Route Tables

1. Public Route Table

○ Create and name it (e.g., PublicRT)

○ Add route: 0.0.0.0/0 → Internet Gateway (to be created in next step)

○ Associate it with Public Subnet

2. Private Route Table

○ Create and name it (e.g., PrivateRT)

○ No route to IGW required

○ Associate it with Private Subnet


Step 4: Create and Attach Internet Gateway

● Go to Internet Gateways

● Create new IGW and attach it to the VPC

● Go to Public Route Table and attach the IGW as the target for 0.0.0.0/0

Now set the IGW as the target of the public route table's 0.0.0.0/0 route, as shown below.


Now create the two EC2 instances (one public, one private) as shown below.

Step 5: Launch Two EC2 Instances


1. Public Instance (Bastion Host):

○ Launch in Public Subnet

○ Select Amazon Linux or Ubuntu

○ Assign public IP

○ Use a key pair (e.g., vpc.pem)

○ Security Group: allow SSH (port 22) from your IP

2. Private Instance:

○ Launch in Private Subnet

○ Do not assign public IP


○ Use a separate key pair or the same one

○ Security Group: allow SSH (port 22) from the Bastion Host's security group

Now we try to log in to the private-subnet instance directly, as shown below.


The attempt fails: we are connecting to the private-subnet instance's IP, and its route table has no route to the IGW (the internet), unlike the public subnet. That leaves only two options:

1) Assign an IGW route to the private subnet
2) Log in through a bastion host

Here we log in through a bastion host, following the procedure below:

1) Copy the contents of the key pair that was attached when the private instance was created.
2) Log in to the public instance (the bastion host) and create a file there by pasting in the copied key; this file serves as the key pair for the private instance.
3) Change the file permission to read-only and use the ssh command to log in.
4) In the ssh command, use the private IP instead of a public IP.

Changing the file permission:

Now log in to the private IP using the ssh command below:


ssh -i privatekeypair <user>@<private-ip>   (replace <private-ip> with the private IP copied from the private-subnet instance, and <user> with the AMI's default login user)

We are now logged in to the private instance, but the ping operation fails, as shown below.

To enable ping, open the security group of the private-subnet instance and add a custom ICMP rule; the operation then succeeds, as shown below.
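The security-group rules from Step 5 and the final ICMP rule, together with the login itself, as an added shell example that is not part of this document: it assumes the AWS CLI and placeholder values (VPC id, the operator's IP, the bastion's public IP, the private IP, key file names, and ec2-user as the login user), and it connects with an ssh ProxyCommand from the workstation so the private key never has to be pasted onto the bastion, unlike the copy-and-paste step above.

```shell
#!/bin/sh
# Added example, not part of the original document: the security-group rules
# from Step 5 and the final ICMP step as AWS CLI calls, plus an ssh invocation
# that jumps through the bastion from the workstation, so the private key
# never has to be pasted onto the bastion host.
# Assumed placeholders: VPC id, operator IP, bastion public IP, private IP,
# key file names and the login user (ec2-user for Amazon Linux).
set -eu

# Bastion SG admits SSH only from the operator's address; the private SG admits
# SSH and ICMP echo-request only from members of the bastion SG (not a CIDR).
create_security_groups() {
  vpc_id="$1"; my_ip="$2"
  bastion_sg=$(aws ec2 create-security-group --vpc-id "$vpc_id" \
    --group-name bastion-sg --description "Bastion host" \
    --query GroupId --output text)
  private_sg=$(aws ec2 create-security-group --vpc-id "$vpc_id" \
    --group-name private-sg --description "Private instance" \
    --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$bastion_sg" \
    --protocol tcp --port 22 --cidr "$my_ip/32"
  aws ec2 authorize-security-group-ingress --group-id "$private_sg" \
    --ip-permissions "IpProtocol=tcp,FromPort=22,ToPort=22,UserIdGroupPairs=[{GroupId=$bastion_sg}]"
  # ICMP type 8 (echo request), any code: the "custom ICMP" rule of the last step.
  aws ec2 authorize-security-group-ingress --group-id "$private_sg" \
    --ip-permissions "IpProtocol=icmp,FromPort=8,ToPort=-1,UserIdGroupPairs=[{GroupId=$bastion_sg}]"
  echo "$bastion_sg $private_sg"
}

# Login step 3: ssh refuses a private key that is group- or world-readable.
key_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Login step 4: target the private IP, but tunnel through the bastion with
# ProxyCommand so both keys stay on the workstation.
ssh_via_bastion_cmd() {
  bastion_key="$1"; private_key="$2"; bastion="$3"; private="$4"; user="${5:-ec2-user}"
  printf "ssh -i %s -o ProxyCommand='ssh -i %s -W %%h:%%p %s@%s' %s@%s" \
    "$private_key" "$bastion_key" "$user" "$bastion" "$user" "$private"
}

# Usage with placeholders: eval "$(ssh_via_bastion_cmd vpc.pem vpc.pem <bastion-ip> <private-ip>)"
```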
