Stacktape

Bastion servers

Overview

  • A bastion server is a small virtual machine used to reach resources that are only accessible from within your VPC (a private network that is not reachable from the internet). Some resources, such as relational databases and redis clusters, may not have a public endpoint, yet you still need to reach them from your scripts or to perform management tasks.
  • The connection from your system to the bastion server is established securely through SSM Session Manager, using your IAM permissions. This means the bastion does NOT expose any ports, which keeps its attack surface minimal.

Using bastion tunnel

You can use bastion tunnels to give your script or command access to resources that are only accessible from within the VPC (the private network of your stack).

  • When a bastion tunnel is used, Stacktape sets up a port-forwarding tunnel through the specified bastion host.
  • To use bastion tunnels, your stack must contain a bastion resource.
  • Tunneling is performed over a secure SSM session.
  • Environment variables passed to the script are automatically adjusted to use the tunneled endpoints.

scripts:
  migrateDb:
    executeCommands:
      - python manage.py makemigrations
      - python manage.py migrate
    bastionTunnels:
      - bastion: myBastion
        target: mainDatabase
    # injected environment variables are automatically adjusted during the script/command execution to use the tunneled endpoint
    environment:
      - name: STP_MAIN_DATABASE_CONNECTION_STRING
        value: $ResourceParam('mainDatabase', 'connectionString')

hooks:
  afterDeploy:
    - executeNamedScript: migrateDb

resources:
  myBastion:
    type: bastion
  mainDatabase:
    type: relational-database
    properties:
      accessibility:
        accessibilityMode: vpc
      credentials:
        masterUserName: admin_user
        masterUserPassword: my_secret_password
      engine:
        type: aurora-postgresql-serverless

Using a bastion tunnel to perform a migration on a VPC-protected database

Targets for bastion tunnel

  • Resource types supported as a target for bastion tunnel:
    • relational-database
    • redis-cluster
    • mongo-db-atlas-cluster
    • application-load-balancer
    • private-service (with loadBalancing type application-load-balancer)
  • If the target resource has multiple endpoints (for example, a redis-cluster can have a reader and a writer endpoint, and a relational-database can have multiple read replicas), all endpoints are tunneled automatically.
  • Environment variables passed to the script are automatically adjusted to use the tunneled endpoints.
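To make the "environment variables are adjusted to the tunneled endpoints" behaviour concrete, here is an added illustration (not Stacktape's own code) of the rewrite that has to happen for a script to transparently reach VPC-only endpoints through forwarded local ports. It assumes a constructed table of remote endpoints and the local ports they are forwarded to, and it covers the multi-endpoint case (a redis writer and reader endpoint) described above.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: VPC-only endpoints (lower-case, because urlsplit
# lower-cases hostnames) mapped to the local port each is forwarded to.
# These hostnames and ports are hypothetical, not Stacktape's real values.
TUNNELS = {
    ("main-database.cluster-abc.eu-west-1.rds.amazonaws.com", 5432): 15432,
    ("mycache.cache.amazonaws.com", 6379): 16379,     # redis writer endpoint
    ("mycache-ro.cache.amazonaws.com", 6379): 16380,  # redis reader endpoint
}


def rewrite_endpoint(value: str, tunnels=TUNNELS) -> str:
    """Point a URL-style connection string at its tunneled local endpoint.

    Values that are not URLs, or whose host:port is not in the tunnel
    table, are returned unchanged, so unrelated variables are never touched
    and the script cannot be silently redirected to a non-tunneled host.
    """
    parts = urlsplit(value)
    if not parts.scheme or parts.hostname is None:
        return value
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return value
    local_port = tunnels.get((parts.hostname, port))
    if local_port is None:
        return value
    # Preserve credentials embedded in the URL; only host and port change.
    userinfo = ""
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
        userinfo += "@"
    netloc = f"{userinfo}127.0.0.1:{local_port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def rewrite_env(env: dict, tunnels=TUNNELS) -> dict:
    """Return a copy of the environment with every tunneled endpoint rewritten."""
    return {name: rewrite_endpoint(val, tunnels) for name, val in env.items()}
```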

Connecting to bastion

You can connect to the bastion server and start a shell session using the bastion:session command.

stacktape bastion:session --stage <<stage>> --region <<region>> --resourceName <<bastionName>>


Instance size

  • Optionally, you can specify the instance size of your bastion host. By default, a t3.micro instance is used (free tier eligible).

  • If you want a bigger instance for your bastion, set the instanceSize property.

  • For the full list of available instance sizes, refer to the AWS docs.

resources:
  myBastion:
    type: bastion
    properties:
      instanceSize: c5.large

SSM sessions

With Stacktape, bastion hosts leverage SSM session manager.

SSM Session Manager is an AWS service that enables secure, centralized management of instances without direct network access. Compared to traditional SSH, Session Manager establishes a secure channel through AWS Systems Manager, which eliminates the need to manage SSH keys, open additional network ports, or deal with the security risks associated with SSH access.

Pricing

Price of the bastion depends on the instance size used for your bastion.

By default (if you do not specify an instance size), a t3.micro instance is used. This instance is free tier eligible. If you are not in the free tier, the monthly cost of this instance is ~$7.5.

API reference

Bastion (API reference)

  • type (Required)
  • properties.instanceSize (Default: t3.micro)
  • properties.logging
    • overrides
      • messages
      • secure
      • audit

BastionLogging (API reference)

  • disabled
  • retentionDays

Need help? Ask a question on Slack, Discord, or info@stacktape.com.