Bastion servers
Overview
- A bastion server is a small virtual machine used to access resources that are only reachable from within your VPC (the private network of your stack, not accessible from the internet). Some resources, such as relational databases or redis clusters, might not have a public endpoint, but you still need to reach them from your scripts or to perform management tasks.
- The connection from your system to the bastion server is established securely using SSM Session Manager, leveraging your IAM permissions. This means that your bastion does NOT expose any ports, which keeps its attack surface minimal.
Using bastion tunnel
You can use bastion tunnels to give your script or command access to resources that are only accessible from within the VPC (the private network of your stack).
- When using a bastion tunnel, Stacktape sets up a port-forwarding tunnel through the specified bastion host.
- To use bastion tunnels, your stack must contain a bastion resource.
- Tunneling is performed over a secure SSM session.
- Environment variables passed to the script are automatically adjusted to use the tunneled endpoints.
scripts:
  migrateDb:
    executeCommands:
      - python manage.py makemigrations
      - python manage.py migrate
    bastionTunnels:
      - bastion: myBastion
        target: mainDatabase
    # injected environment variables are automatically adjusted during the script/command execution to use the tunneled endpoint
    environment:
      - name: STP_MAIN_DATABASE_CONNECTION_STRING
        value: $ResourceParam('mainDatabase', 'connectionString')
hooks:
  afterDeploy:
    - executeNamedScript: migrateDb
resources:
  myBastion:
    type: bastion
  mainDatabase:
    type: relational-database
    properties:
      accessibility:
        accessibilityMode: vpc
      credentials:
        masterUserName: admin_user
        masterUserPassword: my_secret_password
      engine:
        type: aurora-postgresql-serverless
Using bastion tunnel to perform migration on VPC protected database
Targets for bastion tunnel
- Resource types supported as a target for a bastion tunnel:
  - relational-database
  - redis-cluster
  - mongo-db-atlas-cluster
  - application-load-balancer
  - private-service (with loadBalancing type application-load-balancer)
- If the target resource has multiple endpoints (for example, a redis-cluster can have reader and writer endpoints, or a relational-database can have multiple read replicas), all endpoints are tunneled automatically.
- Environment variables passed to the script are automatically adjusted to use the tunneled endpoints.
Connecting to bastion
You can connect to the bastion server and start a shell session using the bastion:session command.
stacktape bastion:session --stage <<stage>> --region <<region>> --resourceName <<bastionName>>
The connection from your system to the bastion server is established securely using SSM Session Manager, leveraging your IAM permissions. This means that your bastion does NOT expose any ports, which keeps its attack surface minimal.
Instance size
Optionally, you can specify the instance size of your bastion host. By default, a t3.micro instance is used (free tier eligible). If you wish to use a bigger instance for your bastion, you can specify the instanceSize property. To see the full list of available instance sizes, refer to the AWS docs.
resources:
  myBastion:
    type: bastion
    properties:
      instanceSize: c5.large
SSM sessions
With Stacktape, bastion hosts leverage SSM session manager.
SSM Session Manager is an AWS service that enables secure, centralized management of instances without direct network access to them. Compared to traditional SSH, SSM Session Manager establishes a secure channel through AWS Systems Manager, which eliminates the need to manage SSH keys, open additional network ports, or deal with the security risks associated with direct SSH access.
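A defender-side check that the "no exposed ports" property described above actually holds for a deployed bastion, added here as an example and not part of Stacktape: it evaluates the IpPermissions structure returned by EC2 DescribeSecurityGroups (the sample groups are constructed inline; sg-clean, sg-openssh and sg-app are made-up ids) and reports every inbound rule, since an SSM-managed bastion needs no ingress at all.

```python
# Added example (not Stacktape code): audit a bastion's security group for
# inbound rules. An SSM-managed bastion needs only outbound connectivity to
# the Systems Manager endpoints, so any ingress rule is a finding. The input
# follows the shape of the EC2 DescribeSecurityGroups response.

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def _describe_port(rule):
    """Render a rule's port range; IpProtocol "-1" means all traffic."""
    proto = rule.get("IpProtocol", "-1")
    if proto == "-1":
        return "all traffic"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def audit_bastion_sg(security_group):
    """Return (severity, message) findings, one per ingress rule and source.
    Any ingress is MEDIUM; a rule open to the whole internet is HIGH."""
    findings = []
    name = security_group.get("GroupId", "<unknown>")
    for rule in security_group.get("IpPermissions", []):
        port = _describe_port(rule)
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
        for src in sources or ["<no source>"]:
            severity = "HIGH" if src in (ANY_V4, ANY_V6) else "MEDIUM"
            findings.append((severity, f"{name}: ingress {port} from {src}"))
    return findings


# Constructed sample data: a clean SSM-only bastion and one with SSH left open.
CLEAN_SG = {"GroupId": "sg-clean", "IpPermissions": []}
OPEN_SSH_SG = {
    "GroupId": "sg-openssh",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ],
}

if __name__ == "__main__":
    for sg in (CLEAN_SG, OPEN_SSH_SG):
        print(sg["GroupId"], audit_bastion_sg(sg) or "no ingress (expected)")
```

In a real audit, feed the function the `SecurityGroups` entries that `boto3`'s `ec2.describe_security_groups()` returns for the bastion instance; an empty result is the expected state.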
Pricing
The price of the bastion depends on the instance size used for your bastion. By default (if you do not specify an instance size), a t3.micro instance is used. This instance is free tier eligible. If you are not in the free tier, the monthly cost of this instance is ~$7.5.