Stacktape


Bastion Servers (Jump Hosts)



A bastion server, or jump host, is a virtual machine that provides secure access to resources that are isolated within a private network (VPC). This is useful for managing resources like databases or Redis clusters that don't have a public endpoint.

Connections to the bastion server are established using SSM Session Manager, which leverages your IAM permissions for authentication. This eliminates the need to expose any ports, providing a highly secure way to access your private resources.

Basic usage

resources:
  myBastion:
    type: bastion

Example of a bastion server configuration.

Connecting to a bastion server

You can start an interactive shell session on a bastion server using the bastion:session command:

stacktape bastion:session --stage <<stage>> --region <<region>> --bastionResource <<bastionResourceName>>

Creating a bastion tunnel

For resources that don't have a public endpoint, like a database, you can use a bastion tunnel to access them from your local machine. The bastion:tunnel command creates a secure pathway from a port on your local machine to the port of the target resource, using the bastion server as an intermediary.

stacktape bastion:tunnel --stage <<stage>> --region <<region>> --bastionResource <<bastionResourceName>> --resourceName <<nameOfTargetResource>>

Once the tunnel is established, Stacktape will print the local endpoint that you can use to connect to the resource.

Tunnel example

A diagram showing a bastion tunnel to a database

resources:
  myBastion:
    type: bastion
  myDatabase:
    type: relational-database
    properties:
      # database is only accessible from within the VPC
      accessibility:
        accessibilityMode: vpc
      engine:
        type: postgres
        properties:
          version: '16.2'
      primaryInstance:
        instanceSize: db.t3.micro
      credentials:
        masterUserPassword: my_secret_pass

A bastion server with a database that is only accessible within the VPC.

To create a tunnel to the database, you would run:

stacktape bastion:tunnel --stage <<stage>> --bastionResource myBastion --resourceName myDatabase

The terminal output after starting a tunnel

Bastion tunneling is supported for the following resource types:

  • relational-database
  • redis-cluster
  • application-load-balancer
  • private-service (when using an application load balancer)

Using a bastion with scripts

You can also use bastion servers with scripts. For more information, see the documentation on bastion scripts and local scripts with bastion tunneling.

scripts:
  migrateDb:
    type: local-script-with-bastion-tunneling
    properties:
      executeScript: migrate.ts
      connectTo:
        - myDatabase
hooks:
  afterDeploy:
    - scriptName: migrateDb
resources:
  myBastion:
    type: bastion
  myDatabase:
    type: relational-database
    properties:
      # database is only accessible from within the VPC
      accessibility:
        accessibilityMode: vpc
      engine:
        type: postgres
        properties:
          version: '16.2'
      primaryInstance:
        instanceSize: db.t3.micro
      credentials:
        masterUserPassword: my_secret_pass

A Stacktape configuration that uses a bastion tunnel for a migration script.
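The two configurations above (the tunnel example and the migration-script example) are easy to get subtly wrong: a script can name a resource that does not exist, a tunnel target can be of a type that bastion tunneling does not support, a hook can point at an undefined script, and a plaintext master password sits in a file that is usually committed to version control. The following linter is an added example, not Stacktape's own code. It takes a config already loaded into plain Python dicts and lists (for instance via PyYAML); the config below is constructed inline to mirror the migration-script example, so it runs offline. The list of tunnelable types is taken from this page; the convention that a credential value starting with `$` is a secret reference rather than a literal is an assumption and should be adjusted to your setup.

```python
"""Lint a Stacktape config (parsed into dicts/lists) for bastion-tunnel mistakes.

Added example, not Stacktape's own code. The config is assumed to be already
parsed from YAML; the sample below is constructed to mirror the docs example.
"""

# Resource types that support bastion tunneling, per the docs on this page.
TUNNELABLE_TYPES = {
    "relational-database",
    "redis-cluster",
    "application-load-balancer",
    "private-service",
}

# Constructed sample config mirroring the migration-script example above.
CONFIG = {
    "scripts": {
        "migrateDb": {
            "type": "local-script-with-bastion-tunneling",
            "properties": {"executeScript": "migrate.ts", "connectTo": ["myDatabase"]},
        }
    },
    "hooks": {"afterDeploy": [{"scriptName": "migrateDb"}]},
    "resources": {
        "myBastion": {"type": "bastion"},
        "myDatabase": {
            "type": "relational-database",
            "properties": {
                "accessibility": {"accessibilityMode": "vpc"},
                "engine": {"type": "postgres", "properties": {"version": "16.2"}},
                "primaryInstance": {"instanceSize": "db.t3.micro"},
                "credentials": {"masterUserPassword": "my_secret_pass"},
            },
        },
    },
}


def lint_bastion_config(config):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    resources = config.get("resources") or {}
    scripts = config.get("scripts") or {}
    hooks = config.get("hooks") or {}

    bastions = [n for n, r in resources.items() if r.get("type") == "bastion"]

    # Scripts that tunnel through a bastion need a bastion and valid, tunnelable targets.
    for name, script in scripts.items():
        if script.get("type") != "local-script-with-bastion-tunneling":
            continue
        props = script.get("properties") or {}
        if not bastions:
            findings.append(
                f"script '{name}' tunnels through a bastion but no bastion resource is defined"
            )
        for target in props.get("connectTo") or []:
            res = resources.get(target)
            if res is None:
                findings.append(f"script '{name}' connects to unknown resource '{target}'")
            elif res.get("type") not in TUNNELABLE_TYPES:
                findings.append(
                    f"script '{name}' connects to '{target}' of type '{res.get('type')}', "
                    "which does not support bastion tunneling"
                )

    # Every hook entry must reference a script that is actually defined.
    for hook_name, entries in hooks.items():
        for entry in entries or []:
            sname = entry.get("scriptName")
            if sname not in scripts:
                findings.append(f"hook '{hook_name}' references undefined script '{sname}'")

    # Plaintext credentials in the config file end up in version control; flag them.
    # Assumption: a value starting with "$" is a secret/directive reference, not a literal.
    for name, res in resources.items():
        creds = (res.get("properties") or {}).get("credentials") or {}
        pw = creds.get("masterUserPassword")
        if isinstance(pw, str) and not pw.startswith("$"):
            findings.append(
                f"resource '{name}' has a plaintext masterUserPassword; reference a secret instead"
            )
    return findings


if __name__ == "__main__":
    for finding in lint_bastion_config(CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample config, the only finding is the plaintext `masterUserPassword`; the script, its tunnel target and the `afterDeploy` hook all check out. Running the same function as a pre-deploy step catches the mistakes that would otherwise only surface after the stack has been deployed and the hook fails.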

Instance size

By default, bastion servers use a t3.micro instance, which is eligible for the AWS Free Tier. You can specify a different instance size using the instanceSize property. For a full list of available instance types, see the AWS documentation.

resources:
  myBastion:
    type: bastion
    properties:
      instanceSize: c5.large

Custom commands on launch

You can run a custom set of commands when the bastion server is launched using the runCommandsAtLaunch property. This is useful for installing dependencies or performing other setup tasks.

  • Commands are run as the root user (do not use sudo).
  • Modifying this list after the bastion has already been created forces replacement of the bastion instance. Any data that was created manually on the old bastion instance will be lost.
  • Use this to install dependencies and packages that your bastion scripts might require.

resources:
  myBastion:
    type: bastion
    properties:
      runCommandsAtLaunch:
        # commands run non-interactively, so package operations need -y
        - yum update -y
        - yum install postgresql.x86_64 -y

All bastion hosts use the latest Amazon Linux 2023 operating system.

SSM sessions

Stacktape uses SSM Session Manager to provide secure access to bastion servers. This eliminates the need to manage SSH keys or open additional network ports, making it more secure than traditional SSH access.

Pricing

The price of a bastion server depends on its instance size. The default t3.micro instance is free for the first 12 months as part of the AWS Free Tier. After that, it costs approximately $7.50 per month.

API reference

Bastion API reference

  • type (required)
  • properties.instanceSize (default: t3.micro)
  • properties.runCommandsAtLaunch
  • properties.logging
  • overrides

BastionLogging API reference

  • disabled
  • retentionDays
  • logForwarding
