Bastion Servers (Jump Hosts)

A bastion server, or jump host, is a virtual machine that provides secure access to resources that are isolated within a private network (VPC). This is useful for managing resources like databases or Redis clusters that don't have a public endpoint.

Connections to the bastion server are established using SSM Session Manager, which leverages your IAM permissions for authentication. This eliminates the need to expose any ports, providing a highly secure way to access your private resources.

Basic usage


resources:
  myBastion:
    type: bastion

Example of a bastion server configuration.

Connecting to a bastion server

You can start an interactive shell session on a bastion server using the bastion:session command:


stacktape bastion:session --stage <<stage>> --region <<region>> --bastionResource <<bastionResourceName>>

Creating a bastion tunnel

For resources that don't have a public endpoint, like a database, you can use a bastion tunnel to access them from your local machine. The bastion:tunnel command creates a secure pathway from a port on your local machine to the port of the target resource, using the bastion server as an intermediary.


stacktape bastion:tunnel --stage <<stage>> --region <<region>> --bastionResource <<bastionResourceName>> --resourceName <<nameOfTargetResource>>

Once the tunnel is established, Stacktape will print the local endpoint that you can use to connect to the resource.

Tunnel example

A diagram showing a bastion tunnel to a database


resources:
  myBastion:
    type: bastion

  myDatabase:
    type: relational-database
    properties:
      # database is only accessible from withing VPC
      accessibility:
        accessibilityMode: vpc
      engine:
        type: postgres
        properties:
          version: '16.2'
          primaryInstance:
            instanceSize: db.t3.micro
      credentials:
        masterUserPassword: my_secret_pass

A bastion server with a database that is only accessible within the VPC.

To create a tunnel to the database, you would run:


stacktape bastion:tunnel --stage <<stage>> --bastionResource myBastion --resourceName myDatabase

The terminal output after starting a tunnel

Bastion tunneling is supported for the following resource types:

relational-database
redis-cluster
application-load-balancer
private-service (when using an application load balancer)

Using a bastion with scripts

You can also use bastion servers with scripts. For more information, see the documentation on bastion scripts and local scripts with bastion tunneling.


scripts:
  migrateDb:
    type: local-script-with-bastion-tunneling
    properties:
      executeScript: migrate.ts
      connectTo:
        - myDatabase

hooks:
  afterDeploy:
    - scriptName: migrateDb

resources:
  myBastion:
    type: bastion

  myDatabase:
    type: relational-database
    properties:
      # database is only accessible from withing VPC
      accessibility:
        accessibilityMode: vpc
      engine:
        type: postgres
        properties:
          version: '16.2'
          primaryInstance:
            instanceSize: db.t3.micro
      credentials:
        masterUserPassword: my_secret_pass

A Stacktape configuration that uses a bastion tunnel for a migration script.

Instance size

By default, bastion servers use a t3.micro instance, which is eligible for the AWS Free Tier. You can specify a different instance size using the instanceSize property. For a full list of available instance types, see the AWS documentation.


resources:
  myBastion:
    type: bastion
    properties:
      instanceSize: c5.large

Custom commands on launch

You can run a custom set of commands when the bastion server is launched using the runCommandsAtLaunch property. This is useful for installing dependencies or performing other setup tasks.

Commands are run as the root user (do not use sudo).
Modifying this list after bastion was already created will force replacement of the bastion instance. This means that any data that was manually created on the old bastion instance will be lost.
Use this if to install dependencies and packages that might be required for your bastion scripts


resources:
  myBastion:
    type: bastion
    properties:
      runCommandsAtLaunch:
        - yum update
        - yum install postgresql.x86_64 -y

All bastion hosts use the latest Amazon Linux 2023 operating system.

SSM sessions

Stacktape uses SSM Session Manager to provide secure access to bastion servers. This eliminates the need to manage SSH keys or open additional network ports, making it more secure than traditional SSH access.

Pricing

The price of a bastion server depends on its instance size. The default t3.micro instance is free for the first 12 months as part of the AWS Free Tier. After that, it costs approximately $7.50 per month.

API reference

Bastion API reference

type

Required

properties.instanceSize

Default: t3.micro

properties.runCommandsAtLaunch

properties.logging

overrides

BastionLoggingConfig API reference

Parent:Bastion

messages

secure

audit

BastionLogging API reference

Parent:BastionLoggingConfig

disabled

retentionDays

logForwarding