Bastion servers (Jump hosts)
Overview
- Bastion server is a simple virtual machine used for accessing resources that are only accessible from within your VPC (private network, not accessible from the internet). Some resources, such as relational databases, redis clusters, might not have public endpoint, but you still need to access them from your scripts or to perform management tasks.
- The connection from your system to the bastion server is securely established using SSM session manager, leveraging your IAM permissions. This means that your bastion does NOT expose any ports resulting in high security.
Usage
Copy
resources:myBastion:type: bastion
Example config with bastion
Connecting to bastion (interactive session)
You can connect to bastion server and start a shell session using command bastion:session.
Copy
stacktape bastion:session --stage <<stage>> --region <<region>> --bastionResource <<bastionResourceName>>
The connection from your system to the bastion server is securely established using SSM session manager, leveraging your IAM permissions. This means that your bastion does NOT expose any ports resulting in high security.
Creating bastion tunnel
Some resources, such as relational databases, redis clusters, might not have public endpoint, but you still might want to access them from your local workstation.
With bastion:tunnel command, you can start a tunneling session to access resources protected in the VPC through your bastion.
Copy
stacktape bastion:tunnel --stage <<stage>> --region <<region>> --bastionResource <<bastionResourceName>> --resourceName <<nameOfTargetResource>>
Tunneling, is a technique that allows network traffic to be redirected from one network port to another. It establishes a secure pathway between a source and destination port, facilitating the transmission of data across networks.
When using Stacktape, pathway is created between target resource port (for example a port of your database) and local port on the local host (where Stacktape is running). Bastion resource is used as an intermediary between your local host and the target resource.
After tunnel is created, Stacktape prints the tunneled endpoint (which you can use for connecting to the resource) into terminal.
Tunnel example
Copy
resources:myBastion:type: bastionmyDatabase:type: relational-databaseproperties:# database is only accessible from withing VPCaccessibility:accessibilityMode: vpcengine:type: postgresproperties:version: '16.2'primaryInstance:instanceSize: db.t3.microcredentials:masterUserPassword: my_secret_pass
Bastion with database accessible only in VPC
Considering the config above, following command creates tunnel to the database:
Copy
stacktape bastion:tunnel --stage <<stage>> --bastionResource myBastion --resourceName myDatabase
After tunnel is created, Stacktape prints the tunneled endpoint (which you can use for connecting to the resource) into terminal.
Bastion tunneling is supported for following resource types:
relational-databaseredis-clusterapplication-load-balancerprivate-service(with loadBalancing type application-load-balancer)
Using bastion with scripts
You can use bastion with the scripts specified in scripts section of your config.
For more information refer to following doc pages:
Copy
scripts:migrateDb:type: local-script-with-bastion-tunnelingproperties:executeScript: migrate.tsconnectTo:- myDatabasehooks:afterDeploy:- scriptName: migrateDbresources:myBastion:type: bastionmyDatabase:type: relational-databaseproperties:# database is only accessible from withing VPCaccessibility:accessibilityMode: vpcengine:type: postgresproperties:version: '16.2'primaryInstance:instanceSize: db.t3.microcredentials:masterUserPassword: my_secret_pass
Stacktape config using the migration script with tunneling
Instance size
Optionally, you can specify instance size of your bastion host. By default,
t3.microinstance is used (free tier eligible).If you wish to use bigger instance for your bastion, you can specify
instanceSizeproperty.To see full list of available instance sizes, refer to AWS docs.
Copy
resources:myBastion:type: bastionproperties:instanceSize: c5.large
Custom commands on bastion launch
You can use runCommandsAtLaunch property to run custom set of commands when the bastion is launched.
Running custom commands can be useful for installing dependencies or setting up your bastion in any other way:
- Commands are run as the root user (do not use sudo).
- Modifying this list after bastion was already created will force replacement of the bastion instance. This means that any data that was manually created on the old bastion instance will be lost.
- Use this if to install dependencies and packages that might be required for your bastion scripts
Copy
resources:myBastion:type: bastionproperties:runCommandsAtLaunch:- yum update- yum install postgresql.x86_64 -y
All bastion hosts are using latest Amazon Linux 2023 operating system.
SSM sessions
With Stacktape, bastion hosts leverage SSM session manager.
SSM Session Manager is a service provided by AWS that enables secure and centralized management of instances without the need for direct access. Compared to traditional SSH, SSM Session Manager establishes a secure channel using AWS Systems Manager which eliminates the need for managing SSH keys, opening additional network ports, and dealing with potential security risks associated with SSH access - making it more secure.
Pricing
Price of the bastion depends on the instance size used for your bastion.
By default (if you do not specify instance size), t3.micro instance is used. This instance is free tier eligible. If
you are not in a free tier, monthly cost of this instance is ~$7.5.