Guide: SSH Bastion Host
SSH Bastion Host
The Idea of the SSH Bastion Host is having a well-secured, regularly patched entry point that is the only service that is exposed to the internet, which has a sole purpose - allowing users to connect to the instances which have not an external IP address. This will give you the flexibility to connect to your environment, without exposure to the internet.
On WEkEO, we have provided a CentOS 7.5 image that has built-in SSH Bastion functions. To create an instance with this image, select "SSH BASTION HOST" in the "Type" tab in the new instance creation form.
Next steps to create a new instance are described in the guide here:
For example, we have created 2 instances. The first one was created from the image SSH Bastion Host and associated public IP address.
This instance has 2 Security Groups attached:
wekeo-tenant_security_group - this group allows to access the instance via SSH,
default - allows internal traffic in the private network.
The guide about using Security Groups is described here:
And a second instance which was created from a regular Ubuntu image with no public IP address attached.
This instance has only the "default" Security Group attached because this instance will be accessed through the SSH Bastion.
It should be remembered that in order for the instances to communicate in the private network they must have the "default" Security Group attached.
Access via SSH Bastion
In order to access your virtual machines with your bastion you can use the -J flag of the ssh command.
First, add your key to the SSH Agent on your local machine. You have to add the key every time you restart your machine.
Then you can connect:
ssh -J your.jump.host remote.internal.host
$ ssh-add user
$ ssh -J email@example.com firstname.lastname@example.org
Or, create a configuration file in your .ssh directory (.ssh/config) and set all the configurations there;
## Bastion Config
## Remote Host
After such configuration, you can just execute the command:
$ ssh 10.0.0.245
If you want to gain access only to the SSH Bastion, you can perform the following commands e.g:
$ ssh email@example.com
### Or if you have the appropriate configuration in .ssh/config
$ ssh bastion