How To Setup Bastion Host on AWS using CloudFormation Template
- Mohammad Abu Mattar
- Cloud Computing , DevOps
- 10 Jan, 2023
- 09 Mins read
Introduction
In previous post How To Setup Bastion Host on AWS using CloudFormation Template, we will learn how to setup a Bastion host on AWS using a CloudFormation template. We will walk through the process of creating a CloudFormation template, deploying it, and connecting to the instances created by the template. This is a simple and efficient way of setting up a Bastion host on AWS.
Prerequisites
Before starting, make sure that you have the following:
- AWS CLI installed and configured on your local machine. You can follow the instructions on Installing the AWS CLI to install and configure it.
- An IAM user with the following permissions:
- AmazonVPCFullAccess
- AmazonEC2FullAccess
- AWSCloudFormationFullAccess
- Basic knowledge of networking and SSH
- Familiarity with YAML and AWS CloudFormation
- AWS CLI version 2 or later.
- The AWS CLI configured with the desired credentials
- Knowledge of AWS basic building blocks such as VPCs, Subnets, Security Groups, Elastic IPs and EC2 instances.
To create an IAM user, follow the instructions on Creating an IAM User
Setup Bastion Host on AWS using CloudFormation Template
Create a CloudFormation Template
Create a new file called bastion-host-with-vpc.yml and include the CloudFormation template code. This should include the necessary resources such as VPC, subnets, security groups, Elastic IPs, Internet Gateway, NAT Gateway, and EC2 instances. Make sure to specify the correct parameters such as subnet IDs, security group IDs, and key pair names.
bastion-host-with-vpc.yml
1AWSTemplateFormatVersion: '2010-09-09'2Description: >-3 This template creates a VPC with 2 subnets, 1 public and 1 private. It also4 Internet Gateway, NAT Gateway, Route Tables, Security Groups and EC2 Instances5 for Bastion Host and Private Instance.6
7Parameters:8 EnvironmentName:9 Description: >-10 An environment name that will be prefixed to resource names11 Type: String12 AllowedValues:13 - dev14 - test15 - prod16 Default: dev17 VPCName:18 Description: >-19 The name of the VPC. This name is used as a tag value for the VPC and20 subnets.21 Type: String22 Default: bastion-host-vpc23 AllowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$24 ConstraintDescription: >-25 VPC name can include numbers, lowercase letters, uppercase letters, and26 hyphens (-). It cannot start or end with a hyphen (-).27 VPCCIDR:28 Description: >-29 The CIDR block for the VPC. This should be a valid private (RFC 1918)30 CIDR range.31 Type: String32 Default: 10.0.0.0/1633 AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-9]|3[0-2]))$34 ConstraintDescription: >-35 CIDR block parameter must be in the form x.x.x.x/16-32, where x is a36 number from 0-255, and /16-32 is a valid CIDR range.37 PublicSubnetName:38 Description: >-39 The name of the public subnet. This name is used as a tag value for the40 subnet.41 Type: String42 Default: bastion-host-public-subnet43 AllowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$44 ConstraintDescription: >-45 Subnet name can include numbers, lowercase letters, uppercase letters, and46 hyphens (-). It cannot start or end with a hyphen (-).47 PublicSubnetCIDR:48 Description: >-49 The CIDR block for the public subnet. This should be a valid private (RFC50 1918) CIDR range that is /24 or larger.51 Type: String52 Default: 10.0.0.0/2453 AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(2[4-9]|3[0-2]))$54 ConstraintDescription: >-55 CIDR block parameter must be in the form x.x.x.x/24-32, where x is a56 number from 0-255, and /24-32 is a valid CIDR range.57 PrivateSubnetName:58 Description: >-59 The name of the private subnet. This name is used as a tag value for the60 subnet.61 Type: String62 Default: bastion-host-private-subnet63 AllowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$64 ConstraintDescription: >-65 Subnet name can include numbers, lowercase letters, uppercase letters, and66 hyphens (-). It cannot start or end with a hyphen (-).67 PrivateSubnetCIDR:68 Description: >-69 The CIDR block for the private subnet. This should be a valid private (RFC70 1918) CIDR range that is /24 or larger.71 Type: String72 Default: 10.0.16.0/2473 AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(2[4-9]|3[0-2]))$74 ConstraintDescription: >-75 CIDR block parameter must be in the form x.x.x.x/24-32, where x is a76 number from 0-255, and /24-32 is a valid CIDR range.77 InternetGatewayName:78 Description: >-79 The name of the Internet Gateway. This name is used as a tag value for the80 Internet Gateway.81 Type: String82 Default: bastion-host-igw83 AllowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$84 ConstraintDescription: >-85 Internet Gateway name can include numbers, lowercase letters, uppercase86 letters, and hyphens (-). It cannot start or end with a hyphen (-).87 NATGatewayName:88 Description: >-89 The name of the NAT Gateway. This name is used as a tag value for the NAT90 Gateway.91 Type: String92 Default: bastion-host-ngw93 AllowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$94 ConstraintDescription: >-95 NAT Gateway name can include numbers, lowercase letters, uppercase96 letters, and hyphens (-). It cannot start or end with a hyphen (-).97 PublicRouteTableName:98 Description: >-99 The name of the public route table. This name is used as a tag value for100 the route table.101 Type: String102 Default: bastion-host-public-route-table103 AllowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$104 ConstraintDescription: >-105 Route table name can include numbers, lowercase letters, uppercase106 letters, and hyphens (-). It cannot start or end with a hyphen (-).107 PrivateRouteTableName:108 Description: >-109 The name of the private route table. This name is used as a tag value for110 the route table.111 Type: String112 Default: bastion-host-private-route-table113 AllowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$114 ConstraintDescription: >-115 Route table name can include numbers, lowercase letters, uppercase116 letters, and hyphens (-). It cannot start or end with a hyphen (-).117 BastionHostName:118 Description: >-119 The name of the Bastion Host instance. This name is used as a tag value120 for the instance.121 Type: String122 Default: bastion-host-instance123 AllowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$124 BastionHostKeyPair:125 Description: >-126 The name of an existing EC2 KeyPair to enable SSH access to the Bastion127 Host.128 Type: AWS::EC2::KeyPair::KeyName129 BastionHostType:130 Description: >-131 The instance type to use for the Bastion Host.132 Type: String133 AllowedValues:134 - t2.nano135 - t2.micro136 - t2.small137 - t2.medium138 - t2.large139 - t2.xlarge140 - t2.2xlarge141 - t3.nano142 - t3.micro143 - t3.small144 - t3.medium145 - t3.large146 - t3.xlarge147 - t3.2xlarge148 - m1.small149 - m1.medium150 - m1.large151 - m1.xlarge152 - m2.xlarge153 - m2.2xlarge154 - m2.4xlarge155 - m3.medium156 - m3.large157 - m3.xlarge158 - m3.2xlarge159 - m4.large160 - m4.xlarge161 - m4.2xlarge162 - m4.4xlarge163 - m4.10xlarge164 - m4.16xlarge165 - m5.large166 - m5.xlarge167 - m5.2xlarge168 - m5.4xlarge169 - m5.12xlarge170 - m5.24xlarge171 - m5d.large172 - m5d.xlarge173 - m5d.2xlarge174 - m5d.4xlarge175 - m5d.12xlarge176 - m5d.24xlarge177 - c1.medium178 - c1.xlarge179 - c3.large180 - c3.xlarge181 - c3.2xlarge182 - c3.4xlarge183 - c3.8xlarge184 - c4.large185 - c4.xlarge186 - c4.2xlarge187 - c4.4xlarge188 - c4.8xlarge189 - c5.large190 - c5.xlarge191 - c5.2xlarge192 - c5.4xlarge193 - c5.9xlarge194 Default: t2.micro195 ConstraintDescription: >-196 Must be a valid EC2 instance type.197 BastionHostAMI:198 Description: >-199 The ID of the Amazon Machine Image (AMI) that you want to use to launch200 the Bastion Host instance.201 Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>202 Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2203 BastionHostSecurityGroupName:204 Description: >-205 The name of the security group to assign to the Bastion Host instance.206 Type: String207 Default: bastion-host-security-group208 AllowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$209 ConstraintDescription: >-210 Security group name can include numbers, lowercase letters, uppercase211 letters, and hyphens (-). It cannot start or end with a hyphen (-).212 BastionHostSecurityGroupDescription:213 Description: >-214 The description of the security group to assign to the Bastion Host215 instance.216 Type: String217 Default: Bastion Host security group218 AllowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9\s]*[a-zA-Z0-9]$219 ConstraintDescription: >-220 Security group description can include numbers, lowercase letters,221 uppercase letters, and hyphens (-). It cannot start or end with a hyphen222 (-).223 PrivateInstanceName:224 Description: >-225 The name of the private instance. This name is used as a tag value for the226 instance.227 Type: String228 Default: bastion-host-private-instance229 AllowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$230 ConstraintDescription: >-231 Instance name can include numbers, lowercase letters, uppercase letters,232 and hyphens (-). It cannot start or end with a hyphen (-).233 PrivateInstanceKeyPair:234 Description: >-235 The name of the Amazon EC2 key pair that you want to use to connect to the236 private instance.237 Type: AWS::EC2::KeyPair::KeyName238 ConstraintDescription: >-239 Must be the name of an existing Amazon EC2 key pair.240 PrivateInstanceType:241 Description: >-242 The instance type to use for the private instance.243 Type: String244 AllowedValues:245 - t2.nano246 - t2.micro247 - t2.small248 - t2.medium249 - t2.large250 - t2.xlarge251 - t2.2xlarge252 - t3.nano253 - t3.micro254 - t3.small255 - t3.medium256 - t3.large257 - t3.xlarge258 - t3.2xlarge259 - m1.small260 - m1.medium261 - m1.large262 - m1.xlarge263 - m2.xlarge264 - m2.2xlarge265 - m2.4xlarge266 - m3.medium267 - m3.large268 - m3.xlarge269 - m3.2xlarge270 - m4.large271 - m4.xlarge272 - m4.2xlarge273 - m4.4xlarge274 - m4.10xlarge275 - m4.16xlarge276 - m5.large277 - m5.xlarge278 - m5.2xlarge279 - m5.4xlarge280 - m5.12xlarge281 - m5.24xlarge282 - m5d.large283 - m5d.xlarge284 - m5d.2xlarge285 - m5d.4xlarge286 - m5d.12xlarge287 - m5d.24xlarge288 - c1.medium289 - c1.xlarge290 - c3.large291 - c3.xlarge292 - c3.2xlarge293 - c3.4xlarge294 - c3.8xlarge295 - c4.large296 - c4.xlarge297 - c4.2xlarge298 - c4.4xlarge299 - c4.8xlarge300 - c5.large301 - c5.xlarge302 - c5.2xlarge303 - c5.4xlarge304 - c5.9xlarge305 Default: t2.micro306 ConstraintDescription: >-307 Must be a valid EC2 instance type.308 PrivateInstanceAMI:309 Description: >-310 The ID of the Amazon Machine Image (AMI) that you want to use to launch311 the private instance.312 Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>313 Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2314 PrivateInstanceSecurityGroupName:315 Description: >-316 The name of the security group to assign to the private instance.317 Type: String318 Default: bastion-host-private-instance-security-group319 AllowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$320 ConstraintDescription: >-321 Security group name can include numbers, lowercase letters, uppercase322 letters, and hyphens (-). It cannot start or end with a hyphen (-).323 PrivateInstanceSecurityGroupDescription:324 Description: >-325 The description of the security group to assign to the private instance.326 Type: String327 Default: Bastion Host private instance security group328 AllowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9\s]*[a-zA-Z0-9]$329 ConstraintDescription: >-330 Security group description can include numbers, lowercase letters,331 uppercase letters, and hyphens (-). It cannot start or end with a hyphen332 (-).333
334Metadata:335 Author: Mohammad Abu Mattar336 Version: 1.0337 AWS::CloudFormation::Interface:338 ParameterGroups:339 - Label:340 default: Environment341 Parameters:342 - EnvironmentName343 - Label:344 default: Natwork Configuration345 Parameters:346 - VPCName347 - VPCCIDR348 - PublicSubnetName349 - PublicSubnetCIDR350 - PrivateSubnetName351 - PrivateSubnetCIDR352 - InternetGatewayName353 - NATGatewayName354 - PublicRouteTableName355 - PrivateRouteTableName356 - Label:357 default: Bastion Host Configuration358 Parameters:359 - BastionHostName360 - BastionHostKeyPair361 - BastionHostType362 - BastionHostAMI363 - BastionHostSecurityGroupName364 - BastionHostSecurityGroupDescription365 - Label:366 default: Private Instance Configuration367 Parameters:368 - PrivateInstanceName369 - PrivateInstanceKeyPair370 - PrivateInstanceType371 - PrivateInstanceAMI372 - PrivateInstanceSecurityGroupName373 - PrivateInstanceSecurityGroupDescription374
375 ParameterLabels:376 EnvironmentName:377 default: Environment Name378 VPCName:379 default: VPC Name380 VPCCIDR:381 default: VPC CIDR382 PublicSubnetName:383 default: Public Subnet Name384 PublicSubnetCIDR:385 default: Public Subnet CIDR386 PrivateSubnetName:387 default: Private Subnet Name388 PrivateSubnetCIDR:389 default: Private Subnet CIDR390 InternetGatewayName:391 default: Internet Gateway Name392 NATGatewayName:393 default: NAT Gateway Name394 PublicRouteTableName:395 default: Public Route Table Name396 PrivateRouteTableName:397 default: Private Route Table Name398 BastionHostName:399 default: Bastion Host Name400 BastionHostKeyPair:401 default: Bastion Host Key Pair402 BastionHostType:403 default: Bastion Host Type404 BastionHostAMI:405 default: Bastion Host AMI406 BastionHostSecurityGroupName:407 default: Bastion Host Security Group Name408 BastionHostSecurityGroupDescription:409 default: Bastion Host Security Group Description410 PrivateInstanceName:411 default: Private Instance Name412 PrivateInstanceKeyPair:413 default: Private Instance Key Pair414 PrivateInstanceType:415 default: Private Instance Type416 PrivateInstanceAMI:417 default: Private Instance AMI418 PrivateInstanceSecurityGroupName:419 default: Private Instance Security Group Name420 PrivateInstanceSecurityGroupDescription:421 default: Private Instance Security Group Description422
423Resources:424 VPC:425 Type: AWS::EC2::VPC426 Properties:427 CidrBlock: !Ref VPCCIDR428 EnableDnsSupport: true429 EnableDnsHostnames: true430 Tags:431 - Key: Name432 Value: !Ref VPCName433
434 PublicSubnet:435 Type: AWS::EC2::Subnet436 DependsOn:437 - VPC438 Properties:439 VpcId: !Ref VPC440 CidrBlock: !Ref PublicSubnetCIDR441 AvailabilityZone: !Select [0, !GetAZs '']442 Tags:443 - Key: Name444 Value: !Ref PublicSubnetName445 PriveSubnet:446 Type: AWS::EC2::Subnet447 DependsOn:448 - VPC449 Properties:450 VpcId: !Ref VPC451 CidrBlock: !Ref PrivateSubnetCIDR452 AvailabilityZone: !Select [0, !GetAZs '']453 Tags:454 - Key: Name455 Value: !Ref PrivateSubnetName456
457 IGW:458 Type: AWS::EC2::InternetGateway459 DependsOn:460 - VPC461 Properties:462 Tags:463 - Key: Name464 Value: !Ref InternetGatewayName465 IGWAttachment:466 Type: AWS::EC2::VPCGatewayAttachment467 DependsOn:468 - VPC469 - IGW470 Properties:471 VpcId: !Ref VPC472 InternetGatewayId: !Ref IGW473
474 NATGatewayEIP:475 Type: AWS::EC2::EIP476 DependsOn:477 - VPC478 Properties:479 Domain: vpc480 NATGateway:481 Type: AWS::EC2::NatGateway482 DependsOn:483 - VPC484 - PublicSubnet485 - NATGatewayEIP486 Properties:487 AllocationId: !GetAtt NATGatewayEIP.AllocationId488 SubnetId: !Ref PublicSubnet489 Tags:490 - Key: Name491 Value: !Ref NATGatewayName492
493 PublicRouteTable:494 Type: AWS::EC2::RouteTable495 DependsOn:496 - VPC497 Properties:498 VpcId: !Ref VPC499 Tags:500 - Key: Name501 Value: !Ref PublicRouteTableName502 PrivateRouteTable:503 Type: AWS::EC2::RouteTable504 DependsOn:505 - VPC506 Properties:507 VpcId: !Ref VPC508 Tags:509 - Key: Name510 Value: !Ref PrivateRouteTableName511
512 PublicRoute:513 Type: AWS::EC2::Route514 DependsOn:515 - PublicRouteTable516 - IGW517 Properties:518 RouteTableId: !Ref PublicRouteTable519 DestinationCidrBlock: 0.0.0.0/0520 GatewayId: !Ref IGW521 PrivateRoute:522 Type: AWS::EC2::Route523 DependsOn:524 - PrivateRouteTable525 - NATGateway526 Properties:527 RouteTableId: !Ref PrivateRouteTable528 DestinationCidrBlock: 0.0.0.0/0529 NatGatewayId: !Ref NATGateway530
531 PublicSubnetRouteTableAssociation:532 Type: AWS::EC2::SubnetRouteTableAssociation533 DependsOn:534 - PublicSubnet535 - PublicRouteTable536 Properties:537 SubnetId: !Ref PublicSubnet538 RouteTableId: !Ref PublicRouteTable539 PrivateSubnetRouteTableAssociation:540 Type: AWS::EC2::SubnetRouteTableAssociation541 DependsOn:542 - PriveSubnet543 - PrivateRouteTable544 Properties:545 SubnetId: !Ref PriveSubnet546 RouteTableId: !Ref PrivateRouteTable547
548 BastionHostSecurityGroup:549 Type: AWS::EC2::SecurityGroup550 DependsOn:551 - VPC552 Properties:553 GroupDescription: !Ref BastionHostSecurityGroupDescription554 VpcId: !Ref VPC555 SecurityGroupIngress:556 - IpProtocol: tcp557 FromPort: 22558 ToPort: 22559 CidrIp: 0.0.0.0/0560 SecurityGroupEgress:561 - IpProtocol: tcp562 FromPort: 0563 ToPort: 65535564 CidrIp: 0.0.0.0/0565 Tags:566 - Key: Name567 Value: !Ref BastionHostSecurityGroupName568 PrivateInstanceSecurityGroup:569 Type: AWS::EC2::SecurityGroup570 DependsOn:571 - VPC572 Properties:573 GroupDescription: !Ref PrivateInstanceSecurityGroupDescription574 VpcId: !Ref VPC575 SecurityGroupIngress:576 - IpProtocol: tcp577 FromPort: 22578 ToPort: 22579 SourceSecurityGroupId: !Ref BastionHostSecurityGroup580 SecurityGroupEgress:581 - IpProtocol: tcp582 FromPort: 0583 ToPort: 65535584 CidrIp: 0.0.0.0/0585 Tags:586 - Key: Name587 Value: !Ref PrivateInstanceSecurityGroupName588
589 BastionHost:590 Type: AWS::EC2::Instance591 DependsOn:592 - PublicSubnet593 - BastionHostSecurityGroup594 Properties:595 ImageId: !Ref BastionHostAMI596 InstanceType: !Ref BastionHostType597 KeyName: !Ref BastionHostKeyPair598 NetworkInterfaces:599 - AssociatePublicIpAddress: true600 DeviceIndex: 0601 GroupSet:602 - !Ref BastionHostSecurityGroup603 SubnetId: !Ref PublicSubnet604 Tags:605 - Key: Name606 Value: !Ref BastionHostName607 PrivateInstance:608 Type: AWS::EC2::Instance609 DependsOn:610 - PriveSubnet611 - PrivateInstanceSecurityGroup612 Properties:613 ImageId: !Ref PrivateInstanceAMI614 InstanceType: !Ref PrivateInstanceType615 KeyName: !Ref PrivateInstanceKeyPair616 NetworkInterfaces:617 - AssociatePublicIpAddress: false618 DeviceIndex: 0619 GroupSet:620 - !Ref PrivateInstanceSecurityGroup621 SubnetId: !Ref PriveSubnet622 Tags:623 - Key: Name624 Value: !Ref PrivateInstanceName625
626Outputs:627 BastionHostSSH:628 Description: SSH command to connect to the bastion host629 Value: !Join630 - ''631 - - ssh -i ~/.ssh/632 - !Ref BastionHostKeyPair633 - .pem ec2-user@634 - !GetAtt BastionHost.PublicIp635 PrivateInstanceSSH:636 Description: SSH command to connect to the private instance637 Value: !Join638 - ''639 - - ssh -i ~/.ssh/640 - !Ref PrivateInstanceKeyPair641 - .pem ec2-user@642 - !GetAtt PrivateInstance.PrivateIpDeploying the stack
Use the AWS CLI or the AWS CloudFormation console to create a new stack using the bastion-host-with-vpc.yml template file. Provide the necessary parameters such as stack name and region. Make sure that the IAM user has the correct permissions to create the resources specified in the template.
Testing the stack
Once the stack is deployed, use the SSH commands provided in the outputs to connect to the bastion host and the private instance. Verify that the instances are running, and that the Internet connectivity is working by running the appropriate commands on the instances.
Step 1: Connect to the bastion host
We can use the SSH command provided in the outputs to connect to the bastion host.
ssh -i ~/.ssh/BastionHostKeyPair.pem ec2-user@<BastionHostPublicIp>
Step 2: Connect to the private instance
We can use the SSH command provided in the outputs to connect to the private instance.
ssh -i ~/.ssh/PrivateInstanceKeyPair.pem ec2-user@<PrivateInstancePrivateIp>Step 3: Test the connection
Now that you are connected to the private host, you can check if the host has internet connectivity by pinging a public IP or URL:
ping -c 4 google.comThe above command will send 4 ICMP echo requests to the IP address of Google’s website, and the private host will respond with 4 ICMP echo replies if it can reach the internet. This verifies that the NAT gateway and route tables are configured correctly.
Alternatively, you can also check internet connectivity by using curl command to download a webpage:
curl -s https://www.mkabumattar.techThis will download the website’s source code and will return it to the terminal, and check if the response is received from the website. If the private host has internet connectivity, it will show the webpage’s source code.
It is important to note that, if you are running these commands from the bastion host, you might not face the same restrictions as the private host, in that case you should run the commands from the private host, or you could use a specific website for the test that is blocked for your private network
Cleanup
When you are done testing and using the stack, it is a good practice to clean up and delete the stack using the AWS CLI, AWS Console, or the AWS CloudFormation console to avoid unnecessary charges.
Conclusion
In this tutorial, we’ve learned how to set up a Bastion Host on AWS using CloudFormation Templates. We’ve gone through the process of creating a CloudFormation Template, deploying the stack, testing the connection, and deleting the stack. By using CloudFormation Templates, we can easily provision and manage our infrastructure in an automated and repeatable way. It’s an efficient method to set up and scale infrastructure. However, it’s important to make sure to clean up the resources when no longer in use to avoid incurring unnecessary costs.
References
- AWS CloudFormation
- AWS CloudFormation Templates
- AWS CLI
- AWS IAM
- AWS VPC
- AWS EC2
- AWS CLI documentation
- AWS IAM documentation
- AWS VPC documentation
- AWS EC2 documentation
These references should provide you with more in-depth information on the various services and concepts used in this tutorial, such as VPC, EC2, IAM, and the AWS CLI. Additionally, it includes more information about bastion host. It would be very helpful if you go through those references to gain more knowledge and information in order to improve the setup even more.
