
Bastions on demand in an AWS VPC - mooreds
https://theconsultingcto.com/posts/bastions-on-demand/
======
debaserab2
Alternately you can inventory your instances in AWS Systems Manager and start
an SSH session directly from the AWS CLI itself [1] -- no Bastion servers or
SSH key management necessary, pure IAM access only.

[1] https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html#sessions-start-cli

~~~
WaxProlix
Always glad to see one of our products mentioned :)

Huge shameless plug for the coolness that is Session Manager, I can only think
of a few scenarios where you wouldn't just prefer it over the alternatives. If
you haven't played with it (or other SSM stuff), you totally should! It's cool
and useful and easy and more or less free.

~~~
debaserab2
It was a total no-brainer once we discovered it. Really nice work.

If you're interested in more feedback, I'd be happy to share. As with many
things AWS, there were some undocumented rougher edges that took some trial
and error to figure. Although the end result was well worth it. Totally
understand if you're not on HN to do that sort of thing, though.

~~~
WaxProlix
Hey, I'm all ears. Just an engineer, but customer feedback is taken super
seriously (albeit with a tragically long turnaround time - it's a surprisingly
large organization with a lot of irons on a lot of fires). I'll totally pass
on anything you have to say though.

e: or put an email in your profile and I'll even reach out!

~~~
debaserab2
I don't keep an email in my profile but you can find me here:
andy@threadsculture.com

------
oneplane
You can do this with a VPN as well, no bastion required.

Seems to me that the bastion approach is a bit weird at this point; no node
should be directly attached to the public internet (unless you enjoy
babysitting one). You usually have an LB in front of it, then perhaps a
CDN+WAF (like CloudFlare) in front of that. The same can be done for SSH and
even RDP.

The concept that your bastion is 'more secure' than your other systems needs
to go away; make _all_ of the systems that secure to begin with if you want to
allow human access and shells.

~~~
brodouevencode
Agreed on this. AWS Client VPN is a decent (though admittedly a little more
pricey) option:
[https://aws.amazon.com/vpn/pricing/](https://aws.amazon.com/vpn/pricing/).
But then again you're paying for the managed service.

~~~
oneplane
Yeah, the managed part does add to the cost (understandably) but if the half-
managed approach of appliances works for you I think OpenVPN-AS is an option
as well.

Some people are using wireguard containers on Fargate to do the same thing.

~~~
rrrix1
Do you happen to have a solid link / reference / GitHub repo for Wireguard on
Fargate? That's exactly what I'm looking for!

OpenVPN is a hot mess, but is currently the most supported mechanism across
platforms.

Background: I want to give my (100% global remote) development team network
access to our AWS dev environment Aurora Postgresql, EFS / NFS, redis,
microservices, etc. We already have a local env with docker-compose but need
to debug and test in the shared cloud dev environment.

~~~
oneplane
Sadly, no. A lot of the available 'nice' containers require host access that
isn't available on Fargate. The ones people tend to use on Fargate are pure
user-space versions that don't work as well as others. We have evaluated a
bunch of finds from blogs and public repositories but they all lack one way or
another.

Most of our setups use OpenVPN via OpnSense on AWS, second most popular option
is OpenVPN-AS with a paid license, third is AWS OpenVPN, because of the price
tag.

A few test setups rely on a small EC2 instance per group (t3.small for
example) with a single container and it's a bit quirky to automate, especially
on large user groups.

This is our main issue with WG in production so far: while the technology
seems totally fine, it's not at a point where you can smoothly roll out a
'service' and get going, there are too many hoops to jump through and too many
duct-tape constructions to make it integrate. (somewhat ironic, considering
OpenVPN)

------
tonymet
You can do this simply with an EC2 instance and starting it with the AWS CLI as
needed. You're only billed while it runs.

------
ldoughty
I manage a lot of EC2 instances on dozens of AWS accounts... I can't see a
reason to use this particular method... Even if you want to spin up a bastion on
demand like this, why Fargate, why Terraform?

In the simplest form, I'd go with AWS CloudFormation of an EC2 instance.
Remove the additional step of an ECS cluster if you don't already have one. An
EC2 instance can access cluster VMs, or other VPC objects just as easily. Can
also wrap this in AWS SAM or CloudFormation + a controller like GitLab or
Jenkins...

The benefit here is that when you're done, you have an AWS CloudFormation
stack to kill... No need for anyone to have Terraform installed to find and
remove all associated resources.

Of course, this is all if you can't use Systems Manager or the CLI to achieve
your goals.

~~~
brodouevencode
> why Fargate

Because it's easy to throw containers at the problem. Coupled with savings
plans this can be pretty cheap.

> why terraform

Because it's easier for most than CloudFormation, and has all the benefits of
decomposable stacks just like CF.

------
ashtonkem
I misread the title as “Bostonians demand an AWS VPC”. I was very confused on
why, and how.

------
acd
I don’t currently understand the additional security from bastion hosts. Yes
you can have them short lived. But if someone cracks the bastion it’s not very
good for security.

I think it’s better with VPN plus SSM.

------
dkdk8283
Arbitrary command execution via IAM is terribly scary to me, which is why I
don't use AWS Systems Manager.
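
The SSH-over-Session-Manager setup debaserab2 describes above, together with the IAM scoping that answers the "arbitrary command execution via IAM" concern, as an added example that is not part of this thread. It assumes AWS CLI v2 plus the Session Manager plugin locally, SSM Agent on the instance, and a constructed tag Team=dev on the instances the user may reach.

```shell
#!/bin/sh
# Added example (not from the thread): SSH tunnelled through SSM Session
# Manager instead of a bastion, with an IAM policy that limits what the
# caller can start. Assumptions (constructed, adjust for your account):
# AWS CLI v2 and the Session Manager plugin installed locally, SSM Agent
# running on the instance, target instances tagged Team=dev.

# ssh_config stanza: "ssh ec2-user@i-0123456789abcdef0" is proxied through
# Session Manager, so the instance needs no public IP, no inbound port 22
# and no bastion. The caller's IAM identity is checked by SSM before the
# SSH handshake starts; SSH keys still authenticate the OS user as usual.
ssm_ssh_config() {
    cat <<'EOF'
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Least-privilege policy for that user: StartSession only on instances
# tagged Team=dev, only with the AWS-StartSSHSession document (the
# SessionDocumentAccessCheck condition makes the document grant mandatory,
# so no other session document can be substituted), and TerminateSession
# only for sessions the same user started.
session_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/Team": "dev" },
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:TerminateSession",
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    }
  ]
}
EOF
}
```

Append the stanza to `~/.ssh/config` and attach the policy to the SSH users' role; sessions then show up in CloudTrail as StartSession events with the caller's identity, which a shared bastion account never gives you.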

------
twblalock
Bastions are a bad pattern. They are a way to paper over bad systems of
authentication and access control. There are better ways to achieve the same
thing, especially with cloud providers.

~~~
mslate
Elaboration is welcome

