A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. In the public cloud era, it is one of the favorite ways to reach your private resources.

Let’s say you want to SSH into an EC2 instance in your private subnet: you can use a bastion sitting in a public subnet to forward your traffic to that instance without opening public access to the instance itself.


Bastion in your infra

How to manage your SSH key

Managing SSH keys on the bastion is the worst part. It is fine for a one-person project, but as soon as you are a team with people leaving and people arriving, you end up adding and removing keys all the time.

For this typical use case AWS has created a service called AWS Systems Manager Session Manager, and as they put it:

Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.

You may ask: why create a bastion at all if we have **Session Manager**?

A classic answer is to query a database located in a private subnet. Session Manager gives you a shell on an instance, but a managed database is not an instance you can open a session on, so you still need a host inside the VPC to tunnel through.


Create a bastion with AWS CDK