Creating the Security Group for the Bastion Host

In order to connect to the bastion from the Internet and perform the configuration and installation tasks, you must open the connection on the default SSH port (port 22) from any address.

Optionally, you can limit the access to the bastion by specifying your own public, static IP address while adding your own inbound rule as described below. Replace 0.0.0.0/0 with your own public IP address. If you choose to specify your own IP address, talk to your AWS infrastructure administrator before proceeding.

To create the security group for the bastion host:

  1. Run the following command:
    # aws ec2 create-security-group \
    --description "Enables SSH Access to Bastion Hosts" \
    --group-name <group name> --vpc-id <VpcId>

Where:

<group name>: A descriptive security group name of your choice; in our examples we will use srgdemo-bastion-sg.

<VpcID>:The VPC ID of the VPC you created earlier.

Example:

aws ec2 create-security-group \
--description "Enables SSH Access to Bastion Hosts" \
--group-name srgdemo-bastion-sg \
--vpc-id vpc-0143197ca9bd9c117
{
   "GroupId":"sg-00b5fcc4294d234f6"
}
  1. Record the bastion security group ID in your AWS worksheet.

Adding the Inbound Rule

You will connect to the bastion using SSH on default port 22, so the newly-created security group needs to be opened to inbound connection on port 22 and the TCP protocol.

To add the inbound rule:

  1. Open the security group to inbound connections on the default SSH port 22 (TCP) by running the following command:
    aws ec2 authorize-security-group-ingress \
    --group-id <bastion security group ID> \
    --ip-permissions IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges='------ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=10.0.0.0/0,Description="HTTP"}]'

Example:

# aws ec2 authorize-security-group-ingress \
--group-id sg-00b5fcc4294d234f6 \
--ip-permissions
  1. Remove the default wide-open outbound rule by running the following command:
    aws ec2 revoke-security-group-egress \
    --group-id <security group ID> \
    --protocol all \
    --port -1 \
    --cidr 0.0.0.0/0

While working from the bastion you will need to connect to various resources on the internet. Protocols and description for ports are shown in the following table:

Port Protocol Allowed CIDR Description
80 TCP 0.0.0.0/0 HTTP
443 TCP 0.0.0.0/0 HTTPS
  1. Add HTTP and HTTPS outbound rules by running the following command:
    aws ec2 authorize-security-group-egress \
    --group-id sg-00b5fcc4294d234f6 \
    --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=10.0.0.0/0,Description="HTTP"}]'

For <port>, <protocol>, and <description>: Use values from the table above.

Example:

aws ec2 authorize-security-group-egress \
--group-id sg-00b5fcc4294d234f6 \
--ip-permissions IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges='[{CidrIp=0.0.0.0/0,Description="SSH access; unlimited."}]'

Next Step: Creating the Security Group for Intra-VPC Communication