To create a Bastion server using AWS CloudFormation, you need to define the necessary resources in a CloudFormation template. Here is an example of how you would create a Bastion server using CloudFormation:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Bastion Security Group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0   # SSH reachable from any IPv4 address; restrict this to your admin CIDR
      VpcId: "your-vpc-id"
  BastionInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: "your-ami-id"
      InstanceType: "t2.micro"   # Replace with the required instance type
      SecurityGroupIds:
        - !Ref BastionSecurityGroup
      KeyName: "your-key-pair-name"
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          # Allow SSH port forwarding through the bastion
          echo "AllowTcpForwarding yes" >> /etc/ssh/sshd_config
          service sshd restart
          # Redirect inbound TCP 22 to 2222 (sshd must also listen on 2222 for this to work)
          iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
          iptables-save > /etc/sysconfig/iptables
          systemctl enable iptables
          systemctl restart iptables
  BastionEIP:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref BastionInstance
Within the CloudFormation template:
The BastionSecurityGroup resource creates a security group that allows SSH access on port 22 from any IP address (0.0.0.0/0). Be sure to replace "your-vpc-id" with the ID of your VPC.

The BastionInstance resource creates an EC2 instance using the specified Amazon Machine Image (AMI) and instance type. Replace "your-ami-id" with the ID of the required AMI, and "your-key-pair-name" with the name of your EC2 key pair.

The UserData property runs a series of commands on the Bastion instance to enable SSH forwarding, redirect SSH traffic from port 22 to 2222 (useful when you already have other services using port 22), and restart the necessary services.

The BastionEIP resource associates an Elastic IP (EIP) with the Bastion instance, providing it with a static public IP address.
Make sure you have the necessary permissions to create EC2 instances, security groups, and EIPs in your AWS account before deploying this CloudFormation template. Adjust the template according to your specific requirements.
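As an added example (not code from the original article), here is a small static check in Python that walks a parsed CloudFormation template and flags any security group whose ingress rule opens an administrative port to a world-reachable CIDR, which is the weak setting in the BastionSecurityGroup above. It goes slightly beyond that one case by also catching ::/0, all-protocol rules and very wide prefixes. The template dict is constructed for the example and assumes the shape a YAML loader would produce, with intrinsic tags such as !Ref omitted.

```python
from ipaddress import ip_network

# Constructed sample: the bastion template's security group as the dict a YAML
# loader would yield (assumption; intrinsic tags such as !Ref are omitted).
SAMPLE_TEMPLATE = {
    "Resources": {
        "BastionSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "VpcId": "your-vpc-id",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
    },
}

# Administrative ports that should never be reachable from the whole internet.
ADMIN_PORTS = (22, 2222, 3389)


def _covers_port(rule, port):
    """True if the rule's port range includes `port` (protocol -1 means all ports)."""
    if str(rule.get("IpProtocol", "")) == "-1":
        return True
    lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
    return lo == -1 or lo <= port <= hi

def _is_world_open(rule, max_prefix=8):
    """True for 0.0.0.0/0, ::/0 or any prefix of /8 or shorter (effectively world-reachable)."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if not cidr:
        return False  # source is another security group or a prefix list, not a CIDR
    try:
        return ip_network(cidr, strict=False).prefixlen <= max_prefix
    except ValueError:
        return False  # not a literal CIDR, e.g. an unresolved !Ref to a parameter

def find_open_admin_ingress(template):
    """Return (resource, port, cidr) for every admin port a security group opens to the world."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if _is_world_open(rule):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                findings.extend((name, p, cidr) for p in ADMIN_PORTS if _covers_port(rule, p))
    return findings
```

Running find_open_admin_ingress(SAMPLE_TEMPLATE) reports the port 22 rule open to 0.0.0.0/0; narrowing CidrIp to your administrative range makes the finding disappear.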