How to Connect to a Private Subnet Using a Bastion Host via PuTTY Pageant

Victor Robin - Aug 20 - Dev Community

In this article, we'll explore how to securely connect to an instance in a private subnet using a Bastion Host with PuTTY and Pageant. This method is widely used to access instances that are isolated from direct internet access for security purposes.

Introduction

When working with cloud environments like AWS, it's common to encounter scenarios where direct access to EC2 instances in private subnets is restricted for security reasons. A Bastion Host serves as a gateway for secure SSH connections, and using tools like PuTTY and Pageant can streamline this process, making it both secure and convenient.

Key Terminologies

PuTTY: A popular SSH client used to connect to remote servers on Windows.

Pageant: An SSH authentication agent that comes with PuTTY. It stores your private keys and makes them available for SSH connections, eliminating the need to repeatedly enter your private key for different sessions.

Virtual Private Cloud (VPC): A logically isolated network within AWS where you can launch AWS resources. You can define subnets, route tables, and gateways within a VPC to control the networking environment. Private subnets within a VPC are isolated from the internet, requiring special access methods like a Bastion Host.

Elastic Compute Cloud (EC2): A web service that provides resizable compute capacity in the cloud. In this context, you have two EC2 instances: one in a private subnet (without direct internet access) and another in a public subnet acting as the Bastion Host.

Bastion Host: An EC2 instance within a public subnet of your VPC exposed to the internet. It serves as a secure gateway to instances located in private subnets. It allows you to SSH into instances in a private subnet indirectly, minimizing the exposure of those instances to the internet.

Why Use PuTTY and Pageant for Bastion Host Connections?

Security: This method provides an extra layer of security by ensuring that your private instance is not directly exposed to the internet. Access is funneled through a Bastion Host.

Efficiency: By using Pageant, you can manage multiple SSH keys securely without having to manually enter them each time you connect to different instances.

Prerequisites

Before you begin, ensure you have the following:

  • An AWS Account: You'll need an active AWS account to create and manage your VPC, EC2 instances, and other resources.

  • PuTTY: Download and install PuTTY on your local machine. PuTTYgen and Pageant come bundled with PuTTY, so they will be installed simultaneously.

Context

Let's break down what we'll be doing in this project:

1. VPC Creation: We'll create a VPC named "Victor-Robin-VPC."

2. Subnet Division: We'll divide the VPC into public and private subnets. The public subnet will be connected to an internet gateway, while the private subnet will either remain isolated or, if necessary, be connected to the internet through a NAT gateway. This setup allows the private subnet to access resources on the internet without being directly accessible from it.

3. EC2 Instances: We'll launch two EC2 instances—one in the public subnet (Bastion Host) with a public IP and one in the private subnet without a public IP. The private instance will have a security group policy that allows inbound SSH traffic from the public subnet.

4. Connecting via PuTTY and Pageant: Finally, we'll connect to the Bastion Host using PuTTY, upload our private keys to Pageant, set up agent forwarding, and then SSH into the private subnet to access the private EC2 instance.

Step-by-Step Guide

1. Login to Your AWS Console:

  • Start by logging into your AWS console. The image below shows what my AWS console dashboard looks like after login.

AWS console home view

2. Create a VPC:

  • Search for "VPC" in the search bar at the top of the console, then click on "VPC" in the results.

Creating a VPC

On the next page, click "Create VPC".

Creating VPC

  • On the next screen, choose the "VPC only" option.

I named my VPC "Victor-Robin-VPC". You can name yours as you wish, but there are naming conventions to follow. For the network address block, I used "192.168.0.0/16". Leave the Tenancy as "Default" (switching to "Dedicated" may incur additional charges). Confirm that everything looks like the screenshot provided, then click "Create VPC".

Creating VPC continuation

Voila! Your VPC is now created. Click on "Your VPCs" to view it. You should see two VPCs: the default one created by AWS and the new "Victor-Robin-VPC".

3. Create Subnets:

  • On the left panel of the screen, click "Subnets" to create the subnets for your VPC.

Creating Subnet

  • Click "Create Subnet" on the next page.
  • In the dropdown menu, select the VPC you just created ("Victor-Robin-VPC" or whatever name you chose) and click on "Create Subnet". The other VPC shown is the default one.

  • I named my first subnet "OVR-Private" and chose N. Virginia as the availability zone (location where I want the subnet to be created). I subnetted my VPC network from "192.168.0.0/16" to "192.168.1.0/24" for my private subnet, as indicated by the name.

Creating private subnet

  • To create the second subnet simultaneously, click "Add new subnet" at the bottom of the screen.

  • Configure the second subnet the same way as the first, but with these values: I named my second subnet "OVR-Public" with an IP range of "192.168.2.0/24". Once both subnets are set up, click "Create Subnet".

Voila! Both subnets are created. We’ve now built a network in the cloud and subnetted it. I’ll take a glass of water as a reward, but there’s still more networking to be done.

Final subnet dashboard

4. Create and Attach an Internet Gateway:

  • Click on the "Internet gateways" tab from the left panel and click "Create internet gateway"

Creating Internet Gateway

  • On the next screen, give it a name (I named mine "OVR-IGW") and click "Create internet gateway".

Creating Internet Gateway

  • Once created, click "Attach to a VPC" in the top left corner to attach the internet gateway to your VPC.

Attaching IGW to VPC

  • On the next screen, select the VPC you created earlier from the dropdown menu, then click "Attach internet gateway".

Finalizing attaching IGW to VPC

5. Create a NAT Gateway:

  • Click on "NAT gateways" from the left panel, then click "Create NAT gateway".

NAT dashboard

  • Name the NAT gateway (I named mine "OVR-NAT"), select the private subnet you want to connect to the internet via NAT, and click "Allocate Elastic IP" to generate a static public IP for the private network to use.

  • Click "Create NAT gateway". The default connection type is "Public", but it can also be private if you want to NAT between private networks.

Finalizing Nat gateway creation

  • Give it some time to finalize, and the result should look like the screenshot provided.

Final look of NAT gateway created

6. Configure Routing for the Public Subnet:

  • Now, we need to configure the routing to allow traffic from the public subnet to reach the internet. Click on "Route tables" from the left panel, then click "Create route table" in the top right corner.

Creating Public Route Table

  • Name the route table (I named mine "OVR-Public-RT"), select the VPC, and click "Create route table".

Finalizing Creating Public Route Table

  • After creating the route table, we need to associate it with the public subnet. Click on "Subnet associations", then "Edit subnet associations", select the public subnet, and click "Save".

Subnet Association

Saving Subnet Association

  • Next, configure the routing. Click on "Route tables" again, select the "OVR-Public-RT", then under "Routes", click "Edit routes".

Editing Route

  • Add a new route with the destination "0.0.0.0/0" (which means anywhere), and under the target, select "Internet Gateway". Choose the internet gateway you created earlier. Save the changes.

Routing for public subnet

7. Configure Routing for the Private Subnet:

  • Repeat the process for the private subnet. Click on "Route tables" from the left panel, then click "Create route table" and name it (I named mine "OVR-Private-RT").

  • Select the VPC and create the route table.

Creating Route Table for the private Subnet

  • Just as we did for the public subnet, associate this new route table with the private subnet. Select the route table, click on the "Subnet associations" option, and then edit the associations. Choose only the private subnet and save the changes. You can refer back to the steps for creating and associating the public route table with its corresponding public subnet as a guide.

  • Finally, configure routing for the private subnet. Navigate to Route tables, select the route table associated with the private subnet, and click on Routes. Edit the route, following the same steps as you did for the public route, but this time, select the NAT gateway as the target instead of the Internet gateway.

Private subnet routing

We’re done with the networking setup! Take another glass of water for the great work done. Now, let's move on to creating the servers: one for the Bastion Host (in the public subnet) and one in the private subnet, which can't be accessed directly from the internet.

8. Launch the EC2 Instance for the Public Subnet:

Search for EC2 from the search bar and click on it.

Search EC2

From the EC2 dashboard, click on "Launch Instance".

Launching EC2 instance

  • Name the Instance. I named my instance "OVR-Bastion" and left everything else as default for this tutorial. However, we need to edit the network settings and create a key pair, which we’ll upload to Pageant later.

Give instance a name

  • Create a Key Pair. Click the button that says "Create a new key pair", give it a name, select RSA, choose the .ppk file format, and then click "Create key pair".

Creating Key

  • Edit Network Settings. Click on "Edit" in the Network settings section. Ignore the "No. 1" label in the image below; the next image shows the settings more clearly.

Editing Network Settings

  • I changed the VPC from the default to the "Victor-Robin-VPC" I created.
  • Select the public subnet and enable auto-assign public IP.
  • To make configuring the private instance easier, I renamed the default security group of my public instance from "Launch-wizard-4" to "Bastion-Policy".
  • Leave everything else as is and click "Launch Instance". Give it time to save.

Public Instance launched

Now, I’ll repeat almost the same process for the private instance.

9. Launch the Private Instance:

  • Click on "Instances" and then "Launch Instance" or search for EC2 from the dashboard and click on "Launch Instance" from the top right corner of the EC2 dashboard.

  • Name the instance "OVR-Private" and generate a key pair. This time, I named it "OVR-Private-key" and used the same .ppk format for the key.
  • Leave other settings as default, then move to the network settings and edit as follows:

Private EC2 Instance setup

  • Select the "Victor-Robin-VPC"
  • Select the private subnet.
  • Disable auto-assign public IP.
  • Rename the security group policy to "Private-Policy."
  • In the inbound security group rules, select SSH, change the source from "Anywhere" to "Custom", and then under source, choose the "Bastion-Policy" security group. Alternatively, you can enter the bastion's subnet, which in this case would be "192.168.2.0/24". Either way, SSH traffic is allowed only from the bastion. I’m using the former option, choosing the security group rather than entering the IP address range.
  • Click "Launch Instance" and give it time to initialize.

Both Instances
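As an added example (not code from the article), this Python check encodes the CIDRs, route targets and security-group rules from steps 3 to 9 as constructed data and verifies the design offline: each subnet sits inside the VPC and does not overlap another, the private subnet's default route goes to the NAT gateway rather than the internet gateway, and SSH to the private instance is accepted only from the bastion's security group (or, with the alternative rule, the bastion subnet). The rule tuples and the "igw"/"nat" labels are conventions of this example, not AWS API values.

```python
# Added example: offline sanity check of the VPC design from the tutorial.
# All values below are constructed from the article's steps, not read from AWS.
import ipaddress

VPC_CIDR = ipaddress.ip_network("192.168.0.0/16")

# subnet name -> (CIDR, target of its 0.0.0.0/0 route): "igw" or "nat"
SUBNETS = {
    "OVR-Public": ("192.168.2.0/24", "igw"),
    "OVR-Private": ("192.168.1.0/24", "nat"),
}

# security group -> inbound rules (proto, port, source); a source is either
# a CIDR or the name of another security group, as in the console.
SECURITY_GROUPS = {
    "Bastion-Policy": [("tcp", 22, "0.0.0.0/0")],        # bastion: SSH from the internet
    "Private-Policy": [("tcp", 22, "Bastion-Policy")],   # private host: SSH only via bastion SG
}


def subnet_problems(subnets, vpc_cidr=VPC_CIDR):
    """Return findings about subnet layout and default routing (empty list = OK)."""
    problems = []
    seen = {}
    for name, (cidr, target) in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc_cidr):
            problems.append(f"{name}: {cidr} is outside VPC {vpc_cidr}")
        for other, onet in seen.items():
            if net.overlaps(onet):
                problems.append(f"{name} overlaps {other}")
        seen[name] = net
        # A "private" subnet whose default route points at the internet gateway
        # is public in all but name once an instance there gets a public IP.
        if "Private" in name and target == "igw":
            problems.append(f"{name}: default route via internet gateway")
    return problems


def ssh_allowed(sg_name, source_sg=None, source_ip=None, groups=SECURITY_GROUPS):
    """True if inbound TCP/22 to sg_name is permitted from the given source."""
    for proto, port, src in groups[sg_name]:
        if proto != "tcp" or port != 22:
            continue
        if src in groups:                      # rule references another security group
            if source_sg == src:
                return True
        elif source_ip is not None and ipaddress.ip_address(source_ip) in ipaddress.ip_network(src):
            return True
    return False
```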

Now that we’ve set up both instances, let’s proceed to connect using PuTTY and Pageant.

10. Add Keys to Pageant:

  • On your Windows desktop, search for "Pageant" and open it.
  • Click on the "Add Key" button, locate where the downloaded keys are (likely in your Downloads folder), and upload the keys for the private and public instances one after the other, then close Pageant.

Adding Key to pageant

11. Connect Using PuTTY:

  • Search for PuTTY in your Windows search bar and open the application.

Open putty

  • Get the public IP address (or public DNS name) of your Bastion Host from the EC2 console and enter it in PuTTY's "Host Name (or IP address)" field.

Login To Bastion Host

  • Under "Connection > SSH > Auth", check "Allow agent forwarding". This lets the SSH session on the Bastion Host authenticate to the private instance with the key loaded in Pageant: the private key itself stays on your machine, and the bastion only relays the authentication request back to Pageant.

  • Click "Open" to start the SSH session.

Setup Putty agent forwarding

  • When prompted, enter the username for the Bastion Host (e.g., ec2-user, ubuntu, etc.). In this case, "ec2-user" works.

12. Verify Connection to Bastion Host:

  • I click "Connect Once" since I only want to log in once and don’t want PuTTY saving my credentials for future logins.

  • From the login prompt, I enter "ec2-user" and successfully log in to the Bastion Host. You can verify that you are on the bastion by checking that its private IP falls within the range I created for the Bastion subnet, "192.168.2.0/24".

13. Create and Verify Files:

  • Now, let's create a file named "Victor-robin" before logging in to the private subnet.
  • Recall that the Bastion Subnet is "192.168.2.0/24" and the Private Subnet is "192.168.1.0/24". From the screenshot, you can see that I was able to create a file in the Bastion Subnet, read the content of the file on the screen, then SSH into the private subnet and create another file, displaying the output on the screen.

14. SSH to the Private Subnet:

  • To SSH from the Bastion Host, you need the private IP address of the instance in the private subnet. You can find it by selecting the private instance in the EC2 console, which displays the instance's details, including its private IPv4 address.

  • From the Bastion Host, run ssh ec2-user@<private-instance-ip>. In this case the private instance's address is 192.168.1.242, so the command is ssh ec2-user@192.168.1.242.

Conclusion:

If you followed these steps, you’ve successfully connected to a private subnet via a Bastion Host using PuTTY and Pageant. This method not only enhances security by keeping your private instances isolated from the internet but also makes managing SSH keys convenient. Now, I’m rewarding myself with a plate of yam porridge. I hope this guide was helpful—feel free to share your feedback in the comments below!
