# general
Generally speaking, you should be able to make do with one bastion in a VPC (or even an account). Just make sure your network ACLs & security groups allow traffic from the bastion, as appropriate.
If you've got multiple VPCs in your account, you can either deploy a bastion in each, or set up VPC peering so that you can access everything from one place.
I've been playing around with Tailscale, which allows for setting up a bastion without any open ports in your security group; you just create a bastion host (still in a public subnet due to some traffic routing reasons), initially allow SSH access, and close down access when it's all up and running. Then set up clients on the machines from which you need access to it: https://tailscale.com/kb/1021/install-aws
It seems interesting, though I'm not deep enough into the security issues to tell exactly what the advantages, risks and tradeoffs are compared to a "regular" bastion host with SSH up and running.
cool, thanks John
One thing: how can I add one bastion to multiple subnets when the creation args only allow for one subnet ID?
`SubnetId pulumi.StringPtrInput`
as part of `InstanceArgs` in https://github.com/pulumi/pulumi-aws/blob/master/sdk/go/aws/ec2/instance.go
I mean, you'd either add the one bastion (from which your routing should be set up so you can access all subnets), or you add separate bastions for each subnet (which really shouldn't be needed unless you require complete subnet isolation).
OK, makes sense. Appreciate you pointing me in the right direction.