This message was deleted.
# generals
sparse-intern-71089
09/08/2020, 12:05 PMThis message was deleted.
q
quiet-leather-94755
09/08/2020, 1:56 PMgenerally speaking, you should be able to make do with one bastion in a VPC (or even an account).. just make sure your network ACLs & security groups allow traffic from the bastion, as appropriate.
quiet-leather-94755
09/08/2020, 1:57 PMif you've got multiple VPCs in your account, you can either deploy a bastion in each, or set up VPC peering so that you can access everything from one place.
quiet-leather-94755
09/08/2020, 1:59 PMi've been playing around with Tailscale, which allows for setting up a bastion without any open ports in your security group; you just create a bastion host (still in a public subnet due to some traffic routing reasons), initially allow SSH access, and close down access when it's all up and running.. then set up clients on your machines where you need access to it:
https://tailscale.com/kb/1021/install-aws
quiet-leather-94755
09/08/2020, 2:01 PMit seems interesting, though i'm not deep enough into the security issues to tell exactly what the advantages, risks and tradeoffs are compared to a "regular" bastion host with SSH up and running
b
bitter-application-91815
09/08/2020, 2:41 PMcool, thanks John
bitter-application-91815
09/08/2020, 3:01 PMone thing, how can I add one bastion to multiple subnets when the creation args only allow for one subnet id -?
SubnetId pulumi.StringPtrInputq
quiet-leather-94755
09/08/2020, 3:33 PMI mean, you'd either add the 1 bastion (from which your routing should be set up so you can access all subnets), or you add separate bastions for each subnet (which really shouldn't be needed unless you require complete subnet isolation).
b
bitter-application-91815
09/08/2020, 4:22 PMok makes sense, appreciate you pointing me in the right direction
7 Views