I'm trying to create a bastion host:EC2 instance with two subnets - one public and one private. My public subnet is:

export const infra_public = new awsn.ec2.Subnet('infra_public', {
    tags: nativeTags({ ...tags, Name: `infra_pub` }),
    cidrBlock: '10.0.0.16/28',
    vpcId,
    availabilityZone,
    mapPublicIpOnLaunch: true,
});

But when I launch an instance:

const nic0 = new aws.ec2.NetworkInterface('nic0', {
    subnetId: infra_public.id,
    tags,
    securityGroups: [sg_ssh.id],
});

const nic1 = new aws.ec2.NetworkInterface('nic1', {
    subnetId: infra_private.id,
    tags,
    securityGroups: [sg_priv.id],
});


const bastion_node = new aws.ec2.Instance('bastion', {
    keyName,
    tags: { ...tags, Name: `${pulumi.getStack()}-bastion` },
    instanceType: aws.ec2.InstanceType.T4g_Nano,
    ami: ami.id,
    networkInterfaces: [
        {
            deviceIndex: 0,
            networkInterfaceId: nic0.id,
        }, {
            deviceIndex: 1,
            networkInterfaceId: nic1.id,
        }
    ],
    creditSpecification: { cpuCredits: 'standard' },
    monitoring: true,
    availabilityZone,
});

the AWS console reports NO public IPv4 address. Am I missing something?

Yes. The property you're looking at is on the EC2 instance. It's not derived from ENIs or similar. Just set the

associatePublicIpAddress

property and EC2 will look after it for you. https://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#associatepublicipaddress_nodejs

Thanks for your answer. The idea is that my other nodes have ssh port open only in that private subnet. the use case is that I connect to bastion over ssh and then, using the private subnet, I connect to other hosts I couldn't use

associatePublicIpAddress

in this scenario, with two NICs attached. How do I route traffic between subnets?