I'm trying to create a bastion host:EC2 instance w...
# aws
I'm trying to create a bastion host:EC2 instance with two subnets - one public and one private. My public subnet is:
Copy code
export const infra_public = new awsn.ec2.Subnet('infra_public', {
    tags: nativeTags({ ...tags, Name: `infra_pub` }),
    cidrBlock: '',
    mapPublicIpOnLaunch: true,
But when I launch an instance:
Copy code
const nic0 = new aws.ec2.NetworkInterface('nic0', {
    subnetId: infra_public.id,
    securityGroups: [sg_ssh.id],

const nic1 = new aws.ec2.NetworkInterface('nic1', {
    subnetId: infra_private.id,
    securityGroups: [sg_priv.id],

const bastion_node = new aws.ec2.Instance('bastion', {
    tags: { ...tags, Name: `${pulumi.getStack()}-bastion` },
    instanceType: aws.ec2.InstanceType.T4g_Nano,
    ami: ami.id,
    networkInterfaces: [
            deviceIndex: 0,
            networkInterfaceId: nic0.id,
        }, {
            deviceIndex: 1,
            networkInterfaceId: nic1.id,
    creditSpecification: { cpuCredits: 'standard' },
    monitoring: true,
the AWS console reports NO public IPv4 address. Am I missing something?
Yes. The property you're looking at is on the EC2 instance. It's not derived from ENIs or similar. Just set the
property and EC2 will look after it for you. https://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#associatepublicipaddress_nodejs
Aside: are you sure you need two manually-configured ENIs like that? Normally, an EC2 instance doesn't need to specify any ENIs, and the one that EC2 creates automatically can be used for all traffic.
If I understand what you're trying to do, you should end up with simpler code if you leave out the ENI code, and add the appropriate routes in you public subnet to allow your instances talk to the private subnet.
will create a DHCP-style public IP address (that will change when you destroy/recreate the instance). If you want a fixed public IP address, you'll want to add an elastic IP on top of the instance.
Thanks for your answer. The idea is that my other nodes have ssh port open only in that private subnet. the use case is that I connect to bastion over ssh and then, using the private subnet, I connect to other hosts I couldn't use
in this scenario, with two NICs attached. How do I route traffic between subnets?
OK, I've figured it out. I only need one subnet and the
is just a default for the option in Instance. Thank you for your help @little-cartoon-10569
👍 1