Difference between Bastion host and NAT instance (AWS)

This two are the most important things one has to have when you’re designing your infrastructure on AWS Cloud,

Bastion host and NAT instance both help secure your AWS infrastructure by disallowing/limiting access to your instances over Cloud.

 

First basics! ,What is a bastion host and why you need it?

Bastion hosts are instances that sit within your public subnet and are typically accessed using SSH or RDP.

Once remote connectivity has been established with the bastion host, it then acts as a ‘jump’ server,  allowing you to use SSH or RDP to login to other instances (within private subnets) deeper within your network.


For those who are new to networking, There two types of subnets basically public and private.

A subnet a part of a large network. For eg: A slice of a big pizza ; They help you divide your network so that it can be easily managed and is secured.

What are public and private subnet!

A public subnet is a subnet which is open to world for access, Any instances\hosts in public subnet can be accessed given they that public subnet has a Internet Gateway (IGW)

Where a private subnet on other side is a subnet which is “private”, not accessible through internet.  The instances/hosts can communicate within a private subnet with each other only!

Note : If you attach a IGW to private subnet, it becomes a public subnet. A private subnet will not have IGW hence they use Bastion and NAT to connect to internet.

Coming back to AWS Bastion hosts..

aws-bastion-host

 

Here in above image it gives an idea, when designing the bastion host for your AWS infrastructure, you shouldn’t use it for any other purpose, as that could open unnecessary security holes. You need to keep it locked down as much as possible. I would suggest you look into hardening your chosen operating system for even tighter security. Security groups are essential for maintaining tight security and play a big part in making this solution work

 

What is a NAT instance in AWS infrastructure?

A NAT (Network Address Translation) instance is, like an bastion host, an instance that lives in your public subnet. A NAT instance, however, allows your private instances outgoing connectivity to the Internet, while at the same time blocking inbound traffic from the Internet.

nat_overview

 

Main reason to configure NAT instances is to allow private instances to access the Internet for important operating system updates, It is used for purposes like patching your OS etc.

 

I’ll be creating a seperate posts in How to do’s with steps for creating a bastion host and a NAT instance for your AWS infrastructure in coming days.