0
votes

I have this VPC architecture setup in AWS using Terraform:

  1. 1 VPC for all environments with 1 Internet Gateway
  2. VPC in one region
  3. 3 Availability Zones with 1 private subnet and 1 public (utility) subnet for each (total of 6 subnets)
  4. 3 NAT Gateways - one for each utility subnet with 3 Elastic IPs assigned to their network interfaces
  5. 3 EIPs - each associated to network interface of public subnets
  6. 1 Bastion Host (with Public IP associated) to allow SSH access to private EC2 instances
  7. EC2 Instances (1 master and 1 node in each private subnet)
  8. 1 Elastic Load Balancer across the 3 AZs with the instances within ELB referencing the 3 masters.

I can reach the EC2 instances by SSHing through the bastion host without any issues. I have a simple webapp deployed (let's say a webapp running in a docker container in port 5000) in one of these EC2 instances. Now how do I access this webapp running at port 5000 from my browser? Is it through the public IP of the bastion host? If yes, how does the port forwarding happen to the correct EC2 instance where the webapp is running?

Thanks for your help.

Abdul.


2 Answers

3
votes

To access it from your browser, you will have to do one of the following:

  • Add the specific instance you would like to direct traffic to to your ELB. That is, remove the instances you do not want to access from the load balancer. This is not a secure option.
  • Use SSH port forwarding over your bastion to the instance, assuming the bastion can access the port on the web server. See the "Local tunnels" section. Your command will look something like this: ssh -L 8080:your-webserver-ip:5000 ip-of-your-bastion -N; then, in your browser, navigate to http://localhost:8080/
  • Install an OpenVPN appliance to connect to your instances directly via VPN
  • Make the instance public (move it into a public subnet) and assign it an EIP

0
votes

I'll assume the utility subnet is a public subnet? If it is, then you will need to deploy something there to direct the web traffic. Usually this will be an elastic load balancer, but you can deploy an EC2 instance running Nginx or Apache.

This will pass the traffic from the internet to the EC2 instance in the private subnet so you can browse the webapp.
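As an added example (not code from either answer or from the asker's setup), here is what that "something in the utility subnet" looks like in Terraform: a dedicated classic ELB for the webapp, placed in the three public (utility) subnets, forwarding port 80 to port 5000 on the instance in the private subnet. The security-relevant part is the security-group chaining: the instance accepts port 5000 only from the ELB's security group, so it stays unreachable from the internet even though the ELB is public. The variable names (`vpc_id`, `utility_subnet_ids`, `webapp_instance_id`, `webapp_instance_sg_id`) and the ELB/security-group names are assumptions for illustration and would be wired to the existing VPC, subnet and instance resources in the asker's configuration.

```terraform
# Added example, not part of the original post. All variable and resource
# names below are hypothetical; point them at the existing VPC, the three
# public (utility) subnets, the webapp instance and its security group.

variable "vpc_id" {
  type = string
}

variable "utility_subnet_ids" {
  type        = list(string)
  description = "IDs of the three public (utility) subnets, one per AZ"
}

variable "webapp_instance_id" {
  type = string
}

variable "webapp_instance_sg_id" {
  type        = string
  description = "Security group already attached to the webapp EC2 instance"
}

# The only thing exposed to the internet: the load balancer's security group.
# Ingress is HTTP from anywhere; egress is limited to port 5000 on the
# instance's security group, not to 0.0.0.0/0.
resource "aws_security_group" "webapp_elb" {
  name   = "webapp-elb"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port       = 5000
    to_port         = 5000
    protocol        = "tcp"
    security_groups = [var.webapp_instance_sg_id]
  }
}

# Open port 5000 on the instance ONLY to traffic that comes from the ELB's
# security group. No CIDR rule, so a stray public IP or route change does
# not expose the container port to the internet.
resource "aws_security_group_rule" "webapp_from_elb" {
  type                     = "ingress"
  from_port                = 5000
  to_port                  = 5000
  protocol                 = "tcp"
  security_group_id        = var.webapp_instance_sg_id
  source_security_group_id = aws_security_group.webapp_elb.id
}

# A separate classic ELB for the webapp, so the masters' ELB is left alone.
# It lives in the public subnets (which have the Internet Gateway route) and
# talks to the instance over its private IP in the private subnet.
resource "aws_elb" "webapp" {
  name            = "webapp-elb"
  subnets         = var.utility_subnet_ids
  security_groups = [aws_security_group.webapp_elb.id]
  instances       = [var.webapp_instance_id]

  listener {
    lb_port           = 80
    lb_protocol       = "http"
    instance_port     = 5000
    instance_protocol = "http"
  }

  # Health-check the app on the same port the listener forwards to.
  health_check {
    target              = "HTTP:5000/"
    interval            = 30
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }

  cross_zone_load_balancing = true
}

# Browse to this hostname; the ELB forwards to port 5000 on the instance.
output "webapp_url" {
  value = "http://${aws_elb.webapp.dns_name}/"
}
```

After `terraform apply`, the `webapp_url` output is the address to open in the browser; the bastion is not involved in the web path at all. Two things to check before calling it done: the private subnet's route table must still send the instance's return traffic within the VPC (the ELB nodes have private IPs in the utility subnets, so no NAT is needed for this path), and for anything beyond a test the listener should be HTTPS (`lb_protocol = "https"` with an ACM certificate via `ssl_certificate_id`) rather than plain HTTP on port 80.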