Time: 3 hours 27 minutes
Difficulty: Beginner
CEU/CPE: 4

Video Transcription

00:00
Hello
00:01
and welcome back to
00:03
part three of our custom VPC creation lab.
00:07
In our last video, we launched two EC2 instances,
00:11
one in our public subnet
00:13
and one in our private subnet.
00:15
In this video we will connect to both instances
00:18
by first connecting to our public instance
00:21
and then using it as a jump box to connect to our private instance.
00:26
So let's log back into the AWS console.
00:30
Let's type EC2 to get back into the EC2 dashboard.
00:41
We have two EC2 instances currently running,
00:44
one in our public subnet and one in our private subnet.
00:48
So now let's go to the VPC dashboard.
01:00
We will filter on our custom VPC.
01:06
Next, let's click Subnets.
01:10
Again, I will filter on the subnets associated with our custom VPC.
01:15
If you recall, we placed our private subnet in the default VPC.
01:21
We will need to edit the default VPC security group to permit communication with our public subnet security group.
01:29
So click Security Groups,
01:33
filter on just our custom VPC security group,
01:41
select the default security group, and then click Inbound Rules,
01:49
then Edit Rules,
01:53
so we will add a rule that says that the custom VPC security group is permitted to access
01:59
our private EC2 instance.
02:01
And for the purpose of this demo, we will permit all traffic from the custom VPC security group.
02:24
Now let's go back to the EC2 dashboard and grab the IP address of our public EC2 instance,
02:45
Copy it to the clipboard.
02:47
Now we will log into the EC2 instance from my Linux VM.
02:53
I'm already in the directory that contains my private key.
03:00
In previous lessons
03:01
I showed you how to log in to our EC2 instance by SSH, using the identity file flag.
03:12
Well, that works okay to a point.
03:15
For instance,
03:15
what happens when we have to log into multiple servers
03:19
or, like, in our design, where we have placed our second server in the private subnet,
03:25
how do we log into it?
03:28
If the private key,
03:29
in this case the cybrary_dmz.pem file, is actually stored
03:35
on my Linux VM,
03:38
It's extremely insecure to store the private key on the jump box
03:43
or our internal private server.
03:46
Visualize the public key as a bank vault;
03:51
the private key is the combination to the bank vault.
03:53
So it's probably a really bad idea
03:57
to store those
03:59
both in the same place from a security standpoint.
04:02
So how do we solve this problem?
04:04
Well, there are a few ways that we could accomplish this, but the easiest way would be for us to use
04:12
SSH agent forwarding.
04:15
The SSH agent in Linux distributions will permit us to place our private key in memory
04:20
and then forward it to the instance that we wish to access without having to attach the identity file.
04:29
So from a command line, we just type ssh-add
04:32
and
04:33
then paste in our private key.
04:36
This places the key in memory.
04:47
To see which key is in memory, just type
04:50
ssh-add,
04:53
space,
04:55
and then -l.
04:57
This will list the key that is in memory.
05:05
Then we could just type ssh
05:09
-A (dash capital A)
05:11
and then the username and IP address of our public instance.
05:15
The
05:16
-A parameter
05:18
takes the key in memory,
05:20
and we'll pass it on to our instance for authentication.
05:27
How cool is that?
05:29
So
05:30
now we have successfully authenticated to our public instance.
05:33
Next, let's attempt to log in to our private instance,
05:39
We log into our private servers from our public servers.
05:43
This concept is referred to as using a bastion host,
05:46
and it's a security best practice, since we're only permitting access to our private instance from our bastion host or jump box.
05:58
So I'll connect back to the AWS console to get the IP address of our private server.
06:09
Now back to our Linux VM.
06:11
Let's attempt to log into our private instance using ssh -A again.
06:27
And presto,
06:28
we have successfully connected to our private server from our bastion host.
06:36
I will type pwd to show our present working directory,
06:42
then try yum update.
06:51
Well, first, I would need to make myself root.
07:00
Okay, so we're now root.
07:02
Let's try that yum update again,
07:13
and we see that nothing happens.
07:15
Why do you think that is?
07:17
Well, if you recall
07:19
our private instance resides in subnet B,
07:24
which does not have a public IP address. So therefore it's not routable across the Internet.
07:30
How do you think we can overcome this obstacle?
07:33
You guessed it. We need to create a NAT gateway to translate our private IP to a public IP.
07:41
We will create our NAT gateway in the next lesson. See you there.


Instructed By

Shaun Balkum
Sr. Network Engineer at Presidio
Instructor