Bastion Server Set Up (AWS)

Setting up a bastion server for access to an AWS hosted database as a source

Context


Configured correctly, a bastion (sometimes called a jump box) is a secure way to provide controlled access to your VPC for an external service. In this guide we run through the steps needed to ensure that the kleene.ai application can securely and reliably connect to your AWS hosted database.

You will need a working knowledge of deploying and configuring AWS EC2 instances running Linux, and of basic AWS networking.

Steps


Setting up an EC2 box

To set up a bastion we require a basic EC2 instance deployed inside the same VPC as the source database. The hardware requirement is a t2.micro or equivalent. This guide requires a Linux operating system on the instance, but the flavour of Linux does not matter.

Port forwarding

TCP forwarding must be enabled in the bastion's SSH server configuration.

Checking the bastion can access the Database

Telnet (or similar) to the source database from your bastion EC2 instance and confirm that the database is reachable from there. The kleene.ai application uses SSH local port forwarding through the bastion, i.e. a connection of the following form, where ssh-server is the bastion and example.net:1433 is the database:

ssh -L 8080:example.net:1433 ssh-server
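As an added check (example script, not part of this guide or the kleene.ai product), the following bash script run on the bastion verifies the two prerequisites above: that the global sshd configuration permits the local forwarding the app relies on, and that the bastion can open a TCP connection to the database. The config path, database host and port are placeholders you supply; the embedded sample configs are constructed for offline testing of the parser.

```bash
#!/usr/bin/env bash
# Pre-flight checks to run ON the bastion before handing details to kleene.ai:
#  1. does the global sshd config permit the local (-L) forwarding the app uses?
#  2. can the bastion open a TCP connection to the source database?
set -u

tcp_forwarding_enabled() {
  # $1: path to sshd_config. sshd keeps the FIRST value it reads for a keyword,
  # accepts "Keyword value" or "Keyword=value", and defaults to "yes" if absent.
  # Only the global section (before the first Match block) is inspected; a
  # per-user override can be confirmed with: sshd -T -C user=<bastion user>
  local value
  value=$(awk '
    /^[ \t]*#/ || NF == 0 { next }                   # comments and blank lines
    { gsub(/=/, " "); $0 = $0 }                      # treat "=" as whitespace, resplit
    tolower($1) == "match" { exit }                  # end of the global section
    tolower($1) == "allowtcpforwarding" { print tolower($2); exit }
  ' "$1")
  case "${value:-yes}" in
    yes|all|local) return 0 ;;   # local forwarding permitted
    *)             return 1 ;;   # "no" or "remote" break ssh -L
  esac
}

db_reachable() {
  # $1 host, $2 port. Uses bash's /dev/tcp pseudo-device, capped at 5 seconds,
  # so no telnet/nc install is needed on the bastion.
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

audit_bastion() {
  # $1 sshd_config path, $2 database host, $3 database port. Returns 1 on any failure.
  local rc=0
  if tcp_forwarding_enabled "$1"; then echo "OK   AllowTcpForwarding permits -L in $1"
  else echo "FAIL AllowTcpForwarding disabled in $1"; rc=1; fi
  if db_reachable "$2" "$3"; then echo "OK   $2:$3 reachable from this host"
  else echo "FAIL no TCP connection to $2:$3 (check VPC, security group, DB port)"; rc=1; fi
  return $rc
}

# Constructed sample configs so the parser can be exercised without touching /etc/ssh.
SAMPLE_DIR=$(mktemp -d)
printf 'Port 22\n# AllowTcpForwarding no\nAllowTcpForwarding yes\nMatch User deploy\n  AllowTcpForwarding no\n' > "$SAMPLE_DIR/good.conf"
printf 'allowtcpforwarding=no\nAllowTcpForwarding yes\n' > "$SAMPLE_DIR/bad.conf"

# Usage on the bastion (placeholder values): ./bastion_check.sh /etc/ssh/sshd_config db.internal 1433
if [ $# -ge 3 ]; then audit_bastion "$1" "$2" "$3"; fi
```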

External access to the bastion

Ensuring the bastion can be accessed by the kleene.ai application requires whitelisting the kleene.ai production IP in the relevant security group. Please get in touch with your customer success manager so they can share the correct whitelisting details with you.

Setting up authentication

The app uses key-based SSH authentication, so you will have to create a private key (.pem file) which can be dropped into the connection setup screen in the kleene.ai app; the matching public key must be authorised for the bastion user on the instance.

Confirming the connection

Add the bastion and database credentials to the kleene.ai application source screen and create a new database source.

To test whether this connection works, set up a new extract from this source and ensure that you can bring data back from the database server.

Once bastion access has been set up client-side, the kleene interface will request the following details:

  • Bastion Hostname
  • Bastion User
  • Bastion Pem Key

FAQs


  • Is there a need to configure routing tables?

No. As long as the database is in the same VPC and you have confirmed you can access the database from the bastion instance (via telnet or similar), no further routing configuration is required.

  • Is there a CloudFormation template we can use?

The requirement is an empty Linux EC2 instance. Reach out to your customer success manager if you need help setting this up.

  • Do we need to configure an auto-scaling group (ASG)?

No. This is a good route if you would like extra resilience, but it is not required.