Bastion Server Set Up (AWS)
Setting up a bastion server for access to an AWS hosted database as a source
Context
Configured correctly, a bastion (sometimes called a jump box) is a secure way to give an external service controlled access to your VPC. In this guide we run through the steps needed to ensure that the kleene.ai application can securely and reliably connect to your AWS hosted database.
You will need a working knowledge of deploying and configuring AWS EC2 instances running Linux, and of basic AWS networking.
Steps
Setting up an EC2 box
To set up a bastion we require a basic EC2 instance deployed inside the same VPC as the source database. The hardware requirement is a t2.micro or equivalent. This guide requires a Linux operating system on the instance; the distribution does not matter.
Port forwarding
TCP forwarding must be enabled on the bastion's SSH server (the AllowTcpForwarding setting in sshd_config).
Checking the bastion can access the Database
Telnet to the source database from your bastion EC2 instance and confirm that the database port is reachable from it. The kleene.ai application uses SSH local port forwarding through the bastion, which is equivalent to running the following command, where ssh-server is the bastion and example.net:1433 are the database host and port:
ssh -L 8080:example.net:1433 ssh-server
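The two checks above (sshd allows TCP forwarding, and the database port answers from the bastion) can be scripted. The script below is an added example, not kleene.ai's own tooling; the sshd_config path, the database host and port, and the presence of nc on the bastion are assumptions.

```shell
#!/bin/sh
# Added example (not kleene.ai's tooling): run on the bastion to confirm the
# two things the forwarding step depends on. Paths and hosts are assumptions.
# Usage: sh check_bastion.sh <db-host> <db-port>

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# sshd keeps the FIRST value it reads for a keyword, so the first uncommented
# AllowTcpForwarding line wins. If the keyword is absent the default is "yes".
effective_tcp_forwarding() {
  [ -r "$1" ] || { echo "unreadable"; return 0; }
  val=$(grep -iE '^[[:space:]]*AllowTcpForwarding[[:space:]]+' "$1" \
        | head -n 1 | awk '{print tolower($2)}')
  printf '%s\n' "${val:-yes}"
}

# A local forward (ssh -L) needs "yes", "all" or "local"; "no" and "remote"
# make the forward fail even though the SSH login itself succeeds.
local_forward_allowed() {
  case "$(effective_tcp_forwarding "$1")" in
    yes|all|local) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-in for the telnet check when telnet is not installed: a zero-I/O
# connect with a 5 second timeout (nc assumed present on the bastion).
db_reachable() {
  nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

if [ $# -eq 2 ]; then
  if local_forward_allowed "$SSHD_CONFIG"; then
    echo "sshd: AllowTcpForwarding $(effective_tcp_forwarding "$SSHD_CONFIG") (OK)"
  else
    echo "sshd: AllowTcpForwarding $(effective_tcp_forwarding "$SSHD_CONFIG"); set it to yes or local and restart sshd" >&2
  fi
  if db_reachable "$1" "$2"; then
    echo "database $1:$2 reachable from this host"
  else
    echo "database $1:$2 NOT reachable; check the database security group" >&2
    exit 1
  fi
fi
```

The config parser only reads the global section; if your sshd_config uses Match blocks for the bastion user, `sshd -T` (run as root) prints the effective value instead.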
External access to the bastion
Ensuring the bastion can be accessed by the kleene.ai application requires whitelisting the kleene.ai production IP in your relevant security group - please get in touch with your customer success manager so they can share with you the correct details for whitelisting.
Setting up authentication
The app uses key-based SSH authentication, so you will have to create a private key (.pem file) which can be dropped into the connection setup screen in the kleene.ai app.
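One way to create that key pair and install the public half on the bastion with least privilege, as an added example that is not kleene.ai's own tooling: the authorized_keys options limit the key to a port forward towards the database and nothing else. The database host and port, the key file name and the bastion user are assumptions.

```shell
#!/bin/sh
# Added example (not kleene.ai's tooling): generate the key pair for the
# connection and build an authorized_keys entry for the bastion user that
# lets this key do nothing except forward to the database. Host, port and
# file names are assumptions.
# Usage: sh make_bastion_key.sh generate

DB_HOST="${DB_HOST:-db.internal.example}"
DB_PORT="${DB_PORT:-1433}"
KEY_FILE="${KEY_FILE:-kleene_bastion.pem}"

# authorized_keys entry: "restrict" turns off pty, agent/X11 forwarding and
# command execution; "port-forwarding" turns forwarding back on; "permitopen"
# limits -L targets to the database host:port.
authorized_key_entry() {
  # $1 = one-line public key, $2 = database host, $3 = database port
  printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' "$2" "$3" "$1"
}

# ssh refuses a private key that others can read; require exactly mode 0600.
key_mode_ok() {
  [ -n "$(find "$1" -prune -perm 600 -print 2>/dev/null)" ]
}

if [ "${1:-}" = "generate" ]; then
  # RSA written in PEM format so the private key is the .pem file the app expects.
  ssh-keygen -t rsa -b 4096 -m PEM -f "$KEY_FILE" -N '' -C 'kleene.ai bastion access'
  chmod 600 "$KEY_FILE"
  key_mode_ok "$KEY_FILE" || { echo "$KEY_FILE must be mode 0600" >&2; exit 1; }
  echo "Append this line to ~/.ssh/authorized_keys of the bastion user:"
  authorized_key_entry "$(cat "$KEY_FILE.pub")" "$DB_HOST" "$DB_PORT"
fi
```

Only the private .pem file goes into the kleene.ai connection screen; the printed line goes on the bastion. Keep the permitopen host and port identical to the forward target, otherwise the forward is refused.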
Confirming the connection
Add the bastion and database credentials on the kleene.ai application source screen and create a new database source.
To test whether this connection works, set up a new extract from this source and ensure that you can bring data back from the database server.
Once bastion access has been set up on the client side, the kleene interface will request the following details:
- Bastion Hostname
- Bastion User
- Bastion Pem Key
FAQs
- Is there a need to configure routing tables?
No. As long as the database is in the same VPC and you have confirmed you can access the database from the bastion box (via telnet or similar) then no further routing config is required.
- Is there a CloudFormation template we can use?
The only requirement is an empty Linux EC2 instance. Reach out to your customer success manager if you need help setting this up.
- Do we need to configure an auto-scaling group (ASG)?
No. If you would like extra resilience this is a good route, but it is not required.