Last active
November 11, 2017 22:29
# debugging AWS bastion connectivity issue

Sat. Nov 11 2017

Today I was setting up a public subnet bastion server to access instances on my private subnet. I was able to ssh on to the bastion server but was unable to establish an ssh connection from the bastion instance to the private instance.

Any suggestions? And what could I do to improve or facilitate debugging similar problems in the future?

Here's my setup in a concise form:

VPC settings:

| name        | id  | comment |
|-------------|-----|---------|
| network ACL | 2ec |         |

subnet settings:

| name       | id  | vpc | route table | network ACL |
|------------|-----|-----|-------------|-------------|
| public SN  | d4a | 2ec | f40         | f13         |
| private SN | 534 | 2ec | b2c         | 8c0         |

route tables:

| comment           | id  | destination | target   |
|-------------------|-----|-------------|----------|
| public subnet rt  | f40 | 0.0.0.0/0   | igw-c02  |
|                   |     | 10.0.0.0/16 | local    |
| private subnet rt | b2c | 0.0.0.0/0   | nat-0a3  |
|                   |     | 10.0.0.0/16 | local    |

network ACLs:

first NACL id is f13

| i/o      | rule | type | protocol | source    | Allow/Deny |
|----------|------|------|----------|-----------|------------|
| inbound  | 100  | ALL  | ALL      | 0.0.0.0/0 | Allow      |
| inbound  | *    | ALL  | ALL      | 0.0.0.0/0 | Deny       |
| outbound | 100  | ALL  | ALL      | 0.0.0.0/0 | Allow      |
| outbound | *    | ALL  | ALL      | 0.0.0.0/0 | Deny       |

second NACL id is 8c0

| i/o      | rule | type | protocol/port | source      | Allow/Deny |
|----------|------|------|---------------|-------------|------------|
| inbound  | 100  | SSH  | TCP/22        | 10.0.1.0/24 | Allow      |
| inbound  | *    | ALL  | ALL           | 0.0.0.0/0   | Deny       |
| outbound | 100  | SSH  | TCP/22        | 10.0.1.0/24 | Allow      |
| outbound | 0    | ALL  | ALL           | 0.0.0.0/0   | Deny       |

* Public Bastion (private) IP: 10.0.1.13
* Private instance IP: 10.0.0.144
* security group allows port 22 (SSH) from source 0.0.0.0/0, ::/0, and is set to private accessible
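As an added check (example code, not part of the gist), the script below models how AWS network ACLs evaluate the two legs of the SSH session between the bastion (10.0.1.13) and the private instance (10.0.0.144) against the rules of NACL 8c0 as listed above. It relies only on documented NACL behaviour: rules are evaluated lowest number first, `*` is the catch-all deny, and NACLs are stateless, so the reply from the private instance is matched by the outbound rules on its destination port, which is the bastion's ephemeral source port rather than 22. The client port 51234, the rule number 110 and the 1024-65535 return range in `NACL_8C0_FIXED` are constructed values for the demonstration, not settings from the gist.

```python
# Added example (not from the gist): stateless NACL evaluation of an SSH session
# into the private subnet, using the NACL 8c0 rules shown in the gist.
from ipaddress import ip_address, ip_network

# (rule_no, protocol, (port_from, port_to), cidr, action); "*" is the default deny
NACL_8C0 = {  # private subnet NACL exactly as listed in the gist
    "inbound":  [(100, "tcp", (22, 22), "10.0.1.0/24", "allow"),
                 ("*", "all", (0, 65535), "0.0.0.0/0", "deny")],
    "outbound": [(100, "tcp", (22, 22), "10.0.1.0/24", "allow"),
                 ("*", "all", (0, 65535), "0.0.0.0/0", "deny")],
}
# Constructed variant (assumption): an extra outbound rule covering the ephemeral
# ports that the bastion's SSH client uses as its source, so replies can leave.
NACL_8C0_FIXED = {
    "inbound": NACL_8C0["inbound"],
    "outbound": [(100, "tcp", (22, 22), "10.0.1.0/24", "allow"),
                 (110, "tcp", (1024, 65535), "10.0.1.0/24", "allow"),
                 ("*", "all", (0, 65535), "0.0.0.0/0", "deny")],
}


def evaluate(rules, proto, port, peer):
    """Return the action of the first matching rule (lowest rule number first)."""
    ordered = sorted(rules, key=lambda r: float("inf") if r[0] == "*" else r[0])
    for _, rproto, (lo, hi), cidr, action in ordered:
        if rproto in ("all", proto) and lo <= port <= hi \
                and ip_address(peer) in ip_network(cidr):
            return action
    return "deny"  # AWS ends every NACL with an implicit deny


def ssh_session_verdict(nacl, client_ip, client_port, server_port=22):
    """Check both legs of a TCP session into the private subnet.

    Inbound rules see the request's destination port (22). Because NACLs keep
    no connection state, the outbound rules see the reply's destination port,
    which is the client's ephemeral port, not 22."""
    request = evaluate(nacl["inbound"], "tcp", server_port, client_ip)
    reply = evaluate(nacl["outbound"], "tcp", client_port, client_ip)
    return {"bastion->private": request, "private->bastion": reply}


if __name__ == "__main__":
    for name, nacl in (("8c0 as listed", NACL_8C0), ("8c0 + ephemeral rule", NACL_8C0_FIXED)):
        print(name, ssh_session_verdict(nacl, "10.0.1.13", 51234))
```

Running it shows the request leg allowed under both rule sets while the reply leg is denied under the listed rules and allowed once the ephemeral-port outbound rule is present, which is the check to run whenever a stateless NACL sits in the path of a stateful protocol.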