Bastion Host:

  • A Bastion Host is an EC2 instance that lives in a public subnet, and is used as a "gateway" for traffic that is destined for instances that live in private subnets.
  • This means that we can use a Bastion Host as a "portal" to access EC2 instances that are located in a private subnet.
  • A Bastion Host is considered the "critical strong point" of the network - as all inbound administrative traffic must pass through it first.
  • A Bastion Host should have increased and extremely tight security (usually with extra third-party security and monitoring software installed).
  • A Bastion Host can be used as an access point to "ssh" into an internal network (to access private resources) without a VPN (Virtual Private Network).
  • With a Bastion Host alone, an EC2 instance in the private subnet can NOT send traffic outside of AWS; inbound access through the bastion does not give the instance an outbound route.

"A system identified by the firewall administrator as a critical strong point in the network's security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software" - Marcus J. Ranum

NAT Gateway:

  • A NAT Gateway is designed to provide EC2 instances that live in a private subnet with a route to the internet (so they can download software packages and updates).

  • A NAT Gateway will prevent any hosts located outside of the VPC from initiating a connection with instances that are associated with it.

  • A NAT Gateway will only allow incoming traffic through if a request for it originated from an instance in a private subnet.

  • A NAT Gateway is needed because instances launched into private subnets can NOT communicate with the open internet.

  • Placing instances in a private subnet creates a higher level of security, but also creates the limitation of the instances not being able to download software and software updates.

A NAT Gateway Must:

  • Be created in a public subnet (one whose route table sends 0.0.0.0/0 to an Internet Gateway).
  • Be the target of the 0.0.0.0/0 route in the private subnet's route table.

NAT Instance:

  • A NAT instance is identical to a NAT gateway in its purpose.
  • However, it is implemented differently, by configuring an actual EC2 instance (with source/destination checks disabled) to do the same job.

  • A NAT instance is starting to become more of a legacy feature in AWS.

  • However, questions about them may still appear on the exam.
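The placement rules above (Bastion Host and NAT Gateway in a public subnet, private subnets routing 0.0.0.0/0 to the NAT Gateway) can be checked mechanically. The script below is an added example, not part of these notes or any AWS tool; it runs over a constructed description of a VPC with placeholder resource ids and reports what does not match the rules.

```python
# Constructed sample VPC (ids are placeholders, not real AWS resources).
ROUTE_TABLES = {
    "rtb-public": [{"dest": "10.0.0.0/16", "target": "local"},
                   {"dest": "0.0.0.0/0", "target": "igw-EXAMPLE"}],
    "rtb-private": [{"dest": "10.0.0.0/16", "target": "local"},
                    {"dest": "0.0.0.0/0", "target": "nat-EXAMPLE"}],
    "rtb-isolated": [{"dest": "10.0.0.0/16", "target": "local"}],
}
SUBNETS = {  # subnet name -> associated route table
    "public-a": "rtb-public",
    "private-a": "rtb-private",
    "private-b": "rtb-isolated",
}
NAT_GATEWAYS = [{"id": "nat-EXAMPLE", "subnet": "public-a"}]
BASTIONS = [{"id": "i-BASTION", "subnet": "public-a"}]

def default_target(subnet, subnets, route_tables):
    """Return the target of the subnet's 0.0.0.0/0 route, or None if it has none."""
    for route in route_tables[subnets[subnet]]:
        if route["dest"] == "0.0.0.0/0":
            return route["target"]
    return None

def is_public(subnet, subnets, route_tables):
    """A subnet is public when its default route goes to an Internet Gateway."""
    target = default_target(subnet, subnets, route_tables)
    return target is not None and target.startswith("igw-")

def check_topology(subnets, route_tables, nat_gateways, bastions):
    """Return a list of findings; an empty list means the layout follows the rules."""
    findings = []
    # Rule 1: NAT gateways and bastion hosts must sit in a public subnet.
    for res in nat_gateways + bastions:
        if not is_public(res["subnet"], subnets, route_tables):
            findings.append(f"{res['id']} is not in a public subnet")
    # Rule 2: each private subnet's route table must send 0.0.0.0/0 to a NAT gateway.
    nat_ids = {n["id"] for n in nat_gateways}
    for name in subnets:
        if is_public(name, subnets, route_tables):
            continue
        target = default_target(name, subnets, route_tables)
        if target is None:
            findings.append(f"{name} has no default route: reachable via bastion only, no outbound internet")
        elif target not in nat_ids:
            findings.append(f"{name} default route targets {target}, not a NAT gateway")
    return findings

if __name__ == "__main__":
    print("\n".join(check_topology(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS, BASTIONS)))
```

For the sample above the only finding is private-b, which illustrates the last Bastion Host bullet: hosts there can be reached through the bastion but have no route out.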
