Accessing a Private hosted application via Public/Bastion instance [AWS]

Let's say you have an application which you have deployed in your Private subnet in AWS and you want to access that application via your Bastion instance / Browser.

1. Assuming that you already have deployed the application on one of your Private Subnet EC2 instance.
2. If deployed correctly, that application should be accessible via http://PRIVATE_IP:PORT/ but since your private instance doesn't have internet access and you cannot directly connect to it. We will use an alternative to it.

So to achieve this we will set-up an SSH tunnel and then use it to connect to our application via any Browser.

$ ssh -N -R LOCAL_PORT:REMOTE_APP_HOST:REMOTE_APP_PORT USER@LOCAL_HOST -i KEY.PEM

Man entry for -R flag:
-R [bind_address:]port:host:hostport
-R [bind_address:]port:local_socket
-R remote_socket:host:hostport
-R remote_socket:local_socket

Specifies that connections to the given TCP port or Unix socket on the remote (server) host are to be forwarded to the given host and port, or Unix socket, on the local side. This works by allocating a socket to listen to either a TCP port or to a Unix socket on the remote side. Whenever a connection is made to this port or Unix socket, the connection is forwarded over the secure channel, and a connection is made to either host port hostport, or local_socket, from the local machine.


Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified by enclosing the address in square brackets.


By default, TCP listening sockets on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).


If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time. When used together with -O forward the allocated port will be printed to the standard output.

Man entry for -N flag:
-N

 Do not execute a remote command. This is useful for just forwarding ports.

Man entry for -i flag:
-i identity_file

Selects a file from which the identity (private key) for public key authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files). If no certificates have been explicitly specified by the CertificateFile directive, ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames.


And our application is accessible now :)


Comments

Post a Comment

Popular posts from this blog

Installing Tomcat8 on RHEL6

Image
Apache-HTTP v/s Apache-Tomcat: The basic difference is Apache-Tomcat is written in Java but Apache-HTTP is written in C. Apart from this Apache-Tomcat is used as a webserver as well as to deploy Java Servlet's and JSP's [Java server pages] so basically Apache-Tomcat is used to serve Java Technologies whereas Apache-HTTP is used to serve HTTP. Prerequisites: Appropriate version of JRE [Java run-time environment] for instance jre1.7 is required to run tomcat-8[.X.X]. Tomcat binaries, for version 8 check this link . Sudo/Root access to the machine. Step1: Install JRE Download JRE from Java's official website. You can keep Java at any location but for my ease I have kept both Tomcat and Java in /opt. # cd /opt # cp jre-7u45-linux-x64.tar.gz . # tar -zxvf jre-7u45-linux-x64.tar.gz  The above command will create a folder with JRE binaries. In my case it was "jre1.7.0_45". Now set JRE_HOME [Required by Tomcat] and PATH. export JRE_HOME=/opt/jre1.7.
Read more

Manage existing resources via Helm

Manage existing resources via Helm Helm is really a very powerful tool for managing Kubernetes objects. With a single command, we can install or upgrade multiple related Kubernetes entities. Let's say we want to install any chart from the helm registry, we just need to type in the below command and helm will do the heavy lifting for us. $ helm install [RELEASE_NAME] [REPO]/[CHART] But below post is not about the basics of helm or how to install or upgrade a chart, etc. It's been a long time since I wrote anything, so I just thought to write something about what new I learned today :)  While installing one of my charts, I encountered below issue: Error: INSTALLATION FAILED: rendered manifests contain a resource that already exists. Unable to continue with install: StorageClass "demo-sc" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by&qu
Read more

Configuration and setting-up of AIDE on RHEL6

AIDE is a powerful package for checking integrity of files on a machine/system. Prerequisites : Just aide package. [root@sunny ~]# yum install aide -y Loaded plugins: refresh-packagekit, rhnplugin This system is not registered with RHN.                                                                         RHN support will be disabled. Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package aide.x86_64 0:0.14-3.el6 set to be updated --> Finished Dependency Resolution Dependencies Resolved ================================================================================  Package         Arch              Version               Repository        Size ================================================================================ Installing:  aide            x86_64            0.14-3.el6            local            123 k Transaction Summary =============================================================
Read more