Connect via Bastion
In the previous guide, Add Bastion User, we configured a user with access to the Bastion. In this guide, we are going to use the same SSH access to connect to resources on the private network using an SSH Tunnel.
TIP
An SSH Tunnel is a technique where your local machine forwards a local port to a remote resource through an SSH connection.
Open SSH Tunnel
To open an SSH Tunnel, we're going to use the -L flag to forward a port on a remote host to our local machine. Here is the format of the command we're going to use:
ssh -L <local-port>:<remote-host>:<remote-port> -i <private-key> <bastion-user>@<bastion-ip>ssh -L <local-port>:<remote-host>:<remote-port> -i <private-key> <bastion-user>@<bastion-ip>Let's use that format to connect to an AWS RDS Postgres database. In the following example, our configuration looks like this:
- Local Port:
4432 - Database Endpoint:
postgres0.cs4cyqrf5rxq.us-west-1.rds.amazonaws.com:5432 - Private Key:
~/.ssh/id_ed25519 - Bastion User:
ubuntu - Bastion IP:
1.2.3.4
ssh -L 4432:postgres0.cs4cyqrf5rxq.us-west-1.rds.amazonaws.com:5432 -i ~/.ssh/id_ed25519 ubuntu@1.2.3.4ssh -L 4432:postgres0.cs4cyqrf5rxq.us-west-1.rds.amazonaws.com:5432 -i ~/.ssh/id_ed25519 ubuntu@1.2.3.4TIP
Your database endpoint is viewable on the Datastore "Overview" tab listed in "Connect to Private Endpoint".
Store config for repeat use
It's common to connect to the database every day, so let's use ~/.ssh/config to make life easier when we want to connect. Add the following stanza to ~/.ssh/config.
Host dev-bastion
User ubuntu
Hostname 1.2.3.4
IdentityFile ~/.ssh/id_ed25519
LocalForward 0.0.0.0:4432 postgres0.cs4cyqrf5rxq.us-west-1.rds.amazonaws.com:5432Host dev-bastion
User ubuntu
Hostname 1.2.3.4
IdentityFile ~/.ssh/id_ed25519
LocalForward 0.0.0.0:4432 postgres0.cs4cyqrf5rxq.us-west-1.rds.amazonaws.com:5432Now, you are able to connect to the dev bastion with all the configuration and the SSH Tunnel.
ssh dev-bastionssh dev-bastion