A Bastion Host is a special EC2 instance placed in a public subnet that you use to SSH into EC2 instances in a private subnet. Private instances have no public IP, so you cannot reach them directly from the internet. The Bastion acts as the middle step.
Your Laptop → SSH → Bastion Host (Public Subnet) → SSH → Private EC2 (Private Subnet)
Private subnet EC2 instances are isolated — no public IP, no direct internet access. This is good for security, but it means you cannot SSH into them directly from your laptop.
The solution is to place one EC2 instance (the Bastion) in a public subnet. You SSH into the Bastion first, then SSH from the Bastion into the private instances.
```text
Internet
    |
    | SSH
    |
Bastion Host          <- Public Subnet, has public IP
    |
    | SSH
    |
Private EC2 Instances <- Private Subnet, private IP only
```
Bastion Host Security Group, inbound rule:

| Rule | Value |
|---|---|
| Type | SSH |
| Port | 22 |
| Source | Your IP only (e.g. 203.0.113.5/32) |

Only your specific IP can SSH into the Bastion; every other source is blocked.
Private EC2 Security Group, inbound rule:

| Rule | Value |
|---|---|
| Type | SSH |
| Port | 22 |
| Source | Bastion Host's Security Group |

You point to the Bastion's Security Group rather than its IP address. The Bastion's IP can change after a reboot, while its Security Group ID stays the same for as long as the group exists, so the rule keeps working without any edits.
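As an added example (not part of the original page), here is a Python check that audits both rules above against the JSON shape returned by `aws ec2 describe-security-groups`: the bastion group may expose port 22 only to single-host /32 CIDRs, and each private group only to the bastion's security group ID. The group IDs, group names and the address 203.0.113.5 are constructed sample data; in practice `SAMPLE_GROUPS` would be the `SecurityGroups` list from the real API response.

```python
"""Audit the security groups of a bastion-host setup.

Reads the subset of the `describe-security-groups` response that the two
rules depend on: IpProtocol/FromPort/ToPort, IpRanges[].CidrIp and
UserIdGroupPairs[].GroupId.
"""
import ipaddress

# Constructed sample data (placeholder IDs): a correct bastion SG, a correct
# private SG, and a private SG that wrongly exposes SSH to the whole internet.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0bastion000000001",
        "GroupName": "bastion-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.5/32"}],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0private00000002",
        "GroupName": "private-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0bastion000000001"}]},
        ],
    },
    {
        "GroupId": "sg-0private00000003",
        "GroupName": "private-sg-bad",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "UserIdGroupPairs": []},
        ],
    },
]


def ssh_rules(group):
    """Yield every inbound permission of `group` that covers TCP port 22."""
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "all traffic" rules have no port fields but include 22
            yield perm
        elif proto == "tcp" and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
            yield perm


def check_bastion(group):
    """Bastion SG: port 22 only from single-host (/32) CIDRs, never from an SG."""
    findings = []
    for perm in ssh_rules(group):
        if perm.get("IpProtocol") == "-1":
            findings.append("allows all protocols and ports inbound")
        for r in perm.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"], strict=False)
            if net.prefixlen != 32:
                findings.append(f"SSH open to {r['CidrIp']} (not a single /32 address)")
        for p in perm.get("UserIdGroupPairs", []):
            findings.append(f"SSH allowed from security group {p['GroupId']}")
    return findings


def check_private(group, bastion_sg_id):
    """Private SG: port 22 only from the bastion's security group, no CIDR sources."""
    findings = []
    for perm in ssh_rules(group):
        if perm.get("IpProtocol") == "-1":
            findings.append("allows all protocols and ports inbound")
        for r in perm.get("IpRanges", []):
            findings.append(f"SSH reachable from CIDR {r['CidrIp']} instead of the bastion SG")
        for p in perm.get("UserIdGroupPairs", []):
            if p["GroupId"] != bastion_sg_id:
                findings.append(f"SSH allowed from unexpected security group {p['GroupId']}")
    return findings


def audit(groups, bastion_sg_id, private_sg_ids):
    """Return {group_id: [findings]}; an empty list means the group passes."""
    by_id = {g["GroupId"]: g for g in groups}
    report = {bastion_sg_id: check_bastion(by_id[bastion_sg_id])}
    for sg_id in private_sg_ids:
        report[sg_id] = check_private(by_id[sg_id], bastion_sg_id)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_GROUPS, "sg-0bastion000000001",
                   ["sg-0private00000002", "sg-0private00000003"])
    for sg_id, findings in result.items():
        print(sg_id, "OK" if not findings else "; ".join(findings))
```

The check treats an "all traffic" rule (`IpProtocol` of `-1`) as covering port 22, since that is how the security group evaluates it, and it flags a private group that names any CIDR at all, because the whole point of the second rule is that the only path to port 22 is through the bastion's group.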
Setup: