Secure AWS VPC Setup with Bastion Host (Step-by-Step Guide for Beginners) | 2026

-

Learn how to build a secure AWS VPC with Bastion Host step-by-step. Beginner-friendly AWS networking project with real-world architecture and security best practices.

Tags: Learn how to build a secure AWS VPC with Bastion Host step-by-step. Hands-on guide with real-world architecture, security best practices, and AWS tips.

Introduction

In modern cloud environments, security and controlled access are non-negotiable. One of the most widely used patterns in production AWS architectures is the bastion host (jump server) setup — a secure gateway that enables access to private resources without exposing them to the internet.

A secure AWS VPC with a Bastion Host allows controlled SSH access to private instances without exposing them to the internet. In this hands-on guide, you will build a production-style AWS network architecture used by real companies to secure cloud environments.

If you're preparing for AWS Cloud roles, this project demonstrates strong skills in networking, security, and architecture design.

In this project, I designed and implemented a secure AWS VPC architecture with a bastion host, focusing on network isolation, least-privilege access, and real-world troubleshooting scenarios.

This blog walks through the architecture, implementation, and key learnings.

Problem Statement

A common mistake in beginner AWS setups is:

  • Launching EC2 instances with public IPs
  • Allowing SSH access from anywhere (0.0.0.0/0)
  • Ignoring network segmentation

This creates a massive attack surface.

The goal:

  • Keep application servers private
  • Allow access only through a controlled entry point
  • Enforce secure networking best practices

What is Bastion Host?

A Bastion Host is a secure EC2 instance placed in a public subnet that acts as a gateway to access private instances.

 Instead of exposing all servers to the internet:

  • Only ONE server (Bastion) is exposed
  • Everything else stays private

Architecture Overview

The solution is a custom VPC with public and private subnets:

  • Public Subnet → Bastion Host (accessible from internet)
  • Private Subnet → Application Server (no public access)

Traffic Flow

Client → Bastion Host → Private EC2 Instance

This ensures:

  • No direct internet exposure of private resources
  • All access is auditable and controlled

Key AWS Services Used

  • Amazon EC2
  • Amazon VPC
  • Security Groups
  • Internet Gateway
  • Route Tables
  • SSH (ProxyJump, Agent Forwarding)

Step-by-Step Implementation

1. Create Custom VPC

  • CIDR: 10.0.0.0/16
  • Enables full control over networking

2. Create Subnets

  • Public Subnet: 10.0.1.0/24
  • Private Subnet: 10.0.2.0/24

Public subnet connects to the internet, private subnet remains isolated.

3. Configure Internet Gateway

  • Attach IGW to VPC
  • Route public subnet traffic to internet

4. Launch Bastion Host (Public EC2)

  • Public IP enabled
  • Security group:
    • SSH (22) → Your IP only

Acts as the only entry point

5. Launch Private EC2 Instance

  • No public IP
  • Security group:
    • SSH allowed only from bastion

Completely hidden from internet

6. Configure Secure SSH Access

Traditional Method:

ssh -i key.pem ec2-user@bastion-ip
ssh -i key.pem ec2-user@private-ip

Advanced (Recommended):

ssh private-app

Using:

  • SSH config
  • ProxyJump

Cleaner, faster, production-style access

Security Design Principles

1. Network Isolation

Private resources are not publicly reachable.

2. Least Privilege Access

  • Bastion: Accessible only from your IP
  • Private server: Accessible only from bastion

3. Controlled Entry Point

All access flows through a single hardened host.

4. Defense in Depth

  • Subnets
  • Route tables
  • Security groups

Multiple layers of protection.

Real-World Failure Scenarios (What I Tested)

To simulate production environments, I intentionally broke the system and fixed it.

🔴 Scenario 1: Cannot SSH into Bastion

  • Cause: Incorrect security group
  • Fix: Allow SSH from my IP

🔴 Scenario 2: Cannot Access Private Instance

  • Cause: Missing security group rule
  • Fix: Allow SSH from bastion security group

🔴 Scenario 3: Permission Denied

  • Cause: Incorrect key permissions
  • Fix:
chmod 400 key.pem

🔴 Scenario 4: Private Instance Exposed

  • Cause: Public IP assigned accidentally
  • Fix: Remove public IP + restrict access

Cost Optimization

This project is designed to be budget-friendly:

  • EC2 (t2.micro × 2): ~$12–16/month
  • VPC + Networking: Free

Cost-saving tips:

  • Stop instances when not in use
  • Avoid NAT Gateway
  • Delete resources after testing

Key Learnings

  • How to design a secure AWS VPC architecture
  • Importance of network segmentation
  • Practical implementation of bastion host pattern
  • Debugging real-world SSH and networking issues
  • Writing clean, production-style SSH workflows

Why This Project Matters

Most beginner projects:

  • Use default VPC
  • Expose everything publicly

This project demonstrates:

  • Real cloud security thinking
  • Understanding of production architectures
  • Ability to debug failures

These are exactly the skills recruiters look for in Cloud and DevOps roles.

GitHub Repository

Full implementation, scripts, and documentation:

https://github.com/anupddas/aws-secure-vpc-bastion-architecture.git

Conclusion

Building a secure AWS environment is not just about launching instances — it’s about controlling access, minimizing exposure, and designing for real-world scenarios.

The bastion host architecture is a foundational concept in cloud security, and mastering it puts you ahead of most entry-level candidates.

Anup Das
As, India
Location: Guwahati, Assam 781021, India

Comments

Post a Comment

Popular posts from this blog

How AWS VPC Works: A Deep-Dive Guide to Virtual Private Cloud (Architecture, Security & Best Practices)

-
Image
A complete, in-depth guide to AWS VPC covering architecture, subnets, routing, security, and real-world design patterns. Learn how to build secure, scalable cloud networks. Introduction Amazon Virtual Private Cloud (VPC) is the foundation of networking in Amazon Web Services. It allows you to design a logically isolated network in the cloud where you control IP addressing, routing, and security. If you are aiming for cloud engineering roles, understanding VPC deeply is non-negotiable. This guide goes beyond basics and explains how VPC actually works in real-world architectures. What is a VPC? A Virtual Private Cloud (VPC) is a private, isolated section of the AWS cloud where you can launch resources like EC2 instances, databases, and load balancers. Think of it as: Your own data center network But fully virtual And controlled via software Key characteristics: Fully customizable IP range (CIDR) Logical isolation from other networks Integrated security layers High scalability Core Compon...
Read more