Amazon.com, Inc.
Establishing secure connections to instances in private subnets of a cloud provider network
Abstract:
Techniques are described for enabling users to establish Secure Shell (SSH) connections with compute instances running in private subnets of virtual private networks of a cloud provider network. A "bastion" compute instance, including an SSH server and specialized SSH client software, is used to enable connections to compute instances in a private subnet of a virtual private network. A bastion instance is a server designed to be a primary point of access from the internet (e.g., by its inclusion in a public subnet of a virtual private network) and acts as a proxy for compute instances running in a private subnet of a virtual private network. The ability for a bastion instance to establish connections to instances in a private subnet is based on a role attached to the bastion instance, where the role may be defined using an identity and access management service of the cloud provider network.
Utility
30 Jun 2020
3 May 2022