I am deploying my AWS resources with Terraform; one of the resources happens to be of type aws_instance (EC2), and this is acting as my Bastion Host. It is on the public subnet, and I created a security group which allows SSH from my home IP. This security group works, as I am able to SSH into the Bastion Host.
# Security group attached to the bastion: SSH in from the home IP only,
# unrestricted egress.
resource "aws_security_group" "allow_home_to_bastion_ssh" {
  name        = "Home to bastion"
  description = "Allow SSH - Home to Bastion"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from home"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["<My-Home-IP>/32"]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = "Home to bastion"
  }
}
I also created other security groups that I'm adding to the node group configuration under the remote_access section, as shown below.
resource "aws_eks_node_group" "node_group" {
  cluster_name    = var.cluster_name
  node_group_name = var.node_group_name
  node_role_arn   = var.node_pool_role_arn
  subnet_ids      = [var.subnet_1_id, var.subnet_2_id]
  instance_types  = ["t2.medium"]

  scaling_config {
    desired_size = 1
    max_size     = 1
    min_size     = 1
  }

  update_config {
    max_unavailable = 1
  }

  remote_access {
    # EC2 key pair name as registered in AWS, not the .pem file on disk
    ec2_ssh_key = "<My-Key-Pair-Name>"
    # security groups that EKS allows SSH (port 22) to the nodes from
    source_security_group_ids = [
      var.allow_http_id,
      var.allow_ssh_id,
      var.allow_tls_id,
      var.allow_bastion_to_eks_node_id
    ]
  }
}
The allow_ssh_id is shown below; as shown above, this is added to the source_security_group_ids. I expect this to allow me to SSH from my Bastion Host to the EKS Node created by the node group, since they're all on the same CIDR range and VPC.
resource "aws_security_group" "allow_ssh" {
  name        = var.sg_allow_ssh_name
  description = "Allow SSH from CIDR"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from VPC"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr_block]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = [var.vpc_cidr_block]
    ipv6_cidr_blocks = ["::/0"]
  }
}
The allow_bastion_to_eks_node_id is an additional security group I created which is also added to the node group; this is to specifically allow SSH from the external IP of the Bastion Host onto the EKS Node. See code below.
resource "aws_security_group" "bastion_allow_ssh" {
  name        = var.sg_allow_bastion_ssh_name
  description = "Allow SSH - Bastion to EKS"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from Bastion"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${var.sg_allow_bastion_elastic_ssh}/32"]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = var.sg_allow_bastion_ssh_name
  }
}
As shown above, I am using the bastion Elastic IP. Yet I cannot SSH to my EKS node from the Bastion Host. Not sure what is going on.
Note: the bastion host is in a public subnet but uses the same VPC as the EKS Node, which is in the private subnet.
SSH ERROR
ssh: connect to host port 22: Operation timed out