Why can't I SSH from my AWS Bastion Host to my EKS node


I am deploying my AWS resources with Terraform; one of the resources happens to be of type aws_instance (EC2), and this is acting as my Bastion Host. It is on the public subnet, and I created a security group which allows SSH from my home IP. This security group works, as I am able to SSH into the Bastion Host.

resource "aws_security_group" "allow_home_to_bastion_ssh" {
  name        = "Home to bastion"
  description = "Allow SSH - Home to Bastion"
  vpc_id      = var.vpc_id

  ingress {
    description      = "SSH from Bastion"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = ["<My-Home-IP>/32"]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = "Home to bastion"
  }
}

I also created other security groups that I'm adding to the node group configuration under the remote_access section, as shown below.

resource "aws_eks_node_group" "node_group" {
  cluster_name    = var.cluster_name
  node_group_name = var.node_group_name
  node_role_arn   = var.node_pool_role_arn
  subnet_ids      = [var.subnet_1_id, var.subnet_2_id]
  instance_types = ["t2.medium"]

  scaling_config {
    desired_size = 1
    max_size     = 1
    min_size     = 1
  }

  update_config {
    max_unavailable = 1
  }

  remote_access {
    ec2_ssh_key = "<My-Key-Pair.pem>"
    source_security_group_ids = [ 
      var.allow_http_id,
      var.allow_ssh_id,
      var.allow_tls_id,
      var.allow_bastion_to_eks_node_id
     ]
  }
}

The allow_ssh_id is shown below; as shown above, this is added to the source_security_group_ids. I expect this to allow me to SSH from my Bastion Host to the EKS Node created by the node group, since they're all on the same CIDR range and VPC.

resource "aws_security_group" "allow_ssh" {
  name        = var.sg_allow_ssh_name
  description = "Allow SSH from CIDR"
  vpc_id      = var.vpc_id

  ingress {
    description      = "SSH from VPC"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = [var.vpc_cidr_block]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = [var.vpc_cidr_block]
    ipv6_cidr_blocks = ["::/0"]
  }
}

The allow_bastion_to_eks_node_id is an additional security group I created which is also added to the node group; this is to specifically allow SSH from the external IP of the Bastion Host onto the EKS Node. See the code below.

resource "aws_security_group" "bastion_allow_ssh" {
  name        = var.sg_allow_bastion_ssh_name
  description = "Allow SSH - Bastion to EKS"
  vpc_id      = var.vpc_id

  ingress {
    description      = "SSH from Bastion"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = ["${var.sg_allow_bastion_elastic_ssh}/32"]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = var.sg_allow_bastion_ssh_name
  }
}

As shown above, I am using the bastion elastic IP. Yet I cannot SSH to my EKS node from the Bastion Host. Not sure what is going on.

Note: the bastion host is in a public subnet but using the same VPC as the EKS Node, which is in the private subnet.

SSH ERROR

ssh: connect to host port 22: Operation timed out
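For comparison, an added example (not the question's code) of how remote_access is meant to be wired: EKS turns each ID in source_security_group_ids into a port-22 ingress rule on the node security group whose source is that group's instance membership, not the CIDR rules written inside it, so the bastion itself must carry the group. Variable names, the AMI and the key pair names are assumed placeholders.

```hcl
# Added example (not the question's code): the bastion is a *member* of this
# group, and the node group names the group as its SSH source. Placeholders
# (variables, AMI, key pair names) are assumptions.
resource "aws_security_group" "bastion" {
  name        = "bastion"
  description = "Bastion host: SSH in from home IP only"
  vpc_id      = var.vpc_id
  ingress {
    description = "SSH from home"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${var.home_ip}/32"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "bastion" {
  ami                    = var.bastion_ami_id
  instance_type          = "t3.micro"
  subnet_id              = var.public_subnet_id
  key_name               = var.bastion_key_pair_name # key pair name, not a .pem path
  vpc_security_group_ids = [aws_security_group.bastion.id]
}

resource "aws_eks_node_group" "node_group" {
  cluster_name    = var.cluster_name
  node_group_name = var.node_group_name
  node_role_arn   = var.node_pool_role_arn
  subnet_ids      = [var.subnet_1_id, var.subnet_2_id]
  scaling_config {
    desired_size = 1
    max_size     = 1
    min_size     = 1
  }
  remote_access {
    ec2_ssh_key = var.node_key_pair_name
    # EKS adds a port-22 ingress rule on the node security group whose source
    # is this group (instance membership), not the CIDR rules written in it.
    # Inside the VPC the bastion connects from its private IP, so no elastic
    # IP rule is involved.
    source_security_group_ids = [aws_security_group.bastion.id]
  }
}
```

With this layout the nodes accept SSH only from instances that carry the bastion group, which is narrower than a VPC-wide CIDR rule.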
