
Bastion ec2
Update (): To help you quickly deploy an environment that leverages the Microsoft Remote Desktop Gateway, we’ve released a Quick Start that includes a Reference Deployment guide and an AWS CloudFormation template that will create a fully functioning Remote Desktop Gateway deployment in your account.

As the number of EC2 instances in your AWS environment grows, so too does the number of administrative access points to those instances. Depending on where your administrators connect to your instances from, you may consider enforcing stronger network-based access controls.

A best practice in this area is to use a bastion. A bastion is a special purpose server instance that is designed to be the primary access point from the Internet and acts as a proxy to your other EC2 instances. This week’s guest blogger, Ryan Holland, AWS Solutions Architect, describes how to configure a bastion in front of your Windows EC2 instances to proxy administrative requests to your instances. Future posts from Ryan will describe how to configure a bastion in front of your Linux EC2 instances.

If you run Microsoft Windows instances in EC2, then you most likely use the Remote Desktop Protocol (RDP) for remote administration. To define the source IPs that are allowed to connect to your EC2 instances’ RDP port (TCP/3389), you configure the instance’s security group rules. When configuring your security groups, it’s a best practice to apply the principle of least privilege, allowing only connections to the RDP port from IP addresses your administrators will be connecting from and denying all others. However, in cases where an administrator could be connecting from anywhere on the Internet, trying to determine which IPs to allow can be difficult. As a result, we often see customers setting security groups for RDP access to allow every IP (0.0.0.0/0), thereby failing to enforce least privilege at the network layer.

One solution to this problem is to protect your Windows instances at the network layer using a Microsoft Remote Desktop (RD) Gateway server set up as a bastion. RD Gateway can be configured to accept connections via HTTPS (TCP/443) from every IP on the Internet, then proxy them to your other Windows instances using the RDP port (TCP/3389). Only users who authenticate to your RD Gateway instance are allowed to proceed on to the protected Windows instances behind the proxy. The basic steps for configuring RD Gateway are:

  • Create a Windows EC2 instance and configure a security group rule to allow RDP access.
  • Install and configure RD Gateway on that instance.
  • Reconfigure security groups on the RD Gateway instance and all other Windows server instances to control which connections are allowed.
  • Verify you can connect to your Windows instances through RD Gateway.

Create a Windows EC2 instance and configure its security group rule

RD Gateway is a component of the Microsoft Remote Desktop Services server role that can be added to any Windows Server instance. To set up RD Gateway, first use the EC2 Quick Launch Wizard in the AWS Management Console to launch a Windows Server 2008 R2 instance into a public subnet of your VPC or EC2-Classic environment. In order to allow access for initial configuration of the RD Gateway, you must create a temporary Amazon VPC or EC2 security group rule for this instance to accept RDP (TCP/3389) connections from your current IP address. Figure 1 below shows the AWS EC2 Console GUI for creating a WinRDGateway security group using an example IP address of 192.168.0.0/24. Make a note of the elastic IP address of this instance, as you’ll need it later.
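To make the least-privilege rule concrete, here is an added example (not code from the original post or from AWS) that audits security group ingress rules for the pattern described above: TCP/3389 must never be open to 0.0.0.0/0, and on the protected Windows instances it should be sourced only from the RD Gateway's own security group. The group ids and rules in SAMPLE_GROUPS are constructed placeholders, and the data shape assumed is that of boto3's describe_security_groups response.

```python
from ipaddress import ip_network

RDP_PORT = 3389  # TCP/3389: the post says only the gateway should reach it

def _allows_tcp(perm, port):
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # an "all traffic" rule covers RDP too
        return True
    return proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_rdp_exposure(groups, gateway_sg_id):
    """Return (group_id, message) for every RDP rule that breaks the bastion
    pattern. `groups` uses the dict shape of boto3 describe_security_groups
    (GroupId, IpPermissions with IpRanges / UserIdGroupPairs); `gateway_sg_id`
    is the group attached to the RD Gateway instance."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg["IpPermissions"]:
            if not _allows_tcp(perm, RDP_PORT):
                continue
            for rng in perm.get("IpRanges", []):
                net = ip_network(rng["CidrIp"], strict=False)
                if net.prefixlen == 0:  # 0.0.0.0/0: the weak setting
                    findings.append((gid, "RDP open to 0.0.0.0/0"))
                elif gid == gateway_sg_id:  # temporary rule from the setup step
                    findings.append((gid, "bootstrap RDP rule on the gateway (remove after setup)"))
                else:
                    findings.append((gid, f"RDP from CIDR {net} (bypasses the gateway)"))
            if gid != gateway_sg_id:
                for pair in perm.get("UserIdGroupPairs", []):
                    if pair["GroupId"] != gateway_sg_id:
                        findings.append((gid, f"RDP from group {pair['GroupId']} (not the gateway)"))
    return findings

# Constructed sample input (not real account data): the gateway group accepting
# HTTPS from anywhere, one instance group with the weak setting, one corrected.
SAMPLE_GROUPS = [
    {"GroupId": "sg-gateway", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-weak", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-hardened", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-gateway"}]}]},
]
```

Calling audit_rdp_exposure(SAMPLE_GROUPS, "sg-gateway") reports only sg-weak; to audit a real account, pass the SecurityGroups list from a describe_security_groups response in its place.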