Enhancing AWS VPC Security: Accessing Your Network with a Private Jumpbox using Tailscale

In today’s cloud-centric world, ensuring the security of your AWS resources is paramount. I was recently working on a cloud project and wanted a secure way to access the VPC remotely without using EC2 Instance Connect. This is when I came up with the idea of trying Tailscale VPN. I had already been tinkering with Tailscale on my home network and noticed how powerful it was. In this post, I will share how you can enhance your AWS VPC security by setting up a private jumpbox using Tailscale. We’ll be using the free plan, which is sufficient for our needs. I suggest visiting Tailscale’s website to explore all their features and use cases.

The Solution

Understanding the Basics

For those new to AWS, a Virtual Private Cloud (VPC) is a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. A jumpbox, or bastion host, acts as a secure gateway to your VPC, typically accessed via SSH, and it helps in reducing the exposure of your instances. Tailscale is a user-friendly VPN that simplifies secure network connections using WireGuard’s encryption technology. It’s particularly great for creating secure, peer-to-peer networks.

Why Use a Private Jumpbox and Tailscale?

Using a private jumpbox, also known as a bastion host, provides a secure gateway to your AWS VPC. Unlike a public jumpbox, a private jumpbox is not accessible directly from the internet, which significantly reduces the attack surface and enhances the overall security of your network. This setup ensures that only authorized users can access your VPC resources.

Tailscale is a peer-to-peer VPN solution built on WireGuard, which simplifies secure network connections. Tailscale’s ease of use, combined with its robust security features, makes it an excellent choice for setting up a private jumpbox. With Tailscale, you can create a secure mesh network that includes your local devices and your AWS resources, allowing seamless and secure access.

One of the key advantages of using Tailscale with a private jumpbox is its cost-effectiveness. Here are some points to consider:

Free Plan: Tailscale offers a free plan that is sufficient for many use cases, especially for small projects or individual developers. This plan includes all the core features needed to set up a secure private jumpbox.

Reduced AWS Costs: By using a private jumpbox, you can minimize the number of publicly accessible instances, which can lower your AWS costs. Public instances often require additional security measures and monitoring, increasing overall expenses.

No Need for Expensive Hardware: Tailscale operates on your existing infrastructure, meaning you don’t need to invest in additional hardware or complex network setups.

Setting Up the Environment

Before we begin, ensure that you have an AWS account with the necessary permissions, and that Tailscale is installed and signed in on the client machine you will connect from.

Create the VPC

Navigate to the VPC dashboard and click Create VPC.

In the VPC Settings box we will use the VPC and More option for simplicity. Match your settings to the following and click Create VPC:

Name tag auto-generation: TailscaleJumpBox
IPv4 CIDR block: 10.0.0.0/16
IPv6 CIDR block (important): Amazon-provided IPv6 CIDR block
Tenancy: Default
Number of Availability Zones: 1
Number of public subnets: 1
Number of private subnets: 1
NAT gateways: None
VPC endpoints: None
DNS Options: Both options should be checked.

Using the VPC and more option when creating the VPC saves time by auto-generating your subnets, route tables, and internet gateway.

Turn on IPv6 Auto-assign

In the VPC Dashboard menu click Subnets.
Select the public subnet and enable Auto-assign IPv6 in its settings.

This will automatically assign IPv6 addresses to resources deployed into the TailscaleJumpBox-VPC. This matters because AWS-assigned IPv6 addresses are globally unique and publicly routable, unlike the private IPv4 addresses in the VPC, so the instance can reach the internet through the public subnet’s internet gateway without a public IPv4 address or a NAT gateway.

Create Security Group

In the VPC Dashboard menu click Security groups.
Click Create Security Group.

Enter the following details:

Security group name: Tailscale-JumpBox-SG

Description: Allow remote connection from Tailscale

VPC: tailscalejumpbox-vpc

Inbound rules: None (default)

Outbound rules: Leave as default (all traffic)

Launch Instance

Navigate to the EC2 Dashboard.
Click Launch Instance.

Enter the following details:

Name: Tailscale-JumpBox-USE-1a

Application and OS Images: Amazon Linux – Amazon Linux 2023

Instance Type: t2.micro (free tier)

Key pair: Create new key pair -> RSA -> .pem -> Download key pair

Network Settings: Click edit to change all options

VPC: tailscalejumpbox-vpc

Subnet: tailscalejumpbox-subnet-public1-us-east-1a

Auto-assign public IP: Disable

Auto-assign IPv6 IP: Enable

Security groups: Select existing security group

Common security groups: Tailscale-JumpBox-SG

Configure storage: Leave as default

Advanced details: Expand this section and scroll to the bottom to enter User data (shell script)

User data:

#!/bin/bash
# Runs once as root at first boot (EC2 user data)
hostnamectl set-hostname ts-jumpbox-use-1a
yum update -y
# Install Tailscale, then join the tailnet with a pre-generated auth key and enable Tailscale SSH
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up --auth-key <tskey-auth> --ssh

Shell script breakdown:

#!/bin/bash: This shebang line indicates that the script should be run by the bash shell.

hostnamectl set-hostname ts-jumpbox-use-1a: Sets a readable hostname for the instance. (Optional)

yum update -y: Updates all installed packages.

curl -fsSL https://tailscale.com/install.sh | sh: Downloads and runs Tailscale’s quick install script, which installs Tailscale and starts the tailscaled service.

tailscale up --auth-key <tskey-auth> --ssh: Starts Tailscale and authenticates the instance using the provided auth key, with Tailscale SSH enabled.

Click Launch Instance.

Note: Replace <tskey-auth> with your actual Tailscale authentication key. You can generate an auth key from the Tailscale admin console under the Keys section in the settings. Treat the key as a secret: EC2 user data is readable from inside the instance through the instance metadata service and by anyone who can describe the instance’s attributes, so prefer a single-use (non-reusable) key and revoke it once the node has joined your tailnet.
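As an added check that is not part of the original post: a small Python audit that takes describe-instances / describe-security-groups style records and flags anything that departs from the design above (any inbound security-group rule, a public IPv4 address, or a missing IPv6 address). The sample records below are constructed for illustration; in practice you would pass in boto3 output.

```python
"""Audit a Tailscale jumpbox's exposure from AWS describe-* style data.

The post's design relies on three properties: no inbound security-group
rules, no public IPv4 address, and an IPv6 address for outbound Tailscale
connectivity. Input shapes follow boto3's describe_security_groups /
describe_instances output, but the samples here are constructed so the
check runs offline.
"""
from typing import Dict, List

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def audit_security_group(sg: Dict) -> List[str]:
    """Return one finding per inbound CIDR rule; empty means it matches the post's SG."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        for rng in perm.get("IpRanges", []):
            cidr = rng.get("CidrIp")
            sev = "HIGH" if cidr == ANY_V4 else "MEDIUM"   # world-open vs. scoped CIDR
            findings.append(f"{sev}: inbound {proto}/{ports} from {cidr}")
        for rng in perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIpv6")
            sev = "HIGH" if cidr == ANY_V6 else "MEDIUM"
            findings.append(f"{sev}: inbound {proto}/{ports} from {cidr}")
    return findings


def audit_instance(instance: Dict) -> List[str]:
    """Flag a public IPv4 (direct internet exposure) or a missing IPv6 (no egress path)."""
    findings = []
    if instance.get("PublicIpAddress"):
        findings.append(f"HIGH: instance has public IPv4 {instance['PublicIpAddress']}")
    has_v6 = any(ni.get("Ipv6Addresses") for ni in instance.get("NetworkInterfaces", []))
    if not has_v6:
        findings.append("MEDIUM: no IPv6 address; without a NAT gateway the node cannot reach Tailscale")
    return findings


def audit_jumpbox(instance: Dict, sgs: List[Dict]) -> List[str]:
    findings = audit_instance(instance)
    for sg in sgs:
        findings.extend(audit_security_group(sg))
    return findings


# Constructed samples (not real AWS output): the post's design vs. a public bastion.
GOOD_SG = {"GroupName": "Tailscale-JumpBox-SG", "IpPermissions": []}
BAD_SG = {"GroupName": "public-bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
GOOD_INSTANCE = {"NetworkInterfaces": [{"Ipv6Addresses": [{"Ipv6Address": "2001:db8::1"}]}]}
BAD_INSTANCE = {"PublicIpAddress": "203.0.113.10", "NetworkInterfaces": [{"Ipv6Addresses": []}]}
```

Running it against the two samples returns no findings for the post's layout and three for the public bastion (open SSH, public IPv4, no IPv6).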

Using the --ssh Flag

By using the --ssh flag in the tailscale up command, you enable Tailscale SSH, which allows you to SSH into the machine over Tailscale’s secure network. After running the script, you will see an SSH tag on the machine in the Tailscale admin console.

Connecting to the JumpBox

To SSH into the server using Tailscale SSH, use the following command with the instance’s tailnet IP address:

ssh ec2-user@<tailnet IP address>

You will be prompted to log in with a browser to authorize access to the server.

Alternatively, you can use the -i flag with the RSA key generated when launching the instance:

ssh -i rsa.pem ec2-user@<tailnet IP address>

By following these steps, you can securely connect to your jumpbox and access your AWS VPC using Tailscale, taking advantage of its seamless and secure networking capabilities.

Conclusion

In this blog post, we explored how to enhance the security of your AWS VPC by setting up a private jumpbox using Tailscale. By utilizing a private jumpbox, you significantly reduce the attack surface of your infrastructure, making your network more secure and resilient against unauthorized access.

We walked through a step-by-step process to install and configure Tailscale on your jumpbox, leveraging its powerful yet user-friendly VPN capabilities. By enabling Tailscale SSH, we made accessing your jumpbox and other AWS resources secure and straightforward, providing you with a seamless and cost-effective solution for remote network access.

One of the standout advantages of this setup is its cost-effectiveness. Using Tailscale’s free plan and minimizing the number of publicly accessible instances can save costs while still providing robust security features.

By following the steps outlined, you now have a secure method to access your AWS VPC, ensuring your resources are protected without sacrificing convenience. I encourage you to implement this setup in your projects and experience the benefits firsthand.

If you have any questions, comments, or additional tips to share, please leave them below. I’d love to hear about your experiences and any further enhancements you make to this setup.

Call to Action
Try setting up your own private jumpbox with Tailscale today, and ensure your AWS VPC remains secure and accessible. Don’t forget to share your feedback and any custom configurations you come up with!

For more information and to explore additional features, visit Tailscale’s documentation.

Thank you for reading, and happy securing!