Controlling Network Access to EC2 Instances Using a Bastion Server

As the number of EC2 instances in your AWS environment grows, so too does the number of administrative access points to those instances. Depending on where your administrators connect to your instances from, you may consider enforcing stronger network-based access controls. A best practice in this area is to use a bastion. A bastion is a special purpose server instance that is designed to be the primary access point from the Internet and acts as a proxy to your other EC2 instances. This week’s guest blogger, Ryan Holland, AWS Solutions Architect, describes how to configure a bastion in front of your Windows EC2 instances to proxy administrative requests to your instances. Future posts from Ryan will describe how to configure a bastion in front of your Linux EC2 instances.

If you run Microsoft Windows instances in EC2, then you most likely use the Remote Desktop Protocol (RDP) for remote administration. To define the source IPs that are allowed to connect to your EC2 instances’ RDP port (TCP/3389), you configure the instance’s security group rules.  When configuring your security groups, it’s a best practice to apply the principle of least privilege, allowing only connections to the RDP port from IP addresses your administrators will be connecting from and denying all others.  However, in cases where an administrator could be connecting from anywhere on the Internet, however, trying to determine which IPs to allow can be difficult. As a result, we often see customers setting security groups for RDP access to allow every IP (0.0.0.0/0), thereby failing to enforce least privilege at the network layer.

One solution to this problem is to protect your Windows instances at the network layer using Microsoft Remote Desktop (RD) Gateway server set up as a bastion. RD Gateway can be configured to accept connections via HTTPS (TCP/443) from every IP on the Internet, then proxy them to your other Windows instances using RDP port (TCP/3389). Only users who authenticate to your RD Gateway instance are allowed to proceed on to the protected Windows instances behind the proxy.

The basic steps for configuring RD Gateway are:

1. Create a Windows EC2 instance and configure a security group rule to allow RDP access.
2. Install and configure RD Gateway on that instance.
3. Reconfigure security groups on the RD Gateway instance and all other Windows server instances to control which connections are allowed.
4. Verify you can connect to your Windows instances through RD Gateway.

Update (28 May 2014)  To help you quickly deploy an environment that leverages the Microsoft Remote Desktop Gateway, we’ve released a Quick Start  that includes a Reference Deployment guide and an AWS CloudFormation template that will create a fully functioning Remote Desktop Gateway deployment in your account. You can find the Quick Start at http://aws.amazon.com/quickstart/.

Create a Windows EC2 instance and configure its security group rule

RD Gateway is a component of the Microsoft Remote Desktop Services server role that can be added to any Windows Server instance.  To set up RD Gateway, first use the EC2 Quick Launch Wizard in the AWS Management Console to launch a Windows Server 2008 R2 instance into a public subnet of your VPC or EC2-Classic environment. Make a note of the elastic IP address of this instance, as you’ll need it later.

In order to allow access for initial configuration of the RD Gateway, you must create a temporary Amazon VPC or EC2 security group rule for this instance to accept RDP (TCP/3389) connections from your current IP address. Figure 1 below shows the AWS EC2 Console GUI for creating a WinRDGateway security group using an example IP address of 192.168.0.0/24. If you don’t know the actual external IP address of the host you’re working from, you can use services such as http://www.whatsmyip.org/ to discover it.

Figure 1

Note: Once you complete configuration of the RD Gateway, you will remove this rule from the security group and add a new rule that will allow administrators to connect from anywhere on the Internet only over HTTPS (TCP/443).

Once the instance has launched, decrypt the default administrator password and use your RDP client to connect to the instance from your local host.

Install and configure RD Gateway

To install RD Gateway, we recommend following the detailed instructions at http://technet.microsoft.com/en-us/library/dd983941(v=ws.10).aspx. Some things to keep in mind as you’re configuring RD Gateway during installation include:

• Determine how you want to authenticate users who connect to your RD Gateway instance over the Internet. You may want to define groups in your domain for these administrators. This configuration is done in the install wizard section that refers to connection authorization policies (CAP).
• Determine which Windows EC2 instances behind your RD Gateway you want to give your users/groups access to. This configuration is done in the install wizard section that refers to resource authorization policies (RAP).

Reconfigure security groups

After RD Gateway is installed and configured on your bastion instance, you will need to re-configure both the security group for the RD Gateway instance and the security groups used by the Windows Server instances you want to protect. Figure 2 below shows the RDP port (TCP/3389) rule you previously created for the RD Gateway instance removed, and the port HTTPS (TCP/443) rule newly created.

Figure 2

All other security groups for your other Windows Server instances should be configured to only accept RDP (TCP/3389) connections from the named security group used by the RD Gateway.  Figure 3 below shows an example of restricting access to port 3389 to the source settings of the RD Gateway security group in your environment (named “sg-0043586c” in this example)

Figure 3

Verify you can connect

Under the Advanced tab in the Remote Desktop Connection utility, select the “Settings” button under the section labeled “Connect from anywhere,” as shown in Figure 4 below.

Figure 4

Enter the IP address of your RD Gateway instance in the “Server name” field and uncheck the “Bypass RD Gateway server for local addresses” checkbox, as shown in Figure 5 below. You should now be able to connect to your instance through the RD Gateway.

Figure 5

You’ve now created an RD Gateway that acts as a bastion between the Internet and your Windows Server instances. Administrators who connect to the RD Gateway will connect over HTTPS (TCP/443), then authenticate to the RD Gateway domain. From here, they will be granted access to any of the Windows Server instances configured in the RD Gateway.  This configuration provides a centralized network access control point to your Windows Server instances. For additional information on how to configure RD Gateway using Amazon VPC along with other useful Windows security best practices, please see the Securing the Microsoft Platform on AWS whitepaper.

– Ken

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.