Configuring Private Bastion

Private Bastion configures a tunnel to connect resources to a private or secure subnet in the environment.

Enabling Private Bastion at NX1

Sign in to NX1, navigate to the environment where you want to set up Private Bastion, and select “Network Access”.


Click the toggle next to AWS Client VPN to enable it.


Then click “Save” to enable the VPN.

Setting up an RDS connection through a Private Bastion

After enabling Private Bastion in NX1, follow these steps to connect to the RDS database through it.

Before proceeding, make sure you have an RDS instance up and running in the same VPC as the private bastion, deployed in one of the Private or Secure Subnets created by NX1.

RDS Security Group Setup

In your RDS database, edit the security group and add an inbound rule that allows traffic from the bastion host security group:


Make sure to select the security group with “private-bastion” in the name as the source and, under Type, the service matching your DB (usually PostgreSQL or MySQL/Aurora).
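
To confirm that the database port is reachable only from the bastion security group after this change, the rules can be audited from the output of `aws ec2 describe-security-groups --group-ids <rds-sg-id>`. The script below is an added example, not part of NX1 or its documentation; the function names are hypothetical and the group IDs in the sample are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs are placeholders, not values from any real environment.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-0rds000000000000",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": "sg-0bastion00000000"}], "IpRanges": []},
    {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1",
     "UserIdGroupPairs": [{"GroupId": "sg-0other0000000000"}], "IpRanges": []}
  ]}]}
""")


def covers_port(perm, port):
    """True if the rule applies to TCP `port` (protocol -1 means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_db_ingress(doc, db_port, bastion_sg_id):
    """Return one finding per source other than the bastion SG that can reach db_port."""
    findings, bastion_allowed = [], False
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not covers_port(perm, db_port):
                continue
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") == bastion_sg_id:
                    bastion_allowed = True
                else:
                    findings.append(f"{sg['GroupId']}: extra source group {pair.get('GroupId')}")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                findings.append(f"{sg['GroupId']}: CIDR source {cidr}")
    if not bastion_allowed:
        findings.append(f"no rule allows {bastion_sg_id} on port {db_port}")
    return findings


if __name__ == "__main__":
    for line in audit_db_ingress(SAMPLE, 5432, "sg-0bastion00000000"):
        print(line)
```

An empty result means the only source allowed on the database port is the bastion security group. Prefix-list sources are not inspected by this example.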

Creating the Connection

If you use AWS SSO (Identity Center), start a session by getting the credentials from SSO for the environment you want to connect to.

  1. Go to your AWS SSO page.
  2. Select the environment you want to connect to
  3. Select the option Command line or programmatic access
  4. Copy the keys under “option 1 - Set AWS environment variables (Short-term credentials)”

See more details at the AWS Documentation on this topic.

Example: connecting to RDS Postgres through Private Bastion using the AWS CLI.

For Mac, open a Terminal. For Windows, open a Command Prompt window.

Paste the AWS credentials into the terminal and run:

```
aws ssm start-session --target <private-bastion-id> \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{"portNumber":["5432"],"localPortNumber":["5433"],"host":["<rds-endpoint>"]}'
```

  • `<private-bastion-id>`
    • Go to the AWS console and select the EC2 service
    • Select the instance `citadel-PrivateBastion`
    • Find the Instance ID, then copy and paste it into the command.
  • `<rds-endpoint>`
    • Go to the AWS console and select the RDS service
    • Select the RDS instance you want to connect to
    • Find the Endpoint parameter
    • Copy and paste it into the command above


On your local machine, open a database client compatible with your RDS DB flavour (usually postgres or mysql) and connect to:

  • Hostname: localhost
  • Port: 5433 (or whichever port you set in the localPortNumber parameter of the start-session command above)
  • Credentials: Same credentials as your RDS database