Getting started

Prerequisites

Creating an Organization

Creating Audit and Log Archive AWS Accounts

Management

Creating an AWS Account

Initial Setup

Billing Alerts

Configuring AWS SSO (IAM Identity Center)

Generating As-Built Documentation

Alliance Mode

Environments

Environments

Configuring AWS Client VPN

Configuring Private Bastion

Deleting an Environment

Domains

Service Roles

Compliance

Compliance standards

Compliance status

Configuring a standard

Reference

Choosing Email Addresses for your AWS Accounts

Checklist end-of-deployment

Configuring SSO for Microsoft Azure

Configuring SSO for G-Suite

Deploying Applications

Notification History

Removing NX1 Access from AWS Accounts

Reduce permission access for NX1

What’s deployed in my account

Troubleshooting

Troubleshooting

Common Issues

Finding the Root Cause of a Failed Job

Creating new environment failed

Fixing Network Access is not connecting to RDS

SSO G-Suite - Deploy Lambda Error

Configuring Private Bastion

Private Bastion configures a tunnel to connect resources to a private or secure subnet in the environment.

Enabling Private Bastion at NX1

Sign in to NX1, navigate to the environment to setup Private Bastion and select “Network Access”.

Click the toggle next to AWS Client VPN to enable it.

Then click “Save” to enable the VPN.

Setting up an RDS connection through a Private Bastion

After enabling the Private Bastion on the NX1, you need to follow these steps to connect to the RDS database through Private Bastion.

RDS Security Group Setup

In your RDS database, edit the security group and add an inbound rule to the bastion host security group:

Make sure to select the security group with “private-bastion” in the name and under Type, the service matching your DB (usually PostgreSQL or MySQL/Aurora).

Creating the Connection

If you use AWS SSO (Identity Center), start a session by getting the credentials from the SSO for the environment to which you want to connect.

1. Go to your AWS SSO page.
2. Select the environment you want to connect
3. Select the option Command line or programmatic access
4. Copy the keys in the “option 1 - Set AWS environment variables (Short-term credentials)”

See more details at the AWS Documentation on this topic.

Example for connecting to RDS Postgres by Private Bastion using client AWS.

For Mac, open a Terminal. For Windows, open a Command Prompt window.

Paste the AWS credentials into the terminal and run:

aws ssm start-session --target <private-bastion-id> \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{"portNumber":["5432"],"localPortNumber":["5433"],"host":["<rds-endpoint>"]}'

• Private-bastion-id
• Go to the AWS console, select the service EC2
• Select the instance `citadel-PrivateBastion`
• Find the Instance ID. Copy and paste it to the command.

• Rds-endpoint
• Go to the AWS console, select the service RDS
• Select the RDS you want to connect
• Find the parameter Endpoint
• Copy and paste it to the command above

Connecting

In your local machine, open a database client compatible with your RDS DB flavour (usually postgres or mysql) and connect to:

• Hostname: localhost
• Port: 5433 (or another port defined in localPortNumber parameter of the start-session command above)
• Credentials: Same credentials as your RDS database

← Previous

Configuring AWS Client VPN