
Allowing external access to bastion hosts on aws


I am trying to create a few bastion hosts in my VPC on AWS to connect to my databases that are located in a private subnet. I am using this AWS Quick Start.

I understand the basics of CIDR blocks and what they mean. However, I don't understand what AWS means by the "Allowed Bastion External Access CIDR" parameter. To quote the documentation, this parameter means the following:

"CIDR block that’s allowed SSH external access to the bastion hosts. We recommend that you set this value to a trusted CIDR block. For example, you might want to restrict access to your corporate network."

I don't understand what I should enter in this parameter. Do they want the IP range of my private subnet that will connect to the bastion hosts? Or do they mean the range of my private network at home? And does this mean that I can't SSH into my bastion hosts from anywhere else? Obviously I want to restrict access to my bastion hosts, but I don't think I want to only be able to access them from home, since I work from different places and we don't have a private network at the office.

Thanks


Solution

  • "CIDR block that’s allowed SSH external access to the bastion hosts. We recommend that you set this value to a trusted CIDR block. For example, you might want to restrict access to your corporate network."

    At a high level, a more simplistic view of a CIDR block is that it's an IP address range expressed in CIDR format, and the guide is essentially telling you to set the IP address range that you want to allow to connect to your bastion hosts. It's also cautioning you to only set it to a trusted CIDR block; this could be your corporate network, your own IP address, or it could also be the CIDR block range of your private subnet.

    If your private subnet CIDR is 10.0.0.0/8 and you set the CIDR block that is allowed to connect to the bastion to that, then you would allow connections to the bastion from any IP address in the subnet 10.0.0.0 - 10.255.255.255; this is about 16.7M IPs in the subnet that would be allowed to connect. Assuming no other inbound rules, only services in the private subnet which have an IP address in that range would be able to connect to the bastion. You can specify multiple inbound rules in your security groups, which will allow you to connect from different locations, like home or your office, but if you have dynamic IP addresses in those locations you'll need to update your security groups if the IP address changes.

    That being said, even though it is a private subnet and there is no external access, best practice would be to be explicit about the IP addresses that are allowed to connect to your bastion. This increases security, reduces the potential attack surface, and reduces the possibility of errors.
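As an added example (not part of the original answer or of the AWS Quick Start), the script below does the arithmetic the answer describes: it expands a candidate CIDR into its address range and count, flags ranges that are wide open or broader than a chosen threshold, and assembles several trusted ranges (for example home and office) into one port-22 ingress rule. The rule structure mirrors the `IpPermissions` shape used by the EC2 `AuthorizeSecurityGroupIngress` API, but nothing here calls AWS; the `203.0.113.7/32` and `198.51.100.0/24` addresses are constructed sample values from the documentation address ranges, and `max_prefixlen` is an assumed local policy knob, not a Quick Start parameter.

```python
import ipaddress

SSH_PORT = 22


def describe_cidr(cidr):
    """Expand a CIDR string into its first/last address and address count."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False tolerates host bits
    return {
        "cidr": str(net),
        "first": str(net[0]),
        "last": str(net[-1]),
        "addresses": net.num_addresses,
    }


def check_cidr(cidr, max_prefixlen=24):
    """Return a list of warnings for a CIDR proposed as an allowed-access range.

    max_prefixlen is an assumed local policy: anything with a shorter prefix
    (i.e. a larger range) than /24 is flagged as broad.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    warnings = []
    if net.prefixlen == 0:
        warnings.append(f"{net} allows SSH from every address on the internet")
    elif net.prefixlen < max_prefixlen:
        warnings.append(
            f"{net} is broad: {net.num_addresses} addresses "
            f"({net[0]} - {net[-1]}) would be allowed"
        )
    return warnings


def build_ssh_ingress(sources):
    """Build one port-22 ingress permission from {cidr: description} pairs.

    Each trusted location becomes its own IpRanges entry, which is what the
    answer means by "multiple inbound rules" for home and office. Raises if
    any source is wide open (0.0.0.0/0 or ::/0).
    """
    ip_ranges = []
    for cidr, description in sources.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"refusing to allow SSH from {net}")
        ip_ranges.append({"CidrIp": str(net), "Description": description})
    return {
        "IpProtocol": "tcp",
        "FromPort": SSH_PORT,
        "ToPort": SSH_PORT,
        "IpRanges": ip_ranges,
    }


if __name__ == "__main__":
    # Constructed sample inputs: the private subnet from the answer plus two
    # example "trusted" locations.
    for candidate in ["10.0.0.0/8", "0.0.0.0/0", "203.0.113.7/32"]:
        print(describe_cidr(candidate), check_cidr(candidate))
    rule = build_ssh_ingress({
        "203.0.113.7/32": "home (update if the ISP changes the address)",
        "198.51.100.0/24": "office egress range",
    })
    print(rule)
```

Running it on the `10.0.0.0/8` range from the answer shows the 16,777,216 addresses it would admit, which is the point of the broad-range warning; a `/32` for a single trusted address produces no warning.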