It looks like the requirement is to provide bastion functionality at lowest reasonable cost with an RTO of say 5 minutes. No RPO is applicable as it's effectively a stateless proxy that can be rebuilt easily.

I'd have a bastion host, defined either as an AMI or CloudFormation script (AMI is faster), inside an autoscaling group with min/max/target set to 1. I wouldn't have a load balancer as there's no need for that as far as I can see. This instance would be registered with Route 53 with a public domain name so even if the instance changes you will be able to access it, and that should eliminate SSH warnings. I might start with one instance in each subnet, but I'd probably turn one off if they're reliable enough - they should be.

A CloudFormation deployment of bastion hosts is described by Amazon here. Amazon have a best practice guide here. You shouldn't address internal resources using their Elastic IP as they're public IPs and traffic to them is charged, whereas private IP traffic isn't charged. Domain names are cheaper. This might involve some CloudFormation script tweaking.
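
The setup described in this answer, sketched as a CloudFormation template (an added example, not part of the original answer and not Amazon's quick start template). All parameter and resource names are assumptions, as are a bastion AMI that ships the AWS CLI, public subnets that auto-assign public IPs, and an existing instance profile scoped to the one hosted zone.

```yaml
# Added example (constructed). Single self-healing bastion: ASG pinned to 1,
# instance re-registers its own Route 53 A record on every launch.
Parameters:
  BastionAmi: {Type: "AWS::EC2::Image::Id"}
  PublicSubnets: {Type: "List<AWS::EC2::Subnet::Id>"}   # one per AZ, auto-assign public IP
  BastionSecurityGroup: {Type: "AWS::EC2::SecurityGroup::Id"}
  HostedZoneId: {Type: "AWS::Route53::HostedZone::Id"}
  BastionFqdn: {Type: String}         # e.g. bastion.example.com (placeholder)
  # Assumed to allow only route53:ChangeResourceRecordSets on this hosted zone.
  BastionProfileArn: {Type: String}
Resources:
  BastionTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref BastionAmi
        InstanceType: t3.micro
        IamInstanceProfile: {Arn: !Ref BastionProfileArn}
        SecurityGroupIds: [!Ref BastionSecurityGroup]
        MetadataOptions: {HttpTokens: required}   # IMDSv2 only
        UserData:
          Fn::Base64: !Sub |
            #!/bin/bash
            set -euo pipefail
            # Fetch this instance's public IP from the metadata service (IMDSv2).
            TOKEN=$(curl -sf -X PUT http://169.254.169.254/latest/api/token \
              -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
            IP=$(curl -sf -H "X-aws-ec2-metadata-token: $TOKEN" \
              http://169.254.169.254/latest/meta-data/public-ipv4)
            # UPSERT the public name so it follows whichever instance is current.
            aws route53 change-resource-record-sets --hosted-zone-id ${HostedZoneId} \
              --change-batch "{\"Changes\":[{\"Action\":\"UPSERT\",\"ResourceRecordSet\":{\"Name\":\"${BastionFqdn}\",\"Type\":\"A\",\"TTL\":60,\"ResourceRecords\":[{\"Value\":\"$IP\"}]}}]}"
  BastionGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: "1"
      MaxSize: "1"
      DesiredCapacity: "1"
      VPCZoneIdentifier: !Ref PublicSubnets   # replacement may launch in any listed subnet
      HealthCheckType: EC2
      LaunchTemplate:
        LaunchTemplateId: !Ref BastionTemplate
        Version: !GetAtt BastionTemplate.LatestVersionNumber
```

The 60-second TTL on the record keeps DNS propagation well inside the 5-minute RTO mentioned at the top of the answer.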