aws-cdk-lib.aws_ec2.BastionHostLinux

class BastionHostLinux (construct)

LanguageType name
.NETAmazon.CDK.AWS.EC2.BastionHostLinux
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awsec2#BastionHostLinux
Javasoftware.amazon.awscdk.services.ec2.BastionHostLinux
Pythonaws_cdk.aws_ec2.BastionHostLinux
TypeScript (source)aws-cdk-lib » aws_ec2 » BastionHostLinux

Implements IConstruct, IDependable, IResource, IInstance, IConnectable, IGrantable

This creates a linux bastion host you can use to connect to other instances or services in your VPC.

The recommended way to connect to the bastion host is by using AWS Systems Manager Session Manager.

The operating system is Amazon Linux 2 with the latest SSM agent installed

You can also configure this bastion host to allow connections via SSH

Example

const host = new ec2.BastionHostLinux(this, 'BastionHost', {
  vpc,
  blockDevices: [{
    deviceName: 'EBSBastionHost',
    volume: ec2.BlockDeviceVolume.ebs(10, {
      encrypted: true,
    }),
  }],
});

Initializer

new BastionHostLinux(scope: Construct, id: string, props: BastionHostLinuxProps)

Parameters

  • scope Construct
  • id string
  • props BastionHostLinuxProps

Construct Props

NameTypeDescription
vpcIVpcVPC to launch the instance in.
availabilityZone?stringIn which AZ to place the instance within the VPC.
blockDevices?BlockDevice[]Specifies how block devices are exposed to the instance. You can specify virtual devices and EBS volumes.
init?CloudFormationInitApply the given CloudFormation Init configuration to the instance at startup.
initOptions?ApplyCloudFormationInitOptionsUse the given options for applying CloudFormation Init.
instanceName?stringThe name of the instance.
instanceType?InstanceTypeType of instance to launch.
machineImage?IMachineImageThe machine image to use, assumed to have SSM Agent preinstalled.
requireImdsv2?booleanWhether IMDSv2 should be required on this instance.
securityGroup?ISecurityGroupSecurity Group to assign to this instance.
subnetSelection?SubnetSelectionSelect the subnets to run the bastion host in.

vpc

Type: IVpc

VPC to launch the instance in.


availabilityZone?

Type: string (optional, default: Random zone.)

In which AZ to place the instance within the VPC.


blockDevices?

Type: BlockDevice[] (optional, default: Uses the block device mapping of the AMI)

Specifies how block devices are exposed to the instance. You can specify virtual devices and EBS volumes.

Each instance that is launched has an associated root device volume, either an Amazon EBS volume or an instance store volume. You can use block device mappings to specify additional EBS volumes or instance store volumes to attach to an instance when it is launched.

See also: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html


init?

Type: CloudFormationInit (optional, default: no CloudFormation init)

Apply the given CloudFormation Init configuration to the instance at startup.


initOptions?

Type: ApplyCloudFormationInitOptions (optional, default: default options)

Use the given options for applying CloudFormation Init.

Describes the configsets to use and the timeout to wait


instanceName?

Type: string (optional, default: 'BastionHost')

The name of the instance.


instanceType?

Type: InstanceType (optional, default: 't3.nano')

Type of instance to launch.


machineImage?

Type: IMachineImage (optional, default: An Amazon Linux 2 image which is kept up-to-date automatically (the instance may be replaced on every deployment) and already has SSM Agent installed.)

The machine image to use, assumed to have SSM Agent preinstalled.


requireImdsv2?

Type: boolean (optional, default: false)

Whether IMDSv2 should be required on this instance.


securityGroup?

Type: ISecurityGroup (optional, default: create new security group with no inbound and all outbound traffic allowed)

Security Group to assign to this instance.


subnetSelection?

Type: SubnetSelection (optional, default: private subnets of the supplied VPC)

Select the subnets to run the bastion host in.

Set this to PUBLIC if you need to connect to this instance via the internet and cannot use SSM. You have to allow port 22 manually by using the connections field

Properties

NameTypeDescription
connectionsConnectionsAllows specify security group connections for the instance.
envResourceEnvironmentThe environment this resource belongs to.
grantPrincipalIPrincipalThe principal to grant permissions to.
instanceInstanceThe underlying instance resource.
instanceAvailabilityZonestringThe availability zone the instance was launched in.
instanceIdstringThe instance's ID.
instancePrivateDnsNamestringPrivate DNS name for this instance.
instancePrivateIpstringPrivate IP for this instance.
instancePublicDnsNamestringPublicly-routable DNS name for this instance.
instancePublicIpstringPublicly-routable IP address for this instance.
nodeNodeThe tree node.
roleIRoleThe IAM role assumed by the instance.
stackStackThe stack in which this resource is defined.

connections

Type: Connections

Allows specify security group connections for the instance.


env

Type: ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


grantPrincipal

Type: IPrincipal

The principal to grant permissions to.


instance

Type: Instance

The underlying instance resource.


instanceAvailabilityZone

Type: string

The availability zone the instance was launched in.


instanceId

Type: string

The instance's ID.


instancePrivateDnsName

Type: string

Private DNS name for this instance.


instancePrivateIp

Type: string

Private IP for this instance.


instancePublicDnsName

Type: string

Publicly-routable DNS name for this instance.

(May be an empty string if the instance does not have a public name).


instancePublicIp

Type: string

Publicly-routable IP address for this instance.

(May be an empty string if the instance does not have a public IP).


node

Type: Node

The tree node.


role

Type: IRole

The IAM role assumed by the instance.


stack

Type: Stack

The stack in which this resource is defined.

Methods

NameDescription
allowSshAccessFrom(...peer)Allow SSH access from the given peer or peers.
applyRemovalPolicy(policy)Apply the given removal policy to this resource.
toString()Returns a string representation of this construct.

allowSshAccessFrom(...peer)

public allowSshAccessFrom(...peer: IPeer[]): void

Parameters

  • peer IPeer

Allow SSH access from the given peer or peers.

Necessary if you want to connect to the instance using ssh. If not called, you should use SSM Session Manager to connect to the instance.


applyRemovalPolicy(policy)

public applyRemovalPolicy(policy: RemovalPolicy): void

Parameters

  • policy RemovalPolicy

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.