Reputation: 3199
I created a VPC with private and public subnets on AWS. After trying quite a few times, the only way I could SSH onto the private machine was via a node on the public subnet (and using ssh -A). Now, my doubt is: is there no other way of ssh-ing onto the private node? Isn't it public to the creators of the node?
I am unable to wrap my head around why even the people who created that node in the private subnet cannot log into it (unless I can and I just don't know it yet).
And if it's true that the only way to SSH into it is via the bastion node, then how do I RDP onto a Windows machine on the private subnet? Is the only way to do it to have a Windows machine on the public subnet and use that to RDP onto the private one?
Thanks!
Upvotes: 0
Views: 721
Reputation: 36073
The purpose of a private subnet is to protect it from the outside world. But the cost of this protection is the restrictions required.
In order to access a node/instance on a private subnet, you must go through a node/instance on a public subnet. There's no way around that. Otherwise, it's not private, and hence, not protected.
To RDP to a Windows instance in a private subnet, you do not need a Windows instance in a public subnet. In fact, it may be easier to use a Linux instance in a public subnet:
For example, if your Windows instance has IP 10.0.0.4, then you can create an SSH tunnel that will tunnel localhost:13389 to 10.0.0.4:3389. Then, when you RDP to "localhost:13389", your SSH client will forward that connection to the bastion, which will in turn forward it to your Windows instance.
Upvotes: 1
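The tunnel the answer describes, written out as a small POSIX shell helper. This is an added example, not code from the original post: the bastion host name `bastion.example.com`, the user `ec2-user` and the local port `13389` are assumed placeholder values; `10.0.0.4` and port `3389` are the values from the answer. The helper binds the listening side to `127.0.0.1` explicitly (an unqualified `-L 13389:…` also defaults to loopback, but `GatewayPorts`/a `0.0.0.0:` prefix would expose the RDP tunnel to everyone on your local network), and it refuses to build a forward to an address outside the RFC 1918 ranges, which catches the common mistake of pointing the tunnel at the bastion's public IP instead of the private instance.

```shell
#!/bin/sh
# Added example (not from the original answer): build the SSH local-forward
# command that maps localhost:13389 -> bastion -> 10.0.0.4:3389 (RDP).
# Assumed placeholders: bastion.example.com, ec2-user. 10.0.0.4/3389 are from the answer.

# is_private_ipv4 IP
# Returns 0 when IP is inside an RFC 1918 range (10/8, 172.16/12, 192.168/16),
# 1 otherwise. Used to make sure the tunnel target is the private instance.
is_private_ipv4() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# rdp_tunnel_cmd LOCAL_PORT TARGET_IP BASTION [USER]
# Prints the ssh command that listens on 127.0.0.1:LOCAL_PORT and forwards
# every connection through BASTION to TARGET_IP:3389.
#   -N                          : no remote shell, the session exists only for the forward
#   -o ExitOnForwardFailure=yes : exit non-zero if LOCAL_PORT is already taken,
#                                 instead of silently leaving you with no tunnel
#   -L 127.0.0.1:...            : bind the listener to loopback only
# Returns 1 (and prints nothing) if TARGET_IP is not a private address.
rdp_tunnel_cmd() {
    local_port="$1"; target_ip="$2"; bastion="$3"; user="${4:-ec2-user}"
    if ! is_private_ipv4 "$target_ip"; then
        echo "refusing: $target_ip is not an RFC 1918 address" >&2
        return 1
    fi
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:3389 %s@%s\n' \
        "$local_port" "$target_ip" "$user" "$bastion"
}

# Stand-alone run: print the command for the values used in the answer.
# Execute the printed line in one terminal, then point your RDP client
# at localhost:13389 in another.
rdp_tunnel_cmd 13389 10.0.0.4 bastion.example.com
```

The same forward works for SSH to a private Linux instance (`-L 127.0.0.1:2222:10.0.0.4:22`), and for plain SSH hops `ssh -J ec2-user@bastion.example.com ec2-user@10.0.0.4` (ProxyJump) reaches the private instance without forwarding your agent to the bastion, which is the main drawback of the `ssh -A` approach the question mentions: with `-A`, anyone with root on the bastion can use your agent's keys while you are connected.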