How to define a bastion host

  1. Connect all compute nodes to the admin network (step 1).
  2. Drop the SSHBastionHost component on one compute node (step 2). The given compute node is now the bastion host.
  3. Also connect the bastion host to the public network.

Fig. Define a compute node as a bastion host

note

In step 1, if you forget to connect a compute node to the admin network, the designer connects it to the admin network for you automatically.

Expected result

  1. During the deployment, the orchestration engine creates a security group rule on the bastion host that lets the engine itself reach the bastion host over SSH (i.e., it allows TCP on port 22 only from the orchestration engine's remote IP). It also enables TCP forwarding on the bastion host, which the jump-host connection in the next step requires. As a result, the orchestration engine can connect to the bastion host over the public network (step 1).
  2. The orchestration engine uses the bastion host as a jump host to SSH to the other compute nodes in the admin network and deploys the software components (e.g., HelloWorld) on those private compute nodes (step 2).
  3. After the deployment completes, the orchestration engine deletes that security group rule on the bastion host again, so the orchestration engine's IP no longer has SSH access to it. Note that only the rule is removed: the bastion host stays connected to the public network.
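
The flow above, modelled as a small Python script. This is an added example, not the designer's or the orchestration engine's own code: it renders the artefacts the flow depends on (a security group rule scoped to the engine's single address, the sshd setting that a jump-host connection needs, an ssh_config that reaches the private nodes through the bastion), revokes the rule as in step 3, and then audits what is still reachable on port 22. The dict layout of a security group rule, the `ssh -W`-style jump via ProxyJump, and the sample addresses (documentation ranges) are assumptions made for the example.

```python
"""Bastion-host deployment flow: add rule, jump through bastion, revoke rule, audit.

Added example; not code from the designer or the orchestration engine.
The security-group rule format is an assumption (a plain dict); a real
engine would issue the equivalent calls against the cloud API.
"""
import ipaddress
from typing import Dict, List

SSH_PORT = 22


def orchestrator_ingress_rule(orchestrator_ip: str) -> Dict[str, object]:
    """Least-privilege rule: TCP/22 only, and only from the engine's own address.

    The prefix is the address's full length (/32 for IPv4, /128 for IPv6), so
    no neighbouring hosts are admitted by accident.
    """
    addr = ipaddress.ip_address(orchestrator_ip)
    return {
        "direction": "ingress",
        "protocol": "tcp",
        "port_min": SSH_PORT,
        "port_max": SSH_PORT,
        "remote_cidr": f"{addr}/{addr.max_prefixlen}",
    }


def sshd_forwarding_dropin() -> str:
    """sshd_config drop-in for the bastion host.

    ProxyJump runs 'ssh -W target:22' on the bastion, which needs
    AllowTcpForwarding. GatewayPorts stays off: nothing has to listen publicly.
    """
    return "AllowTcpForwarding yes\nGatewayPorts no\n"


def ssh_config_via_bastion(bastion_public_ip: str, private_ips: List[str], user: str) -> str:
    """Client-side ssh_config: every private node is reached via the bastion (step 2)."""
    lines = ["Host bastion", f"    HostName {bastion_public_ip}", f"    User {user}", ""]
    for i, ip in enumerate(private_ips):
        lines += [f"Host node{i}", f"    HostName {ip}", f"    User {user}",
                  "    ProxyJump bastion", ""]
    return "\n".join(lines)


def revoke(rules: List[dict], rule: dict) -> List[dict]:
    """Step 3: remove exactly the temporary rule, leave everything else untouched."""
    return [r for r in rules if r != rule]


def audit_bastion_ingress(rules: List[dict]) -> List[str]:
    """Report every ingress rule that still admits SSH, with how wide it is."""
    findings = []
    for r in rules:
        if r.get("direction") != "ingress":
            continue
        covers_ssh = (r.get("protocol") in ("tcp", "any")
                      and r.get("port_min", 0) <= SSH_PORT <= r.get("port_max", 65535))
        if not covers_ssh:
            continue
        net = ipaddress.ip_network(r["remote_cidr"], strict=False)
        if net.prefixlen == 0:
            findings.append(f"ssh open to the world: {r['remote_cidr']}")
        elif net.prefixlen < net.max_prefixlen:
            findings.append(f"ssh open to a range: {r['remote_cidr']}")
        else:
            findings.append(f"ssh allowed from single host {r['remote_cidr']}")
    return findings


def deployment_flow(orchestrator_ip: str, bastion_ip: str, private_ips: List[str],
                    user: str = "ubuntu") -> Dict[str, object]:
    """Run the three steps on an in-memory security group and return what each produced."""
    rule = orchestrator_ingress_rule(orchestrator_ip)
    security_group = [rule]                                   # step 1: engine can reach bastion
    config = ssh_config_via_bastion(bastion_ip, private_ips, user)  # step 2: jump to private nodes
    security_group = revoke(security_group, rule)             # step 3: engine access withdrawn
    return {"rule": rule, "ssh_config": config,
            "findings_after": audit_bastion_ingress(security_group)}


if __name__ == "__main__":
    # Constructed sample: documentation addresses, not a real deployment.
    result = deployment_flow("203.0.113.10", "198.51.100.7", ["10.0.0.11", "10.0.0.12"])
    print(result["rule"])
    print(sshd_forwarding_dropin())
    print(result["ssh_config"])
    print("findings after cleanup:", result["findings_after"])
```

The audit is the part worth keeping around: run it against the bastion's security group after a deployment to confirm the temporary rule really is gone and that no broader port-22 rule (a /0 or a whole subnet) was left behind by someone else.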

Fig. The deployment flows

note

Auto-select Bastion Host: If users do not define a bastion host explicitly, the designer auto-selects a compute node that is connected to the public network as the bastion host. It also warns the users which compute node has been chosen as the bastion host before the deployment:

Fig. A warning message that a bastion host is auto selected before the deployment