Multi-hop SSH tunnel

A private API endpoint listens on port 9999 and is reachable only from an EC2 instance in a private subnet on AWS. The private subnet is reachable from a bastion host that sits in a public subnet and has a public IP. The two hosts use different key pairs.

The task is to let developers call the API endpoint from their workstations.

Open a local port forwarding through both hops:

# Hop 1 (the ProxyCommand) authenticates to the bastion with its own key and relays stdio to the
# private instance's SSH port (%h:%p expand to ec2IP:22); hop 2 authenticates to the instance with
# the second key and binds workstation port 9999 to the API endpoint. No -A (each key is passed with
# -i, and agent forwarding would expose the developer's agent to both hosts) and no second -L, which
# would have bound port 9999 to the bastion's localhost before the outer forward could claim it.
ssh -i ec2.pem -L 9999:apiendpointIP:9999 ubuntu@ec2IP \
 -o 'ProxyCommand=ssh -i bastionhost.pem -W %h:%p ubuntu@bastionhostIP'

Now developers can reach the API endpoint at localhost:9999 on their workstations. The bastion only relays the TCP stream of the second hop, so the session to the private instance is authenticated (host key checked against known_hosts) and encrypted end to end, and the forwarded port is bound to the loopback interface only.
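As an added example (not part of the original post), the same two-hop tunnel expressed as a ProxyJump ssh_config fragment plus a small shell helper to start, check and stop it. The host aliases bastion and api-tunnel, the key paths under ~/.ssh, the control-socket path and the sample IPs are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: developer-side helper for the two-hop tunnel,
# using ProxyJump and one ssh_config fragment instead of a nested ProxyCommand.
# Host aliases, key paths and the IPs passed in are assumptions chosen for illustration.
set -eu

# Emit an ssh_config fragment for the two hops. Each hop gets exactly one key (IdentitiesOnly),
# agent forwarding stays off on both hosts, the forward is bound to 127.0.0.1 only, and
# ExitOnForwardFailure makes ssh fail instead of leaving a half-working tunnel when port 9999
# is already taken on the workstation.
tunnel_config() {
  bastion_ip=$1; ec2_ip=$2; api_ip=$3; port=${4:-9999}
  cat <<EOF
Host bastion
    HostName $bastion_ip
    User ubuntu
    IdentityFile ~/.ssh/bastionhost.pem
    IdentitiesOnly yes
    ForwardAgent no

Host api-tunnel
    HostName $ec2_ip
    User ubuntu
    IdentityFile ~/.ssh/ec2.pem
    IdentitiesOnly yes
    ForwardAgent no
    ProxyJump bastion
    LocalForward 127.0.0.1:$port $api_ip:$port
    ExitOnForwardFailure yes
    ServerAliveInterval 30
    ServerAliveCountMax 3
EOF
}

# Start the tunnel as a background control master. -N runs no remote command; -f forks only
# after authentication and after the forward is bound, so a zero exit status means
# 127.0.0.1:9999 is live. $1 is the config file, $2 the control socket path.
tunnel_up() {
  ssh -F "$1" -M -S "$2" -N -f api-tunnel
}

# Ask the control master whether it is still connected / tell it to exit.
tunnel_status() { ssh -F "$1" -S "$2" -O check api-tunnel; }
tunnel_down()   { ssh -F "$1" -S "$2" -O exit  api-tunnel; }

# Usage (values are illustrative):
#   tunnel_config 203.0.113.10 10.0.2.20 10.0.2.50 > ~/.ssh/api-tunnel.conf
#   tunnel_up   ~/.ssh/api-tunnel.conf ~/.ssh/api-tunnel.sock
#   curl http://127.0.0.1:9999/
#   tunnel_down ~/.ssh/api-tunnel.conf ~/.ssh/api-tunnel.sock
```

ssh passes the -F config file on to the ProxyJump hop, so the bastion alias is resolved from the same fragment. On the bastion the developer account only needs to be allowed TCP forwarding; it never receives a shell or a TTY for this flow.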


The next step is to create a limited user for the tunnel and confine it to a chroot jail.
