Login
May 23, 2025|
Voiced by Amazon Polly |
Overview
Managing your cloud infrastructure can be complex, especially when securely accessing and managing instances. AWS Fleet Manager simplifies this by providing a unified user interface for managing instances across your fleet. In this guide, we will walk you through how to use AWS Fleet Manager to connect to a Windows Bastion Host, which serves as a secure entry point to your network.
Pioneers in Cloud Consulting & Migration Services
- Reduced infrastructural costs
- Accelerated application deployment
AWS Fleet Manager
With the help of the AWS Fleet Manager feature in the AWS Systems Manager, you can quickly manage and run your fleet of instances across several AWS regions without having to log in using SSH or RDP directly. It provides a visual interface for performing common administrative tasks, such as file system exploration, log file viewing, and Windows Registry editing.
Why Use a Windows Bastion Host?
A Bastion Host is a special-purpose instance that securely accesses your instances within a private subnet. A bastion host can help you lower the attack surface by restricting direct access to your instances. A Windows Bastion Host allows you to use Remote Desktop Protocol (RDP) to manage your instances securely.
Step 1: Setting Up the Windows Bastion Host
Before connecting via AWS Fleet Manager, you must set up a Windows Bastion Host. Here’s how to do that:
- Launch a Windows EC2 Instance:
- Open the AWS Management Console and navigate to the EC2 dashboard.
- Click “Launch Instance” and select a Windows AMI (Amazon Machine Image).
- Choose an instance type that suits your requirements (e.g., t2.micro for testing).
- The instance will be placed in a public subnet of your Amazon VPC with a public IP address.
- Configure Security Group:
- Create a Security Group that allows RDP (port 3389) from your IP address.
- Ensure that the Security Group also allows traffic to and from the private instances that you will be managing via the Bastion Host.
- Launch the Instance:
- Complete the configuration, add any necessary tags, and launch the instance.
- Download the key pair (.pem file) to access the instance.
- Connect to the Instance:
- Use the RDP client on your local machine to connect to the Bastion Host using the public IP and the credentials generated by AWS.
Step 2: Enable AWS Systems Manager on the Bastion Host
For AWS Fleet Manager to manage your Windows Bastion Host, you must ensure that the instance is connected to AWS Systems Manager.
- Install the Systems Manager Agent (SSM Agent):
- Most Windows AMIs come with the SSM Agent pre-installed. If not, you can use the PowerShell scripts listed below to install it manually:
|
1 2 3 4 5 6 |
Set-ExecutionPolicy Unrestricted -Scope Process -Force [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $url = "https://s3.amazonaws.com/aws-ssm-us-east-1/latest/windows_amd64/AmazonSSMAgentSetup.exe" $output = "$env:TEMP\AmazonSSMAgentSetup.exe" Invoke-WebRequest -Uri $url -OutFile $output Start-Process -Wait -FilePath $output |
2. Attach the AWS IAM Role:
-
- Make that the AmazonSSMManagedInstanceCore policy is tied to an AWS IAM role on the EC2 instance. This enables communication between the instance and the Systems Manager.
3. Verify Connectivity:
-
- In the AWS Management Console, navigate to the AWS Systems Manager > AWS Fleet Manager.
- You should see the Bastion Host instance listed. If not, ensure the SSM Agent is running and the instance is correctly configured.
Step 3: Connecting to Instances via Fleet Manager
Once your Bastion Host is set up and connected to AWS Systems Manager, you can securely use AWS Fleet Manager to access other instances in your Amazon VPC.
- Access Fleet Manager:
- In the AWS Management Console, go to AWS Systems Manager > AWS Fleet Manager.
- Select the Windows Bastion Host from the list of managed instances.
- Connect to the Bastion Host:
- From the AWS Fleet Manager interface, you can perform tasks like accessing the file system, running scripts, or accessing the Windows Registry.
- To connect to other instances in the private subnet, use the Bastion Host as your entry point.
- Managing Remote Instances:
- Once connected to the Bastion Host, use the RDP client or other management tools to connect to instances within the private subnet.
- AWS Fleet Manager allows you to interact with these instances without directly managing SSH or RDP connections.
Benefits of Using AWS Fleet Manager with a Windows Bastion Host
- Centralized Management: Manage all instances across regions and accounts from a single interface.
- Security: Limit direct access to instances, reducing the attack surface while providing a secure way to manage your infrastructure.
- No Need for SSH/RDP: Perform administrative tasks without opening SSH or RDP ports on your instances.
Conclusion
Following this step-by-step guide, you can set up and connect to a Windows Bastion Host using AWS Fleet Manager, streamlining your instance management and enhancing security across your AWS environment.
Drop a query if you have any questions regarding AWS Fleet Manager and we will get back to you quickly.
Empowering organizations to become ‘data driven’ enterprises with our Cloud experts.
- Reduced infrastructure costs
- Timely data-driven decisions
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is the first Indian Company to win the prestigious Microsoft Partner 2024 Award and is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, AWS GenAI Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, Amazon ECS Service Delivery Partner, AWS Glue Service Delivery Partner, Amazon Redshift Service Delivery Partner, AWS Control Tower Service Delivery Partner, AWS WAF Service Delivery Partner, Amazon CloudFront Service Delivery Partner, Amazon OpenSearch Service Delivery Partner, AWS DMS Service Delivery Partner, AWS Systems Manager Service Delivery Partner, Amazon RDS Service Delivery Partner, AWS CloudFormation Service Delivery Partner, AWS Config, Amazon EMR and many more.
FAQs
1. Do I need to open RDP ports using a Windows Bastion Host with Fleet Manager on every instance?
ANS: – No, one of the key benefits of using a Windows Bastion Host with AWS Fleet Manager is that you do not need to open RDP ports on each instance. The Bastion Host acts as a secure gateway, and AWS Fleet Manager allows you to manage instances without direct RDP or SSH access, reducing your attack surface.
2. What permissions are required for the IAM role attached to the Bastion Host?
ANS: – The AWS IAM role attached to the Bastion Host must include the AmazonSSMManagedInstanceCore managed policy. This policy allows the instance to communicate with AWS Systems Manager services, enabling AWS Fleet Manager to manage the instance securely.
WRITTEN BY Rohit Kumar
Rohit Kumar works as a Research Associate (Infra, Migration, and Security Team) at CloudThat. He is focused on gaining knowledge of the Cloud environment. He has a keen interest in learning and researching emerging technologies.
PREV
Comments