Deploy single vanilla jumpbox machine. Works well with BOSH CLI SOCKS5 proxying.
IMPORTANT: Make sure to configure security group to allow only necessary traffic! Better yet drop all incoming traffic when jumpbox is not being used.
- Apply iptables rule to block all incoming traffic
- in addition to relying on IaaS security groups configuration
- Stop all software aside from SSH after deploy is finished
- Add
--vars-store /dev/nullCLI support?
Requires new BOSH CLI v0.0.146+.
$ git clone https://github.com/cloudfoundry/jumpbox-deployment ~/jumpbox-deployment
$ mkdir -p ~/deployments/jumpbox-1
$ cd ~/deployments/jumpbox-1
# Deploy a jumpbox -- ./creds.yml is generated automatically
$ bosh create-env ~/jumpbox-deployment/jumpbox.yml \
--state ./state.json \
-o ~/jumpbox-deployment/aws/cpi.yml \
--vars-store ./creds.yml \
-v access_key_id=... \
-v secret_access_key=... \
-v region=us-east-1 \
-v az=us-east-1b \
-v default_key_name=jumpbox \
-v default_security_groups=[jumpbox] \
-v subnet_id=subnet-... \
-v internal_cidr=10.0.0.0/24 \
-v internal_gw=10.0.0.1 \
-v internal_ip=10.0.0.5 \
-v external_ip=... \
--var-file private_key=...
# Currently, none of the generated credentials are necessary to persist
# (possibly except for generated SSH private key)
$ rm ./creds.yml
Above command requires only two ports open:
Type Protocol Port Range Source Purpose
SSH TCP 22 <BOSH CLI's IP> SSH for bootstrapping & final access
Custom TCP Rule TCP 6868 <BOSH CLI's IP> Agent for bootstrapping
By default jumpbox user is added via user_add job. Unique SSH private key is generated.
$ bosh int ./creds.yml --path /jumpbox_ssh/private_key > jumpbox.key && chmod 600 jumpbox.key
$ ssh jumpbox@... -i jumpbox.key
Instead of running CLI from the jumpbox VM, you can use it as a proxy.
# Start SOCKS5 proxy on your machine
$ ssh -N -D 9999 jumpbox@... -i jumpbox.key -f
# Let CLI know about it
$ export BOSH_ALL_PROXY=socks5://localhost:9999
# Access Director *thru* jumpbox (instead of being on the jumpbox)
$ bosh -e bosh-1 env