Welcome to Basti discussions!

[BohdanPetryshyn]

👋 Welcome!

Introducing Basti discussions, a place for asking questions, providing answers (and gaining GH achievements 🥇).

If you're already here, drop a comment. Share your Basti use case, or just say "I ❤️ Basti"

[dejan-mladenovski]

Hey, I stumbled upon this tool, referenced in this podcast: https://awsbites.com/126-bastion-containers/#description

I have a use-case where the RDS is in a private subnet (multi-az) and need to connect to it. I installed basti very quickly (homebrew), and went through the init process easily. it detected the database, configured the EC2 bastion instance.. but when I do connect, I always get this error:

Error starting port forwarding session. Bastion instance is not connected to SSM. The instance might have been created in a private VPC subnet during basti init

Triple checked everything, it is in public subnet, and the NLB provisioned in that subnet has access.

Am I missing something? I read somewhere that I also need to have VPC endpoints for SSM, SSMMessages and EC2Messages.. Should those be in the private or public subnets? What are the SG rules for that?

The documentation does not mention anything about VPC endpoints for SSM, so I did not provision them.

Cheers

[dejan-mladenovski]

It worked. Did nothing to it, but somehow it worked :)
@BohdanPetryshyn I must say, it is a cool lightweight tool that you guys created. I love it.

[BohdanPetryshyn]

Hi @dejan-mladenovski! I'm happy to hear that you found the tool helpful and that it worked for you. I'm having a vacation right now. Next week, I'll be able to take a closer look to identify a possible pitfall with private NAT-enabled subnets.

[BohdanPetryshyn]

VPC endpoints are only required when the SSM target (an EC2 instance) is in a private subnet. Your use case very closely resembles the most common Basti use case so the error is probably connected to some temporary lag or this stability issue that is expected to be resolved soon.

Again, I'm glad that Basti worked for you ❤️

[dejan-mladenovski]

Hey no worries. I think some times it is not working, but most of the time works. I suspect because it uses t2.micro, it takes some time to initialize the agent. Hey something I noticed (maybe need to open an issue for it): If I initialize the tool, then close the device/end terminal session after a while/try again next day, on the retry it says Basti is not initialized, please run basti init. But I login to AWS and see that the instance is there, but stopped.

I will try to recreate the scenario again, maybe I am wrong.. I am still working on a non production account so I can play around a bit.

But hey, thanks a lot for the tool, really helpful. 🚀