
AWS Session Manager (aws specific) or Tailscale (anything) has solved this problem for me


Jump hosts seem like an anti-pattern in the era of AWS SSM and Tailscale.

It is far too easy to misconfigure network policies and grant them access to infrastructure that they shouldn't.

And with Tailscale you can run the agent within SaaS products like GitHub Actions or Terraform Cloud to securely manage their access into your systems.


I believe you still need a bastion host to query a database, for instance, unless you want to set up SSM on existing hosts - my current project is fully serverless, so I had to set up an EC2 instance to serve as the bastion. The beauty of SSM is that the host can be fully on a private subnet, not exposed to the wider internet as commonly suggested.


You can set up a Tailscale traffic relay node which allows you to access any services within the defined subnets.

https://tailscale.com/kb/1019/subnets/

So that way you can query that database directly and not using any SSH tunnels.


Yeah, if you’re using managed services within AWS you need a relay host. It doesn’t need to punch a hole to the outside world (like a bastion host) but it still needs some manner to allow Tailscale (an EC2 box) to route to those services.

SSM is a cleaner choice on AWS.
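The two approaches discussed in the comments above (an SSM port-forwarding session through a private-subnet EC2 instance to reach a database, and a Tailscale subnet router advertising the VPC range) as an added example; this is not code from the thread or from AWS or Tailscale. It assumes the AWS CLI v2 with the Session Manager plugin is installed on the operator's machine and the Tailscale CLI on the relay node; the instance ID, database hostname and CIDR are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: AWS CLI v2 + Session Manager
# plugin locally, Tailscale CLI on the relay instance. All IDs, hosts and CIDRs
# here are constructed placeholders.

# Build the SSM port-forwarding invocation. Traffic to a local port is carried
# over the SSM channel (outbound HTTPS from the instance to the SSM endpoint) to
# the private-subnet instance and on to the database. The instance needs an
# instance profile with the SSM managed policy, no public IP and no inbound
# security-group rule at all, which is the "not exposed to the internet" property
# the thread describes.
ssm_db_tunnel_cmd() {
  instance_id="$1"; db_host="$2"; db_port="$3"; local_port="$4"
  case "$instance_id" in
    i-*) ;;
    *) echo "bad instance id: $instance_id" >&2; return 1 ;;
  esac
  printf '%s' "aws ssm start-session --target $instance_id \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters host=$db_host,portNumber=$db_port,localPortNumber=$local_port"
}

# Build the commands run once on the Tailscale relay (subnet router): enable
# IP forwarding and advertise the VPC CIDR so other tailnet nodes reach the
# database directly, without any SSH tunnel. The advertised route still has to
# be approved in the tailnet admin console before it takes effect.
tailscale_subnet_router_cmd() {
  cidr="$1"
  case "$cidr" in
    */*) ;;
    *) echo "expected a CIDR such as 10.0.0.0/16, got: $cidr" >&2; return 1 ;;
  esac
  printf '%s' "sysctl -w net.ipv4.ip_forward=1 && tailscale up --advertise-routes=$cidr"
}

# Print the commands rather than executing them; copy the relevant line to the
# machine where it belongs (workstation for SSM, relay node for Tailscale).
echo "# from your workstation (then connect a client to localhost:15432):"
ssm_db_tunnel_cmd i-0123456789abcdef0 db.example.internal 5432 15432; echo
echo "# once, on the relay EC2 instance inside the VPC:"
tailscale_subnet_router_cmd 10.0.0.0/16; echo
```

Both functions only assemble and print the commands so the script is safe to run anywhere; the placeholder arguments must be replaced with the real instance ID, database endpoint and VPC CIDR before use.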


> anti-pattern

Is wearing a blue denim jacket and jeans an anti-pattern? Is Vegemite an anti-pattern? Can't we just say "obsolete", or "bad idea"?


You should "reach out" to him/her and sort this out.

[I've always found "reach out" to be hilarious, (what, with my arms?) but it's so common now I'm the oddball]


Oh, the one that kills me now is "let's take that offline" used in a meeting to refer to "let's move this to a Slack conversation".

(Or, more cynically, "This problem is thorny and I wish to bury it rather than put in the time and work to fix it.")


> I've always found "reach out" to be hilarious, (what, with my arms?) ...

Using the expression "reach out" is such an anti-pattern.


> Is wearing a blue denim jacket and jeans an anti-pattern?

The Canadian tuxedo is clearly a best practice.


"anti-pattern" suggests more than just a singleton bad idea, but one that is very common and sometimes even suggested.


Agreed. Tailscale is absolutely fantastic and unbelievably easy to use while being significantly more secure than a jump host.

