In cloud environments like AWS, it's a best practice to place your application servers in private subnets to prevent direct access from the internet. But then, how do you connect to those private instances for troubleshooting or configuration?

This is where a Bastion Host comes in, a secure jump server that provides SSH access to private instances.

In this post, you’ll learn step-by-step how to:

• Configure your VPC, security groups and route tables

• Set up a bastion host

• SSH into a private EC2 instance via the bastion host

Prerequisites

Before we start, ensure the following:

• You have an AWS account

• You’re familiar with basic VPC, EC2, and SSH concepts (optional, but helpful)

Architecture Overview

You’ll create a simple VPC setup like this:

STEP 1: Create Your VPC and Subnets

1. Create a VPC

   • Enter a CIDR block (e.g., 10.0.0.0/16 the range of IP addresses your VPC will have)

   • Give your VPC a name (always ensure you tag your resources)

2. Create 2 Subnets:

   • Public Subnet (e.g., 10.0.1.0/24)

   • Private Subnet (e.g., 10.0.2.0/24)

3. Create an Internet Gateway (IGW):

   • This will give internet access to the public subnets within the VPC and then in the action’s menu.

   • Once the Internet Gateway is created, click on the “Actions” button on the top-right, and attach to VPC. Ensure you select your created VPC, your tags should make this easier to find.

4. Update route table

   Create a route to destination (0.0.0.0./0) and the target should be the Internet Gateway you Attached to the VPC.

5. Create the Private Route table

   What makes a route table private is the absence of a route to outside traffic through an Internet Gateway. This is what’d needed for the private subnet.

6. Create a route table association for the Private Subnet.

   NOTE: By default, both subnets are implicitly associated to the VPC’s main route table, and this would give them internet access, but only one requires it, so another route table will be made for the private subnet.

By the time you’re done with the above steps, you have the following in your VPC resource map.

Step 2: Launch the Bastion Host (Public Instance)

1. Launch an EC2 instance (Amazon Linux/Ubuntu) in the public subnet.

2. Assign it a public IP

3. Associate it with a security group that:

   • Allows SSH (port 22) from your IP

4. Use a key pair for SSH access, it will automatically download. Ensure you take note of its location.

Step 3: Launch the Private Instance (Private Subnet)

1. Launch an EC2 instance in the private subnet

2. Do not assign a public IP

3. Configure your security group to:

   • Allows SSH (port 22) from the bastion host’s security group

4. Select a key-pair, just as in the previous instance.

Step 4: SSH Into the Private Instance via Bastion

Now let’s connect:

1. SSH into the Bastion Host.

   • Go the Instances dashboard and select the instance your created

   • Go to the Connect option on the top-right and click on SSH client. Now copy the command and paste it in your terminal as such.

ssh -i "test.pem" ec2-user@54.165.42.99

NOTE: test.pem was what I saved my key-pair as.

If you’re on a Linux distro such as ubuntu you have to manage the permissions of your key-pair using the following command.

chmod 400 "test.pem"

Once you’ve SHH’d into the into the instance, you should get something like below

Security concerns: The key-pair and instances used were strictly created for this project and have since been deleted.

• SSH into the Private EC2 Instance.

  NOTE: The key-pair for your private instance was download unto your local PC, so your instance does not have it. In order to SSH into your private subnet, we’d need to copy the content of the key pair to your Bastion Host.

  • Open your key-pair file for your private instance saved to your local PC and copy all of its contents using CTRL + a and CTRL + c

  • Now go to your Bastion Host, presumably still SHH’d into and perform the following:

  •       vim test.pem
    

    2. A screen like such below will come up

3. Press i on your keyboard to edit, and then paste your key-pair copied in previous steps.

4. Now to save the file press ESC on your keyboard and type :wq! to save and exit the vim editor.

5. To confirm if your keypair saved, use the following to view its contents

6.    cat test.pem
   

7. Now modify the permissions for the key pair

8.    chmod 400 "test.pem"
   

• Now, just like your bastion host, go to the EC2 dashboard, and click on “connect” on the top-right corner, click ln the “SSH Client” and then copy the command. Paste it into your Bastion Hosts terminal.

•       ssh -i "test.pem" ec2-user@10.0.0.11
  

This should display the above, indicating you’ve SSH’d into your private subnet

CONGRATULATIONS!!🥂

You have successfully and securely accessed your private instance using a bastion host, now you can configure your instance how you want

NOTE: This method does not give your private instance internet access to download resources.

NOTE: Using Session Manager (SSM) is better for enhanced, will be discussed in a future post

COMMONLY FACED ERRORS

1. Timeout When SSHing to Private EC2

   • Cause: Private security group doesn't allow SSH from Bastion hosts security group

   • Fix: Allow port 22 from Bastion's Security group in Private EC2's security group

2. Permission Denied (publickey)

   • Cause: Wrong key or wrong permissions

   • Fix: Use correct .pem file and/or run chmod 400 my-key.pem

3. Can’t Reach Bastion Host

   • Cause: No public IP, IGW, or incorrect route table

   • Fix: Ensure the bastion host has a public IP, IGW attached to the VPC, and route to 0.0.0.0/0 on the route table.

BEST PRACTICES

• Use key rotation and minimal SSH access

• Set up CloudWatch for monitoring the bastion

• Consider using Session Manager (SSM) for enhanced security (no SSH needed)

• Restrict bastion access with security groups and NACLs

CONCLUSION

Using a bastion host is a secure and controlled way to access EC2 instances in a private network. This setup is essential for production-grade cloud environments.

Stay tuned for a future post where we’ll automate this entire setup using Terraform or CloudFormation!

As part of my HNG DevOps Internship, I was tasked with deploying a FastAPI application with a Continuous Integration (CI) and Continuous Deployment (CD) pipeline while ensuring the application is served using Nginx as a reverse proxy. This blog post will guide you step by step on how to complete this project.

Project Overview

In this task, we:

1. Implement a missing API endpoint.

2. Set up a CI pipeline to run tests using pytest.

3. Configure a CD pipeline to deploy on merging into main.

4. Dockerize the FastAPI application.

5. Serve the application using Nginx.

Step 1: Fork the Template Repository

1. Navigate to the given template repository on GitHub.

2. Click on Fork to create a copy under your GitHub account.

3. Clone your forked repository to your local machine:

    git clone https://github.com/your-username/fastapi-project.git
    cd fastapi-project
   

NOTE: THIS REPO IS NO LONGER UP.

Step 2: Implement the Missing Endpoint

We need to add an endpoint to retrieve a book by its ID.

Modify routes.py

1. Open the routes.py file.

2. Add the following function:

    from fastapi import FastAPI, HTTPException
    from models import books  # Assuming books is a predefined list or database object
   
    app = FastAPI()
   
    @app.get("/api/v1/books/{book_id}")
    async def get_book(book_id: int):
        book = next((book for book in books if book["id"] == book_id), None)
        if not book:
            raise HTTPException(status_code=404, detail="Book not found")
        return book
   

3. Save the file and test it locally using uvicorn:

    uvicorn main:app --reload
   

4. Open http://127.0.0.1:8000/docs to test the new endpoint.

Step 3: Set Up the CI Pipeline

A CI pipeline will run tests automatically.

Create .github/workflows/ci.yml

1. Create a .github/workflows/ci.yml file with:

    name: CI
   
    on:
      pull_request:
        branches:
          - main
   
    jobs:
      test:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout repository
            uses: actions/checkout@v3
          - name: Set up Python
            uses: actions/setup-python@v3
            with:
              python-version: "3.9"
          - name: Install dependencies
            run: |
              pip install -r requirements.txt
          - name: Run tests
            run: pytest
   

2. Commit and push this file.

3. Open a Pull Request and verify the test job runs successfully.

Step 4: Set Up the Deployment Pipeline

Create .github/workflows/deploy.yml

1. Add a new file .github/workflows/deploy.yml:

    name: Deploy
   
    on:
      push:
        branches:
          - main
   
    jobs:
      deploy:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout repository
            uses: actions/checkout@v3
          - name: Build and Push Docker Image
            run: |
              docker build -t my-fastapi-app .
              docker run -d -p 8000:8000 my-fastapi-app
   

2. Push changes and merge a PR to test deployment.

Step 5: Dockerize the FastAPI App

Create Dockerfile

FROM python:3.9-slim
WORKDIR /app
COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]

1. Build and test locally:

    docker build -t fastapi-app .
    docker run -p 8000:8000 fastapi-app
   

Step 6: Set Up Nginx as a Reverse Proxy

Modify nginx.conf

1. Create nginx.conf:

    server {
        listen 80;
        server_name localhost;
   
        location / {
            proxy_pass http://127.0.0.1:8000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
   

2. Run Nginx with Docker:

    docker run --name nginx -v $(pwd)/nginx.conf:/etc/nginx/nginx.conf:ro -p 80:80 nginx
   

Step 7: Deploy the Application

1. Push the Docker image to a registry (e.g., Docker Hub, AWS ECR, GitHub Container Registry).

    docker tag fastapi-app your-username/fastapi-app:latest
    docker push your-username/fastapi-app:latest
   

2. Deploy to a cloud provider or a self-hosted server with Docker and Nginx configured.

Conclusion

This project strengthened my CI/CD automation, Dockerization, and Nginx deployment skills.

I successfully:

1. Implemented a missing API endpoint

2. Set up a deployment pipeline.

3. Configured Nginx as a reverse proxy.

With each project I complete at HNG I learn a lot and I look forward to the next ones

#DevOps #FastAPI #Docker #GitHubActions #CI/CD #Nginx #CloudComputing

As part of my HNG internship, I built a Number Classification API that takes an integer and returns its mathematical properties along with a fun fact. This project tested my API development, deployment, and troubleshooting skills.

In this post, I'll walk you through the entire process, from setting up the Flask API to deploying it on Render.

1️⃣ Setting Up the Project

Step 1: Install Python and Flask

First, ensure you have Python installed. If not, download it from python.org.

Then, create a project directory and set up a virtual environment:

mkdir number-classification-api && cd number-classification-api
python -m venv venv
source venv/bin/activate  # On Windows, use venv\Scripts\activate

Now, install Flask:

pip install flask requests

2️⃣ Developing the API

Step 2: Create the Flask Application

Inside your project directory, create a file called app.py and add the following code:

import os
import requests
from flask import Flask, request, jsonify

def is_prime(n):
    if n < 2:
        return False
    for i in range(2, int(n ** 0.5) + 1):
        if n % i == 0:
            return False
    return True

def is_armstrong(n):
    digits = [int(d) for d in str(n)]
    return sum(d ** len(digits) for d in digits) == n

def classify_number(n):
    properties = []
    if is_armstrong(n):
        properties.append("armstrong")
    properties.append("even" if n % 2 == 0 else "odd")
    return properties

def get_fun_fact(n):
    response = requests.get(f"http://numbersapi.com/{n}/math")
    return response.text if response.status_code == 200 else "No fact available."

app = Flask(__name__)

@app.route("/api/classify-number")
def classify():
    number = request.args.get("number")
    if not number or not number.isdigit():
        return jsonify({"number": number, "error": True}), 400

    number = int(number)
    return jsonify({
        "number": number,
        "is_prime": is_prime(number),
        "is_perfect": False,  # Placeholder for perfection check
        "properties": classify_number(number),
        "digit_sum": sum(int(d) for d in str(number)),
        "fun_fact": get_fun_fact(number)
    })

if __name__ == "__main__":
    port = int(os.environ.get("PORT", 5000))
    app.run(host="0.0.0.0", port=port)

3️⃣ Testing the API Locally

Step 3: Run the Flask Server

Start the server by running:

python app.py

Visit the following URL in your browser:

http://127.0.0.1:5000/api/classify-number?number=371

Expected response:

{
    "number": 371,
    "is_prime": false,
    "is_perfect": false,
    "properties": ["armstrong", "odd"],
    "digit_sum": 11,
    "fun_fact": "371 is an Armstrong number because 3^3 + 7^3 + 1^3 = 371"
}

4️⃣ Deploying to Render

Step 4: Prepare for Deployment

Create a requirements.txt file:

pip freeze > requirements.txt

Also, create a Procfile (without any file extension) and add the following line:

web: python app.py

Step 5: Push Code to GitHub

Initialize a Git repository and push the project:

git init
git add .
git commit -m "Initial commit"
git branch -M main
git remote add origin <your-github-repo-url>
git push -u origin main

Step 6: Deploy on Render

1. Log in to Render and create a new Web Service.

2. Connect your GitHub repository.

3. Set the start command as:

python app.py

4. Click Deploy.

Step 7: Access the Deployed API

Once deployment is successful, Render provides a public URL, e.g.,

https://your-app-name.onrender.com/api/classify-number?number=371

Now, you can access your API from anywhere! 🎉

5️⃣ Conclusion

This project helped me:

✅ Build and structure a Flask API.
✅ Implement mathematical logic in Python.
✅ Deploy an API on Render and troubleshoot issues.

Got questions? Drop them in the comments! 🚀

#DevOps #Python #Flask #APIDevelopment #CloudComputing #Render #Internship #LearningByDoing

Starting my HNG Internship, one of the first tasks assigned to DevOps interns was to set up NGINX on Ubuntu and configure it to serve a custom web page. This task aimed to evaluate our ability to install, configure, and troubleshoot a web server from scratch. In this blog post, I’ll walk you through how I approached and completed this task, including any challenges I faced and the key lessons I learned.

Task Overview

The task required me to:

1. Install the NGINX web server and ensure it is running.

2. Configure NGINX to serve a custom HTML page as the default page with the message:

Welcome to DevOps Stage 0 - Victor Iliya/Non-Existent

3. Write a blog post that documents your experience with this task.

Step-by-Step Guide

Install NGINX

1. Created the Web Server:

   The first thing I did was to create an EC2 instance on AWS to be my web server. I used an ubuntu AMI.

2. Connect to the instance

   There are many ways to connect to an EC2 instance, I used the EC2 instance connect.

3. Update Ubuntu

   Once connected to the EC2 instance, the first thing t do it to update the Linux server by running the code below.

sudo apt update

4. Install NGINX

   The next step is to install the NGINX service

sudo apt install nginx -y

5. Enable and start NGINX

   After installation, I enabled and started the NGINX service:

sudo systemctl enable nginx
sudo systemctl start nginx

6. Confirm if NGINX is running

systemctl status nginx

If everything worked correctly, you should have the following:

Configure the Default Web Page

1. Modify the default index.html page:

   For the server to display the page, you need to modify the default index.html page located at /vat/www/html/index.html.

   Use the vim command for this as such:

vim /var/www/html/index.html

Now, to modify text files with vim, press the “ i “ key on the keyboard which is for insert, and now you’d be able to enter the text you want, in my case it would be “Welcome to DevOps Stage 0 - Victor Iliya/ Non-Existent“

Now to save the file, perform the following:

• press the “ esc “ key to exit the insert mode.

• type :wq! and press the enter key to save the file and close the vim editor.

Note: If the permission is denied, use sudo as such:

sudo vim /var/www/html/index.html

2. Restart the NGINX server

   Restart the NGINX server to apply the changes

    sudo systemctl restart nginx
   

Open your web page

Go back to your instance and find your public ip address, use this to access the site you’ve just made.

Note: Ensure the security groups for your instance allows HTTP traffic on port 80

1. Hands-on experience installing and configuring NGINX

2. Debugging and troubleshooting web server issues

3. Improved Linux server management skills

References

I explored different engineering roles at HNG for future career growth:

• DevOps Engineers

• cloud Engineers

This was a great learning experience, and I’m excited for what’s next!

This project is an Intrusion Detection System (IDS) that allows users to upload network data files for Machine Learning (ML) inference. The system pre-processes the uploaded file, runs it through an ML model trained on the NSL-KDD dataset, and returns the classification results to the frontend. Processed results are stored in S3, and job status is tracked in DynamoDB.

The architecture is built using a Microservices architecture hosted on AWS Fargate (ECS) with an internal and external load balancer setup, ensuring secure and scalable operations.

Objectives

The primary goals of the IDS project are:

• Data Pre-processing: Transform raw network traffic data (based on the NSL-KDD dataset) into a structured format for machine learning.

• Model Training: Compare multiple machine learning models to identify the most accurate and efficient one for intrusion detection.

• User Interaction: Build a user-friendly web interface using Flask for users to upload network data for classification.

• File Classification: Build the application that will classify the uploaded file based on the machine learning model.

• Cloud Deployment: Deploy the entire system using AWS ECS Fargate, Terraform, and a robust CI/CD pipeline for automation.

• Scalability: Ensure the system can handle increased traffic and adapt to evolving threats.

• CI/CD Pipeline: Create a CI/CD pipeline that’ll ensure seamless deployment of code changes.

🛠️ Tech Stack

1. Machine Learning: Pre-processing with Pandas and NumpPy, and training models with SciKit-learn.

2. Frontend: NextJS frontend

3. Backend: Flask-based web application for user interaction.

4. Infrastructure as Code (IaC): Terraform for provisioning AWS resources.

5. CI/CD: Automated deployment pipeline (To Be Determined).

6. Cloud Deployment: Containerized application.

7. Visualization: Generate real-time classification insights with Matplotlib.

🚦 Key Features

• Efficient Data Processing: Leverages advanced preprocessing techniques to prepare data for model training.

• Multi-Model Comparison: Tested models such as Random Forest, Decision Tree, Naive Bayes, and Logistic Regression to ensure the best performance.

• Interactive User Interface: Upload network traffic data and receive immediate threat classification.

• Cloud-Native Architecture: Deployed using AWS services for high availability and scalability.

🔍 Project Workflow

1. Data Preprocessing: Cleaned and transformed the NSL-KDD dataset into machine-readable formats.

2. Model Training: Trained multiple models to classify threats, comparing metrics like accuracy, precision, recall, and F1 score to select the best model.

3. Model Deployment: Packaged the trained model as a Docker container and pushed it to Amazon ECR.

4. Web App Development: Created a Flask-based app for user interactions.

5. Cloud Deployment: Deployed the app on AWS ECS Fargate, ensuring security and scalability.

🏆 What’s Next?

This is just the beginning! In future posts, I’ll dive deeper into:

• Enhancing the dataset by incorporating real-world scenarios.

• Improving the Flask app with user authentication and a database for result tracking.

• Scaling the system with Kubernetes for even greater flexibility.

• Exploring real-time anomaly detection using advanced ML techniques.

🔗 Stay Tuned!

This post is part of my Projects series. For all updates and technical details on this Intrusion Detection System, check out my Intrusion Detection System series, where I'll break down each component and share insights along the way.

Thank you for following my journey! Feel free to share your thoughts or ask questions in the comments. 😊

Overview

The Intrusion Detection System (IDS) project aims to provide an efficient and scalable solution for detecting malicious network traffic patterns. It utilizes machine learning models trained on the NSL-KDD dataset and provides a user-friendly interface for visualization and analysis. The system includes a backend for processing data, generating predictions, and creating visual summaries, along with a frontend for user interaction.

Functional Requirements

1. Data Processing

• Input:

  • Accept uploaded CSV files containing network traffic data in the NSL-KDD dataset format.

• Preprocessing:

  • Handle missing or incorrect data gracefully.

  • Encode categorical features using one-hot encoding.

  • Scale numerical features using a pre-trained StandardScaler.

2. Machine Learning Model

• Model Details:

  • Load a pre-trained Random Forest model (Random_Forest.joblib) for classification.

• Predictions:

  • Classify network traffic into the following categories: Normal, DoS, Probe, R2L, U2R.

3. Visualization

• Graphical Representation:

  • Display results in a bar graph with:

    • X-axis labeled with traffic categories.

    • Y-axis representing the count of instances.

  • Labels for aggregated categories: “Normal Traffic” and “Malicious Traffic.”

• Summary Report:

  • Provide a numerical summary:

    • Count of normal traffic.

    • Count of all malicious traffic (aggregated).

4. Backend

• APIs:

  • /upload: Accepts file uploads and triggers processing.

  • /process: Processes uploaded data, generates predictions, and creates visual output.

• Error Handling:

  • Return appropriate error messages for:

    • Missing files.

    • Model loading issues.

    • Invalid data format.

5. Frontend

• User Interface:

  • Provide buttons to:

    • Upload files.

    • Trigger data processing.

  • Display the generated graph and summary report.

• Interactivity:

  • Ensure responsive and dynamic updates without reloading the page.

Non-Functional Requirements

1. Performance

• Processing Time:

  • Ensure data processing and prediction are completed within 5 seconds for datasets up to 10,000 rows.

2. Scalability

• File Size:

  • Handle CSV files up to 50 MB.

• Concurrent Users:

  • Support up to 100 simultaneous users.

3. Security

• Data Validation:

  • Validate uploaded files to prevent malicious data injections.

• Model Security:

  • Protect model files from unauthorized access.

4. Maintainability

• Code Modularity:

  • Separate concerns into distinct modules for preprocessing, model loading, and visualization.

Technical Requirements

1. Backend

• Programming Language: Python 3.9+

• Frameworks: Flask

• Dependencies:

  • pandas

  • numpy

  • matplotlib

  • scikit-learn

  • joblib

2. Frontend

• Framework: Next.js

• Language: TypeScript

• CSS: Tailwind CSS

3. Deployment

• Containerization: Docker

• Orchestration: Kubernetes

• Cloud: AWS (ECS Fargate, S3 for storage)

4. Infrastructure

• Tools: Terraform for IaC

• Storage: Amazon S3 for temporary file storage

Deliverables

1. Fully functional IDS application.

2. Dockerized backend and frontend services.

3. Kubernetes deployment manifests.

4. Documentation:

   • User guide.

   • Deployment guide.

   • Developer guide.

Future Enhancements

1. Add real-time traffic monitoring.

2. Support additional data formats beyond NSL-KDD.

3. Integrate advanced visualization tools (e.g., D3.js).

4. Extend model to support additional attack categories.

5. Allow users to be able to sign up and save charts and results.

6. Allow users to use common type of network data