Bastion host

What is a bastion host?

A bastion host is a server that sits on an external or public network and is used to manage access to an internal or private network. It is the only machine that is exposed, so it is kept minimal, hardened, and reachable only from addresses you explicitly allow.

Why do we need a bastion host in AWS?

  • Suppose you have set up a VPC with a public subnet and a private subnet, and the route table for the public subnet has a route to the internet. The private subnet has no such route.

  • Public instances have a public IP, so you can SSH to them directly from your workstation. Private instances have no public IP, so how do you reach them over SSH from your workstation?

  • This is where the bastion host helps. It is launched in the public subnet and acts as an intermediary to the private instances. Instances in the same VPC can route to each other over the VPC's local route (as long as their security groups and network ACLs allow it), so from the bastion host you can SSH on to the private instances.

Setting up a bastion host

  • First, create a VPC.

  • After the VPC is created, a main route table exists by default. It contains a single local route for the VPC CIDR, which is what lets all instances in the VPC route to each other.

  • Create a public subnet and a private subnet.

  • The public subnet needs a route to the external network. Create a new route table for the public subnet and associate the public subnet with it. Leave the private subnet on the main route table so it never gets an internet route.

  • When you create an AWS account, AWS bootstraps a default VPC with public subnets and an internet gateway already attached. If you do not choose a VPC when launching an instance, it lands in that default VPC.

  • Back to the route to the external network: the public subnet's route table needs a default route (0.0.0.0/0) to an internet gateway. An internet gateway is attached to exactly one VPC, so the default VPC's gateway cannot be reused for the VPC you created.

  • So create a new internet gateway, attach it to the VPC you created, and add a 0.0.0.0/0 route via that gateway to the public route table.

  • With routing in place, launch the bastion host in the public subnet of your VPC with a public IP.

  • The most important part is restricting the bastion host's security group so that only your workstation's public IP can reach it. Do not open port 22 to 0.0.0.0/0.

  • The security group of the bastion host then has a single inbound rule: TCP port 22 from <your public IP>/32. No other inbound rules.

  • Note down the public IP of the bastion host to SSH in to it.

  • Now launch a private instance in the private subnet of your VPC, without a public IP.

  • The most important part here is allowing SSH access only from the bastion host.

  • The security group of the private instance has a single inbound rule: TCP port 22 with the source set to the bastion host's security group ID (rather than its IP address, which can change). Nothing else inbound.

  • Note down the private IP of the instance; that is the address you will SSH to from the bastion host.

  • Now SSH in to the bastion host from your workstation.

  • Before you SSH on to the private instance, resist the temptation to copy your SSH private key onto the bastion host. A key stored on the internet-facing machine is exactly what an attacker who compromises the bastion wants. Keep the key on your workstation and use ssh's ProxyJump (-J) option or agent forwarding, so the bastion only relays the connection and never holds the credential.

  • Now SSH in to the private instance through the bastion host.

  • Voila, you have reached the private instance via the bastion host.
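The whole procedure above, from the VPC and internet gateway through the two security groups to the jump into the private instance, as one script. This is an added example written for this page, not the original author's code. It uses the AWS CLI commands for each step, and for the final hop it writes an ssh_config entry with ProxyJump so the private key stays on the workstation. Everything concrete in it is an assumption, not something the page specifies: the CIDRs, region and instance type, the key pair name bastion-key and its .pem path, the placeholder AMI id, the ec2-user login, and ADMIN_CIDR, which you must set to your own public IP as a /32. The script only calls AWS when run as `sh bastion.sh apply`; the two helper functions can be exercised without an AWS account.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): build the VPC, subnets, internet
# gateway, routes, security groups and the two instances with the AWS CLI, then
# write an ssh_config that reaches the private instance through the bastion.
# Assumptions, not from the page: all CIDRs and names below, the key pair, the
# AMI id, and ADMIN_CIDR (your workstation's public IP as a /32).
set -eu

VPC_CIDR=10.0.0.0/16
PUBLIC_CIDR=10.0.1.0/24
PRIVATE_CIDR=10.0.2.0/24
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"   # assumption: replace with your own IP/32
KEY_NAME="${KEY_NAME:-bastion-key}"           # assumption: an existing EC2 key pair
AMI_ID="${AMI_ID:-ami-0123456789abcdef0}"     # assumption: placeholder AMI id
INSTANCE_TYPE=t3.micro
SSH_USER=ec2-user                             # assumption: Amazon Linux default user

# Accept only a single-host /32 for the bastion's inbound SSH rule. Opening port 22
# to 0.0.0.0/0 is the classic mistake this check exists to catch.
check_admin_cidr() {
  case "$1" in
    0.0.0.0/*) return 1 ;;
    */32)      return 0 ;;
    *)         return 1 ;;
  esac
}

# Print an ssh_config that jumps through the bastion with ProxyJump.
# $1 = bastion public IP, $2 = private instance IP, $3 = key path on the workstation.
ssh_config() {
  cat <<EOF
Host bastion
  HostName $1
  User $SSH_USER
  IdentityFile $3
  IdentitiesOnly yes

Host private
  HostName $2
  User $SSH_USER
  IdentityFile $3
  IdentitiesOnly yes
  ProxyJump bastion
EOF
}

build() {
  check_admin_cidr "$ADMIN_CIDR" || { echo "ADMIN_CIDR must be a /32, got $ADMIN_CIDR" >&2; exit 1; }

  VPC=$(aws ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId --output text)
  PUB=$(aws ec2 create-subnet --vpc-id "$VPC" --cidr-block "$PUBLIC_CIDR" --query Subnet.SubnetId --output text)
  PRIV=$(aws ec2 create-subnet --vpc-id "$VPC" --cidr-block "$PRIVATE_CIDR" --query Subnet.SubnetId --output text)

  # An internet gateway belongs to one VPC: create a new one, attach it, and route
  # 0.0.0.0/0 through it from a route table that only the public subnet uses. The
  # private subnet stays on the main route table, which has only the local route.
  IGW=$(aws ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
  aws ec2 attach-internet-gateway --internet-gateway-id "$IGW" --vpc-id "$VPC"
  RT=$(aws ec2 create-route-table --vpc-id "$VPC" --query RouteTable.RouteTableId --output text)
  aws ec2 create-route --route-table-id "$RT" --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW"
  aws ec2 associate-route-table --route-table-id "$RT" --subnet-id "$PUB"

  # Bastion SG: SSH only from the admin /32. Private SG: SSH only from the bastion's
  # security group, referenced by group id so it survives the bastion's IP changing.
  BSG=$(aws ec2 create-security-group --group-name bastion-sg --description "SSH from admin IP only" --vpc-id "$VPC" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$BSG" --protocol tcp --port 22 --cidr "$ADMIN_CIDR"
  PSG=$(aws ec2 create-security-group --group-name private-sg --description "SSH from bastion only" --vpc-id "$VPC" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$PSG" --protocol tcp --port 22 --source-group "$BSG"

  BASTION=$(aws ec2 run-instances --image-id "$AMI_ID" --instance-type "$INSTANCE_TYPE" --key-name "$KEY_NAME" \
    --subnet-id "$PUB" --security-group-ids "$BSG" --associate-public-ip-address \
    --query 'Instances[0].InstanceId' --output text)
  PRIVATE=$(aws ec2 run-instances --image-id "$AMI_ID" --instance-type "$INSTANCE_TYPE" --key-name "$KEY_NAME" \
    --subnet-id "$PRIV" --security-group-ids "$PSG" --no-associate-public-ip-address \
    --query 'Instances[0].InstanceId' --output text)
  aws ec2 wait instance-running --instance-ids "$BASTION" "$PRIVATE"

  BASTION_IP=$(aws ec2 describe-instances --instance-ids "$BASTION" --query 'Reservations[0].Instances[0].PublicIpAddress' --output text)
  PRIVATE_IP=$(aws ec2 describe-instances --instance-ids "$PRIVATE" --query 'Reservations[0].Instances[0].PrivateIpAddress' --output text)

  # Append the jump config; afterwards `ssh private` lands on the private instance
  # via the bastion, and the key never leaves this workstation.
  ssh_config "$BASTION_IP" "$PRIVATE_IP" "$HOME/.ssh/$KEY_NAME.pem" >> "$HOME/.ssh/config"
}

# Only touch AWS when explicitly asked: sh bastion.sh apply
if [ "${1:-}" = "apply" ]; then build; fi
```

The private instance's rule references the bastion's security group ID rather than its address, so replacing the bastion (or its public IP changing) does not silently lock you out or, worse, leave a stale IP-based rule pointing at whoever inherits that address. The ssh_config uses IdentitiesOnly so the client offers only the named key through the jump, and `ssh -J bastion ec2-user@<private IP>` is the one-off equivalent of the `Host private` entry.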