Communication between two private ec2 instances


Hosting Tableau Server HA on 3 AWS EC2 instances in a private subnet using a bastion host on the public subnet, but the worker EC2 is unable to communicate with the host EC2, though I can RDP to the host EC2 from the worker EC2.

Asked a year ago, 652 views
1 answer


I would like a bit more clarification about the issue you're experiencing; however, for an EC2 instance in a public subnet (Bastion Host) to communicate with another EC2 instance that is in a private subnet, you must have a managed network address translation (NAT) gateway to allow outbound internet access for resources in the private subnets.

Instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet. You create a public NAT gateway in a public subnet and must associate an elastic IP address with the NAT gateway at creation. You route traffic from the NAT gateway to the internet gateway for the VPC.

The NAT gateway replaces the source IP address of the instances with the IP address of the NAT gateway.

Furthermore, security groups play a vital role in maintaining the security and making sure the Bastion host doesn't fail. The security groups of the private instances have to be changed to make sure that inbound RDP can be accessed through the Bastion Host's IP address only.

The rules of this security group should be applied to all the private instances, which need tighter security, and which need to be able to connect to the internet via a Bastion Host.

Make sure to avoid access to IP addresses, as SSH and RDP connections can be authenticated with the help of private and public keys. Logging in to the private instances via the bastion host will require the bastion host to have the private keys. But storing private keys on a remote instance isn't considered a safe security method.

More information about NAT Gateways can be found here.

I hope this helps.

Answered a year ago
  • Thank you for replying! To explain the issue in detail, I have 1 VPC, 3 public subnets, 3 private subnets, 3 NAT gateways (one in each public subnet), and 3 EC2 instances (one in each private subnet). I have to install my software on each EC2 instance and have them communicate with each other, which I am not able to do using their private IPs. I tried to ping, but it gave me a timeout. Even though I have opened the ICMP port, I still can't ping between the EC2 instances.

  • Hello, thanks for reaching out. I am going to replicate the issue on my side and come back with feedback.
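The answer above makes two security-group points: RDP into the private nodes should be admitted only from the bastion, and the nodes need rules that let them reach each other. The following is an added example, not code from the original thread or from AWS; it is an offline evaluator for inbound security-group rules, modelled on the `IpPermissions` shape of `aws ec2 describe-security-groups` output. All group IDs, CIDRs and the port numbers are constructed sample values. It also covers the symptom in the follow-up comment, since a ping needs ICMP echo-request (type 8) to be admitted, not just "ICMP" in general.

```python
"""Offline check of whether a security group's inbound rules admit a flow.

Models the subset of the describe-security-groups response that matters:
IpProtocol, FromPort/ToPort, IpRanges (CIDR sources) and UserIdGroupPairs
(source security groups). Security groups are stateful allow-lists, so a
flow with no matching inbound rule is dropped silently (a ping "times out").
"""
import ipaddress

# Constructed sample data (IDs, CIDRs and ports are made up, not from a real account).
SECURITY_GROUPS = {
    "sg-bastion0001": {
        "GroupName": "bastion",
        "IpPermissions": [
            # RDP to the bastion only from one constructed office address
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
        ],
    },
    "sg-tableau0002": {
        "GroupName": "tableau-nodes",
        "IpPermissions": [
            # RDP admitted only from members of the bastion's security group
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion0001"}]},
            # Node-to-node: members of this same group may reach each other on any port
            {"IpProtocol": "-1", "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-tableau0002"}]},
        ],
    },
    "sg-broken0003": {
        "GroupName": "tableau-nodes-broken",
        "IpPermissions": [
            # Only ICMP type 0 (echo-reply) is admitted; echo-request (type 8)
            # is not, so a peer's ping times out even though "ICMP is open".
            {"IpProtocol": "icmp", "FromPort": 0, "ToPort": -1,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        ],
    },
}


def _proto_matches(rule, protocol):
    # "-1" is the AWS wildcard for all protocols
    return rule["IpProtocol"] in ("-1", protocol)


def _port_matches(rule, protocol, port_or_icmp_type):
    if rule["IpProtocol"] == "-1":
        return True
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    if protocol == "icmp":
        # For ICMP rules FromPort is the ICMP type and ToPort the code; -1 means any
        return lo in (-1, port_or_icmp_type)
    return lo == -1 or lo <= port_or_icmp_type <= hi


def _source_matches(rule, src_ip, src_groups):
    addr = ipaddress.ip_address(src_ip)
    if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
        return True
    return any(p["GroupId"] in src_groups for p in rule.get("UserIdGroupPairs", []))


def inbound_allowed(dst_sg_id, protocol, port_or_icmp_type, src_ip, src_groups=()):
    """True if any inbound rule of dst_sg_id admits the flow.

    src_groups are the security groups attached to the *sending* instance;
    a UserIdGroupPairs rule matches on membership, not on the sender's IP.
    """
    rules = SECURITY_GROUPS[dst_sg_id]["IpPermissions"]
    return any(
        _proto_matches(r, protocol)
        and _port_matches(r, protocol, port_or_icmp_type)
        and _source_matches(r, src_ip, src_groups)
        for r in rules
    )


def rdp_sources(sg_id):
    """List every source (CIDR or group ID) that may reach TCP/3389.

    For a private node this should contain only the bastion's security group
    (or its single /32); anything broader is the finding an audit reports.
    """
    found = []
    for r in SECURITY_GROUPS[sg_id]["IpPermissions"]:
        if _proto_matches(r, "tcp") and _port_matches(r, "tcp", 3389):
            found += [x["CidrIp"] for x in r.get("IpRanges", [])]
            found += [p["GroupId"] for p in r.get("UserIdGroupPairs", [])]
    return found


if __name__ == "__main__":
    print("bastion -> node RDP:", inbound_allowed("sg-tableau0002", "tcp", 3389, "10.0.0.5", {"sg-bastion0001"}))
    print("node -> node app port:", inbound_allowed("sg-tableau0002", "tcp", 8850, "10.0.2.20", {"sg-tableau0002"}))
    print("ping into broken group:", inbound_allowed("sg-broken0003", "icmp", 8, "10.0.2.20"))
    print("RDP sources on nodes:", rdp_sources("sg-tableau0002"))
```

Referencing the peer security group in `UserIdGroupPairs` rather than a subnet CIDR is what makes node-to-node traffic work without widening the RDP rule; a rule keyed on the bastion's group likewise keeps 3389 closed to everything else in the VPC even if the bastion's private address changes.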
