How to SSH to Private Instance via Jumphost/Bastion
There are frequent cases where we want to provision an instance in a private network for security reasons (e.g. a database instance). But when we don't have a corporate VPN to connect to that private network, how can we configure this?
The answer is a jumphost, which some people call a bastion host. Basically it's an intermediary instance provisioned in the public network that opens only the SSH port to the internet (and is secured via an SSH public/private key pair).
Let's say we have 2 instances, jumphost and db (the private instance). We can ssh to the private instance by using this config:
Host jumphost
    HostName <jumphost-public-ip>
    User ubuntu
    AddKeysToAgent yes
    IdentityFile <private-key-file-location>

Host db
    HostName <db-private-ip>
    User ubuntu
    Port 22
    IdentityFile <private-key-file-location>
    ProxyCommand ssh -q -W %h:%p jumphost
Then to connect to db, we can just run ssh db.
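As a check on a config of this shape, the following added example (not code from the original post) parses an ssh config and lists hosts whose HostName is a private address but which have no ProxyCommand hop through a jumphost. The sample IPs and the extra cache host are constructed for illustration, and only the ProxyCommand ssh ... -W %h:%p <alias> form used above is recognised.

```python
import ipaddress
import re

# Constructed sample in the shape of the page's config; IPs and the "cache" host are made up.
SAMPLE_CONFIG = """\
Host jumphost
    HostName 203.0.113.10
Host db
    HostName 10.0.1.25
    User ubuntu
    ProxyCommand ssh -q -W %h:%p jumphost
Host cache
    HostName 10.0.1.40
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hosts(text):
    """Return {alias: {lowercased option: value}} for every Host block."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if not line or line.startswith("#") or len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = {}
            for alias in value.split():
                hosts[alias] = current
        elif current is not None:
            current.setdefault(key, value)  # ssh keeps the first value it sees
    return hosts

def hop_for(options):
    """Alias a host is tunnelled through via 'ProxyCommand ssh ... -W %h:%p <alias>', else None."""
    match = re.search(r"\s-W\s+\S+\s+(\S+)\s*$", options.get("proxycommand", ""))
    return match.group(1) if match else None

def unproxied_private_hosts(text):
    """Aliases whose HostName is an RFC 1918 address but that define no jump hop."""
    findings = []
    for alias, opts in parse_hosts(text).items():
        try:
            addr = ipaddress.ip_address(opts.get("hostname", ""))
        except ValueError:
            continue  # DNS name or missing HostName: not judged here
        if any(addr in net for net in RFC1918) and hop_for(opts) is None:
            findings.append(alias)
    return findings

if __name__ == "__main__":
    print(unproxied_private_hosts(SAMPLE_CONFIG))
```

Pass the contents of your own ~/.ssh/config to unproxied_private_hosts to run the same check against it.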