Running ray cluster on AWS private subnet

Hi all, i am trying to figure out how to provision my Ray cluster in an AWS private subnet. For other admin purposes (e.g., db admin) i gain access to instances in my private subnet via a bastion host in a public subnet using an ssh tunnel. My question is how do i run ray up -y config.yaml when i have specified private subnets under ray.head.default and ray.worker.default?

Do i just need to copy over my AWS credentials and config.yaml to the bastion host and just run ray up there? Same applies for submitting jobs to the cluster? execute commands with the port forward option?

@Alex / @Dmitri can you please help?

That sounds like a valid solution. Please let us know if you have trouble with that.