Begin writing exercise 3.

data/workshop/exercise2.mdx

@@ -161,7 +161,7 @@ rm -f openshift-installer.tar.gz
 ```
 
 <Zoom>
-|![workshop](/workshops/static/images/disconnected/downloading-tools.gif)       | 
+|![workshop](/workshops/static/images/disconnected/download-tools.gif)       | 
 |:-----------------------------------------------------------------------------:|
 | *Downloading required tools with curl*                                        |
 </Zoom>
@@ -179,7 +179,7 @@ Let's get started by generating an `ImageSetConfiguration` that describes the pa
 oc mirror init > imageset-config.yaml
 ```
 
-> You can take a look at the default file by running `cat imageset-config.yaml` in your web terminal. Feel free to pause the workshop tasks for a few minutes and read through the [OpenShift documentation](https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating_disconnected_cluster/mirroring-image-repository.html#oc-mirror-creating-image-set-config_mirroring-ocp-image-repository) for the different options available within the image set configuration.
+> Note: You can take a look at the default file by running `cat imageset-config.yaml` in your web terminal. Feel free to pause the workshop tasks for a few minutes and read through the [OpenShift documentation](https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating_disconnected_cluster/mirroring-image-repository.html#oc-mirror-creating-image-set-config_mirroring-ocp-image-repository) for the different options available within the image set configuration.
 
 To save time and storage, we're going to remove the operator catalogs and mirror only the release images for this workshop. We'll still get a fully functional cluster, but OperatorHub will be empty.
 
@@ -203,8 +203,10 @@ mirror:
 EOF
 ```
 
-Now we're ready to kick off the mirror! This will take a few minutes, you can keep an eye on the progress in your web terminal:
+Now we're ready to kick off the mirror! This can take 5-15 minutes so this is a good time to go grab a coffee or take a short break:
 
 ```bash
 oc mirror --config imageset-config.yaml file:///mnt/high-side
 ```
+
+Once your content has finished mirroring to disk you've finished exercise 2! 🎉

data/workshop/exercise3.mdx

@@ -0,0 +1,56 @@
+---
+title: Preparing our high side
+exercise: 3
+date: '2023-12-19'
+tags: ['openshift','containers','kubernetes','disconnected']
+draft: false
+authors: ['default']
+summary: "Setting up a bastion server and transferring content"
+---
+
+In this exercise, we'll prepare the **High side**. This involves creating a bastion server on the **High side** that will host our mirror registry. 
+
+> Note: We have an interesting dilemma for this excercise: the Amazon Machine Image we used for the prep system earlier does not have `podman` installed. We need `podman`, since it is a key dependency for `mirror-registry`.
+> 
+> We could rectify this by running `sudo dnf install -y podman` on the bastion system, but the bastion server won't have Internet access, so we need another option for this lab. To solve this problem, we need to build our own RHEL image with podman pre-installed. Real customer environments will likely already have a solution for this, but one approach is to use the [Image Builder](https://console.redhat.com/insights/image-builder) in the Hybrid Cloud Console, and that's exactly what has been done for this lab.
+>
+> [workshop](/workshops/static/images/disconnected/image-builder.png)
+> 
+> In the home directory of your web terminal you will find an `ami.txt` file containng our custom image AMI which will be used by the command that creates our bastion ec2 instance.
+
+
+## 3.1 - Creating a bastion server
+
+First up for this exercise we'll grab the ID of one of our **High side** private subnets as well as our ec2 security group.
+
+Copy the commands below into your web terminal:
+
+```bash
+PRIVATE_SUBNET=$(aws ec2 describe-subnets | jq '.Subnets[] | select(.Tags[].Value=="Private Subnet - disco").SubnetId' -r)
+echo $PRIVATE_SUBNET
+
+SG_ID=$(aws ec2 describe-security-groups --filters "Name=tag:Name,Values=disco-sg" | jq -r '.SecurityGroups[0].GroupId')
+echo $SG_ID
+```
+
+Once we know our subnet and security group ID's we can spin up our **High side** bastion server. Copy the commands below into your web terminal to complete this:
+
+```bash
+aws ec2 run-instances --image-id $BASTION_AMI_ID \
+  --count 1 \
+  --instance-type t3.large \
+  --key-name disco-key \
+  --security-group-ids $SG_ID \
+  --subnet-id $PRIVATE_SUBNET \
+  --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=$BASTION_NAME}]" \
+  --block-device-mappings "DeviceName=/dev/sdh,Ebs={VolumeSize=50}"
+```
+
+
+<Zoom>
+|![workshop](/workshops/static/images/disconnected/security-group.gif)          | 
+|:-----------------------------------------------------------------------------:|
+| *Creating aws ec2 security group*                                             |
+</Zoom>
+
+