DEV Community

Amin Haiqal
Amin Haiqal

Posted on

Understanding Bastion Hosts: The Quite Gatekeepers of Modern Infrastructure

#showdev #devops #security #opensource

There is a moment every developer reaches, usually late at night, when something breaks and you realize you no longer understand your own setup.

At first, it feels manageable. One VPS, one IP address, one SSH command. You memorize it. You trust it. You build on top of it.

Then comes the second server. And the third. Suddenly you are juggling keys, IPs, environments, and access rules. You forget which key belongs to which machine. You paste commands from old terminal history hoping they still work. You log into the wrong server and restart the wrong service.

You tell yourself it is fine.

Then one day you notice something you should not ignore. Failed login attempts in your logs. Unknown IPs hitting port 22. Maybe nothing happens. Maybe something does and you do not notice until later.

And without realizing it, you have exposed multiple machines directly to the internet, each one listening on port 22, each one waiting.

This is where the idea of a bastion host enters. Not as a luxury, but as something you wish you had set up earlier.

The Bastion Host: A Single Door in a Wall of Servers

A bastion host is not complicated in concept, but it is powerful in consequence.

It is a single, hardened server that acts as the only entry point into your infrastructure.

Instead of connecting directly to every VPS you own, you connect to one machine, the bastion, and from there, you move inward.

In essence, you replace chaos with structure. Many doors become one.

Without a bastion host, your access pattern looks like this:

Your device → SSH → VPS A  
Your device → SSH → VPS B  
Your device → SSH → VPS C
Enter fullscreen mode Exit fullscreen mode

Every server is exposed. Every server is a target.

With a bastion host, the pattern changes:

Your device → SSH → Bastion Host → SSH → Internal VPS
Enter fullscreen mode Exit fullscreen mode

Now, only one machine is visible to the outside world. The rest exist behind it, quiet and unreachable unless you pass through the gate.

Why This Matters More Than It Seems

At first glance, this may feel like an unnecessary layer. After all, connecting directly works.

But infrastructure rarely fails loudly. It fails slowly, through small mistakes that stack up until something finally breaks.

A bastion host reduces those risks in ways that compound over time.

A Smaller Attack Surface

Instead of exposing every server, you expose only one. This drastically reduces the number of entry points an attacker can probe.

Centralized Control

Authentication, access policies, and SSH keys can be managed in one place. You no longer need to remember which key is on which machine or update them one by one.

Observability

A bastion host becomes a natural checkpoint. Every connection passes through it. Logging and auditing become practical instead of something you keep postponing.

Network Isolation

Your internal servers no longer need public IP addresses. They can live in private networks, invisible to the outside world.

The Mistakes That Lead Here

Most developers do not start with a bastion host. They arrive at it after something goes wrong.

Along the way, they make choices that feel harmless in isolation:

  • Opening port 22 on every VPS
  • Using password-based authentication because it is faster
  • Reusing SSH keys across multiple machines
  • Running everything as root because it is convenient
  • Skipping monitoring because nothing has broken yet

None of these decisions feel catastrophic on their own. But together, they create a system that is hard to reason about and easy to break.

A bastion host is not just a tool. It is a way to regain control.

Building a Bastion: The Practical Shape

At its simplest, setting up a bastion host involves:

  1. Provisioning a dedicated VPS
  2. Hardening SSH access (key-based authentication, disabling passwords)
  3. Restricting inbound traffic via firewall rules
  4. Allowing the bastion to connect to internal servers

From there, your workflow changes. You no longer connect directly to your target machines. You pass through the bastion on purpose.

It adds a step. But it also removes guesswork.

A Modern Shift: The Bastion in Your Browser

Traditionally, bastion hosts are accessed through terminal clients like PuTTY or Termius.

But the way we interact with systems is changing.

You are not always at your laptop. Sometimes you are on your phone, trying to fix something quickly. Maybe a service is down. Maybe a deployment failed. You open your terminal app and realize it is not set up, or the key is missing, or the connection fails.

You lose time when you do not have it.

This raises a practical question:

What if the bastion host itself exposed a web-based terminal?

Not a replacement for SSH, but a layer above it.

In this model, the flow evolves:

Phone browser  
   ↓  
Web application (hosted on bastion)  
   ↓ (WebSocket)  
Backend service  
   ↓ (SSH)  
Target VPS
Enter fullscreen mode Exit fullscreen mode

Instead of opening a terminal app, you open a browser. The bastion becomes not just a gateway, but an interface you can reach from anywhere.

It is still SSH underneath. Still secure. Still structured. But now it is accessible when you actually need it.

The Trade-offs of This Approach

This modern approach introduces new capabilities, but also new responsibilities.

What You Gain

  • Access from any device, including mobile
  • A centralized interface for multiple servers
  • The ability to extend with features like session management or logging

What You Risk

  • Increased complexity in your system
  • A larger surface area at the application layer
  • The need for strong authentication and HTTPS enforcement

You are trading simplicity in infrastructure for flexibility in access.

Security: The Non-Negotiable Layer

A bastion host is only as strong as its configuration.

Whether traditional or web-based, certain principles remain constant:

  • Use SSH keys instead of passwords
  • Enforce HTTPS for any web interface
  • Implement authentication (sessions, tokens, or similar)
  • Apply rate limiting to prevent abuse
  • Isolate user sessions where possible

The bastion is your front line. If it is weak, everything behind it is exposed.

Where Bastion Hosts Quietly Power the World

This pattern is not niche. It is foundational.

Bastion hosts are used in:

  • Cloud environments to access private instances
  • Enterprise infrastructure for controlled internal access
  • DevOps workflows where environments must remain isolated

They are rarely visible in diagrams shown to end users, but they are almost always there.

Closing: From Convenience to Intentional Design

At the beginning, direct access feels faster. Simpler. Easier.

But as systems grow, that convenience turns into confusion. You forget what is exposed, what is protected, and what is safe.

A bastion host introduces a boundary. A place where access is deliberate instead of accidental.

It does not remove complexity. It gives you a way to manage it.

And over time, that difference matters more than anything else.

A Note on Practice

This exploration is not purely theoretical.

It is the foundation for an open-source project I am building, Axelyn Bastion, a lightweight, web-based bastion host designed for practical, mobile-friendly access to VPS environments.

If you're interested in following the project, exploring updates, or seeing how this idea evolves in practice, you can visit:

https://axelyn.com/

The goal is not to reinvent SSH, but to make it reachable when you actually need it.

Because the real problem is not connecting to your servers.

It is being able to do it when things are already going wrong.

Top comments (0)