Wakeup Flower

What is a bastion host?

A bastion host is a special-purpose server that acts as a secure entry point into a private network. Think of it as a "jump box" you connect to first, before reaching other resources (like EC2 instances or databases) that are not directly accessible from the internet.


🔑 Key Points:

  • Purpose: Provide controlled, secure access to resources in private subnets.
  • Placement: Usually deployed in a public subnet of a VPC, with a public IP.
  • Access:

    • Admins first connect to the bastion host via SSH (Linux) or RDP (Windows).
    • From there, they can connect to internal/private servers.
  • Security:

    • Strongly locked down with firewalls/security groups.
    • Often combined with MFA, IAM policies, and logging.
    • Minimizes exposure: instead of exposing every internal server to the internet, you expose only the bastion.

✅ Example (AWS context):

  • You have a private EC2 instance in a subnet with no public IP.
  • You cannot SSH into it directly from the internet.
  • Instead, you:
  1. SSH into the bastion host (public subnet).
  2. From the bastion, SSH into the private EC2.
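As an added example (not code from the original post), the two-hop flow above can be expressed as an SSH client config that uses ProxyJump. The client tunnels through the bastion and authenticates to the private instance directly from the workstation, so the private key is never copied onto the bastion and agent forwarding is not needed. The host aliases, addresses and key path below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate an ssh_config fragment
# for the two-hop flow (workstation -> bastion -> private EC2) using ProxyJump.
# All names, addresses and the key path below are constructed placeholders.

BASTION_ALIAS="bastion"                # assumed alias for the jump box
BASTION_IP="203.0.113.10"              # constructed public IP (TEST-NET-3 range)
PRIVATE_ALIAS="app-private"            # assumed alias for the private instance
PRIVATE_IP="10.0.2.25"                 # constructed private-subnet address
ADMIN_USER="ec2-user"                  # default user on Amazon Linux AMIs
KEY_FILE="$HOME/.ssh/bastion-lab.pem"  # assumed path to the admin's key

# Print the config. The private host is reached through the bastion with
# ProxyJump, so the key is used from the workstation for both hops and is
# never copied to the bastion; agent forwarding is disabled explicitly.
jump_config() {
    cat <<EOF
Host $BASTION_ALIAS
    HostName $BASTION_IP
    User $ADMIN_USER
    IdentityFile $KEY_FILE
    IdentitiesOnly yes
    ForwardAgent no

Host $PRIVATE_ALIAS
    HostName $PRIVATE_IP
    User $ADMIN_USER
    IdentityFile $KEY_FILE
    IdentitiesOnly yes
    ForwardAgent no
    ProxyJump $BASTION_ALIAS
EOF
}

# Check that the fragment routes the private host through the bastion and
# never turns agent forwarding on (a forwarded agent on a shared jump box
# exposes the admin's key to anyone with root there for the session's lifetime).
config_is_sane() {
    cfg=$(jump_config)
    printf '%s\n' "$cfg" | grep -q "ProxyJump $BASTION_ALIAS" || return 1
    if printf '%s\n' "$cfg" | grep -q "ForwardAgent yes"; then
        return 1
    fi
    return 0
}

# Install the fragment and open the session with a single command:
#   jump_config >> ~/.ssh/config && ssh app-private
```

With this in place, `ssh app-private` performs both hops in one step, and the bastion only ever sees an encrypted forwarded connection rather than the admin's credentials.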

📌 Best Practices:

  • Use AWS Systems Manager Session Manager as a more secure alternative (no need for bastion hosts or public IPs).
  • If using bastion hosts:

    • Restrict access to known IP addresses only.
    • Regularly rotate SSH keys.
    • Enable monitoring and logging.
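The "restrict access to known IP addresses" practice is easy to get wrong with a single mistyped CIDR. The following added example (not from the original post) wraps the security group change in a check that only accepts a single-host /32 range, and includes a small audit over a constructed `describe-security-groups` JSON sample that flags a world-open rule. The security group id is a placeholder, the admin address is constructed, and the aws command is printed rather than executed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the "restrict access
# to known IP addresses" practice. The security group id and the admin IP are
# constructed placeholders; the aws command is printed, not executed, so the
# script runs offline.

# Accept only a single-host IPv4 CIDR (a.b.c.d/32) for SSH ingress.
is_single_host_cidr() {
    case "$1" in
        */32) ;;
        *) return 1 ;;
    esac
    ip=${1%/32}
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the ingress command for port 22 from one admin address.
# Refuses anything wider than /32 so a typo cannot open the bastion to the world.
ssh_ingress_command() {
    sg_id=$1
    cidr=$2
    if ! is_single_host_cidr "$cidr"; then
        echo "refusing SSH ingress for non-/32 range: $cidr" >&2
        return 1
    fi
    printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port 22 --cidr %s\n' \
        "$sg_id" "$cidr"
}

# Constructed sample of `aws ec2 describe-security-groups` output for a group
# that was (wrongly) opened to 0.0.0.0/0 on port 22.
SAMPLE_SG_JSON='{"SecurityGroups":[{"GroupId":"sg-PLACEHOLDER","IpPermissions":[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]}]}'

# Flag a world-open ingress rule in describe-security-groups JSON.
# Returns 1 when 0.0.0.0/0 appears. This is a substring check that assumes the
# compact JSON form used above; a real audit would query the same output with jq.
audit_world_open_ingress() {
    if printf '%s' "$1" | grep -qF '"CidrIp":"0.0.0.0/0"'; then
        echo "world-open ingress rule found" >&2
        return 1
    fi
    return 0
}

# Usage (printed only):
#   ssh_ingress_command sg-PLACEHOLDER 198.51.100.7/32
#   audit_world_open_ingress "$SAMPLE_SG_JSON"   # returns 1 for the sample above
```

Run the audit on a schedule against the real `describe-security-groups` output for the bastion's group; a non-zero exit is the signal that someone has widened the rule since it was last reviewed.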

Here is a simple AWS-style architecture diagram of the bastion host setup in ASCII:

                Internet
                    |
             +-------------+
             | Bastion Host|
             | (Public Sub)|
             +-------------+
                    |
        -------------------------
        |                       |
+----------------+       +----------------+
|  Private EC2   |       |  Private DB    |
| (No Public IP) |       | (No Public IP) |
+----------------+       +----------------+

🔎 How to read this:

  • Internet → Bastion Host: Admins connect via SSH/RDP.
  • Bastion Host → Private Instances: Once inside the bastion, you can securely connect to EC2 or databases in the private subnet.
  • Private resources are never exposed to the internet directly.

This diagram can be expanded into a full VPC view (public and private subnets, NAT gateway, etc.).
