Bastion Host
Definition
A secure computer that acts as a gateway for accessing private servers that aren't exposed to the internet, ensuring safe remote access.
Use Cases
- Netflix: Reduce direct SSH exposure to production instances while keeping operational access for engineers — Netflix has publicly discussed using hardened jump hosts (bastion hosts) as part of its AWS security architecture to centralize and control administrative access to internal systems, typically combined with strong authentication, logging, and tightly scoped network rules. (Smaller attack surface from fewer public entry points, more consistent access controls, and improved auditing of administrative access.)
- Airbnb: Controlled engineer access to internal services and instances in AWS without broadly opening inbound SSH — Airbnb has publicly shared security practices that include using bastion/jump hosts to broker access into private networks, with access gated by authentication/authorization and supported by centralized logging. (Improved security posture by limiting inbound access paths and better traceability of who accessed what and when.)
- Shopify: Secure operational access to private infrastructure while minimizing public exposure — Shopify has publicly described using layered network security patterns that commonly include controlled ingress points (jump/bastion-style access) for administrative connectivity, paired with strict access management and monitoring. (Reduced risk from exposed management ports and stronger operational governance through centralized access points and logging.)
Provider Equivalents
- AWS: AWS Systems Manager Session Manager
- Azure: Azure Bastion
- GCP: Identity-Aware Proxy (IAP) TCP forwarding
- OCI: OCI Bastion
Frequently Asked Questions
- What's the difference between a Bastion Host and a VPN?
- A VPN connects your device to a private network, often giving broad network-level access (like being “on the network”). A bastion host is a single, tightly controlled entry point you connect to first, and from there you reach specific private servers. Bastions typically limit what you can reach and make it easier to log and control administrative sessions, whereas a VPN provides more general-purpose network access.
- When should I use a Bastion Host?
- Use a bastion host when you need occasional or administrative access (SSH/RDP) to private VMs or servers but don’t want to give them public IPs or open inbound ports to the internet. It’s especially useful for production environments, regulated workloads that require strong auditing, and teams that want centralized access control (IAM/MFA), session logging, and time-bound access.
- How much does a Bastion Host cost?
- Cost depends on the approach. A self-managed bastion (a small VM) costs the VM instance, storage, and outbound data transfer, plus operational overhead (patching, hardening, monitoring). Managed services charge differently: Azure Bastion is billed per deployed bastion (hourly) plus data processed; AWS Session Manager carries no additional charge itself, but you pay for the underlying resources (EC2, any SSM features you enable, CloudWatch/S3 logs, and related networking); GCP IAP TCP forwarding is typically not billed as a separate line item, but you pay for the VM, logging/monitoring, and network egress; OCI Bastion is a managed service where you pay for the associated resources (verify current OCI pricing for any bastion-specific charges), plus logging and network costs. Always estimate based on expected session hours, data volume, and logging retention.
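The self-managed bastion pattern described above, as an added example that is not part of the original page: a client-side SSH ProxyJump configuration that reaches a private host only through the bastion, plus a small audit function that checks the bastion's own sshd_config for the directives that keep it a tightly controlled, logged entry point. The host names, users, addresses and paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: client-side ProxyJump config for
# reaching a private host via a bastion, plus an audit of the bastion's own
# sshd_config. Host names, users, addresses and paths are assumptions.

# Client side: "ssh app-private" hops through the bastion in one step, so the
# private host needs no public IP and no inbound rule from the internet.
bastion_client_config() {
  cat <<'EOF'
Host bastion
    HostName bastion.example.com
    User admin
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

Host app-private
    HostName 10.0.2.15
    User deploy
    ProxyJump bastion
EOF
}

# Server side: directives the bastion's sshd_config should carry. ProxyJump
# needs TCP forwarding, so it stays on but PermitOpen pins it to the one
# target; LogLevel VERBOSE logs the key fingerprint behind each login.
REQUIRED_DIRECTIVES='PasswordAuthentication no
PermitRootLogin no
AllowAgentForwarding no
X11Forwarding no
LogLevel VERBOSE
PermitOpen 10.0.2.15:22'

# Usage: check_bastion_sshd_config /etc/ssh/sshd_config
# Prints each missing directive; returns 0 only when all are present.
check_bastion_sshd_config() {
  missing=0
  old_ifs=$IFS
  IFS='
'
  for directive in $REQUIRED_DIRECTIVES; do
    # match at line start, case-insensitive, ignoring surrounding whitespace
    if ! grep -qiE "^[[:space:]]*${directive}[[:space:]]*$" "$1"; then
      echo "missing: $directive"
      missing=1
    fi
  done
  IFS=$old_ifs
  return $missing
}
```

The same hop can be made without the config file as `ssh -J admin@bastion.example.com deploy@10.0.2.15`; the audit function is meant to be run on the bastion itself or in a build pipeline that produces its image.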
Category: security
Difficulty: intermediate