Bastion Host

Definition

A secure computer that acts as a gateway for accessing private servers that aren't exposed to the internet, ensuring safe remote access.

Use Cases

Provider Equivalents

Frequently Asked Questions

What's the difference between a Bastion Host and a VPN?
A VPN connects your device to a private network, often giving broad network-level access (like being “on the network”). A bastion host is a single, tightly controlled entry point that you connect to first and then use to reach specific private servers. Bastions typically limit what you can reach and make it easier to log and control administrative sessions, while VPNs tend to provide more general-purpose network access.
When should I use a Bastion Host?
Use a bastion host when you need occasional or administrative access (SSH/RDP) to private VMs or servers but don’t want to give them public IPs or open inbound ports to the internet. It’s especially useful for production environments, regulated workloads that require strong auditing, and teams that want centralized access control (IAM/MFA), session logging, and time-bound access.
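As an added example (not from the original page), a minimal OpenSSH setup for the pattern described above: the client reaches private servers through the bastion with ProxyJump, and the bastion's sshd turns jump users into a pure relay that can only forward to listed private hosts. All hostnames, user names and addresses are constructed placeholders.

```text
# --- Client side: ~/.ssh/config (constructed example) ---
# The bastion is the only host that needs a publicly reachable address.
Host bastion
    HostName bastion.example.com      # placeholder public address
    User jumpuser
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Private servers keep private IPs only; the client tunnels to them via the bastion.
Host app-1
    HostName 10.0.1.10                # placeholder private address
    ProxyJump bastion
    User admin
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

Host db-1
    HostName 10.0.1.20                # placeholder private address
    ProxyJump bastion
    User admin
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# --- Bastion side: /etc/ssh/sshd_config additions (constructed example) ---
PasswordAuthentication no
PermitRootLogin no
LogLevel VERBOSE          # logs key fingerprints and forwarding requests per session

# Members of the "jumpers" group get no shell or TTY and no X11/agent
# forwarding; TCP forwarding is allowed only to the listed private hosts
# on port 22, so the bastion cannot be used to reach anything else.
Match Group jumpers
    AllowTcpForwarding yes
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
    ForceCommand /usr/sbin/nologin
    PermitOpen 10.0.1.10:22 10.0.1.20:22
```

Running `ssh app-1` then opens an SSH session on the private host while the bastion sees only a forwarded TCP connection to one of the permitted addresses, which is what makes the entry point both narrow and auditable.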
How much does a Bastion Host cost?
Cost depends on the approach. A self-managed bastion (a small VM) costs the VM instance, storage, and outbound data transfer, plus operational overhead (patching, hardening, monitoring). Managed services charge differently. Azure Bastion is billed per deployed bastion (hourly) plus data processed. AWS Session Manager has no additional charge for Session Manager itself, but you pay for the underlying resources (EC2, any SSM features you enable, CloudWatch/S3 logs, and related networking). GCP IAP TCP forwarding is typically not billed as a separate line item, but you pay for the VM, logging/monitoring, and network egress. OCI Bastion is a managed service where you pay for associated resources (verify current OCI pricing for any bastion-specific charges), plus logging and network costs. Always estimate based on expected session hours, data volume, and logging retention.

Category: security

Difficulty: intermediate

Related Terms

See Also