Short definition
A bastion host is a hardened server that acts as the single secure entry point into a private network, eliminating the need to expose internal servers directly to the internet.
Extended definition
A bastion host sits at the boundary between a public network and a private infrastructure. All administrative access, typically SSH, routes through it before reaching any internal server. This means internal servers never need a public IP address, dramatically reducing their attack surface. The bastion itself is locked down aggressively: minimal software, strict firewall rules, key-based authentication only, and comprehensive access logging. In cloud environments, a bastion is often a small, dedicated instance in a public subnet while all other servers live in private subnets with no direct internet exposure.
Deep technical explanation
Single ingress point. By funneling all SSH traffic through one host, security teams can monitor, audit, and revoke access from a single location rather than managing firewall rules across every server in the fleet.
Hardening requirements: A bastion should run no services other than SSH. Root login must be disabled. Password authentication must be disabled. Idle session timeouts should be enforced. Fail2ban or equivalent brute-force protection should be active.
Key forwarding vs ProxyJump: Two patterns exist for using a bastion. Agent forwarding passes your local SSH key through the bastion to the target server, convenient but risky, as a compromised bastion could hijack your key. ProxyJump is the modern, safer alternative: it creates a direct tunnel through the bastion without exposing the key to the intermediate host.
Ephemeral bastions. In modern cloud architectures, bastions are sometimes spun up on demand and destroyed after the session ends, further limiting the window of exposure.
Logging and alerting. Every connection through a bastion should be logged with a timestamp, source IP, target host, and user. Anomalous patterns, off-hours access, unusual source IPs, and high connection volume should trigger alerts.
Practical examples
- An engineer SSHs into bastion.company.com, which then proxies the connection to an internal database server at 10.0.1.45
- A CI/CD pipeline uses a bastion to deploy to production servers that have no public IPs
- A security audit reviews bastion logs to reconstruct who accessed which servers during an incident window
Why it matters
Without a bastion host, every server in your fleet needs a public IP and an open SSH port, each one a potential attack target. A bastion collapses due to exposure to a single, tightly controlled surface. It is the foundation of any serious infrastructure access control strategy.