What is a Bastion Host? Why do we use it? How do we implement it?

Prasanna Nayak
3 min read · Jun 30, 2021


What is a Bastion Host?

A bastion host is a special-purpose server or instance that is deliberately configured to withstand attacks, because it is the one machine exposed to the outside. It is also known as a ‘jump box’: it behaves like a proxy server that lets client machines reach a remote server. It is essentially a gateway between the private subnet and the internet: it lets a user connect to the private network from an external network and relays that connection to the other instances.

» Bastion hosts are instances that sit within your public subnet and are typically accessed using SSH or RDP.

» Once remote connectivity has been established with the bastion host, it acts as a jump server within your VPC.

» It essentially acts as a bridge from the internet to your private instances.

Why do we use it?

The complete scenario goes like this. Suppose there is a cluster of instances in your network. The public cloud lets you carve out a private, isolated section of the cloud in which you launch your other services; this section is known as a VPC (Virtual Private Cloud). You now want a secure communication channel into that VPC. There are several ways to get one. The first option you might reach for is an external IP address: you can assign some services an external IP address so that they are reachable over the internet. But some users do not want to expose external IP addresses and prefer to connect to the VPC over SSH for more security. If you do not assign external IP addresses, the remaining alternative is to create one more instance on the network that becomes the gateway between the private network and the internet. It acts as a trusted relay for inbound connections. This instance is the bastion host.
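The layout described above has three properties worth checking before anyone relies on it: the bastion in the public subnet accepts SSH only from the administrators' network, every instance in the private subnet has no public IP, and those private instances accept SSH only from the bastion. The script below is an added example, not code from the post; it audits a constructed inventory shaped after the post's two instances. The admin range 198.51.100.0/24, the `sg:bastion` label, and the record layout are all assumptions, and the record layout is a simplified stand-in rather than the cloud provider's API format.

```python
# Added example (not from the post): audit a constructed two-subnet inventory
# against the bastion pattern. The record shape is a simplified stand-in for
# what you would pull from the cloud API, not the EC2 API format itself.
from ipaddress import ip_network

# Constructed sample data mirroring the post's two instances.
ADMIN_CIDR = "198.51.100.0/24"   # assumed admin network that may reach the bastion
BASTION_SG = "sg:bastion"        # assumed label for the bastion's security group

INSTANCES = [
    {"name": "pub-sub", "subnet": "public", "public_ip": "203.0.113.10",
     "ssh_ingress": [ADMIN_CIDR]},
    {"name": "pvt-sub", "subnet": "private", "public_ip": None,
     "ssh_ingress": [BASTION_SG]},
]


def check_instance(inst, admin_cidr=ADMIN_CIDR, bastion_sg=BASTION_SG):
    """Return a list of findings; an empty list means the instance fits the pattern."""
    findings = []
    name = inst["name"]
    if inst["subnet"] == "public":
        # The bastion is the one host reachable from outside, so its SSH port
        # must be open to the admin range only, never to the whole internet.
        admin = ip_network(admin_cidr)
        for src in inst["ssh_ingress"]:
            if src.startswith("sg:"):
                continue  # source is another security group, not a CIDR
            net = ip_network(src, strict=False)
            if net.prefixlen == 0:
                findings.append(f"{name}: SSH open to the whole internet ({src})")
            elif net.version != admin.version or not net.subnet_of(admin):
                findings.append(f"{name}: SSH allowed from {src}, outside the admin range")
    else:
        # Private-subnet instances have no public IP and accept SSH only from the bastion.
        if inst["public_ip"]:
            findings.append(f"{name}: private-subnet instance has public IP {inst['public_ip']}")
        for src in inst["ssh_ingress"]:
            if src != bastion_sg:
                findings.append(f"{name}: SSH allowed from {src}, not only from the bastion")
    return findings


def audit(instances):
    """Run check_instance over the whole inventory and collect every finding."""
    findings = []
    for inst in instances:
        findings.extend(check_instance(inst))
    return findings


if __name__ == "__main__":
    for line in audit(INSTANCES) or ["no findings: layout follows the bastion pattern"]:
        print(line)
```

Feeding the script the constructed inventory produces no findings; replacing the bastion's ingress with 0.0.0.0/0, or giving pvt-sub a public IP, produces one finding per violated property, which is exactly the drift a bastion design is meant to prevent.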

How do we implement it?

Connect to an instance in a private subnet through the bastion host

Let’s get started:

1. Launch two instances: one in the public subnet and one in the private subnet.
(Screenshot: instance with public IP)
(Screenshot: instance without public IP)

Now you can log in to the pub-sub instance from your terminal, but you can’t log in to the pvt-sub instance, because it has no public IP.

2. Log in to pub-sub and create a key pair file there for accessing pvt-sub: copy the contents of pvt-sub’s .pem (key pair) file into a file named sample.pem.

3. Restrict the permissions on sample.pem so that only its owner can read it; SSH rejects a private key that other users can read.

4. Now log in to the pvt-sub instance from the pub-sub terminal and check the IP addresses of both instances.

We have logged in to the pvt-sub instance successfully through the bastion host.
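The steps above copy pvt-sub’s private key onto the bastion. The script below is an added example, not code from the post, showing the same jump done from the workstation with OpenSSH’s ProxyJump (`ssh -J`), so that the bastion only forwards the connection and the private key never leaves the administrator’s machine. It also turns step 3 into a check that mirrors what SSH itself enforces. The addresses 203.0.113.10 and 10.0.1.25, the user name ec2-user, and the key paths are assumptions.

```python
# Added example (not from the post): the same jump, done with OpenSSH ProxyJump
# from the workstation so that pvt-sub's private key never has to be copied
# onto the bastion. Addresses, user name and key paths are assumptions.
import os
import stat
import tempfile


def key_permissions_ok(path):
    """Step 3 as a check: the key must not be readable or writable by group/others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def build_ssh_config(bastion_ip, private_ip, bastion_key, private_key, user="ec2-user"):
    """Return an ~/.ssh/config fragment so that `ssh pvt-sub` hops through the bastion.

    ProxyJump opens a TCP forward through the bastion; authentication to pvt-sub
    still happens end to end with the key that stays on the workstation.
    """
    return (
        "Host bastion\n"
        f"    HostName {bastion_ip}\n"
        f"    User {user}\n"
        f"    IdentityFile {bastion_key}\n"
        "    IdentitiesOnly yes\n"
        "\n"
        "Host pvt-sub\n"
        f"    HostName {private_ip}\n"
        f"    User {user}\n"
        f"    IdentityFile {private_key}\n"
        "    IdentitiesOnly yes\n"
        "    ProxyJump bastion\n"
    )


def ssh_command(bastion_ip, private_ip, private_key, user="ec2-user"):
    """One-shot equivalent of the config: `ssh -J` names the bastion as the jump host."""
    return ["ssh", "-i", private_key, "-J", f"{user}@{bastion_ip}", f"{user}@{private_ip}"]


def demo():
    """Create a throwaway key file, run the permission check, and return the config."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write("-----BEGIN CONSTRUCTED PLACEHOLDER KEY-----\n")  # not a real key
        path = f.name
    try:
        os.chmod(path, 0o644)
        before = key_permissions_ok(path)   # False: group and others can read it
        os.chmod(path, 0o400)
        after = key_permissions_ok(path)    # True: owner read-only, what step 3 sets
    finally:
        os.unlink(path)
    config = build_ssh_config("203.0.113.10", "10.0.1.25",
                              "~/.ssh/pub-sub.pem", "~/.ssh/pvt-sub.pem")
    return before, after, config


if __name__ == "__main__":
    before, after, config = demo()
    print(f"permissions ok before chmod 400: {before}, after: {after}")
    print(config)
    print(" ".join(ssh_command("203.0.113.10", "10.0.1.25", "~/.ssh/pvt-sub.pem")))
```

With the generated fragment appended to ~/.ssh/config, `ssh pvt-sub` connects through the bastion without a separate login to it first, and the bastion’s security group can stay limited to the administrators’ range while pvt-sub’s accepts SSH only from the bastion.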

Written by Prasanna Nayak

AWS Architect and DevOps Engineer
