Bastion

What is a bastion host?

Also called bastion servers, a bastion host is a network server specially designed and configured to withstand cybersecurity attacks. The point of a bastion host is to give users access to a private network from external networks. As an externally positioned, security-dedicated server, a bastion host provides authorized users with access to the private network and acts as the only access path to those internal network resources.

How does a bastion host work?

A bastion host is usually established as a connection (or bridge) between a public network, such as the internet, and a private subnet. The bastion server is hardened by stripping away all unnecessary applications, ports, processes, and user accounts to allow it to focus on its primary purpose of secure access. Typically, a bastion host resides on its own subnet with a publicly accessible IP address.

When a user requires or requests access to an asset stored on the private subnet, they must establish a connection via the bastion host and go through an authentication process to ensure their authorization.

How is a bastion host important?

A bastion host allows an organization to use applications or services that don’t require direct internet access. Admin and user activity can be funneled through the bastion server without requiring a floating IP address, which reduces the network attack surface. Internal services and apps can be kept blocked off from public access and will not act as vulnerable attack vectors, increasing security layers.

Benefits of bastion host

Common use cases for a bastion host

A bastion can be used for database access, internal web application access, or processing any internal endpoints that should not receive direct network access. Bastion hosts can provide secure access to Linux instances located in the private and public subnets of a virtual private cloud or give developers access to a single virtual machine without giving them access to additional services.

Recommended for You