100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

What is a Bastion Host and Why Do You Need One?

Learn what a bastion host is, how it hardens SSH access, and why it shrinks a private network's attack surface — with an interview-ready answer.

mediumQ181 of 224 in DevOps Est. time: 6 minsLast updated:
Open Code Lab

Expected Interview Answer

A bastion host is a purpose-built, hardened server placed at the edge of a private network that acts as the single, monitored entry point administrators must pass through via SSH or RDP before reaching any internal server, so that private instances never need a direct public IP or open inbound port.

Instead of exposing every database or application server directly to the internet, only the bastion host has a public IP and an open SSH port, typically restricted to a known IP range or corporate VPN. Administrators SSH into the bastion first, then hop from there into private subnet instances that have no route to the public internet inbound. Because all administrative access funnels through one hardened, heavily logged host, security teams get a single choke point for auditing, multi-factor authentication, and session recording, and can shrink the attack surface dramatically compared to exposing dozens of internal hosts. Managed alternatives like AWS Systems Manager Session Manager or a cloud provider's bastion service remove even the need for an open SSH port on the bastion itself, brokering the connection over an outbound-only agent instead.

  • Drastically reduces the internet-facing attack surface
  • Centralizes access logging and session auditing to one point
  • Keeps private/internal servers with no public IP at all
  • Enables enforcing MFA and IP allowlisting at a single choke point

AI Mentor Explanation

A bastion host is like the single players' entrance gate at a stadium that every player, coach, and staff member must pass through before reaching the dressing rooms, rather than each dressing room having its own door onto the street. Security only needs to guard and log that one gate heavily, instead of watching a dozen separate doors around the stadium. Once through the gate, staff move freely to their specific rooms, but nobody reaches those rooms without first being checked at the gate. A single well-guarded entrance is far easier to secure than many scattered ones.

Step-by-Step Explanation

  1. Step 1

    Place the bastion in a public subnet

    The bastion is the only host with a public IP and an open SSH port, restricted by security group/IP allowlist.

  2. Step 2

    Keep private instances unreachable from the internet

    Database and application servers sit in private subnets with no inbound route from outside.

  3. Step 3

    SSH into the bastion, then hop inward

    Administrators authenticate to the bastion first, then use SSH agent forwarding or a second hop to reach private hosts.

  4. Step 4

    Log and audit every session

    Centralize logging, MFA, and session recording on the bastion since it is the single choke point for all admin access.

What Interviewer Expects

  • Clear explanation of why private servers should not have public IPs
  • Understanding of the single-hop-then-jump access pattern
  • Awareness of managed alternatives like AWS Session Manager
  • Knowledge of hardening/logging requirements specific to the bastion

Common Mistakes

  • Giving every internal server its own public IP "for convenience"
  • Leaving SSH open to 0.0.0.0/0 on the bastion instead of an IP allowlist/VPN
  • Not enabling session logging or MFA on the bastion
  • Treating the bastion as just another regular server instead of hardening it specially

Best Answer (HR Friendly)

A bastion host is a single, carefully locked-down server that acts as the front door to our private network — engineers SSH into it first, and only from there can they reach internal servers, which themselves have no public IP at all. That means we only have to secure and monitor one entry point instead of exposing every internal machine to the internet, which massively reduces our attack surface.

Code Example

SSH through a bastion host with ProxyJump
# ~/.ssh/config
Host bastion
  HostName bastion.example.com
  User ec2-user
  IdentityFile ~/.ssh/id_ed25519

Host internal-db
  HostName 10.0.2.15
  User ec2-user
  ProxyJump bastion
  IdentityFile ~/.ssh/id_ed25519

# One command hops through the bastion transparently
ssh internal-db

Follow-up Questions

  • How does AWS Systems Manager Session Manager remove the need for an open SSH port?
  • What logging and MFA controls belong on a bastion specifically?
  • How would you set up SSH agent forwarding safely through a bastion?
  • What is the risk if the bastion host itself gets compromised?

MCQ Practice

1. What is the primary purpose of a bastion host?

A bastion host concentrates administrative access at one hardened, heavily logged host so internal servers never need public exposure.

2. Why should internal servers avoid having public IP addresses when a bastion is in use?

Keeping internal servers on private subnets with no public IP means the only host attackers can even attempt to reach is the bastion.

3. What is a managed alternative to a traditional SSH bastion host?

Session Manager uses an outbound-only agent, avoiding the need to open any inbound SSH port even on the bastion.

Flash Cards

What is a bastion host?A hardened, single entry-point server administrators pass through to reach private network hosts.

Why do private servers avoid public IPs when using a bastion?To eliminate direct internet reachability and shrink the attack surface.

What access pattern does a bastion enable?SSH into the bastion first, then hop to internal hosts from there.

Name a managed bastion alternative.AWS Systems Manager Session Manager, which needs no open inbound port.

1 / 4

Continue Learning