When should I use a Bastion Host?



  • It is common practice to use bastion hosts to access "internal" cloud infrastructure. I thought it might be good to have a discussion of when you should use a bastion.

    We have two types of instances that we may support: instances that support internal networking, like EC2, and instances that don't support internal networking.

    You can use a bastion host with either type of instance, although we usually think of a bastion host as a way to connect to an internal network.

    Bastions also make centralized logging easy and command history is stored in a single place.

    Are you using a bastion or simply whitelisting ssh/rdp traffic to your cloud instance?

    Also, are any of you using bastion hosts for on-prem access?



  • The whitelisting is probably a lot easier with Okta. But if you set up your SSH config for your profile you can use the bastion host automatically so it's probably 6 and half dozen.
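    The "set up your SSH config so the bastion is used automatically" approach mentioned above, as an added example that is not from the thread or any poster. It assumes OpenSSH's ProxyJump, one bastion per environment (the "different bastion for different environments" option discussed later), and placeholder host names, users and key paths.

    ```sshconfig
    # Added example ~/.ssh/config (not from the thread). All host names, users
    # and key paths are hypothetical placeholders.

    # Bastions: the only hosts that need to be reachable from the internet.
    # Each environment gets its own bastion and its own key pair.
    Host bastion-prod
        HostName bastion-prod.example.com
        User ops
        IdentityFile ~/.ssh/bastion-prod_ed25519
        IdentitiesOnly yes
        ForwardAgent no          # the bastion never needs our agent

    Host bastion-staging
        HostName bastion-staging.example.com
        User ops
        IdentityFile ~/.ssh/bastion-staging_ed25519
        IdentitiesOnly yes
        ForwardAgent no

    # Private instances: ProxyJump opens a TCP forward through the bastion and
    # runs the real SSH session end-to-end, so the bastion only relays bytes and
    # never sees the instance key. The target name is resolved on the bastion,
    # so internal DNS does not need to resolve from the laptop.
    Host *.prod.internal
        ProxyJump bastion-prod
        User deploy
        IdentityFile ~/.ssh/prod_ed25519
        IdentitiesOnly yes

    Host *.staging.internal
        ProxyJump bastion-staging
        User deploy
        IdentityFile ~/.ssh/staging_ed25519
        IdentitiesOnly yes

    # Keeps the bastion's own sshd from being reachable by typo: patterns above
    # are matched first, so anything else falls through to the defaults here.
    Host *
        HashKnownHosts yes
        StrictHostKeyChecking ask
    ```

    With this in place `ssh web-1.prod.internal` goes through bastion-prod without any extra flags, and `ssh -G web-1.prod.internal` prints the effective options so you can confirm which bastion and key a given name will use.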



  • @stacksofplates said in When should I use a Bastion Host?:

    The whitelisting is probably a lot easier with Okta. But if you set up your SSH config for your profile you can use the bastion host automatically so it's probably 6 and half dozen.

    Is this with Okta Advanced Server Access?



  • @wrx7m said in When should I use a Bastion Host?:

    @stacksofplates said in When should I use a Bastion Host?:

    The whitelisting is probably a lot easier with Okta. But if you set up your SSH config for your profile you can use the bastion host automatically so it's probably 6 and half dozen.

    Is this with Okta Advanced Server Access?

    I'm not sure exactly what @IRJ is using. I just know he uses Okta. But with any zero trust whitelisting is easier because it isn't necessarily IP based.



  • @stacksofplates said in When should I use a Bastion Host?:

    @wrx7m said in When should I use a Bastion Host?:

    @stacksofplates said in When should I use a Bastion Host?:

    The whitelisting is probably a lot easier with Okta. But if you set up your SSH config for your profile you can use the bastion host automatically so it's probably 6 and half dozen.

    Is this with Okta Advanced Server Access?

    I'm not sure exactly what @IRJ is using. I just know he uses Okta. But with any zero trust whitelisting is easier because it isn't necessarily IP based.

    I am not looking for a solution with this post, I just wanted to discuss in what situations you use a bastion. Do you use a different bastion for different environments or do you just do a single bastion and more granular control permissions with group permissions?



  • @IRJ said in When should I use a Bastion Host?:

    @stacksofplates said in When should I use a Bastion Host?:

    @wrx7m said in When should I use a Bastion Host?:

    @stacksofplates said in When should I use a Bastion Host?:

    The whitelisting is probably a lot easier with Okta. But if you set up your SSH config for your profile you can use the bastion host automatically so it's probably 6 and half dozen.

    Is this with Okta Advanced Server Access?

    I'm not sure exactly what @IRJ is using. I just know he uses Okta. But with any zero trust whitelisting is easier because it isn't necessarily IP based.

    I am not looking for a solution with this post, I just wanted to discuss in what situations you use a bastion. Do you use a different bastion for different environments or do you just do a single bastion and more granular control permissions with group permissions?

    We use different bastion host(s) for each use case. We often need special access to customer systems, so we isolate that to a single host per task.



  • We usually do a Bastion Server when we need to connect to other servers that are only allowed from one IP address, or we just VPN and then connect to the server.

