When should I use a Bastion Host?
-
It is common practice to use bastion hosts to access "internal" cloud infrastructure. I thought it might be good to have a discussion of when you should use a bastion.
We have two types of instances that we may support: instances that support internal networking, like EC2, and instances that don't support internal networking.
You can use a bastion host with either type of instance, although we usually think of a bastion host as a way to connect to an internal network.
Bastions also make centralized logging easy, and command history is stored in a single place.
Are you using a bastion, or simply whitelisting SSH/RDP traffic to your cloud instances?
Also, are any of you using bastion hosts for on-prem access?
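Added example (not from any poster in this thread) for the centralized-logging point above: a small triage script over constructed sshd auth-log lines from a bastion. It flags logins whose source IP is outside the allowlist you would also put in the bastion's security group, password rather than key auth, and a success that follows failed attempts from the same IP. Users, IPs and the allowlist CIDR are hypothetical.

```python
"""Triage a bastion's sshd auth log: who got in, from where, and whether
the source IP was on the allowlist. Added example for this thread, not
code from any poster. The log lines are constructed samples in OpenSSH's
standard syslog format; hosts, users, IPs and CIDRs are hypothetical."""
import ipaddress
import re

# Constructed sample lines (hypothetical users, RFC 5737 test addresses).
SAMPLE_LOG = """\
Mar  3 09:12:01 bastion sshd[2231]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:abc
Mar  3 09:12:02 bastion sshd[2231]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)
Mar  3 09:15:40 bastion sshd[2290]: Failed password for root from 198.51.100.77 port 40011 ssh2
Mar  3 09:15:43 bastion sshd[2290]: Failed password for invalid user admin from 198.51.100.77 port 40012 ssh2
Mar  3 09:16:10 bastion sshd[2301]: Accepted password for bob from 198.51.100.77 port 40100 ssh2
Mar  3 09:30:00 bastion sshd[2231]: Disconnected from user alice 203.0.113.5 port 51234
"""

# Hypothetical corporate egress ranges: the same CIDRs you would allow in the
# bastion's security group, so anything else reaching sshd deserves a look.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)")
FAILED = re.compile(
    r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)")


def in_allowlist(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def triage(log_text):
    """Walk the log in order and return (logins, failures, alerts).

    logins:   one dict per accepted login (method, user, ip, port, allowed_source)
    failures: failed attempts per source IP
    alerts:   findings a bastion operator would want to read
    """
    logins, failures, alerts = [], {}, []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            rec = m.groupdict()
            rec["allowed_source"] = in_allowlist(rec["ip"])
            logins.append(rec)
            if not rec["allowed_source"]:
                alerts.append(f"login for {rec['user']} from non-allowlisted {rec['ip']}")
            if rec["method"] != "publickey":
                alerts.append(f"non-key auth ({rec['method']}) for {rec['user']} from {rec['ip']}")
            prior = failures.get(rec["ip"], 0)
            if prior:
                # A success right after failures from the same source looks like guessing that worked.
                alerts.append(f"success for {rec['user']} from {rec['ip']} after {prior} failed attempts")
            continue
        m = FAILED.search(line)
        if m:
            failures[m.group("ip")] = failures.get(m.group("ip"), 0) + 1
    return logins, failures, alerts


if __name__ == "__main__":
    _, _, found = triage(SAMPLE_LOG)
    for a in found:
        print("ALERT:", a)
```

Because every session has to pass through the one host, the same three checks cover every internal server behind it; with per-instance whitelisting you would have to collect and correlate auth logs from each instance first.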
-
The whitelisting is probably a lot easier with Okta. But if you set up your SSH config for your profile you can use the bastion host automatically, so it's probably six of one, half a dozen of the other.
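Added example (not any poster's code) for the "set up your SSH config" point above, and for the one-bastion-per-environment layout raised later in the thread: a constructed ~/.ssh/config with a prod and a staging jump host, plus a resolver that reports which ProxyJump and user ssh will use for a destination. It implements the rule ssh itself applies, namely that Host blocks are matched in file order and the first value obtained for an option wins, so the specific entries sit above the wildcards. Host names, addresses and users are hypothetical.

```python
"""Resolve what an ssh_config does for a destination: which ProxyJump
(bastion) it takes and which user it logs in as. Added example for this
thread, not any poster's code. Follows ssh's own rule: Host blocks are
tried in file order with shell-style patterns, and the FIRST value
obtained for an option wins. Match blocks are not handled. All host
names, addresses and users are hypothetical."""
import fnmatch
import re

# Constructed ~/.ssh/config with one bastion per environment.
# Addresses are RFC 5737 test ranges.
SAMPLE_CONFIG = """
# Jump hosts, one per environment
Host bastion-prod
    HostName 192.0.2.10
    IdentityFile ~/.ssh/prod_ed25519

Host bastion-stg
    HostName 192.0.2.20
    IdentityFile ~/.ssh/stg_ed25519

# A host whose security group already whitelists our egress IP: no jump needed
Host pub-web
    HostName 203.0.113.50
    User deploy

# Everything in an environment goes through that environment's bastion
Host *.prod.internal
    ProxyJump bastion-prod
    User ops

Host *.stg.internal
    ProxyJump bastion-stg
    User ops

# Defaults last: only used when no earlier block set the option.
# ProxyJump does not need agent forwarding, so keep the agent off the bastion.
Host *
    User me
    ForwardAgent no
    IdentitiesOnly yes
"""


def parse(config_text):
    """Return [(patterns, {option: value}), ...] in file order."""
    blocks, patterns, opts = [], ["*"], {}   # options before any Host line apply everywhere
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1]
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = val.split(), {}
        else:
            opts.setdefault(key, val)   # first occurrence within a block wins too
    blocks.append((patterns, opts))
    return blocks


def host_matches(patterns, host):
    """ssh semantics: a matching negated pattern (!x) vetoes the block;
    otherwise the block applies if any positive pattern matches."""
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatch.fnmatchcase(host, p[1:]):
                return False
        elif fnmatch.fnmatchcase(host, p):
            matched = True
    return matched


def resolve(config_text, host):
    """Effective options for `host` (lower-cased keys), first value wins."""
    effective = {}
    for patterns, opts in parse(config_text):
        if host_matches(patterns, host):
            for k, v in opts.items():
                effective.setdefault(k, v)
    return effective


def jump_path(config_text, host, max_hops=8):
    """Expand ProxyJump aliases to the chain ssh will build, bastion first.
    Assumes one jump per ProxyJump line (no comma-separated lists)."""
    chain, seen = [host], {host}
    while len(chain) <= max_hops:
        nxt = resolve(config_text, chain[-1]).get("proxyjump")
        if not nxt or nxt.lower() == "none" or nxt in seen:   # `seen` guards against loops
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain[::-1]


if __name__ == "__main__":
    for target in ("db1.prod.internal", "cache.stg.internal", "pub-web", "example.org"):
        eff = resolve(SAMPLE_CONFIG, target)
        print(f"{target}: via {' -> '.join(jump_path(SAMPLE_CONFIG, target))}, "
              f"user={eff.get('user')}, forwardagent={eff.get('forwardagent')}")
```

On a real machine, cross-check with `ssh -G db1.prod.internal`, which prints the configuration ssh actually resolved for that destination (including Match blocks, which this resolver ignores). If the `Host *` block were moved to the top, its `User me` would win for every host, which is the ordering mistake this first-value-wins rule bites people with.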
-
@stacksofplates said in When should I use a Bastion Host?:
The whitelisting is probably a lot easier with Okta. But if you set up your SSH config for your profile you can use the bastion host automatically, so it's probably six of one, half a dozen of the other.
Is this with Okta Advanced Server Access?
-
@wrx7m said in When should I use a Bastion Host?:
@stacksofplates said in When should I use a Bastion Host?:
The whitelisting is probably a lot easier with Okta. But if you set up your SSH config for your profile you can use the bastion host automatically, so it's probably six of one, half a dozen of the other.
Is this with Okta Advanced Server Access?
I'm not sure exactly what @IRJ is using. I just know he uses Okta. But with any zero trust setup, whitelisting is easier because it isn't necessarily IP-based.
-
@stacksofplates said in When should I use a Bastion Host?:
@wrx7m said in When should I use a Bastion Host?:
@stacksofplates said in When should I use a Bastion Host?:
The whitelisting is probably a lot easier with Okta. But if you set up your SSH config for your profile you can use the bastion host automatically, so it's probably six of one, half a dozen of the other.
Is this with Okta Advanced Server Access?
I'm not sure exactly what @IRJ is using. I just know he uses Okta. But with any zero trust setup, whitelisting is easier because it isn't necessarily IP-based.
I am not looking for a solution with this post; I just wanted to discuss in what situations you use a bastion. Do you use a different bastion for different environments, or do you just use a single bastion with more granular control via group permissions?
-
@IRJ said in When should I use a Bastion Host?:
@stacksofplates said in When should I use a Bastion Host?:
@wrx7m said in When should I use a Bastion Host?:
@stacksofplates said in When should I use a Bastion Host?:
The whitelisting is probably a lot easier with Okta. But if you set up your SSH config for your profile you can use the bastion host automatically, so it's probably six of one, half a dozen of the other.
Is this with Okta Advanced Server Access?
I'm not sure exactly what @IRJ is using. I just know he uses Okta. But with any zero trust setup, whitelisting is easier because it isn't necessarily IP-based.
I am not looking for a solution with this post; I just wanted to discuss in what situations you use a bastion. Do you use a different bastion for different environments, or do you just use a single bastion with more granular control via group permissions?
We use a different bastion host (or hosts) for each use case. We often need special access to customer systems, so we isolate that to a single host per task.
-
We usually use a bastion server when we need to connect to other servers that are only allowed from one IP address, or we just VPN and then connect to the server.