What is a bastion?

A bastion (often called a bastion host or jump host) is a specially hardened computer that sits between an external network (like the internet) and a private internal network. It is the single, controlled entry point through which administrators reach the servers inside the protected zone, usually over SSH or RDP; the internal servers themselves accept administrative connections only from the bastion, not from the outside.

Let's break it down

  • External network - the public internet, where anyone can try to connect.
  • Firewall - allows inbound connections only to the bastion, and only on its administrative port (typically SSH on TCP 22), ideally restricted to known administrator addresses; everything else is blocked.
  • Bastion host - a locked-down server that runs only the services it needs (no web server, no database, no unnecessary accounts); it authenticates every administrator and logs every connection.
  • Internal network - the private servers and resources that you want to keep hidden from the outside.
  • Secure protocol - administrators connect to the bastion first (e.g., via SSH) and hop from there to the internal machines. With OpenSSH this is usually done with the ProxyJump option, which tunnels the second connection through the bastion so that the administrator's private key never has to be copied onto the bastion itself.
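
The pattern above is easy to state and easy to break, so a practitioner usually wants a check that the firewall rules really do funnel everything through the bastion. The following is an added example, not code from the original page: it models allow rules as (source, destination, port) and reports every rule that lets outside traffic reach anything but the bastion's SSH port, that opens the bastion to ranges other than the administrators' own, or that lets an internal host's SSH/RDP port be reached from anywhere except the bastion. The host labels, the admin range (an RFC 5737 documentation range) and both rule sets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Everything named here is constructed for the example.
BASTION = "bastion"                 # label of the bastion host
INTERNAL_HOSTS = {"app01", "db01"}  # labels of hosts in the private network
# Address range administrators connect from (RFC 5737 documentation range).
ADMIN_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
BASTION_PORT = 22          # the single service the bastion exposes (SSH)
ADMIN_PORTS = {22, 3389}   # SSH and RDP on the internal hosts


@dataclass(frozen=True)
class Rule:
    """One firewall allow rule: `src` may reach `dst` on TCP `port`.

    `src` is a CIDR string for traffic arriving from outside the protected
    zone, or a host label for traffic that originates inside it.
    """
    src: str
    dst: str
    port: int


def _as_network(src: str):
    """Return an ip_network for a CIDR source, or None for a host label."""
    try:
        return ipaddress.ip_network(src, strict=False)
    except ValueError:
        return None


def check_bastion_policy(rules):
    """Return the rules that break the bastion pattern, as readable strings.

    The pattern checked:
      1. Outside traffic may only reach the bastion, only on BASTION_PORT,
         and only from an approved admin range (never from 0.0.0.0/0).
      2. Admin ports on internal hosts accept connections only from the bastion.
    An empty list means the rule set fits the pattern.
    """
    violations = []
    for r in rules:
        where = f"{r.src} -> {r.dst}:{r.port}"
        net = _as_network(r.src)
        if net is not None:                       # traffic from outside
            if r.dst != BASTION:
                violations.append(f"{where}: internal host exposed to the outside")
            elif r.port != BASTION_PORT:
                violations.append(f"{where}: extra port open on the bastion")
            elif not any(net.subnet_of(admin) for admin in ADMIN_CIDRS):
                violations.append(f"{where}: bastion reachable from a non-admin range")
        elif r.dst in INTERNAL_HOSTS and r.port in ADMIN_PORTS and r.src != BASTION:
            violations.append(f"{where}: admin access that bypasses the bastion")
    return violations


# A rule set that follows the pattern (constructed).
GOOD_RULES = [
    Rule("203.0.113.0/24", BASTION, 22),   # admins -> bastion, SSH only
    Rule(BASTION, "app01", 22),            # bastion -> internal hosts
    Rule(BASTION, "db01", 22),
    Rule("app01", "db01", 5432),           # application traffic, not admin access
]

# The same rule set with four typical misconfigurations added (constructed).
BAD_RULES = GOOD_RULES + [
    Rule("0.0.0.0/0", BASTION, 22),         # bastion open to the whole internet
    Rule("203.0.113.0/24", BASTION, 8080),  # a second service on the bastion
    Rule("198.51.100.0/24", "db01", 22),    # internal host reachable directly
    Rule("app01", "db01", 22),              # SSH path that skips the bastion
]

if __name__ == "__main__":
    print("good rules:", check_bastion_policy(GOOD_RULES) or "no violations")
    for v in check_bastion_policy(BAD_RULES):
        print("bad rules:", v)
```

The check deliberately treats any CIDR source as "outside" and any host label as "inside", which keeps the model small; in a real cloud security group or iptables export you would map the vendor's rule format onto `Rule` first. Note that the last bad rule (SSH from one internal host to another) is the one most often missed in practice, because it never touches the internet-facing firewall at all.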

Why does it matter?

A bastion host shrinks the attack surface: only one machine, running one service, is exposed to the internet instead of every internal server's management port. Because every administrative session passes through it, it is also a single place to enforce strong authentication (keys or MFA), to keep a clear audit trail of who accessed what and when, and to stop unauthorized users before they ever reach sensitive systems.
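
That audit trail is only useful if someone actually reads it. As an added example (not code from the original page), here is a small parser for the bastion's sshd log that turns the raw lines into a who-logged-in-from-where record and raises alerts for three things a bastion should never show: a burst of failed logins from one source, a successful password login on a host that should be key-only, and a successful login from outside the administrators' range. The log lines follow the standard OpenSSH syslog format but are constructed for this example, as is the admin range (an RFC 5737 documentation range) and the brute-force threshold.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field

# Where administrators are expected to connect from (assumed; RFC 5737 range).
ADMIN_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
BRUTE_FORCE_THRESHOLD = 3   # failed attempts from one source before alerting (assumed)

# Syslog prefix written by OpenSSH: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


@dataclass
class AuthSummary:
    logins: list = field(default_factory=list)           # (timestamp, user, ip, method)
    failures_by_ip: Counter = field(default_factory=Counter)
    alerts: list = field(default_factory=list)


def _from_admin_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_CIDRS)


def summarize_auth_log(lines):
    """Parse sshd log lines into an AuthSummary (audit trail plus alerts)."""
    summary = AuthSummary()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # not an sshd line; ignore it
        ts, msg = m["ts"], m["msg"]
        acc = ACCEPTED.match(msg)
        fail = FAILED.match(msg)
        if acc:
            summary.logins.append((ts, acc["user"], acc["ip"], acc["method"]))
            if acc["method"] == "password":
                summary.alerts.append(
                    f"{ts}: password login for {acc['user']} from {acc['ip']} (bastion should be key-only)")
            if not _from_admin_range(acc["ip"]):
                summary.alerts.append(
                    f"{ts}: login for {acc['user']} from {acc['ip']} outside the admin range")
        elif fail:
            summary.failures_by_ip[fail["ip"]] += 1
            if summary.failures_by_ip[fail["ip"]] == BRUTE_FORCE_THRESHOLD:
                summary.alerts.append(
                    f"{ts}: {BRUTE_FORCE_THRESHOLD} failed logins from {fail['ip']} (possible brute force)")
    return summary


# Constructed sample log in OpenSSH's syslog format; the fingerprint is a placeholder.
SAMPLE_LOG = """\
Jan 10 09:12:01 bastion sshd[2210]: Accepted publickey for alice from 203.0.113.7 port 51022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jan 10 09:12:05 bastion systemd[1]: Started session 14 of user alice.
Jan 10 09:14:30 bastion sshd[2251]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Jan 10 09:14:33 bastion sshd[2251]: Failed password for root from 198.51.100.9 port 40022 ssh2
Jan 10 09:14:37 bastion sshd[2253]: Failed password for invalid user oracle from 198.51.100.9 port 40031 ssh2
Jan 10 09:20:12 bastion sshd[2301]: Accepted password for bob from 192.0.2.44 port 40111 ssh2
Jan 10 09:30:45 bastion sshd[2210]: Disconnected from user alice 203.0.113.7 port 51022
""".splitlines()

if __name__ == "__main__":
    result = summarize_auth_log(SAMPLE_LOG)
    for login in result.logins:
        print("login:", *login)
    for alert in result.alerts:
        print("ALERT:", alert)
```

Because the bastion is the only way in, this one log answers "who accessed the internal network, from where, and how" for the whole environment; that is the compliance and forensic value the page refers to, and it is also why the bastion's logs should be shipped off the host, so that an attacker who does compromise it cannot erase them.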

Where is it used?

  • Cloud platforms (AWS, Azure, Google Cloud), to reach instances in the private subnets of a virtual private cloud or virtual network without giving those instances public addresses.
  • Corporate data centers that need remote admin access.
  • Any environment with a DMZ (demilitarized zone) separating public services from internal resources.
  • Small businesses that want a simple way to secure remote connections.

Good things about it

  • Centralizes and simplifies remote access management.
  • Can be heavily hardened and monitored, making it a strong security checkpoint.
  • Provides detailed logs for compliance and forensic analysis.
  • Limits exposure: only the bastion is reachable from the internet, not the whole network.

Not-so-good things

  • Becomes a single point of failure for administrative access (if it is down, nobody can get in) and a high-value target: if the bastion is compromised, the attacker gains a foothold from which every internal server's management port is reachable.
  • Requires regular patching, hardening, and monitoring, which adds operational overhead.
  • Misconfiguration (e.g., opening extra ports, allowing SSH from any address instead of known administrator ranges, or leaving password authentication enabled) can defeat its purpose.
  • Adds an extra hop, so administrators may see some added latency and connection setup friction.