Unlocking Secure Access: A Complete Guide to Bastion Hosts on AWS

Tanseer KhanTanseer Khan
3 min read

When working with cloud infrastructure, one of the biggest concerns is how to securely access private servers without exposing them directly to the internet. This is where a Bastion Host (also known as a Jump Server) comes in. In this blog, we’ll explore what a Bastion Host is, why it’s used, how to set it up on AWS, and wrap up with some best practices.

What is a Bastion Host?

A Bastion Host is a special-purpose server used as a secure entry point to access resources inside a private network.

  • It sits between the public internet and your private servers.

  • You connect to the Bastion Host first, and from there, you can securely connect to other instances within the private subnet of your Virtual Private Cloud (VPC).

  • Think of it as a checkpoint — allowing controlled access instead of opening up your entire network to the internet.

Why is a Bastion Host Used?

A Bastion Host is a key component of a defense-in-depth security strategy. Here’s why it’s important:

  1. Enhanced Security

    • Private servers don’t need public IPs.

    • Only the Bastion Host is exposed to the internet, reducing the attack surface.

  2. Controlled Access

    • Acts as a gateway for administrators or developers to access internal servers.

    • All connections can be monitored and logged for auditing.

  3. Cost-Effective Alternative

    • Instead of adding expensive VPN solutions, a Bastion Host provides a simple, secure access method.

  4. Compliance & Governance

    • Helps organizations meet compliance requirements by limiting external exposure and centralizing access.

How to Set Up a Bastion Host on AWS

Here’s a step-by-step guide to setting up a Bastion Host in AWS:

1. Create a VPC with Public and Private Subnets

  • Public Subnet → Bastion Host lives here (accessible from the internet).

  • Private Subnet → Your application/database servers (accessible only via the Bastion Host).

2. Launch the Bastion Host (EC2 Instance)

  • Launch an EC2 instance in the public subnet.

  • Assign a public IP to this instance.

  • Use a lightweight OS like Amazon Linux 2 or Ubuntu for efficiency.

3. Configure Security Groups

  • Bastion Host Security Group:

    • Allow SSH (port 22) only from your trusted IP addresses.

  • Private Instance Security Group:

    • Allow SSH access only from the Bastion Host’s private IP.

4. Connect to the Bastion Host

ssh -i my-key.pem ec2-user@<Bastion-Public-IP>

5. Connect to Private Instances via Bastion

From the Bastion Host, you can now connect to private instances:

ssh -i my-key.pem ec2-user@<Private-Instance-IP>

6. (Optional) Use SSH Agent Forwarding

To avoid uploading your private key to the Bastion Host:

ssh -A ec2-user@<Bastion-Public-IP>
ssh ec2-user@<Private-Instance-IP>

Conclusion

A Bastion Host is a powerful yet simple way to secure your private resources on AWS. By acting as a controlled entry point, it minimizes risk, centralizes access, and strengthens your security posture.

While AWS also offers services like AWS Systems Manager Session Manager (which removes the need for a Bastion Host in some cases), the Bastion Host remains a tried-and-true solution for many organizations that want secure, auditable, and cost-effective access to private instances.

In short: If you care about security and want to protect your cloud infrastructure, a Bastion Host should be part of your architecture.

0
Subscribe to my newsletter

Read articles from Tanseer Khan directly inside your inbox. Subscribe to the newsletter, and don't miss out.

AWSec2serverlessBastion HostsCloud Computing

Written by

Tanseer Khan
Tanseer Khan