What is a Bastion Server?

Table of Contents

    Cybersecurity 101 Categories

    Access Control

    48 Posts

    Application Security

    17 Posts

    Authentication

    73 Posts

    Compliance

    9 Posts

    Cyber Threats

    59 Posts

    Endpoint Security

    11 Posts

    General Security

    28 Posts

    IoT Security

    17 Posts

    Network Security

    49 Posts

    Networking

    25 Posts

    Zero Trust

    27 Posts
    Back to Cybersecurity Center

    What is a Bastion Server and Why is it Used?

    A bastion server (or bastion host) is a special-purpose computer designed and configured to withstand attacks. It acts as a secure gateway between a public network (like the internet) and a private network, enabling administrators to access internal systems without exposing those systems directly to external threats.

    Primary Purpose of a Bastion Host

    The main role of a bastion server is to act as the only point of entry into a protected network. Rather than allowing direct SSH or RDP access to critical systems, administrators connect to the bastion server first. Once authenticated and verified, they can then use the bastion host as a springboard—or “jump point”—to reach other servers within the internal network.

    This layered access model significantly improves network security. Even if an attacker gains access to the bastion server, they’d still need to bypass additional authentication and controls to reach the actual target systems.

    Typical Use Cases

    • Cloud environments (e.g., AWS, Azure, GCP) where internal subnets are intentionally isolated.

    • Regulated industries requiring auditable, controlled administrative access.

    • Remote administration of systems in private networks, such as production environments or sensitive databases.

    Key Characteristics

    • Hardened configuration: Minimal installed software and services to reduce the attack surface.

    • Limited access: Usually only allows SSH (Linux) or RDP (Windows) access and restricts incoming IP addresses.

    • Monitoring and logging: All access through the bastion should be logged and monitored for suspicious activity.

    • Multi-factor authentication (MFA): Often required to ensure that even stolen credentials are not enough to gain entry.

    Why Not Just Use a VPN?

    While VPNs can also provide secure access, they often extend network access more broadly than necessary. Bastion servers enforce least-privilege access by giving users control over specific resources rather than the entire network, making them a more precise and auditable access mechanism.

    How Does a Bastion Server Work in a Cloud Environment (Like AWS, Azure, or GCP)?

    In cloud environments such as AWS, Microsoft Azure, and Google Cloud Platform (GCP), a bastion server serves as a controlled entry point to access virtual machines (VMs) or resources in private subnets—those not directly reachable from the internet.

    Cloud Bastion Host Architecture

    A typical setup involves:

    • A public subnet with the bastion server exposed via a public IP.

    • One or more private subnets housing sensitive VMs or workloads.

    • Network security groups (NSGs) or firewall rules tightly controlling traffic.

    • Optional session logging or integration with cloud-native auditing tools.

    Platform-Specific Features

    • AWS: Use EC2 instances as bastion hosts. Combine with AWS Systems Manager Session Manager for secure, auditable shell access without exposing SSH ports.

    • Azure: Offers Azure Bastion, a fully managed PaaS solution that provides secure RDP and SSH access through the Azure Portal without public IPs on target VMs.

    • GCP: Often deploy Compute Engine instances as bastions, secured via Identity-Aware Proxy (IAP) or OS Login.

    Access Flow Example

    1. Admin connects to the bastion server using SSH (Linux) or RDP (Windows).

    2. Bastion verifies the user (often via MFA).

    3. Admin then initiates a session to a private VM.

    4. Bastion logs or audits the session (especially in enterprise setups).

    Benefits of Using Bastion Hosts in the Cloud

    • No public IPs on internal resources.

    • Centralized access point makes monitoring and logging straightforward.

    • Enables fine-grained access control—e.g., by IAM role, user, or group.

    Best Practice Tip

    Use ephemeral bastions—hosts that spin up on-demand and shut down after use—to further reduce your attack surface.

    What Are the Best Practices for Securing a Bastion Server?

    Despite their importance, bastion servers can become security liabilities if not properly managed. Here are best practices to keep your bastion server locked down:

    1. Restrict Access by IP

    Use firewall rules or security groups to whitelist only trusted IP ranges, such as static corporate office IPs or a VPN range. Never leave SSH or RDP open to the whole internet (0.0.0.0/0).

    2. Enforce Multi-Factor Authentication (MFA)

    Add a second authentication factor to reduce the risk of compromised credentials. For Linux, tools like Google Authenticator PAM, Duo, or SSH certificates are useful.

    3. Harden the Server

    • Disable unused services and ports.

    • Keep OS and software up to date with security patches.

    • Disable root login and use key-based authentication (not passwords).

    4. Enable Full Session Logging

    Log all commands and sessions via auditd, rsyslog, or tools like tlog and OSQuery. Forward logs to a central SIEM or log management platform for auditing.

    5. Monitor and Rotate Access Credentials

    • Regularly rotate SSH keys or access credentials.

    • Use centralized identity providers (IdPs) and avoid local users where possible.

    • Revoke access promptly when roles change or employees leave.

    6. Use One-Time Bastion Sessions (if possible)

    In environments like AWS, use Session Manager to avoid persistent SSH access altogether, making access ephemeral and easier to audit.

    7. Network Isolation

    Ensure the bastion server can only access designated internal resources and not the entire internal network.

    8. Auto-Termination

    For temporary maintenance, configure the bastion to shut down automatically after a fixed time period to minimize exposure.

    What’s the Difference Between a Bastion Host and a Jump Server?

    The terms bastion host and jump server are often used interchangeably, but there are subtle differences in usage and context—especially in enterprise IT.

    Bastion Host

    • Primary Use: Secure gateway between a public and private network.

    • Exposure: Usually has a public IP or is otherwise reachable from the internet.

    • Security Focus: Highly hardened and tightly controlled; designed to withstand direct exposure to threats.

    • Example: An SSH-accessible server in AWS that allows access to VMs in a private subnet.

    Jump Server (or Jump Box)

    • Primary Use: Internal hop point to connect between two private zones or between trusted environments.

    • Exposure: Typically not directly exposed to the internet. Often sits within the private network.

    • Security Focus: May be less hardened than a bastion; used more for convenience and internal segmentation.

    • Example: A Windows Server inside a corporate VPN that admins use to RDP into other internal servers.

    Key Differences

    Feature Bastion Host Jump Server
    Public Access Yes (usually) No (usually)
    Primary Function Public-to-private network gateway Private network hop-point
    Security Hardening High (must resist external threats) Moderate (internal threat model)
    Use in Cloud AWS/Azure bastion setups Often internal to VPC or VPN

    Overlap and Modern Usage

    In practice, many teams refer to either as a “bastion” or “jump box.” The distinction often depends on the context—cloud vs. on-prem, public-facing vs. internal, hardened vs. utility.

    Pro tip: In secure environments, both may be used in tandem—e.g., public bastion to access a private jump server that leads to sensitive production systems.