What is a Bastion Host?
- A Bastion Host is a special purpose computer on a host designed and configured to withstand attacks.
- The computer hosts a single application, for example, a proxy server and all the other services are removed to reduce the threat to the computer.
- A Bastion host is hardened due to its location and purpose, which is either on the outside of a firewall or demilitarized zone, i.e., public subnet and it usually accesses from untrusted networks or computers.
Architecture of Bastion Host
In the above architecture, we have public and private subnet. NAT instance exists behind the security group, and NAT Gateway exists after the security group as NAT instance is configured with the security group while NAT Gateway does not require any security group and it is also redundant. When an instance in a private subnet wants to access the internet, they do so either by NAT instance or NAT Gateway. Now, if we want to administer an environment, what typically happens?. We have got SSH or RDP where SSH is for Linux and RDP is for windows. It is going through internet gateway, router, route table, network ACL, security group, and finally to the Bastion server. Bastion server creates a connection to a private EC2 instance through SSH or RDP. We need to harden the Basten host and harden the Basten host as strong as possible, then we do not have to worry about hardening our instances as long as Bastion host is hardened. Hardening a Bastion host reduces the surface area that we want to harden.
Some Key Points related to Bastion Host
- Bastion Host is launched in Public subnets and acts as a proxy to the instances in a private subnet.
- It provides security by reducing the attacks on your infrastructure.
- A Bastion host is used to to administer EC2 instances using SSH or RDP securely. Bastion hosts are also known as jump boxes in Australia.
- You cannot use NAT Gateway as a Bastion host. If you SSH or RDP to an instance in a private subnet, you need to configure a Bastion host. You cannot use NAT Gateway.