Bastion Host

Securely control and monitor privileged access to critical systems through a hardened gateway server.

Last updated: June 2026

The Short Answer

A bastion host is a hardened, internet-facing server that acts as a single controlled entry point into a private network. Administrators connect to the bastion host first, typically via SSH or RDP, and from there reach internal systems that remain shielded from direct internet exposure.

Also called a jump box or jump server, a bastion host sits at the boundary between an untrusted external network and a secured internal environment.


Quick Reference

Quick Summary

Field           Detail
Category        Network access control / Privileged Access Management (PAM)
Also known as   Jump box, jump server
Related to      PAM, Zero Trust, IAM, DMZ, Least Privilege
Primary use     Secure remote admin access to private or cloud-hosted infrastructure
Key benefit     Eliminates direct internet exposure of internal servers

Why It Matters for Access Security

Every server exposed to the internet is a potential target. A bastion host contains that exposure to a single, purpose-built machine, rather than leaving dozens of internal systems individually reachable.

For identity and access governance, this matters because the bastion host becomes the enforced chokepoint for privileged access. All remote sessions pass through it, which means authentication, logging, and access control can be applied consistently in one place, rather than managed separately across every internal resource.

Organizations running infrastructure in AWS, Azure, or GCP frequently use bastion hosts as the standard method for reaching private cloud subnets without opening those subnets to the public internet.


How a Bastion Host Works

The access flow follows a consistent pattern:

  1. External connection
    An admin initiates a connection from the public internet to the bastion host's public IP or DNS address.
  2. Authentication at the gateway
    The bastion host verifies the user's identity, typically requiring SSH key-based login and/or multi-factor authentication (MFA).
  3. Session established
    Once authenticated, the user is inside a controlled session on the bastion host.
  4. Pivot to internal systems
    From the bastion, the admin can SSH, RDP, or otherwise connect to internal servers, databases, or VMs that are not directly reachable from outside. For SSH, the admin's private key should stay on the workstation: the client's ProxyJump option (ssh -J) relays the second hop through the bastion, so no key is stored on the bastion and agent forwarding is not needed.
  5. Session logged
    All activity is recorded on the bastion host for audit purposes.

Direct connections to internal systems from the internet are blocked at the firewall level; the bastion is the only permitted path in.
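Step 5 is only useful if someone reads the logs. The Python script below is an added example, not code from the original page: it runs the kind of check a detection team applies to bastion sshd logs once they have been shipped to a central system. It parses the standard OpenSSH "Accepted" and "Failed" syslog lines, flags successful logins from outside an admin IP allowlist, flags password logins (a key-only bastion should never produce one), and counts failures per source address to surface brute forcing. The log lines, the allowlist 203.0.113.0/24, and the threshold of three failures are constructed for the example.

```python
"""Detection checks over bastion sshd logs shipped to a central system.

Added example, not from the original page. The log lines, the admin
allowlist and the failure threshold are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Standard OpenSSH auth messages (emitted at LogLevel INFO or higher).
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def analyze_auth_log(lines, admin_cidrs, fail_threshold=3) -> dict:
    """Return accepted logins, failures per source IP, and a list of alerts.

    Alerts fire when a login succeeds from outside the admin allowlist, when
    a login succeeds with a password (a key-only bastion should never emit
    one), and when one source fails fail_threshold or more times.
    """
    allowlist = [ipaddress.ip_network(c) for c in admin_cidrs]
    accepted: list[tuple[str, str, str]] = []
    failures: Counter[str] = Counter()
    alerts: list[str] = []

    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            ip = ipaddress.ip_address(m["ip"])
            accepted.append((m["user"], str(ip), m["method"]))
            if not any(ip in net for net in allowlist):
                alerts.append(f"{m['user']} logged in from {ip}, outside the admin allowlist")
            if m["method"] == "password":
                alerts.append(
                    f"{m['user']} logged in with a password from {ip}: key-only policy not enforced"
                )
            continue
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1

    for ip, count in failures.items():
        if count >= fail_threshold:
            alerts.append(f"{count} failed logins from {ip}: possible brute force")
    return {"accepted": accepted, "failed_by_ip": dict(failures), "alerts": alerts}


# Constructed sample lines in syslog format, as forwarded from a bastion.
SAMPLE_LOG = [
    "Mar  4 10:12:01 bastion sshd[2104]: Accepted publickey for alice from 203.0.113.10 port 51422 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT1",
    "Mar  4 10:12:01 bastion sshd[2104]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)",
    "Mar  4 10:15:33 bastion sshd[2211]: Failed password for root from 198.51.100.7 port 40012 ssh2",
    "Mar  4 10:15:35 bastion sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 40018 ssh2",
    "Mar  4 10:15:37 bastion sshd[2215]: Failed password for invalid user oracle from 198.51.100.7 port 40020 ssh2",
    "Mar  4 10:40:09 bastion sshd[2390]: Accepted publickey for bob from 192.0.2.55 port 60123 ssh2: RSA SHA256:EXAMPLEFINGERPRINT2",
    "Mar  4 11:02:14 bastion sshd[2450]: Accepted password for carol from 203.0.113.22 port 50001 ssh2",
]

ADMIN_ALLOWLIST = ["203.0.113.0/24"]  # constructed: the office / VPN exit range

if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_LOG, ADMIN_ALLOWLIST)
    for user, ip, method in report["accepted"]:
        print(f"accepted {user} from {ip} via {method}")
    for alert in report["alerts"]:
        print("ALERT:", alert)
```

On the sample input the script reports three accepted logins and three alerts: bob's login from 192.0.2.55 is outside the allowlist, carol's password login shows the key-only policy is not being enforced, and 198.51.100.7 has hit the failure threshold. Because the analysis runs on forwarded copies of the log, it still works if the bastion itself is later tampered with.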


Core Security Characteristics

A bastion host is not a general-purpose server. It is deliberately stripped down and hardened:

  • Minimal attack surface
    Only the services needed for remote access (SSH, RDP) are enabled. Everything else is removed or disabled.
  • Hardened operating system
    Unnecessary software, ports, user accounts, and network services are eliminated.
  • Strict firewall rules
    Inbound access is restricted to known, approved IP ranges. Outbound rules are equally tight.
  • MFA enforcement
    SSH key pairs replace passwords, and MFA is required on top of the key, so a stolen key alone does not grant entry.
  • Comprehensive session logging
    Every connection attempt and active session is recorded, supporting compliance and forensic review.
  • No sensitive data stored locally
    The bastion host is a transit point, not a data repository.

Key Benefits for Identity and Access Governance

  • Centralized access control
    One machine enforces the access policy for all privileged remote sessions
  • Reduced attack surface
    Internal servers have no public-facing exposure
  • Audit-ready session logs
    Centralized logging simplifies compliance for frameworks like SOC 2, HIPAA, and ISO 27001
  • Least-privilege enforcement
    Access through the bastion can be scoped to specific internal targets per user role
  • Faster incident response
    All privileged sessions flow through a single point, making anomaly detection and session termination straightforward



Where Bastion Hosts Are Used

Cloud infrastructure access
In AWS, Azure, and GCP environments, bastion hosts (or managed equivalents like AWS Systems Manager Session Manager) provide the standard secure path to instances in private subnets. No public IP is needed on the internal VM.

Financial services
Banks and financial institutions use bastion hosts to gate admin access to core banking systems and trading infrastructure, satisfying regulatory requirements for access logging and segregation.

Healthcare
Hospitals and health systems rely on jump servers to isolate clinical and patient-data systems from direct internet exposure, supporting HIPAA audit trail requirements.

SaaS and tech companies
Engineering teams use bastion hosts to manage production databases and application servers without exposing those systems to the internet or to broad internal network access.


Bastion Host vs. VPN: What's the Difference?

Both a bastion host and a VPN provide remote access to private networks, but they work differently and serve different use cases.

Access model
  Bastion host: Session-by-session, proxied through a single server
  VPN: Tunnel; the client's device is placed on the private network (full or split tunnel)
Scope of access
  Bastion host: Limited to what the bastion is permitted to reach
  VPN: Broad network access once connected, unless narrowed by additional firewall policy
Audit logging
  Bastion host: Connection and authentication events are logged on the bastion by default; command-level session recording needs extra tooling
  VPN: Connection logs only; activity logging depends on additional tooling
Best for
  Bastion host: Privileged admin access, cloud VM management
  VPN: General employee remote work
Zero Trust alignment
  Bastion host: Higher; explicit per-session control
  VPN: Lower; network-level trust once connected

For privileged access management, bastion hosts are generally preferred over VPNs because they enforce session-level controls rather than granting network-level trust.


Implementation Considerations

Deploying a bastion host effectively requires more than standing up a server:

  1. Place it correctly
    The bastion host should sit in a DMZ or public subnet, with firewall rules ensuring it cannot reach any more of the internal network than it needs to.
  2. Lock down inbound access
    Restrict source IPs to known admin networks or VPN exit nodes where possible. Avoid allowing the entire internet to reach the bastion host port.
  3. Use SSH key authentication
    Disable password-based SSH login entirely. Enforce MFA as an additional layer.
  4. Run nothing extra
    Any service running on the bastion host is an additional attack vector. Strip the OS to the minimum required.
  5. Patch aggressively
    As a publicly exposed server, the bastion host must stay current on security updates.
  6. Log to an external system
    Store session logs off the bastion host itself, so they cannot be tampered with if the host is compromised.
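Steps 3 through 6 above, together with the checklist under "Core Security Characteristics", map onto a small set of sshd_config directives. The Python audit below is an added example, not code from the original page: it parses an sshd_config the way sshd does (the first value for a directive wins, and directives after a Match block are conditional), compares the result with a bastion baseline, and lists findings for a stock-looking config next to a hardened one. The directive names are real OpenSSH options; the baseline values, the two sample configs and the bastion-admins group name are this example's assumptions.

```python
"""Audit an sshd_config against a bastion-host hardening baseline.

Added example, not from the original page. Directive names are real OpenSSH
options; the baseline values and sample configs are this example's assumptions.
"""
from __future__ import annotations

import re

# Value each directive must have on a hardened bastion. "__present__" means
# the directive only has to exist (used for the login allowlist).
BASELINE: dict[str, str] = {
    "PasswordAuthentication": "no",         # keys only; nothing to guess
    "PermitRootLogin": "no",                # admins log in as themselves
    "PubkeyAuthentication": "yes",
    "KbdInteractiveAuthentication": "yes",  # carries the PAM MFA prompt (e.g. TOTP)
    "AuthenticationMethods": "publickey,keyboard-interactive",  # key AND MFA
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "AllowAgentForwarding": "no",  # keep admin keys off the box; use ProxyJump
    "AllowTcpForwarding": "yes",   # ProxyJump relays over a forwarded channel
    "LogLevel": "VERBOSE",         # records the key fingerprint on each login
    "AllowGroups": "__present__",  # only an explicit admin group may log in
}

# What OpenSSH assumes when a directive is absent. Directives missing here
# (AuthenticationMethods, AllowGroups) have no safe default and must be set.
DEFAULTS: dict[str, str] = {
    "PasswordAuthentication": "yes",
    "PermitRootLogin": "prohibit-password",
    "PubkeyAuthentication": "yes",
    "KbdInteractiveAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "AllowAgentForwarding": "yes",
    "AllowTcpForwarding": "yes",
    "LogLevel": "INFO",
}

# Older releases spell this directive ChallengeResponseAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global directives, keyed by lower-cased name.

    sshd keeps the first value it reads for a directive, and everything after
    the first Match block applies only conditionally, so parsing stops there.
    """
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments/whitespace
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue                                   # blank line or bare keyword
        key = parts[0].lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        effective.setdefault(key, parts[1].strip())    # first occurrence wins
    return effective


def audit_sshd_config(text: str) -> list[str]:
    """Return one finding per baseline violation; an empty list means compliant."""
    effective = parse_sshd_config(text)
    findings: list[str] = []
    for directive, wanted in BASELINE.items():
        actual = effective.get(directive.lower())
        if wanted == "__present__":
            if actual is None:
                findings.append(f"{directive} is not set: any valid key holder can log in")
            continue
        source = "explicit"
        if actual is None:
            actual, source = DEFAULTS.get(directive), "default"
        if actual is None or actual.lower() != wanted.lower():
            findings.append(f"{directive} is {actual!r} ({source}); expected {wanted!r}")
    return findings


# Constructed sample: a stock-looking server config, unsuitable for a bastion.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

# Constructed sample: the same host after hardening.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
AllowAgentForwarding no
AllowTcpForwarding yes
X11Forwarding no
LogLevel VERBOSE
AllowGroups bastion-admins
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The weak config produces seven findings, most of them from directives it never mentions: the audit scores OpenSSH's defaults, not just what is written down, because an omitted AllowAgentForwarding or LogLevel is still a weakness. AllowTcpForwarding stays enabled because ProxyJump relays the second hop over a forwarded channel; AllowAgentForwarding is off so an attacker on the bastion cannot borrow an admin's agent. Run the audit against /etc/ssh/sshd_config after every change, alongside sshd -t for syntax.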

Limitations and Risks

A bastion host concentrates access, and that creates its own risk profile:

  • High-value target
    Because all privileged access flows through it, the bastion host is an attractive target for attackers. A compromised bastion can expose everything behind it.
  • Single point of failure
    If the bastion host goes down, remote admin access is blocked. High-availability configurations (multiple bastion hosts, auto-recovery) are common in production environments.
  • Credential exposure
    Stolen SSH keys or credentials for the bastion host can give attackers deep network access. Key rotation and MFA are critical controls.
  • Operational overhead
    Maintaining a hardened host requires ongoing patching, monitoring, and access reviews.

Modern Privileged Access Management (PAM) platforms address many of these limitations by layering session recording, just-in-time access provisioning, and identity-based policy enforcement on top of traditional bastion host architecture.

Frequently Asked Questions

What is the difference between a bastion host and a firewall?
A firewall filters network traffic based on rules, and it blocks or allows connections. A bastion host is a server that users actively log into to reach internal systems. They serve complementary roles: the firewall blocks direct access to internal servers, and the bastion host provides the authorized path through.

Is a jump box the same thing as a bastion host?
Yes, "jump box" and "jump server" are informal terms for the same concept. The term "bastion host" is more common in formal security architecture and cloud documentation, while "jump box" is widely used by engineers and operations teams.

Is a bastion host better than a VPN?
For privileged admin access to specific servers, yes. A bastion host provides more granular session control than a VPN. However, a VPN grants broader network access for general remote work scenarios where employees need to reach many internal resources, not just specific admin targets.

Do cloud providers offer managed bastion hosts?
Yes. AWS offers Systems Manager Session Manager, which reaches instances through an agent with no inbound port or public IP on the instance; Azure provides Azure Bastion as a managed PaaS service; GCP offers Identity-Aware Proxy (IAP) TCP forwarding for VM access. These services handle much of the hardening and operational overhead but follow the same architectural principle.

Does a bastion host implement Zero Trust?
A bastion host aligns with some Zero Trust principles; it enforces explicit authentication and limits lateral movement. However, it does not implement full Zero Trust on its own. True Zero Trust access requires identity-based policy enforcement, continuous verification, and least-privilege access at the application layer, typically through a dedicated IAM or PAM platform.

How do you harden a bastion host?
Hardening involves: disabling all non-essential services and ports, removing unnecessary software and user accounts, enforcing SSH key authentication with MFA, applying strict inbound firewall rules (IP allowlisting), enabling full session logging to an external system, and maintaining a rigorous patching schedule.


Ready to Move Beyond the Basic Jump Box?

Traditional bastion hosts are a strong starting point, but they don't enforce just-in-time access, session recording, or identity-based policy out of the box. A modern PAM platform layers those controls on top, reducing the risk that comes with a single privileged gateway.