Bastion Hosts: A Practical Guide to Locking Down Access to Your Infrastructure

Published June 18, 2026
Reading time 8 min

The problem every growing company hits

The moment you have servers, databases, or internal tools running in the cloud, you face a deceptively simple question: how do people connect to them safely?

The lazy answer is to give each server a public IP address and open SSH (port 22) or RDP (port 3389) to the world. It works on day one. It is also one of the most common ways companies get breached. Automated bots scan the entire internet for exposed SSH and RDP ports around the clock, hammering them with stolen and guessed credentials.

A bastion host is one of the oldest, simplest, and most battle-tested answers to that question.

What is a bastion host?

A bastion host (also called a jump server, jump box, or jump host) is a single, hardened server that sits at the edge of your network and acts as the only doorway into your private infrastructure.

Instead of exposing every machine to the internet, you expose exactly one — the bastion — and lock everything else away in a private network with no public access at all. To reach a database or an application server, an engineer first connects to the bastion, and then “jumps” from the bastion to the internal resource.

Think of it as the security desk in the lobby of a building. Nobody walks straight into the offices upstairs. Everyone checks in at one controlled, monitored entrance first.

How a bastion protects your infrastructure

A well-configured bastion gives you several concrete security wins:

  • Drastically reduced attack surface. Your databases, app servers, and internal tools have no public IP and accept no inbound connections from the internet. The only thing an attacker can even see is the bastion. You went from defending dozens of doors to defending one.
  • A single point to harden. Because there’s only one entry point, you can pour your effort into making it bulletproof: key-only authentication (no passwords), multi-factor authentication, OS hardening, minimal installed software, and aggressive patching.
  • A single point to monitor and audit. Every session into your environment flows through one place. That makes logging, session recording, and “who accessed what, and when” auditing far easier — which matters enormously for SOC 2, PCI-DSS, HIPAA, and similar compliance requirements.
  • Centralized access control. Grant or revoke a person’s access in one place instead of across every server. When an employee leaves, you cut them off at the door.
  • Network segmentation that actually holds. Your private subnets stay private. Even if a public-facing web app is compromised, the attacker still can’t freely SSH around your backend.

What a good bastion setup looks like

A bastion is only as strong as its configuration. Best practices include:

  1. Key-based authentication only — disable password logins entirely.
  2. Multi-factor authentication (MFA) on top of keys.
  3. Locked-down firewall rules — allow inbound access only from known IP ranges (your office, your VPN) where possible.
  4. Minimal footprint — no unnecessary services or software running on the box.
  5. Full session logging and, ideally, session recording.
  6. Automatic patching and short-lived, regularly rotated credentials.
  7. No long-term data stored on the bastion — it’s a doorway, not a workspace.
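As an added example (not the article's own code), a small Python audit that checks an sshd_config against items 1, 2, 4 and 5 of the list above. It assumes MFA is implemented as a PAM second factor over keyboard-interactive, and it also flags the one setting that would break the ProxyJump hop through the bastion described earlier.

```python
"""Audit an OpenSSH sshd_config against the bastion checklist above (added
example; required values are assumptions for a key + PAM-MFA bastion)."""
import re

# keyword -> (OpenSSH default, required value, checklist item it enforces)
EXPECTED = {
    "passwordauthentication": ("yes", "no", "1. key-based auth only"),
    "permitrootlogin": ("prohibit-password", "no", "1. key-based auth only"),
    "pubkeyauthentication": ("yes", "yes", "1. key-based auth only"),
    "kbdinteractiveauthentication": ("yes", "yes", "2. MFA via PAM second factor"),
    "loglevel": ("info", "verbose", "5. logging (VERBOSE records key fingerprints)"),
    "x11forwarding": ("no", "no", "4. minimal footprint"),
}

def parse_sshd_config(text):
    """Global keyword -> value map. As in sshd, the first occurrence of a
    keyword wins; Match blocks are conditional and not evaluated here."""
    settings = {}
    for line in text.splitlines():
        parts = re.split(r"[\s=]+", line.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # everything after the first Match block is conditional
        settings.setdefault(key, value)
    return settings

def audit_bastion_sshd(text):
    """Return a list of findings; an empty list means the config passes."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (default, required, item) in EXPECTED.items():
        actual = cfg.get(key, default)
        if actual != required:
            findings.append(f"{key}={actual}, want {required} ({item})")
    # Every AuthenticationMethods alternative must chain a key with a second
    # factor, e.g. "publickey,keyboard-interactive"; unset means key-only.
    alts = [a.split(",") for a in cfg.get("authenticationmethods", "").split()]
    if not alts or any("publickey" not in a or len(a) < 2 for a in alts):
        findings.append("authenticationmethods must be publickey + second factor (2. MFA)")
    # Jumping through the bastion (ssh -J / ProxyJump) needs TCP forwarding.
    if cfg.get("allowtcpforwarding", "yes") == "no":
        findings.append("allowtcpforwarding=no breaks ProxyJump through the bastion")
    return findings

# Constructed samples: an exposed default-style box vs. a bastion config.
WEAK_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\nX11Forwarding yes\n"
HARDENED_CONFIG = ("PermitRootLogin no\nPasswordAuthentication no\n"
                   "AuthenticationMethods publickey,keyboard-interactive\n"
                   "LogLevel VERBOSE\nMatch User deploy\nAllowTcpForwarding no\n")
```

The per-user `AllowTcpForwarding no` under `Match` is deliberately not flagged; uncomment it into global scope and the audit reports it.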

The alternatives — and how bastions rank against them

A bastion is a great tool, but it is not the only one, and in 2026 it is often not the best one on its own. Here’s an honest comparison of the main approaches.

1. Public IPs on every server (the anti-pattern)

What it is: Exposing SSH/RDP directly to the internet on each machine.
Verdict: Don’t. This is the baseline a bastion exists to replace. Highest risk, no centralized control, no real audit trail.

2. VPN (Virtual Private Network)

What it is: Engineers connect into your private network through an encrypted tunnel (OpenVPN, WireGuard, IPsec), then reach internal resources as if they were on the local network.
Strengths: Mature, well-understood, covers more than just SSH (databases, internal web apps, file shares).
Weaknesses: Once you’re “on the VPN,” you often have broad network access — a flatter, more trusting model. Managing a VPN, its certificates, and its access rules adds operational overhead.
vs. bastion: VPNs and bastions solve overlapping problems and are frequently used together (VPN for network reach, bastion for a controlled, audited SSH choke point).

3. Zero Trust Network Access (ZTNA) / Identity-Aware Proxies

What it is: Modern services (Cloudflare Access, Google BeyondCorp, Teleport, StrongDM) that grant access per-application, per-user, based on verified identity and device posture — “never trust, always verify.” No broad network access is implied.
Strengths: Fine-grained, identity-based access; excellent auditing; great user experience; no flat network to over-trust.
Weaknesses: More moving parts; often a paid SaaS; requires more upfront design.
vs. bastion: This is where the industry is heading. ZTNA can replace much of what a bastion does while granting less implicit trust. For mature or compliance-heavy environments, it often ranks above a plain bastion.

4. Cloud-native session managers

What it is: Tools built into the cloud platform itself — AWS Systems Manager Session Manager, Azure Bastion, GCP Identity-Aware Proxy — that broker access to instances without you running or exposing a server at all.
Strengths: No bastion to patch or manage; no open ports (not even to a bastion); access governed by cloud IAM; logging built in. Often the lowest-maintenance, most secure option if you’re on that cloud.
Weaknesses: Cloud-specific (lock-in); occasional feature gaps for unusual workflows.
vs. bastion: For teams already on AWS, Azure, or GCP, these often outrank a self-managed bastion — you get the bastion’s benefits without owning the box.

5. Mesh VPN / overlay networks

What it is: Tools like Tailscale or WireGuard that create a private, encrypted mesh between your devices and servers, with identity-based access controls.
Strengths: Simple to set up, no open inbound ports, strong encryption, good access controls, low cost.
Weaknesses: Newer operational model for some teams; you’re trusting a coordination service.
vs. bastion: For small-to-mid teams, a mesh VPN often delivers bastion-level (or better) security with far less maintenance.

So — where do bastions rank?

Here’s the honest summary we’d give a client:

| Approach | Security | Maintenance | Best for |
|---|---|---|---|
| Public IP everywhere | ❌ Poor | Low | Nobody |
| Bastion host | ✅ Good | Medium | Teams needing a simple, proven SSH choke point |
| VPN | ✅ Good | Medium–High | Broad network access needs |
| Mesh VPN (Tailscale/WireGuard) | ✅✅ Strong | Low | Small–mid teams wanting low-ops security |
| Cloud session manager (SSM/Azure Bastion/IAP) | ✅✅ Strong | Very Low | Teams already on a major cloud |
| ZTNA / identity-aware proxy | ✅✅✅ Strongest | Medium | Mature, compliance-driven orgs |

Bottom line: A bastion host is a solid, time-tested upgrade over exposing servers directly, and for many teams it is exactly the right amount of security for the cost. But it is no longer automatically the best option. If you’re already on AWS, Azure, or GCP, a cloud-native session manager usually gives you the same protection with almost no maintenance. If you want the strongest, most future-proof model, Zero Trust access ranks highest. The right choice depends on your cloud, your team size, your compliance needs, and how much operational overhead you want to own.

How PLECCO helps

Choosing and implementing the right access model is exactly the kind of unglamorous-but-critical infrastructure work that gets deferred until something breaks. At PLECCO, we help fast-moving businesses lock down their infrastructure, pay down tech debt, and put the right access controls in place — whether that’s a hardened bastion, a migration to cloud-native session management, or a full Zero Trust rollout — without the overhead of building an internal platform team.

Wondering whether a bastion is right for your setup — or whether you’ve already outgrown one? Let’s talk.

About the Author

Jason is a highly skilled software architect with outstanding problem-solving skills and 16+ years of software development experience. His specialities include, among other things, system integrations and information security. Jason is a strong technical leader who has helped lead teams to complete complex projects successfully.
