What is a Bastion Host?
Architecture of Bastion Host
In the above architecture we have a public subnet and a private subnet. The NAT instance sits behind a security group, while the NAT Gateway sits outside it: a NAT instance is configured with a security group, whereas a NAT Gateway does not require one and is also redundant. When an instance in the private subnet wants to reach the internet, it does so through either the NAT instance or the NAT Gateway. Now, what typically happens when we want to administer the environment? We use SSH or RDP, where SSH is for Linux and RDP is for Windows. The connection goes through the internet gateway, the router, the route table, the network ACL and the security group, and finally reaches the Bastion host. The Bastion host then opens a connection to a private EC2 instance over SSH or RDP. We need to harden the Bastion host, and harden it as strongly as possible; as long as the Bastion host is hardened, we do not have to worry about hardening our instances. Hardening a Bastion host reduces the surface area that we have to harden.
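As an added example (not part of the original article), here is a small Python audit of the security-group chain just described: the Bastion host's inbound rules should admit only SSH/RDP from an admin range, and the private instances should admit SSH/RDP only from the Bastion host's security group, never from a CIDR. The rule dicts follow the shape boto3's describe_security_groups returns; the group ids, the admin CIDR and the sample rules are constructed for the example.

```python
# Added example: audit the bastion -> private-instance security-group chain.
# Rule dicts mimic boto3 describe_security_groups() output; all values are constructed.

ADMIN_CIDRS = {"203.0.113.0/24"}  # assumed admin office range (TEST-NET-3, a placeholder)
ADMIN_PORTS = {22, 3389}          # SSH for Linux, RDP for Windows


def audit_bastion_sg(sg: dict) -> list:
    """Bastion inbound rules: only single-port SSH/RDP, and only from admin CIDRs."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if lo is None or lo != hi or lo not in ADMIN_PORTS:  # port range or all-traffic rule
            findings.append(f"{sg['GroupId']}: inbound ports {lo}-{hi} are not SSH/RDP")
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if cidr not in ADMIN_CIDRS:  # catches 0.0.0.0/0 and any non-admin range
                findings.append(f"{sg['GroupId']}: port {lo} reachable from {cidr}, not an admin CIDR")
    return findings


def audit_private_sg(sg: dict, bastion_sg_id: str) -> list:
    """Private instances: SSH/RDP only from the bastion's SG, never from a CIDR or other group."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        lo = perm.get("FromPort")
        if lo not in ADMIN_PORTS:
            continue
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"{sg['GroupId']}: port {lo} open to CIDR {cidr}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != bastion_sg_id:
                findings.append(f"{sg['GroupId']}: port {lo} open to group {pair.get('GroupId')}, not the bastion")
    return findings


# Constructed sample: a correctly scoped bastion SG, and a private SG with one RDP mistake.
BASTION_SG = {"GroupId": "sg-bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}
PRIVATE_SG = {"GroupId": "sg-private", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for finding in audit_bastion_sg(BASTION_SG) + audit_private_sg(PRIVATE_SG, "sg-bastion"):
        print(finding)  # prints the single RDP finding for sg-private
```

Against live data, feed each group from describe_security_groups()["SecurityGroups"] into the matching function; the network ACL on the same path is not covered here.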
Some Key Points related to Bastion Host