What is Bastion Host

Assume that you are creating a cluster or setting up some infrastructure in a public cloud environment. The public cloud environment allows you to provision a private, isolated section of the Cloud where you can launch various services and other resources in a virtual network that you define. We refer to this private network as a virtual private cloud (VPC).
The next important part of creating an infrastructure in the cloud is to provide a mechanism for secure connection and a communication channel to your VPC resources. There are a variety of considerations to design a secure communication channel to your VPC. The first decision that you might want to take is to provide an external IP address. You might want to assign an external IP address to some of the machines and services as your users would need to access them over the internet.
However, there are a variety of scenarios, when you do not want to assign an external IP to some of the instances in your VPC. For example, I created a Hadoop cluster for my development team in a VPC. I want my development teams to connect to some of these machines using an SSH tool. However, I don’t want to assign an external IP address to any of these machines to avoid various security risks. However, that gives me a new problem.
When instances do not have external IP addresses, they can only be reached by some other instances on the network. How to allow my development teams, sitting in a corporate network, to access these machines over an SSH connection?
The most convenient method is to provide an instance in your network to act as a trusted relay for inbound connections. We call that instance a Bastion Host.

What is Bastion host?

Anything that provides perimeter access control security can be considered as the Bastion Host or Bastion Server. In fact, a Bastion host also known as a Jump Box is a particular purpose computer on a network that acts as a proxy server and allows the client machines to connect to the remote server. The Bastion hosts are used in cloud environments as a server to provide access to a private network from an external network such as the Internet. Since it is exposed to potential attack, a Bastion host must be protected against the chances of penetration.

How Bastion host works?

Bastion hosts are there to provide a point of entry into a network containing private network instances. The following figure shows the details of how a Bastion server works.

bastion server architecture — Fig.1- Bastion Server Architecture

As shown in the figure, all your isolated instances have only internal IP addresses in your VPC. However, the Bastion host instance has an external IP address as well as an internal IP address. If you need to access instances on the internal network that do not have an external IP address, you can connect to a Bastion host and then connect to your internal instances from that Bastion host. This method uses a two-step SSH connection. Since the Bastion host uses a two-step SSH connection, it allows you to connect to the development environment without external IPs and additional firewall rules. When using a bastion host, you log into the bastion host first, and then into your target private instance. Because of this two-step login, the bastion hosts are sometimes called "jump servers."
The Bastion host can be started and stopped to enable or disable inbound SSH communication from the Internet.

Bastion Host Best Practice

By default, SSH on your private instances as well as Bastion server is configured to use private keys for authentication. When you connect to some other cases from a bastion host instance, you still require a private key. The easiest method is to keep a copy of the private key of the users in the bastion host. This method is simple but not a recommended, because if the bastion host is compromised, all the private keys associated with the users will also be compromised. The answer to the problem is to use the SSH agent forwarding in the implementation of bastion hosts.
The best practice is to use the ssh-agent forwarding instead of storing the target machine's private key on the bastion host. You must use the ssh-agent forwarding even if you are using the same key-pair for both bastion and target instances.
Other than the use of Agent Forwarding, you should also take great care of hardening the security for the Bastion server. You must remove all unnecessary packages and installations from the Bastion host. It should only host that is essential.

How SSH Agent Forwarding works?

The ssh-agent is a helper program that keeps track of user's identity keys such as SSH private key. The agent can then use the keys to log into other servers without having the user type in a password. By default, the agent uses SSH keys stored in the .ssh directory under the user's home directory. The ssh-add command is used for adding new private keys to the agent that are stored outside the .ssh directory.
Furthermore, the SSH protocol implements agent forwarding. Agent forwarding is a mechanism for single sign-on that can progress transitively. The SSH single sign-on works independent of organizational boundaries and geography. SSH agent forwarding can easily implement single sign-on to servers on the other side of the world, in cloud services, or at customer premises. No central coordination is needed. All you need to do is to set the ForwardAgent option as yes on the client, and the AllowAgentForwarding option set to yes on the server. That’s it. Everything else works seamlessly.
You can use the following sequence of activities to use the SSH Agent forwarding from a Linux machine.

Make sure that your Public SSH Key is configured to both the Linux Bastion host and to the instancesthat do not have an external IP address. You can follow your Cloud provider’s document to get this configured.
Start the ssh-agent on your local machine. On most Linux systems, ssh-agent is automatically configured, and no additional actions are required to use it.
Use the ssh-add command to load your private SSH key from your local computer into the agent.

Connect to the Linux bastion host instance and forward your private keys with ssh. The -A argument sets the ForwardAgentoptions to yes and enablesprivate key forwarding.

Connect to the instance that does not have an external IP address by using SSH.

If the connection is successful, you can use the terminal to run commands on the instance that does not have an external IP address.When you are done, you can use the exit command to close each instance connection and return to your local workstation.

SSH Agent Forwardingon Windows

If you are using a windows machine, you might have to use an SSH tool such as Putty. The process is the same as Linux machine.

Start Putty and enter your Bastion Host IP address.
Go to connections, SSH, Auth and browse your Private Key file.
Select the Allow agent forwarding to checked state.
Connect to your Bastion server.
Connect to the instance that does not have an external IP address by using SSH.

ssh agent forwarding — Fig.2- ssh Agent Forwarding

Advantages & Disadvantages

The Bastion Host has the following advantages.

It provides a single point for the logins in the network. This makes the firewall rules simple.
It would be easier to log all the attempts and take necessary measures for failing attempts.
It simplifies authentication via SSO.
It is an easy and quick method for small to medium sized teams.

The Bastion Host has following limitation.

It is generally used only for SSH access to remote servers. To access applications running on a private network, for example, on port 8080, Bastion is not the solution

Bastion Alternatives

Bastion Host is just one alternative to provide a secure connection to your VPC resources. Cloud VPN is the other most commonly used alternative toextend your existing network to theVPC. The VPN allows direct routing of traffic from your premises to the private IP interfaces of VPC. The traffic is encrypted transmitted over public links to the Cloud.

What is Bastion Host