Managed bastion hosts

β­οΈβ­οΈβ­οΈπŸ›¬ Landing ZoneApplication teams can use a managed service to access resources on private cloud networks using managed bastion hosts or gateway services. These gateways are hardened and centrally audited.

🚧 This capability reference page is a draft.


Managed bastion hosts are essential for running a “public” networking model (cloud networks connected only to the internet). Risks are high when application teams with little cloud experience build their own access solutions (e.g. outdated SSH implementations, weak ciphers, no central audit logging). Public IP ranges are continuously scanned and attacked.
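The risks named above are concrete enough to check for. The script below is an added example, not part of this capability reference or of any cloud foundation tooling: it parses an sshd_config and flags the settings a self-built access host typically gets wrong (weak ciphers, MACs and key-exchange groups, root login, password authentication). The two sample configurations and the weak-algorithm lists are constructed here for illustration.

```python
"""Audit an sshd_config for the mistakes self-built bastion hosts commonly make.

Added example for the capability reference, not code from the page or from any
cloud foundation tooling; the sample configs, the weak-algorithm lists and the
expected values are constructed here for illustration.
"""
import re

# Constructed sample of a weakly configured self-built bastion (not a real host).
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-512,hmac-md5
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
X11Forwarding yes
"""

# Constructed sample of a hardened bastion configuration.
HARDENED_SSHD_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
X11Forwarding no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
LogLevel VERBOSE
"""

# Algorithms widely regarded as weak: CBC-mode and RC4 ciphers, MD5/SHA-1 MACs,
# and Diffie-Hellman key exchange with a 1024-bit group or SHA-1.
WEAK_ALGORITHMS = {
    "Ciphers": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"},
    "MACs": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"},
    "KexAlgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1"},
}

# Values a bastion should set explicitly.
EXPECTED_VALUES = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
}

# OpenSSH defaults PasswordAuthentication to yes, so leaving it unset is a finding too.
UNSAFE_IF_UNSET = {"PasswordAuthentication": "unset (OpenSSH default is yes)"}


def parse_sshd_config(text):
    """Parse sshd_config text into {lowercased directive: value}.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored. Match blocks and Include directives are not handled.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        config.setdefault(parts[0].lower(), parts[1].strip())
    return config


def audit_sshd_config(text):
    """Return sorted (directive, offending value) findings for an sshd_config."""
    config = parse_sshd_config(text)
    findings = []
    for directive, weak in WEAK_ALGORITHMS.items():
        configured = config.get(directive.lower())
        if configured is None:
            continue  # OpenSSH's built-in default list applies; not checked here
        # OpenSSH allows a leading '+', '-' or '^' to modify the default list.
        for algo in configured.lstrip("+-^").split(","):
            if algo.strip() in weak:
                findings.append((directive, algo.strip()))
    for directive, expected in EXPECTED_VALUES.items():
        value = config.get(directive.lower())
        if value is None:
            if directive in UNSAFE_IF_UNSET:
                findings.append((directive, UNSAFE_IF_UNSET[directive]))
        elif value.lower() != expected:
            findings.append((directive, value))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
```

Run it against /etc/ssh/sshd_config on a candidate host or as a pre-flight check in a pipeline. A centrally managed bastion service removes the need for every application team to get these settings right on their own, which is the point of offering one.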

Cloud foundation teams may get away with not offering dedicated bastion hosts when running a private or hybrid networking model (connections always originate from on-premises). Offering them is still recommended for security and auditing.

There are two main implementation strategies for building bastion hosts

Currently, no tool implementations are documented. Contributions welcome!