Managed bastion hosts
🚧 This building block reference page is a draft.
Managed bastion hosts are essential when running a “public” networking model, in which cloud environments are connected only to the internet and have no private connectivity to on-premise networks. Public IP ranges are scanned and attacked continuously, so the risk is high when application teams with little cloud experience build their own access solutions, for example exposed SSH servers running unpatched versions or configured with weak ciphers. A centrally managed bastion host gives those teams a hardened, audited entry point instead.
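The weak-cipher problem above is where self-built bastions usually go wrong, and sshd_config has a trap that makes it worse: sshd applies the first value it sees for a keyword, so a hardening line appended below an earlier weak one does nothing, and a Match block further down can re-enable what the global section disabled. The audit script below is an added example for this page, not code from the cloud foundation project or from any tool it documents. The weak-algorithm sets and the POLICY table are an assumed baseline rather than a published standard, and both sshd_config samples are constructed inputs.

```python
"""Audit an OpenSSH sshd_config for the weak settings that hand-built bastion
hosts commonly ship with.  Added example for this page, not part of any cloud
foundation tooling; WEAK_* and POLICY are an assumed baseline, not a standard."""
import re

# OpenSSH algorithm identifiers; treating them as weak is the assumed policy
# (RC4, 3DES and CBC-mode ciphers, MD5/SHA-1 MACs, SHA-1 key exchange).
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
                "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
             "hmac-md5-etm@openssh.com", "hmac-sha1-etm@openssh.com"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}

# keyword -> (allowed values, value OpenSSH assumes when the keyword is absent)
POLICY = {
    "permitrootlogin": ({"no"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "pubkeyauthentication": ({"yes"}, "yes"),
    "x11forwarding": ({"no"}, "no"),
}

# "Keyword value" and "Keyword=value" are both accepted by sshd.
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_sshd_config(text: str) -> dict:
    """Return {scope: {keyword: value}}; scope is "" for the global section or
    the Match line that opened a conditional block.  sshd applies the FIRST
    value given for a keyword in a scope, so later duplicates are dropped."""
    scopes = {"": {}}
    scope = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments, blanks
        match = _DIRECTIVE.match(line) if line else None
        if not match:
            continue
        keyword, value = match.group(1).lower(), match.group(2).strip()
        if keyword == "match":                         # rest is conditional
            scope = f"Match {value}"
            scopes.setdefault(scope, {})
            continue
        scopes[scope].setdefault(keyword, value)       # first value wins
    return scopes


def split_algorithms(value: str) -> list:
    """Split an algorithm list.  A leading '+' or '^' adds to the defaults, so
    the names still count; a leading '-' only removes, so nothing to check."""
    if value.startswith("-"):
        return []
    return [a.strip().lower() for a in value.lstrip("+^").split(",") if a.strip()]


def audit_sshd_config(text: str) -> list:
    """One finding per policy violation, across the global section and every
    Match scope.  An absent Ciphers/MACs/KexAlgorithms line is not flagged:
    the version-specific OpenSSH default lists are not modelled here."""
    findings = []
    for scope, settings in parse_sshd_config(text).items():
        where = scope or "global"
        for keyword, weak in (("ciphers", WEAK_CIPHERS), ("macs", WEAK_MACS),
                              ("kexalgorithms", WEAK_KEX)):
            bad = [a for a in split_algorithms(settings.get(keyword, "")) if a in weak]
            if bad:
                findings.append(f"{where}: {keyword} enables weak algorithms {bad}")
        for keyword, (allowed, default) in POLICY.items():
            if keyword in settings:
                value = settings[keyword].lower()
                if value not in allowed:
                    findings.append(
                        f"{where}: {keyword} is '{value}', expected one of {sorted(allowed)}")
            elif scope == "" and default not in allowed:      # rely on sshd default
                findings.append(
                    f"global: {keyword} not set, OpenSSH default '{default}' fails policy")
    return findings


# Constructed sample: a hand-built bastion with a "fix" appended that sshd ignores.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-md5
KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256
PermitRootLogin no   # never applied: the first PermitRootLogin above wins
"""

# Constructed sample: hardened globals, but a Match block re-enables passwords.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}:", *audit_sshd_config(cfg), sep="\n  ")
```

To check a real host, feed it the contents of /etc/ssh/sshd_config instead of the constructed samples. Where you have a shell on the host, `sshd -T` prints the effective configuration after defaults have been filled in, which sidesteps the first-value-wins and Match subtleties this script has to reproduce itself.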
Cloud foundation teams running a private or hybrid networking model, where connections always originate from on-premise networks, may get away without offering dedicated bastion hosts. Offering them is still recommended for security and auditing, since a bastion host centralizes access control and gives administrative sessions a single, consistent audit trail.
There are two main implementation strategies for building bastion hosts
No tool implementations are documented yet. Contributions are welcome!