Managed bastion hosts
🚧 This building block reference page is a draft.
Managed bastion hosts are essential for running a “public” networking model (the cloud is connected only to the internet). Risks are high when application teams with little cloud experience build their own access solutions (e.g. vulnerable SSH implementations, weak ciphers, etc.), because public IP ranges are continuously scanned and attacked.
Cloud foundation teams may get away with not offering dedicated bastion hosts when running a private or hybrid networking model (connections always come from on-premise). Offering them is still recommended for security and auditing, though.
There are two main implementation strategies for building bastion hosts:
- leveraging cloud-native services like Azure Bastion by pre-configuring them to integrate with your landing zone’s network infrastructure (see Virtual Network Service)
- building a custom bastion host, possibly on top of an already existing Virtual Machine Service and with PAM software components on top like Boundary or CyberArk
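The risk of self-built access solutions with weak SSH settings, and the custom bastion host strategy above, are illustrated by the following audit script. It is an example added for this page, not tooling from the page or from any product it names. It parses an OpenSSH sshd_config and flags the settings a bastion on a public IP should not have: legacy ciphers, MACs and key exchange methods, root login, password authentication, and a log level too sparse for an audit trail. The two configurations embedded at the bottom are constructed samples, and the weak-algorithm sets are assumptions drawn from common OpenSSH hardening guides rather than an exhaustive list.

```python
"""Audit an OpenSSH sshd_config for settings that make a self-built
bastion host an easy target on a public IP. Example code added for this
page; the two configs at the bottom are constructed samples."""
import re

# Legacy algorithms that current hardening guides recommend disabling.
# Illustrative sets (an assumption), not an exhaustive list of weak names.
WEAK_CIPHERS = {
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc",
}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}
WEAK_KEX = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section.

    sshd treats keywords case-insensitively, accepts whitespace or '=' as
    the separator, and uses the first occurrence of a keyword. Parsing
    stops at the first Match block, which can only narrow global settings."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            config.setdefault(parts[0].lower(), parts[1].strip())
    return config


def audit_sshd_config(text):
    """Return a list of (severity, message) findings; empty means clean."""
    cfg = parse_sshd_config(text)
    findings = []

    def check_algorithms(keyword, weak, label):
        value = cfg.get(keyword.lower())
        if value is None:
            findings.append(("low", f"{keyword} not set: relying on build defaults"))
            return
        # sshd accepts "-list" (remove from defaults), "+list" (append) and
        # "^list" (prepend). A removal list can never enable a weak name.
        if value.startswith("-"):
            return
        enabled = {a.strip() for a in value.lstrip("+^").split(",")}
        bad = sorted(enabled & weak)
        if bad:
            findings.append(("high", f"{keyword} enables legacy {label}: {', '.join(bad)}"))

    check_algorithms("Ciphers", WEAK_CIPHERS, "ciphers")
    check_algorithms("MACs", WEAK_MACS, "MACs")
    check_algorithms("KexAlgorithms", WEAK_KEX, "key exchange methods")

    # Fallback values are OpenSSH's documented defaults when a keyword is unset.
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append(("high", "PermitRootLogin yes: root is a shared, unattributable account"))
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("high", "PasswordAuthentication yes: exposes the host to credential guessing"))
    if cfg.get("pubkeyauthentication", "yes").lower() == "no":
        findings.append(("high", "PubkeyAuthentication no: key-based logins are disabled"))
    if cfg.get("loglevel", "INFO").upper() != "VERBOSE":
        findings.append(("low", "LogLevel below VERBOSE: thin audit trail for a bastion"))
    return findings


# Constructed sample: a hastily built jump host with legacy settings.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha1
KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256
"""

# Constructed sample: the same host with an explicit, hardened configuration.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
LogLevel VERBOSE
MaxAuthTries 3
X11Forwarding no
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_sshd_config(sample)
        print(f"{name}: {len(results)} finding(s)")
        for level, message in results:
            print(f"  [{level}] {message}")
```

Run against a real host with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`. Only the global section is audited on purpose: a Match block can tighten settings for particular users or source addresses but cannot re-enable an algorithm the global list excludes, so the global list is what an internet-facing bastion actually negotiates.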
Currently no tool implementations documented. Contributions welcome!