High-performance and highly available VPS/VDS with automatic installation and full root access to the OS. The ordered resources are guaranteed to be reserved for you.
Fortify your operational continuity with our resilient disaster recovery solutions, ensuring swift recovery and minimal downtime in the face of unforeseen challenges.
A bastion host is an intermediary server through which administrators access cloud VMs, especially when the working machines themselves do not have public IP addresses. Google Cloud describes a bastion host in exactly this way: as an external point of entry for connecting to VMs over their internal IPs.
In practice, that means a simple model: first, the administrator connects to the bastion host, and only then, through it, to the required virtual machine inside the private segment. This makes it possible to avoid exposing SSH or RDP directly on every VM.
A bastion host is most often useful when it is important to:
Task
Why a bastion host helps here
Hide working VMs from direct Internet access
Connections go through one controlled entry point
Reduce the attack surface
There is no need to publish SSH or RDP on every machine
Centralize administrative access
It becomes easier to control who enters the internal environment and how
Provide access to private VMs
You can work with machines that are reachable only over internal addresses
But a bastion host is not always necessary. In many scenarios, it is replaced by a VPN, a managed Bastion service, or tools like AWS Systems Manager Session Manager, which allow teams to manage instances without open inbound ports and without a classic bastion host. Azure Bastion follows the same general idea as well: secure access to VMs without exposing a public IP on the machines themselves.
That is why the main practical question here is not whether you have cloud VMs, but how exactly you want to organize administrative access. If what you need is a simple, controlled path into private VMs, a bastion host can be a good solution. But if the cloud platform already provides a more convenient managed mechanism, a separate bastion can sometimes do nothing but make the setup more complicated.
Bastion Host: What It Is and Why It Is Used at All
A bastion host (also often called a jump host or jump server) is a separate server through which administrators connect to virtual machines inside an internal network segment.
It is usually used where the working VMs themselves should not accept SSH or RDP directly from the Internet. Instead, one controlled entry point is exposed externally, and from there traffic continues onward to the required machine over its internal address.
Put simply, the logic looks like this:
The administrator connects to the bastion host
The bastion host sits inside the required network
From there, access continues to the private VM
The working machines themselves do not need to be exposed externally
That is the core idea: not to hand out external access to every VM individually, but to concentrate administrative entry into a single point.
This approach is usually needed not for architectural elegance, but for clearer control. When you have dozens of machines, it is much easier to monitor one entry point than to keep public SSH or RDP enabled on every single one of them.
Here is a short table that makes the role of a bastion host immediately clear:
What is being compared
A regular VM with a public IP
A bastion host
Ingress from the Internet
Directly to the VM itself
Through a separate entry point
Public access to working VMs
Often required
Usually not required
Control over administrative access
Spread across multiple VMs
Concentrated in one place
Attack surface
Broader
Narrower, if the design is configured properly
The table shows the main point: a bastion host is useful not because cloud VMs cannot be accessed without it, but because it helps organize access in a cleaner and safer way.
How a Bastion Host Differs from a Regular VM with a Public IP
Now let us look at the difference more directly. At first glance, it may seem small: in both cases, there is a server you can reach over SSH or RDP.
But a regular VM with a public IP is simply a machine that is reachable from the outside. A bastion host is a deliberately dedicated entry point whose purpose is not to run business workloads, but to provide controlled access to internal resources.
That is exactly why a bastion host is usually kept as narrow in role as possible: minimal services, strict access rules, a limited group of users, login auditing, and carefully defined security rules. Azure Bastion, for example, is built entirely around this idea as a managed service: it provides RDP and SSH access to VMs over their private IPs without requiring public IPs on the machines themselves.
Do You Actually Need a Bastion Host to Access Cloud VMs
The short answer is no, not always.
A bastion host is not inherently required for access to cloud VMs. Virtual machines can be accessed in several different ways: directly, through a VPN, through a managed Bastion service, through identity-aware access, or through agent-based services such as Session Manager.
AWS explicitly states that Session Manager makes it possible to manage instances without open inbound ports and without bastion hosts. Azure Bastion and Google Cloud bastion scenarios show the same broader point: what matters here is not one single tool, but the chosen model for administrative access.
That is why the better question is not, “Do we have VMs in the cloud?” but rather, “How exactly do we want to organize access to them?”
When You Can Do Without One
In many cases, a separate bastion host really is not necessary.
If you have a small environment, one or two VMs, a limited group of administrators, and no strict requirement to remove the working machines from public reach, then another option may simply be easier. This is especially true where the cloud already provides a built-in managed mechanism, and the team does not want to maintain a separate jump server, track its updates, logging, and access rules.
Here is a short summary of the situations where a bastion host is often unnecessary:
Situation
Why you can often do without a bastion host
A small number of VMs
There is little value in introducing a separate intermediate server just for one or two machines
There is already a VPN into the required segment
Access is already organized at the network level
A managed Bastion service is being used
The cloud provider takes over the entry point itself
Session Manager or a similar service is available
You can connect without inbound ports and without a jump server
VMs are allowed to have public IPs with strict ACLs
In some cases, direct access is simply easier and sufficient
The main point this shows is simple: a bastion host is needed not for the mere fact of connecting to a VM, but for a specific way of making that connection more centralized and more isolated.
When a Bastion Host Is Genuinely Justified
There are also the opposite scenarios, where a bastion host no longer looks like unnecessary extra layering, but like a perfectly logical choice.
Most often, it is justified when you need to:
Give administrators access to private VMs without public IPs
Concentrate SSH or RDP entry into one controlled point
Reduce the number of external entry points into the internal environment
EU Cloud Infrastructure You Control
Run production workloads on dedicated resources across EU data centres. Transparent pricing, no hidden costs.
Full control over compute, storage, and networking.
Create a stricter separation between working machines and external access
Simplify audit, logging, and control of administrative connections
Avoid exposing direct access to every VM individually
Pass internal or external access reviews more easily
Better support regulatory and compliance requirements, where access to systems and data must be controlled and traceable
That is exactly the kind of environment where a bastion host shows its value most clearly. It is especially appropriate in infrastructures where there are already many working VMs, those VMs live in private subnets, and the team needs a clear and predictable administrative entry gateway. This is particularly useful where companies need not only to limit external access, but also to demonstrate who connected, when, and to which resources.
A bastion host is justified because it helps build a cleaner access model. If that is the actual goal, then it is useful. And if that goal is combined with audit, compliance, or regulatory requirements such as GDPR, the value of such an entry point becomes even more obvious. But if the cloud platform already provides a more convenient way to solve the same problem, then a separate bastion can end up adding only another unnecessary layer to the architecture.
What the Alternatives Are
A bastion host is not the only way to organize access to cloud VMs.
In many modern environments, it is either complemented by other approaches or replaced by them altogether. The reason is simple: a separate jump server also has to be administered, updated, logged, and secured. That is why teams are increasingly looking not only at the classic bastion model, but also at more manageable alternatives.
Below are the most common options.
VPN, Managed Bastion, Session Manager, and Identity-Aware Access
A bastion host has several viable alternatives, and the difference between them is not only in the name, but in the entire access model.
In some cases, the administrator first connects into the network itself. In others, access goes through a provider-managed entry point. And in some models, access is organized without a bastion host at all and without open inbound ports.
There is also a more mature layer of solutions: PAM systems (Privileged Access Management). These do not solve only the problem of entering the internal environment, but also the problem of controlling what privileged users actually do after they get access.
A comparison of the main approaches:
Approach
How access is organized
Main strength
Limitation
Bastion host
The administrator logs into a separate jump server and then reaches the private VM through it
A clear and controllable classic model
The bastion itself must be administered and secured separately
VPN
The administrator first connects to the private network as a whole
Convenient when access is needed not just to one VM, but to an entire segment
Often grants broader network access than is actually needed
Managed Bastion
The provider offers a managed entry point to VMs over private IPs
No need to maintain your own jump server
Depends on provider capabilities and service limitations
Session Manager
Access goes through an agent and a cloud management service
No need for inbound ports, a bastion host, or permanent SSH key handling
Does not fit every scenario and depends on the supported ecosystem
Identity-aware access
Access is built around identity and policy rather than direct network exposure
More granular control and often SSH/RDP access without public IPs
Requires a mature IAM model and is not implemented equally across providers
PAM system
Access goes through a centralized privileged-access layer with policies, RBAC, and session control
Provides not only one entry point, but mature control over administrator actions
More complex and heavier to introduce than a regular bastion host
PAM systems are especially useful where it is no longer enough for the business simply to concentrate SSH or RDP in one place. In those environments, it matters not only to restrict external access, but also to control exactly who obtained privileged access, to which systems, on what basis, and what they actually did during the session.
Depending on the implementation, PAM can add RBAC, detailed logging, session recording, restrictions or filtering of individual commands, and alerts for the security team when suspicious actions occur. At that point, the discussion is no longer only about protecting the entry point from outside threats, but about a more mature level of control over administrative activity inside the environment itself.
The right choice usually depends on how much control, isolation, and operational effort the team needs. In some cases, a classic jump server under your own control is enough. In others, a managed or identity-driven model is more practical because it reduces manual maintenance and avoids building extra infrastructure around the entry point.
And when the company has higher requirements for auditability, compliance, and control over privileged activity, it becomes logical to look toward a PAM-based approach. In those situations, what matters is not only the entry point itself, but also much more mature control over who does what, how, and where inside an administrative session.
Conclusion
A bastion host is not a mandatory component for access to cloud VMs, but one of the ways to organize administrative entry into an internal environment in a clean and controlled way. It is especially useful where working machines should not have direct public exposure and the team needs a single controlled entry point to private VMs.
But it should not be treated as a universal solution. In many scenarios, the same goal is more conveniently handled by a VPN, a managed Bastion service, Session Manager, or identity-aware access — especially when the team wants less manual maintenance and less self-managed infrastructure around the entry point.
That is why the main conclusion is simple: a bastion host is not something you need “for every VM in the cloud,” but only when it genuinely fits your access model and your required level of control.
FAQ
Are a bastion host and a jump host the same thing?
They are often used almost interchangeably. In practice, a bastion host is essentially the same kind of jump server, but with stronger emphasis on being a secure and controlled entry point into an internal environment. Google Cloud describes a bastion host in exactly that way: as an external point of entry for VMs without external IP addresses.
Do you need a bastion host if the VM already has a public IP?
Not necessarily. Technically, you can connect directly to such a VM. A bastion host makes sense when you do not want to expose external access on every machine individually and instead want to concentrate administrative entry into a single point.
Can you do without a bastion host and without any open inbound ports at all?
Yes. AWS Systems Manager Session Manager is explicitly positioned as a way to manage instances without inbound ports, without bastion hosts, and without managing SSH keys.
If I have only one or two cloud VMs, won’t a bastion host be excessive?
Sometimes it will. In a very small environment, a separate jump server can add more operational overhead than practical value. In that case, it is often more reasonable to look at a managed Bastion service, Session Manager, or another built-in access mechanism if the provider offers one.
Is a bastion host only for SSH?
No. The idea is not limited to SSH. Azure Bastion, for example, is designed for RDP and SSH access to VMs, while Google Cloud IAP TCP forwarding can proxy SSH, RDP, and other TCP traffic to instances.
What is better to choose: a bastion host, a VPN, or identity-aware access?
That depends on the access model. A bastion host is convenient as a single controlled entry point. A VPN is useful when access is needed to the entire private segment. An identity-aware model is especially helpful when access should be built around identity and IAM policies rather than just around a network entry point. Google Cloud IAP specifically emphasizes granular control over who can establish tunnels to which VMs.
Subscribe to our newsletter to get articles and news
Cookie consent
This site uses cookies to ensure it works properly and to track how you use it. By clicking 'Accept', you agree to these technologies. For more details, please see our Privacy Policy and Cookies Policy
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.