
Advanced SSH Features

Chapter 34: SSH Bastion Hosts and ProxyJump

In this chapter, you'll learn how bastion hosts work, how to configure ProxyJump for multi-hop SSH connections, and how to build secure multi-tier SSH infrastructure.

In the previous chapter, you learned how to use SSH tunnels in real production environments to access remote applications.

You connected to services like MySQL, PostgreSQL, Redis, and an internal web application through SSH tunnels.

Now you are moving into more advanced SSH concepts that change how you think about infrastructure.

So far, many sysadmins simply SSH directly into each server from their laptop. That works when you have a handful of servers, but it starts to break down when:

  • You have many servers to manage.
  • Your security team does not allow direct access to internal machines.
  • Your servers are in cloud networks where internal systems do not have public IPs.

At this point, we introduce a bastion host: a single, deliberately hardened server that sits on a public network and acts as the controlled entry point into your private infrastructure. Instead of exposing every server and connecting to each one directly, you expose only the bastion, connect to it first, and move inward from there. Because every administrative SSH session funnels through one place, the bastion is also where access control and logging concentrate, and it must be treated as the most exposed host you run.

Now doing this manually every time would be annoying, which is where ProxyJump comes in.

ProxyJump lets SSH hop through the bastion host for you. From your point of view, it feels like you are connecting directly to the final server. Behind the scenes, SSH opens a session to the bastion, asks it to forward a TCP connection to the internal server, and then runs a second, fully encrypted SSH session inside that forwarded connection. The bastion only relays ciphertext: it never sees your password, your session contents, or your private key, which stays on your laptop. That is what makes ProxyJump safer than logging into the bastion and running ssh again from there, or forwarding your SSH agent to it.

So instead of juggling multiple SSH steps, ProxyJump makes the whole path transparent and much easier to manage, and you can express it once in your SSH config rather than retyping it for every connection.
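The following is an added example, not code from the book: a small POSIX shell script that writes an `~/.ssh/config`-style file describing one bastion and two internal hosts reached through it with `ProxyJump`, plus a helper that reads back which hop a given host uses. The hostnames (`bastion`, `app1`, `db1`), the IP addresses, the usernames and the key path are assumptions chosen for illustration. `ProxyJump` requires OpenSSH 7.3 or newer; on older clients the equivalent is `ProxyCommand ssh -W %h:%p bastion`.

```shell
#!/bin/sh
# Added example (not from the original chapter). All hostnames, addresses,
# usernames and key paths below are assumed values for illustration.
set -eu

# write_ssh_config DIR
#   Writes DIR/config containing a bastion entry and internal hosts that
#   hop through it with ProxyJump. Prints the path of the written file.
write_ssh_config() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/config" <<'EOF'
# The bastion is the only host with a public address (assumed 203.0.113.10).
Host bastion
    HostName 203.0.113.10
    User ops
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes

# Internal hosts have private addresses and are reached via the bastion.
# The inner SSH session is encrypted end to end; the bastion only relays it.
Host app1
    HostName 10.0.1.21
    User deploy
    ProxyJump bastion

Host db1
    HostName 10.0.2.5
    User deploy
    ProxyJump bastion

# Catch-all: any host typed as 10.0.x.y hops through the bastion too.
Host 10.0.*
    User deploy
    ProxyJump bastion
EOF
    chmod 600 "$dir/config"
    printf '%s\n' "$dir/config"
}

# proxyjump_for CONFIG HOST
#   Prints the ProxyJump value for an exact "Host HOST" block, or "none".
#   This is a minimal reader for literal Host names only (it does not
#   evaluate glob patterns); against a real client use `ssh -G HOST`.
proxyjump_for() {
    cfg="$1"
    host="$2"
    awk -v h="$host" '
        $1 == "Host" {
            in_block = 0
            for (i = 2; i <= NF; i++) if ($i == h) in_block = 1
        }
        in_block && $1 == "ProxyJump" { print $2; found = 1; exit }
        END { if (!found) print "none" }
    ' "$cfg"
}

# Demo: write the config to a temporary directory and show the hop for app1.
demo_dir=$(mktemp -d)
demo_cfg=$(write_ssh_config "$demo_dir")
echo "app1 hops through: $(proxyjump_for "$demo_cfg" app1)"
# Installed as ~/.ssh/config, `ssh app1` then makes two hops automatically:
#   laptop -> bastion (203.0.113.10) -> app1 (10.0.1.21)
# The same path as a one-off command, without a config file:
#   ssh -J ops@203.0.113.10 deploy@10.0.1.21
```

The `IdentitiesOnly yes` line on the bastion entry stops the client from offering every key in your agent to the bastion, which keeps the public half of your other keys from being disclosed to the most exposed host in the path. Note that `ProxyJump` needs no agent forwarding at all: authentication to `app1` happens from your laptop through the forwarded connection.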

What Is a Bastion Host