The SSH Bastion (Jump Host)
Why every internal box is reached through one hardened jump host, and how the ProxyJump pattern works in practice.
Why a jump host
None of the internal VMs accept SSH from the internet. There's exactly one machine you can SSH to...
The ProxyJump pattern
You don't want to manually SSH to the bastion and then SSH again — that's clumsy and breaks tooli...
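A client-side `~/.ssh/config` that implements the ProxyJump pattern described above. This is an added example, not configuration from the original page; the bastion address `bastion.example.com`, the user `alice`, and the internal DNS suffix `.internal` are assumptions chosen for illustration.

```sshconfig
# ~/.ssh/config  (added example; hostnames and user are assumed)

# The one public SSH endpoint. Pin the key we authenticate with so the
# client does not offer every loaded key to the bastion.
Host bastion
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Everything in the internal zone is reached through the bastion.
# ProxyJump opens a TCP channel through the bastion to the target; the
# second SSH session is end-to-end from this client, so the private key
# never leaves this machine and no agent forwarding is needed.
Host *.internal
    ProxyJump bastion
    User alice
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no
```

With that in place `ssh app-01.internal` does the whole hop; the one-off equivalent is `ssh -J bastion app-01.internal`. To confirm the config resolves the way you expect without connecting, run `ssh -G app-01.internal | grep -i proxyjump`. Note that the client verifies two host keys on every connection, the bastion's and the target's, and both land in the client's `known_hosts` under their own names.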
Hardening, and a host-key surprise
Because the bastion is the one publicly-reachable SSH endpoint, it's the one that gets the most a...
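A hardened `sshd_config` for the bastion, scoped to what the ProxyJump pattern actually needs: a TCP channel to a known set of internal hosts on port 22 and nothing else. This is an added example, not the page's own configuration; the `bastion-users` group and the internal hostnames are assumptions.

```sshconfig
# /etc/ssh/sshd_config on the bastion  (added example; group and hosts are assumed)

# Keys only. No passwords, no keyboard-interactive, no root.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no

# Only an explicitly enrolled group may log in at all.
AllowGroups bastion-users

# Nothing but the jump channel. ProxyJump needs TCP forwarding
# (direct-tcpip), so it stays on, but only to listed internal SSH ports.
AllowTcpForwarding yes
PermitOpen app-01.internal:22 db-01.internal:22
AllowAgentForwarding no
AllowStreamLocalForwarding no
X11Forwarding no
PermitTunnel no
GatewayPorts no

# Kill idle sessions and log enough to reconstruct who jumped where.
ClientAliveInterval 300
ClientAliveCountMax 2
LogLevel VERBOSE
```

After editing, validate before restarting with `sshd -t` (syntax) and `sshd -T` (the effective, fully resolved configuration), and keep an existing session open while you test a fresh login so a mistake cannot lock you out. Adding a new internal host means adding it to `PermitOpen`; a forwarding request to anything else is refused by the bastion and shows up in its log at `VERBOSE`.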
Lessons on bastion access
One way in. Internal VMs expose no SSH to the internet; the bastion is the single public SSH end...