Why a jump host
None of the internal VMs accept SSH from the internet. There's exactly one machine you can SSH to from outside — the jump host (or bastion) at 10.100.100.254, which also holds a public address. From there, you hop to anything internal.
you --SSH--> Jump host (public) --SSH--> any internal VM
             10.100.100.254              10.100.100.x (private)
The internal VMs simply don't expose SSH to the outside world at all. The only way in is through the one box whose job is to be the way in.
Why we use this: it shrinks the remote-access attack surface from "every VM" to "one VM." You harden, patch, and watch one front door instead of fifteen. Every other machine gets to assume any SSH session it sees originated from inside the network — a much simpler thing to secure.
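The hop described above, as an added example that is not part of the original page: the one-off `ssh -J` form, a `~/.ssh/config` stanza that routes every private address through the bastion automatically, and a small check of which destinations take the hop. The login name `ops`, the key path, the alias `jump` and the sample VM 10.100.100.12 are assumptions; only the addresses 10.100.100.254 and 10.100.100.x come from the page.

```shell
#!/bin/sh
# Added example (not from the original page): client-side OpenSSH setup
# for the jump-host layout. "ops", the key path, the alias "jump" and the
# VM 10.100.100.12 are assumptions; the network addresses are the page's.
JUMP_IP="10.100.100.254"
INTERNAL_PREFIX="10.100.100."
SSH_USER="ops"                # assumed login name on every host

# One-off form: hop through the jump host to one internal VM.
one_off_command() {
  target="$1"
  printf 'ssh -J %s@%s %s@%s\n' "$SSH_USER" "$JUMP_IP" "$SSH_USER" "$target"
}

# Persistent form for ~/.ssh/config. The negated pattern keeps the jump
# host itself out of the ProxyJump rule; without it, "ssh 10.100.100.254"
# would try to reach the jump host through the jump host.
ssh_config_stanza() {
  cat <<EOF
Host jump
    HostName ${JUMP_IP}
    User ${SSH_USER}
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

Host ${INTERNAL_PREFIX}* !${JUMP_IP}
    ProxyJump jump
    User ${SSH_USER}
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
EOF
}

# Mirror of how the two Host stanzas above classify a destination, so the
# negation can be checked without opening a connection.
ssh_route() {
  case "$1" in
    "$JUMP_IP")           echo "direct" ;;    # the front door itself
    "$INTERNAL_PREFIX"*)  echo "via-jump" ;;  # any other private VM
    *)                    echo "direct" ;;    # not an internal address
  esac
}

ssh_config_stanza
one_off_command "10.100.100.12"
```

Save the stanza to `~/.ssh/config` (mode 0600) and `ssh 10.100.100.12` then goes through the bastion with no extra flags.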