Guide: SSH Bastion Host


SSH Bastion Host


The Idea of the SSH Bastion Host is having a well-secured, regularly patched entry point that is the only service that is exposed to the internet, which has a sole purpose - allowing users to connect to the instances which have not an external IP address. This will give you the flexibility to connect to your environment, without exposure to the internet.

On WEkEO, we have provided a CentOS 7.5 image that has built-in SSH Bastion functions. To create an instance with this image, select "SSH BASTION HOST" in the "Type" tab in the new instance creation form.

Next steps to create a new instance are described in the guide here:

For example, we have created 2 instances. The first one was created from the image SSH Bastion Host and associated public IP address.

This instance has 2 Security Groups attached:

  • wekeo-tenant_security_group - this group allows to access the instance via SSH,

  • default - allows internal traffic in the private network.

The guide about using Security Groups is described here:

And a second instance which was created from a regular Ubuntu image with no public IP address attached.

This instance has only the "default" Security Group attached because this instance will be accessed through the SSH Bastion.

It should be remembered that in order for the instances to communicate in the private network they must have the "default" Security Group attached.


Access via SSH Bastion

In order to access your virtual machines with your bastion you can use the -J flag of the ssh command.

First, add your key to the SSH Agent on your local machine. You have to add the key every time you restart your machine.

ssh-add your.ssh.key

Then you can connect:

ssh -J

For example:

$ ssh-add user

$ ssh -J user@ user@

Or, create a configuration file in your .ssh directory (.ssh/config) and set all the configurations there;

## Bastion Config

Host name.of.your.bastion

        HostName bastion.ip

        User your.username


        Port 22


## Remote Host

Hostname your.internal.vm.ip

        User your.username


        ProxyJump name.of.your.bastion

For example:

Host bastion


        User user

        IdentityFile /home/abuiquoc/keys/morph/user

        Port 22



        User user

        IdentityFile /home/abuiquoc/keys/morph/user

        ProxyJump bastion

After such configuration, you can just execute the command:

$ ssh

If you want to gain access only to the SSH Bastion, you can perform the following commands e.g:

$ ssh user@
### Or if you have the appropriate configuration in .ssh/config
$ ssh bastion