So what is a bastion host anyway?
It has become the norm these days to have what is called a bastion host (more commonly known as a jumpbox). This machine generally lives in a public subnet and serves as the SSH gateway into the private subnet/network: it is the only host that accepts SSH from the outside, so it is the one place you harden, log and watch, and the private machines never need a public address at all. See the image below.
Proxy traffic via the bastion
I've always used ProxyCommand to achieve this. A quick example would be adding the following to your SSH client config file:

Host my-bastion
    HostName bastion.machine.ip
    User bastion-user
    IdentityFile ~/.ssh/bastion.machine.key.pem
    # Not needed for the hop (see below); it only hands your keys to the bastion
    ForwardAgent no

Host my-private-machine
    HostName private.machine.ip
    User user
    IdentityFile ~/.ssh/private.machine.key.pem
    ProxyCommand ssh -W %h:%p my-bastion
So what's happening here?
When we run ssh my-private-machine in our terminal window, ssh first connects to the bastion host and then, through it, to the private machine. This is dictated by the ProxyCommand line above: the outer ssh spawns a second ssh to my-bastion, and -W %h:%p tells that inner ssh to connect its standard input and output to the private machine's address and port (%h and %p are filled in from the Host block). The session to the private machine is then negotiated end to end inside that stream, so the bastion relays ciphertext only, never gets a shell on the private machine and never holds its key. For the same reason ForwardAgent is not required for this to work; forwarding your agent to the bastion would only let anyone with root there use your keys for as long as you are connected. On the bastion's sshd this relies on AllowTcpForwarding being allowed, and PermitOpen there can pin the destinations the bastion will open to the private subnet. The older form of the same trick, ProxyCommand ssh my-bastion nc %h %p, had nc (netcat) on the bastion do the forwarding instead of ssh; -W does it inside ssh itself and needs nothing installed on the bastion.
This is all well and good, and it worked for me until I discovered ProxyJump.
A cleaner way using ProxyJump
Starting from OpenSSH 7.3, released in August 2016, ProxyJump is by far the easiest way to proxy traffic via a bastion host. In fact, it's so useful that it has its own entry in the ssh_config(5) man page, with a matching -J flag in ssh(1).
Here’s the basic usage:
ssh -J my.bastion.host my.private.host
That’s it. Seriously.
What's cooler is that, in the background, the hop is still carried by ssh itself and not by nc: ssh expands ProxyJump into a ProxyCommand of the ssh -W form for you, so nothing has to be installed on the bastion. Because of that, a host gets either a ProxyJump or a ProxyCommand, whichever ssh reads first for it, never both. And what's even cooler is that you can now chain jumps. Like this:

Host my-private-machine
    ProxyJump my-bastion-1,my-bastion-2

Hops are taken left to right: your machine connects to my-bastion-1, from there to my-bastion-2, and from there to the private machine. Each name is looked up in your config, so a Host block per bastion supplies its HostName, User and IdentityFile. The same chain works on the command line as ssh -J my-bastion-1,my-bastion-2 my-private-machine, and either form accepts user@host:port for a hop that has no Host block.
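As an added example (not code from the original post), here is a small POSIX shell script that writes such a chained config for a private host behind two bastions, switches ForwardAgent off and IdentitiesOnly on for every hop, and then asks ssh itself, via ssh -G, what it will actually do with the result. All aliases, users, addresses and key paths in it are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds an ssh_config that
# reaches a private host through a chain of bastions with ProxyJump, with agent
# forwarding and key guessing switched off, then asks ssh itself what it will do.
# Every alias, user, address (203.0.113.0/24 and 10.0.0.0/8 are documentation /
# private ranges) and key path below is a hypothetical placeholder.
set -eu

# write_config FILE TARGET HOP...
# One Host block per hop, in chain order, then the target whose ProxyJump
# lists the hops left to right (first hop is the one reached from here).
write_config() {
    file=$1
    target=$2
    shift 2
    : > "$file"
    chain=""
    n=0
    for hop in "$@"; do
        n=$((n + 1))
        chain="${chain:+$chain,}$hop"
        cat >> "$file" <<EOF
Host $hop
    HostName 203.0.113.$n
    User bastion-user
    IdentityFile ~/.ssh/$hop.key.pem
    IdentitiesOnly yes
    ForwardAgent no

EOF
    done
    cat >> "$file" <<EOF
Host $target
    HostName 10.0.2.20
    User user
    IdentityFile ~/.ssh/$target.key.pem
    IdentitiesOnly yes
    ForwardAgent no
    ProxyJump $chain
EOF
}

# resolved FILE HOST KEY
# The value ssh will actually use for KEY when connecting to HOST, taken from
# ssh -G (OpenSSH 6.8+), which parses the config and prints the effective
# options in lowercase without contacting any host.
resolved() {
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}

# ssh_can_resolve: true when a local ssh exists and -G works in this environment.
ssh_can_resolve() {
    command -v ssh >/dev/null 2>&1 && ssh -G -F /dev/null localhost >/dev/null 2>&1
}

# Demo: two bastions in front of the private machine.
cfg=$(mktemp)
write_config "$cfg" my-private-machine my-bastion-1 my-bastion-2
if ssh_can_resolve; then
    printf 'proxyjump=%s forwardagent=%s identitiesonly=%s\n' \
        "$(resolved "$cfg" my-private-machine proxyjump)" \
        "$(resolved "$cfg" my-private-machine forwardagent)" \
        "$(resolved "$cfg" my-private-machine identitiesonly)"
fi
# To use it: ssh -F "$cfg" my-private-machine, or merge the blocks into ~/.ssh/config.
rm -f "$cfg"
```

The ssh -G check is the one worth keeping: it shows the options ssh has resolved for a destination after all Host matching, so a stray ForwardAgent yes or a ProxyCommand that silently wins over your ProxyJump shows up before you connect. IdentitiesOnly yes matters on every hop because, without it, ssh offers every key your agent holds to each bastion in turn, which both leaks the public halves of keys the bastion has no business seeing and can exhaust the server's MaxAuthTries before the right key is tried.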
Bonus: Copying files to your private machine via a bastion host
You can even copy files to a private machine the same way, by passing ProxyJump through to the ssh that scp runs underneath:

scp -o 'ProxyJump my.bastion.host' my-file.txt my.private.host:/tmp/my-file.txt

The -o form takes the same comma-separated chain of hops as above, and newer OpenSSH releases also accept -J directly on scp and sftp.
That’s it for now.