
Bastion Host Alternative: VPC Private Subnet Proxy Deployment



Setting up secure and efficient environments in your AWS infrastructure often brings up a common requirement: accessing resources within a private VPC subnet. Traditionally, bastion hosts have been the go-to solution for this use case. However, introducing a public-facing bastion comes with its own complexities and risks. What if there was a better way?

In this article, we’ll explore a lightweight, modern alternative for deploying a proxy to a VPC private subnet without relying on a bastion host. By implementing a more secure and automated solution, you can improve access control while reducing attack surface and operational overhead.


Why Move Away from Bastion Hosts?

Bastion hosts (sometimes called jump boxes) allow you to SSH into instances in private subnets, acting as a gatekeeper. While effective, they introduce several challenges:

  • Public Exposure: Bastion hosts require a public-facing IP, opening the door to potential attacks if not locked down properly.
  • Manual Management: SSH key distribution and bastion configuration can create operational bottlenecks.
  • Access Complexity: Scaling access for teams often leads to configuration drift and makes audits harder.

These challenges highlight the need for an alternative. Instead of using bastion hosts for securing private subnet access, implementing an on-demand, more secure proxy offers a cleaner and more scalable approach.


A Secure Alternative: Proxying into Private Subnets

Instead of relying on a permanently running, publicly reachable access point, you can opt for a proxy that runs inside the private VPC subnet itself. This eliminates public endpoints while still providing strong security and automation. Here’s how it works:

1. Proxy Deployment in a Private Subnet

Run a lightweight proxy server in the private subnet that can provide controlled access to the resources you need. By avoiding public IPs entirely, you significantly reduce attack vectors.

  • High Availability: Use a load-balanced setup with AutoScaling Groups for redundancy.
  • Isolation: Ensure strict IAM roles and VPC Security Group rules to limit the scope of the proxy.

2. Temporary On-Demand Access

Instead of keeping a bastion or proxy running 24/7, only spin up the proxy for short-lived periods when access is needed. Automated workflows like AWS Systems Manager (SSM) and Lambda functions can handle starting and stopping the proxy instances programmatically.


3. Authentication and Access Control

Leverage IAM-based authentication for secure access management. Token-based access or temporary credentials can meet enterprise-grade compliance requirements without introducing SSH key management complexities.

Benefits of this Approach:

  • No Public IPs: Everything stays private within the VPC.
  • Audit-Ready: Automating access via roles makes audit trails more accurate.
  • Cost-Effective: Run your resources only when required, reducing idle costs.

Steps to Deploy a Bastion Host Alternative

Step 1: Define Security Groups

Create Security Groups that allow inbound access only from specific trusted IP ranges or IAM-identified sessions. Attach this group to the proxy server.

Step 2: Provision the Proxy

Deploy a proxy service like Nginx, HAProxy, or a custom Go-based proxy within the private subnet. Ensure routing to backend services is restricted to the internal network.

Step 3: Automate Lifecycle with AWS Tools

Use AWS Systems Manager documents (SSM Documents) to control the proxy’s lifecycle. Scripts can run in response to events, for instance spinning the proxy up for active sessions and terminating it once they finish.

Step 4: Test Access Path

Validate access by connecting to the private subnet through the proxy endpoint. Tools like OpenSSH or web proxies can securely forward traffic to internal resources without exposing sensitive data.
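The on-demand flow described under "How it works" (start the proxy, open a brokered session, tear it down) and Steps 1 to 4 above, as an added example script that is not part of the original post. It assumes the AWS CLI and the Session Manager plugin are installed locally, and the instance ID, internal hostname and ports are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): start a proxy instance that lives in a
# private subnet, open an SSM port-forwarding session through it to an internal host,
# and stop the instance again when the session ends. Assumes the instance has no public
# IP, a Security Group with NO inbound rules (SSM Agent only needs outbound 443), an
# instance profile allowed to use SSM, and a caller allowed ec2:Start/StopInstances and
# ssm:StartSession. Instance ID, internal host and ports are placeholders.

# Parameter document for AWS-StartPortForwardingSessionToRemoteHost:
# local port -> proxy instance -> remote host:port, with nothing exposed publicly.
pf_params() {
  # $1 = remote host, $2 = remote port, $3 = local port
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2" "$3"
}

# SSM reports PingStatus "Online" once the agent on the instance has registered.
ssm_online() {
  [ "$1" = "Online" ]
}

# Poll describe-instance-information until the agent is Online (max ~5 minutes).
wait_for_ssm() {
  i=0
  while [ "$i" -lt 30 ]; do
    status=$(aws ssm describe-instance-information \
      --filters "Key=InstanceIds,Values=$1" \
      --query 'InstanceInformationList[0].PingStatus' --output text 2>/dev/null)
    ssm_online "$status" && return 0
    sleep 10; i=$((i + 1))
  done
  echo "SSM agent on $1 never came online" >&2
  return 1
}

main() {
  id="$PROXY_INSTANCE_ID"                       # e.g. i-0123456789abcdef0 (placeholder)
  host="${TARGET_HOST:-db.internal.example}"   # internal DNS name of the backend (placeholder)
  # Stop the proxy whenever this script exits, so it never lingers after the session.
  trap "aws ec2 stop-instances --instance-ids '$id' >/dev/null" EXIT
  aws ec2 start-instances --instance-ids "$id" >/dev/null
  aws ec2 wait instance-running --instance-ids "$id"
  wait_for_ssm "$id"
  # Interactive session: localhost:15432 now reaches host:5432 via the private proxy.
  aws ssm start-session --target "$id" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$(pf_params "$host" 5432 15432)"
}

# Run the lifecycle only when an instance ID is supplied (helpers stay testable offline).
if [ -n "${PROXY_INSTANCE_ID:-}" ]; then main; fi
```

Run it as `PROXY_INSTANCE_ID=i-... TARGET_HOST=... ./proxy-session.sh`; the EXIT trap stops the proxy even if the session is interrupted.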


Why It’s Time for an Upgrade

Bastion hosts have served their purpose well in the past, but modern alternatives align better with today’s demand for automation, tighter security, and cost reduction. By implementing an on-demand proxy deployment model for private subnets, you can achieve greater agility, save time, and lower your operational risks.


See how Hoop.dev simplifies these processes even further. Explore our solutions and see how you can implement a bastion host alternative in minutes—try it live today! Securely streamline access to your private subnets without the hassle.
