Bastion hosts have been a long-standing solution for secure, controlled access to cloud infrastructure. They act as gateways, limiting direct access while applying basic authentication and logging. However, as systems grow in complexity, this approach faces challenges: scalability issues, hard-to-enforce fine-grained access control, and potential security gaps.
Enter Open Policy Agent (OPA), an alternative that modernizes access control. Rather than relying on a single point of entry like a traditional bastion host, OPA lets you define access policies programmatically and enforce them in a distributed way across your infrastructure.
In this post, we'll explore how OPA can replace bastion hosts and why it’s worth considering for teams looking for stronger and more manageable access control.
Problems with Bastion Hosts
Bastion hosts might seem like the simplest way to secure infrastructure access, but they come with significant drawbacks. Here's why:
- Centralized Access Points: A bastion host acts as a single gateway. If compromised, your entire infrastructure is at risk.
- Manual Management: Bastion host configurations often require manual updates to manage user accounts, keys, and permissions, introducing delays and human errors.
- Lack of Contextual Access Control: Bastion hosts generally have limited ability to enforce context-based policies (e.g., access limited by time, environment, or request details).
- Scalability Issues: Managing bastion hosts for distributed systems or multi-region cloud environments can become unreasonably complex as your infrastructure grows.
These limitations make them less effective in today’s dynamic, cloud-native architectures.
How Open Policy Agent Replaces Bastion Hosts
Open Policy Agent takes a completely different approach by embedding policy enforcement directly into your services and APIs. Here’s how this works:
- Distributed Policy Enforcement
OPA is not a central gateway. Instead, it integrates with services directly, so policies are enforced locally at the point where decisions are made, for example inside Kubernetes admission controllers, API gateways, or custom applications.
- Policy Flexibility with Rego
OPA uses a policy language called Rego, which makes it possible to define fine-grained, context-aware policies. For example:
  - Developers can define rules like "Users from Group A can access servers only during business hours."
  - Policies can leverage environmental context, such as IP ranges, device type, or API request details.
- Scalability
Since OPA runs as a sidecar or library, you avoid the bottleneck of a single access point, and policies scale horizontally with your infrastructure.
- Auditable Decision Logs
Every decision OPA makes can be logged, providing transparency into who accessed what and when, which makes compliance far easier than with a traditional bastion host.
Benefits of Replacing Bastion Hosts with OPA
Transitioning away from bastion hosts to OPA can modernize your access control strategy, offering key advantages:
- Improved Security: By decentralizing access policies, there's no single compromise point.
- Faster Deployment: Automated policy updates ensure that access changes take effect instantly without tedious manual steps.
- Increased Visibility: Centralized logging from distributed policy checks enables deeper insights into access patterns.
- Cloud-Native Integration: OPA integrates seamlessly with Kubernetes, Terraform, API gateways, and CI/CD pipelines.
Steps to Implement OPA as Your Access Control Solution
Thinking about leaving bastion hosts behind? Here’s a simplified plan to integrate OPA into your infrastructure:
- Define Your Policies in Rego
Start by specifying the access control requirements you currently enforce with bastion hosts, then break them down into logical policies.
- Integrate OPA into Your System
  - For Kubernetes, use OPA as an admission controller.
  - For APIs, deploy OPA in-line as a policy sidecar.
  - With Terraform, validate configuration changes against OPA policies during the CI pipeline.
- Test & Audit
Run tests to see how OPA enforces your policies. Use simulation mode to verify rules before rolling them out globally.
- Monitor & Evolve
Continuously analyze OPA decision logs to detect patterns and optimize policies.
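The "Group A, business hours only" rule from the Rego section above, written out with the IP-range and environment context the post mentions and covered by the unit tests the Test & Audit step calls for. This is an added example, not code from the original post or from Hoop.dev; the input field names (input.user.groups, input.target.environment, input.client_ip, input.request.time_ns), the group name and the 10.0.0.0/8 range are assumptions.

```rego
package infra.access

import rego.v1

default allow := false

# Every context check must pass. All input field names are assumptions.
allow if {
    in_group_a
    input.target.environment in {"staging", "production"}
    business_hours
    trusted_network
}
in_group_a if "group-a" in input.user.groups

# 09:00-16:59 UTC, Mon-Fri, judged on the request timestamp (ns since epoch), not OPA's clock.
business_hours if {
    clock := time.clock([input.request.time_ns, "UTC"])
    clock[0] >= 9
    clock[0] < 17
    not weekend
}
weekend if time.weekday([input.request.time_ns, "UTC"]) in {"Saturday", "Sunday"}

# Only the (assumed) corporate range is eligible.
trusted_network if net.cidr_contains("10.0.0.0/8", input.client_ip)

# Denial reasons surface in the decision log, which the audit step relies on.
deny contains "outside business hours" if not business_hours
deny contains "untrusted client network" if not trusted_network
deny contains "user not in group-a" if not in_group_a

# Constructed sample request shared by the unit tests (run with `opa test`).
sample_request := {
    "user": {"groups": ["group-a"]},
    "target": {"environment": "production"},
    "client_ip": "10.20.30.40",
}

test_allows_group_a_in_hours if {
    ts := time.parse_rfc3339_ns("2024-01-08T10:00:00Z") # a Monday
    req := object.union(sample_request, {"request": {"time_ns": ts}})
    allow with input as req
}

test_denies_after_hours if {
    ts := time.parse_rfc3339_ns("2024-01-08T19:00:00Z")
    req := object.union(sample_request, {"request": {"time_ns": ts}})
    not allow with input as req
    "outside business hours" in deny with input as req
}
```

Save it as policy.rego and run `opa test -v policy.rego`; querying `data.infra.access.deny` alongside `allow` gives the reason strings that end up in the decision log.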
See It in Action with Hoop.dev
Replacing a bastion host may sound complex on paper, but it doesn't have to be. Hoop.dev makes it effortless to see OPA-driven access control in action. With simple, user-centered workflows, you’ll achieve secure, context-aware access that’s both scalable and efficient in minutes. Skip the setup headaches and try it live—start a secure connection instantly with no complex integrations.
Switching from bastion hosts to Open Policy Agent might just be the modernization your infrastructure needs. Validate every access request with policies tailored to your environment, all while avoiding the limits and risks of legacy approaches.