All posts
September 5, 20252 min read

The bastion host is dead.

It died the slow death of every brittle, manual, single‑point gateway before it. Now, teams running workloads in a VPC private subnet need a faster, safer, and simpler way to give engineers access without keeping a publicly exposed jump box alive. The replacement is not a bigger bastion host. It’s a lightweight, ephemeral proxy deployment that vanishes when it’s not in use. A VPC private subnet proxy deployment removes the public endpoint entirely. You turn on secure, zero‑trust access at the n

Free White Paper

SSH Bastion Hosts / Jump Servers: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

It died the slow death of every brittle, manual, single‑point gateway before it. Now, teams running workloads in a VPC private subnet need a faster, safer, and simpler way to give engineers access without keeping a publicly exposed jump box alive. The replacement is not a bigger bastion host. It’s a lightweight, ephemeral proxy deployment that vanishes when it’s not in use.

A VPC private subnet proxy deployment removes the public endpoint entirely. You turn on secure, zero‑trust access at the network edge. No static IPs. No permanent attack surface. The proxy spins up only when traffic needs to flow to your private resources. Tear it down and it’s like it was never there.

With this design, you avoid storing SSH keys on developer laptops. You cut the admin overhead of patching and rotating credentials on a shared bastion. Every connection is authenticated, logged, and authorized in real time. Policies can be tied directly to user identity and group membership, not to IP ranges or subnet whitelists that rot over time.

Deploying a bastion host replacement is also faster than you think. A containerized proxy runs inside the private subnet. It connects outbound through a single, controlled egress path. You can run it on ECS, EKS, or any compute element inside your VPC. Pair it with an identity‑aware access layer and you have end‑to‑end encryption, isolated routes, and completely private workloads with no exposed ports.

Continue reading? Get the full guide.

SSH Bastion Hosts / Jump Servers: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

This shift is more than convenience. It is resilience. Bastion hosts are a maintenance debt and a breach risk. Ephemeral VPC private subnet proxies are self‑cleaning infrastructure. They scale with demand, adapt to outages, and respect the security boundaries your network is designed to enforce.

The migration path is clean:

  1. Remove the public bastion from your route tables and security groups.
  2. Deploy the proxy container in the target private subnet.
  3. Integrate it with an access gateway or orchestrator that can handle fine‑grained policies.
  4. Automate spin‑up and teardown through CI/CD or on‑demand triggers.

Once in place, the difference is immediate. No permanent inbound routes to your VPC. No dangling EC2 instances idling as targets. No manual SSH key management. Just short‑lived, auditable connections to the exact resources required, exactly when needed.

The bastion host era is over. See how a full bastion replacement with an ephemeral VPC private subnet proxy can be live in minutes. Watch it in action at hoop.dev and move your team beyond the risks of the public internet for good.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts