reference deployment

Linux Bastion Hosts on AWS

Secure remote access with Linux bastion hosts on the AWS Cloud

This Quick Start adds Linux bastion hosts to your new or existing Amazon Web Services (AWS) infrastructure for your Linux-based deployments. The bastion hosts provide secure access to Linux instances located in the private and public subnets of your virtual private cloud (VPC).

The Quick Start sets up a Multi-AZ environment and deploys Linux bastion host instances into the public subnets. You can specify the instance type for the bastion hosts and the number of instances you want to deploy (1–4).

An Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group ensures that the number of bastion host instances always matches the capacity you specify. For added security, the Quick Start also sets up Amazon CloudWatch Logs for remote storage of shell history logs. After you deploy this Quick Start, you can add more AWS services, infrastructure components, and applications to complete your Linux environment in the AWS Cloud.


This Quick Start was developed by
AWS solutions architects.


  •  What you'll build
  •  How to deploy
  •  Cost and licenses
  •  What you'll build
  • Use this Quick Start to set up the following networking environment on AWS:

    • A highly available architecture that spans two Availability Zones.*
    • A VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*
    • An internet gateway to allow access to the internet. This gateway is used by the bastion hosts to send and receive traffic.*
    • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
    • A Linux bastion host in each public subnet with an Elastic IP address to allow inbound SSH (Secure Shell) access to Amazon EC2 instances in public and private subnets.
    • A security group for fine-grained inbound access control.
    • An Amazon EC2 Auto Scaling group with a configurable number of instances.
    • A set of Elastic IP addresses that match the number of bastion host instances. If the Auto Scaling group relaunches any instances, these addresses are reassociated with the new instances.
    • An Amazon CloudWatch Logs log group for the Linux bastion host shell history logs.

    *  The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To add bastion hosts to your Linux environment on AWS, follow the instructions in the deployment guide. The deployment process takes about five minutes and includes these steps:

    1. If you don't already have an AWS account, sign up at, and sign into your account.
    2. Launch the Quick Start by choosing from the following options. Before you create the stack, choose the Region from the top toolbar.
    3. Add other AWS services or your Linux applications.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregates the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?