AWS Quick Starts

Linux Bastion Hosts on AWS

Secure remote access with Linux bastion hosts on the AWS Cloud

Deploy on AWS into a new VPC

(or deploy into an existing VPC)

View guide — HTML | PDF

Quick Start architecture for Linux bastion hosts on the AWS Cloud

To build an AWS Cloud infrastructure for accessing Microsoft Windows-based instances, see the Quick Start for Remote Desktop (RD) Gateway. For additional Quick Starts, see the complete catalog.


This Quick Start adds Linux bastion hosts to your new or existing AWS infrastructure for your Linux-based deployments. After you deploy this Quick Start, you can layer your cloud environment with additional AWS services, infrastructure components, and applications to complete your Linux environment in the AWS Cloud.

The bastion hosts provide secure access to Linux instances located in the private and public subnets of your VPC. The Quick Start architecture deploys Linux bastion host instances into the public subnets to provide readily available administrative access to the environment. The Quick Start sets up a Multi-AZ environment consisting of two Availability Zones. You can specify the instance type for the bastion hosts and the number of instances you'd like to deploy (1-4).

The Quick Start creates an Auto Scaling group to ensure that the number of bastion host instances always matches the capacity you specify. The Quick Start also sets up AWS CloudWatch Logs for remote storage of shell history logs, for added security. 

  • What you'll build

    Use this Quick Start to set up the following networking environment on AWS:

    • A highly available architecture that spans two Availability Zones.*
    • A VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*
    • An Internet gateway to allow access to the Internet. This gateway is used by the bastion hosts to send and receive traffic.*
    • Managed NAT gateways to allow outbound Internet access for resources in the private subnets.*
    • A Linux bastion host in each public subnet with an Elastic IP address to allow inbound Secure Shell (SSH) access to EC2 instances in public and private subnets.
    • A security group for fine-grained inbound access control.
    • An Amazon EC2 Auto Scaling group with a configurable number of instances.
    • A set of Elastic IP addresses that match the number of bastion host instances. If the Auto Scaling group relaunches any instances, these addresses are reassociated with the new instances.
    • An Amazon CloudWatch Logs log group to hold the Linux bastion host shell history logs.
    • Your choice to create a new VPC or deploy into your existing VPC on AWS. The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks (*) above.


    For details, see the Quick Start deployment guide.

  • Deployment details

    Adding a bastion host to your Linux environment on AWS involves a few simple steps and takes about 5 minutes:

    1. Sign up for an AWS account.
    2. Launch the Quick Start to deploy the bastion hosts into a new or existing VPC.
    3. Add other AWS services or your Linux applications.  


    To customize your deployment, you can change your VPC configuration, choose the number and type of bastion host instances, enable TCP or X11 forwarding, and enable a default or custom banner for your bastion hosts.

    For complete details, see the Quick Start deployment guide.

  • Cost and licenses

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. For cost estimates, see the Amazon EC2 pricing page.