Using a Bastion or gateway host can be one of the quickest security measures that you can use to reduce the attack surface of resources running within your cloud environment. The idea of a Bastion host is fairly simple. A Bastion host is used to allow operational or internal access to resources within your cloud account, without requiring you to publicly expose these resources to the internet. Whilst we’ll pick a specific example to illustrate the usefulness of a Bastion host, it is worth noting that these techniques can be applied to any of the major cloud providers such as Amazon AWS, Microsoft Azure and Google Cloud Platform.

![bastion server](https://ci3.googleusercontent.com/proxy/xHJ9h4gVnF3XLxQnlnJ7FOMAdr3r_MW7Mbtyf3fl_LoZza_N_m7gqirDjP-BjhUk2qlykaMNXz7JWT6f4AYXGjn673jf5bw1VWLdhjKD7t9M7owGPbz_BdA=s0-d-e1-ft#https://static.javatpoint.com/tutorial/aws/images/aws-bastion-host.png)
![bastion server](https://docs.microsoft.com/en-in/azure/includes/media/bastion-vm-rdp/connection.png)

Let’s assume you have 4 servers running in an AWS account, and that you need to provide your developers with SSH access to these servers. One way that you can provide your developers with SSH access will be to ensure that each server has a public IP address and runs SSH so that a developer can directly connect to each server. Each server is publicly exposed to the internet via the public IP. Every one of these servers could be used by an attacker to try and gain access to your cloud infrastructure. If an attacker is able to gain unauthorised access to one of these servers, what else will they be able to access? Because each of these four servers is exposed to the internet, they should be security hardened and have additional security measures in place such as audit logging and firewall rules.
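To make the difference in exposure concrete, the following added example (not code from the original article) audits security group rules for SSH that is reachable from the whole internet. It compares the four-server layout with a Bastion layout. The input follows the shape of `aws ec2 describe-security-groups` JSON. The group names, the group IDs and the rule that servers accept SSH only from the Bastion's security group are assumptions constructed for illustration.

```python
import ipaddress

SSH_PORT = 22

def covers_ssh(perm):
    """True if an IpPermissions entry allows TCP/22 (or all protocols)."""
    if perm.get("IpProtocol") == "-1":  # "-1" means every protocol and port
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)

def world_open(perm):
    """True if any source range of the rule is the whole internet (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def internet_ssh_groups(groups):
    """Return the names of security groups that accept SSH from anywhere."""
    return sorted(
        g["GroupName"] for g in groups
        if any(covers_ssh(p) and world_open(p) for p in g.get("IpPermissions", []))
    )

def ssh_rule(**source):
    """Build a TCP/22 ingress rule with the given source (helper for the sample data)."""
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, **source}

# Constructed sample: each of the four servers has public SSH.
direct = [{"GroupName": f"server-{i}", "GroupId": f"sg-server{i}",
           "IpPermissions": [ssh_rule(IpRanges=[{"CidrIp": "0.0.0.0/0"}])]}
          for i in range(1, 5)]

# Constructed sample: only the bastion is public; servers accept SSH
# from the bastion's security group and from nowhere else.
bastion = [{"GroupName": "bastion", "GroupId": "sg-bastion",
            "IpPermissions": [ssh_rule(IpRanges=[{"CidrIp": "0.0.0.0/0"}])]}]
bastion += [{"GroupName": f"server-{i}", "GroupId": f"sg-server{i}",
             "IpPermissions": [ssh_rule(UserIdGroupPairs=[{"GroupId": "sg-bastion"}])]}
            for i in range(1, 5)]

if __name__ == "__main__":
    print("direct :", internet_ssh_groups(direct))
    print("bastion:", internet_ssh_groups(bastion))
```

In the Bastion layout the hardening, audit logging and firewall attention can be concentrated on the single group the audit still reports.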