A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. It is named after the bastion, a military fortification, and is generally attributed to a 1990 article discussing firewalls by Marcus J. Ranum. A bastion host is typically placed outside the firewall or within a DMZ (demilitarized zone) and is used to manage access to an internal or private network from an external network such as the internet. It is designed to provide remote access to private networks from an external network, and commonly used as an SSH proxy server to support system administration. The bastion host becomes the only ingress path to those internal resources, and access control becomes easier to manage while minimizing the potential attack surface.

Bastion hosts are used in cloud environments as a server to provide access to a private network from an external network such as the internet. They are also commonly used to proxy and log communications, such as SSH sessions. The bastion host can be started and stopped to enable or disable inbound SSH communication from the internet, and it simplifies authentication via SSO (single sign-on).

In summary, a bastion host is a dedicated server that lets authorized users access a private network from an external network such as the internet. It is designed to withstand attacks and is used to manage access to an internal or private network from an external network. It provides remote access to private networks from an external network and commonly used as an SSH proxy server to support system administration.