I have a private network with servers that require SSH access. Since the instances are in a private subnet, they cannot be accessed directly via SSH and require a public Bastion host to access.
Workstation -> via SSH -> Bastion -> via SSH Forwarding -> private subnet instance
We use a NAT host as a public gateway to the private network.
User -> via HTTP -> NAT -> via private networking -> private subnet instance
What are the benefits of keeping the Bastion & NAT hosts separate? What are the benefits of combining them?
Best Answer
From a technical point of view you can use your NAT as your bastion host, but from an architectural point of view you should never do that. And here is why:
Your bastion host is the entry point to your internal infrastructure and your NAT usually connects important services like your database to the internet. So both should be secured as much as possible.
Your bastion host and your NAT have opposite roles:
Also the bastion host is just a management server so a cheap instance is usually sufficient whereas the NAT must be able to potentially route a large amount of traffic.
There is no rational reason why you should use your NAT as your bastion host except you do not care about security ;-)
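To make the "opposite roles" argument concrete, here is an added example (my own code, not from the question or the answer) that models the firewall policy of a bastion host, a NAT host, and the merged host you get by putting both roles on one machine, then checks each against the invariants the answer implies: a bastion accepts administrative SSH only and routes nothing; a NAT routes the private subnet's egress and exposes no login service of its own. All addresses are constructed sample values from the RFC 5737 documentation ranges and the private 10.0.1.0/24 subnet; the rule model is a simplification (first match wins, default deny) rather than any particular firewall's syntax.

```python
"""Policy model for bastion vs NAT roles (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample addressing: documentation ranges, not real hosts.
ADMIN_NET = "203.0.113.0/24"   # operators' workstations
PRIVATE_NET = "10.0.1.0/24"    # private subnet behind the NAT
INTERNET = "0.0.0.0/0"
BASTION_IP = "198.51.100.10"
NAT_IP = "198.51.100.20"


@dataclass(frozen=True)
class Rule:
    direction: str        # "in": destined to the host itself; "fwd": routed through it
    src: str              # source network (CIDR)
    dst: str              # destination network (CIDR)
    port: Optional[int]   # destination port, None means any port
    allow: bool


def matches(rule: Rule, direction: str, src: str, dst: str, port: int) -> bool:
    return (rule.direction == direction
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.port in (None, port))


def evaluate(rules: List[Rule], direction: str, src: str, dst: str, port: int) -> bool:
    """First matching rule decides; no match means deny (default-deny)."""
    for rule in rules:
        if matches(rule, direction, src, dst, port):
            return rule.allow
    return False


def bastion_rules(host_ip: str) -> List[Rule]:
    # Only administrative SSH to the host itself; a bastion is not a router.
    return [Rule("in", ADMIN_NET, host_ip + "/32", 22, True)]


def nat_rules() -> List[Rule]:
    # Route the private subnet's egress; accept nothing inbound to the host itself.
    return [Rule("fwd", PRIVATE_NET, INTERNET, None, True)]


def bastion_violations(rules: List[Rule], host_ip: str) -> List[str]:
    """Invariants of the bastion role: admin SSH only, never forward traffic."""
    problems = []
    if evaluate(rules, "fwd", "10.0.1.5", "192.0.2.1", 443):
        problems.append("bastion role forwards traffic for other hosts")
    if evaluate(rules, "in", "192.0.2.99", host_ip, 22):
        problems.append("bastion role accepts SSH from outside the admin network")
    return problems


def nat_violations(rules: List[Rule], host_ip: str) -> List[str]:
    """Invariants of the NAT role: route egress, expose no login service."""
    problems = []
    if not evaluate(rules, "fwd", "10.0.1.5", "192.0.2.1", 443):
        problems.append("NAT role does not route private-subnet egress")
    if evaluate(rules, "in", "203.0.113.7", host_ip, 22):
        problems.append("NAT role accepts interactive SSH logins")
    return problems


def combined_rules(host_ip: str) -> List[Rule]:
    # One host playing both roles needs the union of both allow-lists.
    return bastion_rules(host_ip) + nat_rules()


if __name__ == "__main__":
    print("bastion alone :", bastion_violations(bastion_rules(BASTION_IP), BASTION_IP))
    print("NAT alone     :", nat_violations(nat_rules(), NAT_IP))
    merged = combined_rules(NAT_IP)
    print("combined host :", bastion_violations(merged, NAT_IP) + nat_violations(merged, NAT_IP))
```

Run stand-alone, the separate hosts report no violations while the combined host trips one invariant from each role: the machine that terminates administrative logins is now also the one every private instance's outbound traffic passes through, so a compromise of either role hands an attacker the other. That is the blast-radius argument in the answer, expressed as a check you could adapt to your own rule sets.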