Jump Hosts

A jump host (or bastion host) is a server that acts as the single entry point to a private network. Instead of exposing every server directly to the internet, only the bastion has SSH open publicly. All other servers are accessed by first connecting to the bastion, then tunneling through it to the target. Modern SSH handles this transparently with ProxyJump — it looks like a direct connection but routes through the bastion automatically.

What is a bastion/jump host?

Internet
    ↓ SSH (port 22)
bastion.example.com  (public IP: 203.0.113.1)
    ↓ SSH (internal network)
 ├─ web-01 (10.0.1.10) — private, no public SSH
 ├─ db-01  (10.0.1.20) — private, no public SSH
 └─ cache-01 (10.0.1.30) — private, no public SSH

Security benefit:
  - Only ONE host needs to be hardened and monitored for SSH attacks
  - Private servers have no internet exposure

Connecting through a jump host

# -J flag: specify jump host(s)
# Format: user@jumphost:port
ssh -J irfan@203.0.113.1 irfan@10.0.1.20    # Connect to db-01 via bastion

# Multiple jump hosts in sequence:
ssh -J user@bastion1,user@bastion2 user@target

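# Combining with other SSH options:
# (command-line options such as -i apply to the target, not the jump host;
#  set jump-host options in ~/.ssh/config)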
ssh -J irfan@bastion -i ~/.ssh/internal_key irfan@10.0.1.20

ProxyJump in ~/.ssh/config

nano ~/.ssh/config

~/.ssh/config with jump host configuration

# The bastion host
Host bastion
    HostName 203.0.113.1
    User irfan
    IdentityFile ~/.ssh/id_ed25519
    ServerAliveInterval 60

# Private servers — all route through bastion automatically
Host web-01
    HostName 10.0.1.10
    User irfan
    ProxyJump bastion

Host db-01
    HostName 10.0.1.20
    User irfan
    ProxyJump bastion
    # Key used to authenticate to db-01 itself; the bastion hop uses the key from the bastion block
    IdentityFile ~/.ssh/db_key

# All servers in the private subnet
Host 10.0.1.*
    User irfan
    ProxyJump bastion

# With this config, all these work transparently:
ssh db-01         # Automatically jumps via bastion
scp file.txt db-01:/tmp/
rsync -av data/ web-01:/opt/app/

Chaining multiple jump hosts

# Sometimes you need to jump through multiple bastions
# (e.g., production network requires two security zones)

Host prod-db
    HostName 10.100.1.20
    User irfan
    ProxyJump bastion-public,bastion-private

# OR use nested ProxyJump:
Host bastion-private
    HostName 172.16.1.1
    User irfan
    ProxyJump bastion-public

Host prod-db
    HostName 10.100.1.20
    User irfan
    ProxyJump bastion-private
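
To check which path a connection takes under the two forms above, the following added example (not part of the original article) resolves the hop order from config text and lists the hosts the client reaches directly. It is a simplified model that reads only Host, HostName and ProxyJump and ignores Match, Include, negated patterns and IPv6 hop addresses; the function names, the alias prod-db-list and the bastion-public address are assumptions made for illustration.

```python
import fnmatch

# Constructed sample: the article's nested form plus its comma-list form (alias prod-db-list is hypothetical).
SAMPLE_CONFIG = """
Host bastion-public
    HostName 203.0.113.1
Host bastion-private
    HostName 172.16.1.1
    ProxyJump bastion-public
Host prod-db
    HostName 10.100.1.20
    ProxyJump bastion-private
Host prod-db-list
    ProxyJump bastion-public,bastion-private
"""

def parse(text):
    """Return [(patterns, options)] for each Host block, in file order."""
    blocks = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.lower() == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            blocks[-1][1].setdefault(key.lower(), value.strip())
    return blocks

def lookup(blocks, alias, keyword):
    """First matching block that sets the keyword wins, as in ssh_config."""
    for patterns, opts in blocks:
        if keyword in opts and any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            return opts[keyword]

def jump_chain(blocks, alias, seen=()):
    """Hops in order before alias; only the first listed hop consults its own ProxyJump."""
    if alias in seen:
        raise ValueError("ProxyJump loop at " + alias)
    spec = lookup(blocks, alias, "proxyjump")
    if not spec or spec.lower() == "none":
        return []
    hops = [h.rsplit("@", 1)[-1].split(":")[0] for h in spec.split(",")]  # drop user@ and :port
    return jump_chain(blocks, hops[0], seen + (alias,)) + hops

def entry_points(blocks):
    """First hop of every jumped alias: the hosts the client must reach directly."""
    aliases = [p for pats, _ in blocks for p in pats if "*" not in p and "?" not in p]
    return {jump_chain(blocks, a)[0] for a in aliases if jump_chain(blocks, a)}
```

Both forms resolve to the same path, and entry_points should return a single bastion if the network has one entry point. On a real client, ssh -G prod-db prints the options OpenSSH itself would apply to that host, including proxyjump.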

Copying files through a jump host

# scp through jump host (uses ~/.ssh/config ProxyJump automatically)
scp file.txt db-01:/tmp/

# Explicit jump host with scp:
scp -o "ProxyJump irfan@bastion" file.txt irfan@10.0.1.20:/tmp/

# rsync through jump host:
rsync -av -e "ssh -J irfan@bastion" data/ irfan@10.0.1.20:/backup/

# Or via ~/.ssh/config (ProxyJump auto-applies):
rsync -av data/ db-01:/backup/

Conclusion

Jump hosts are essential for secure data center access. The -J flag and ProxyJump in ~/.ssh/config make multi-hop connections transparent — after configuring it, you just type ssh db-01 and SSH handles the bastion routing automatically, including for scp and rsync. The key security principle: the bastion host is the only server that needs to be internet-reachable; harden it aggressively and monitor its SSH logs closely.

FAQ

Are jump hosts important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
