
How To Transfer Files Using Bastion?

Published Aug 29, 2025 6 min read

File transfer via a bastion host is a critical skill for securely moving files to and from private network resources.

A bastion host, or "jump host," is a hardened server that sits at the edge of a network, acting as a gateway for administrative access to internal systems that are not exposed to the public internet. This guide details several common methods for file transfer through a bastion, with explanations of the underlying technology and step-by-step instructions.

Prerequisites

  • SSH Client: You will need an SSH client on your local machine (e.g., OpenSSH on Linux/macOS, or PuTTY/native SSH on Windows).
  • SSH Keys: Using SSH key pairs for authentication is highly recommended for security. Ensure your public key is on both the bastion and the final destination host.
  • Permissions: You must have the necessary SSH access permissions to connect to both the bastion and the target host.

Method 1: Using the ProxyJump option in SSH

The ProxyJump (-J) command-line option is the most modern and straightforward method for transferring files through a bastion host. It tells your SSH client to first establish a connection to the bastion and then "jump" from there to the final destination. This single command encapsulates the entire process.

Step-by-step instructions

  1. Transferring files with scp (secure copy): This command copies a file from your local machine to the target host.
    • Syntax: scp -J <bastion_user>@<bastion_ip> <local_file_path> <target_user>@<target_ip>:<remote_file_path>

    • **Example:**

      ```sh
      scp -J ubuntu@198.51.100.10 ~/documents/report.pdf ec2-user@10.0.1.5:/home/ec2-user/reports/
      ```

    • Explanation:

      • -J ubuntu@198.51.100.10: Directs the connection to first jump through the bastion at 198.51.100.10 using the user ubuntu.
      • ~/documents/report.pdf: The file you want to copy from your local machine.
      • ec2-user@10.0.1.5:/home/ec2-user/reports/: Specifies the user, internal IP address, and destination path on the target server.
  2. Downloading files with scp: To copy a file from the target host to your local machine, simply reverse the source and destination paths.
    • Syntax: scp -J <bastion_user>@<bastion_ip> <target_user>@<target_ip>:<remote_file_path> <local_file_path>

    • **Example:**

      ```sh
      scp -J ubuntu@198.51.100.10 ec2-user@10.0.1.5:/var/log/application.log ~/logs/
      ```

  3. Using rsync for more advanced transfers: For synchronizing directories, rsync is a more robust tool than scp.
    • Syntax: rsync -avzh -e "ssh -J <bastion_user>@<bastion_ip>" <source_path> <target_user>@<target_ip>:<destination_path>

    • **Example:**

      ```sh
      rsync -avzh -e "ssh -J ubuntu@198.51.100.10" /var/www/my-app/files/ ec2-user@10.0.1.5:/var/www/backups/
      ```

      • -e "ssh -J ...": Explicitly tells rsync to use the ProxyJump method for its SSH connection.
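The Method 1 upload as a small script, added here as an example and not part of the original guide. It checks the host specs before handing them to scp (so an argument that looks like an option can never be parsed as one), runs the ProxyJump copy, and then asks the target for the file's SHA-256 so the upload is confirmed end to end rather than assumed. The users, addresses and paths are the guide's placeholders; DRY_RUN is an assumed switch that prints the commands instead of running them.

```sh
#!/bin/sh
# Added example (not from the guide): push one file through a bastion with
# scp -J and confirm the copy by comparing SHA-256 digests on both ends.
# Users, hosts and paths are the guide's placeholders; DRY_RUN=1 prints the
# commands instead of running them.

# Accept only plain host or user@host specs: no empty string, nothing that
# starts with '-' (would be parsed as an option), no shell metacharacters.
valid_hostspec() {
  case "$1" in
    ''|-*) return 1 ;;
    *[!A-Za-z0-9._@-]*) return 1 ;;
  esac
  return 0
}

# Print the scp command that Method 1 describes, after validating host specs.
scp_jump_cmd() {  # bastion target local_file remote_dir
  valid_hostspec "$1" && valid_hostspec "$2" || return 1
  printf 'scp -J %s %s %s:%s\n' "$1" "$3" "$2" "$4"
}

# SHA-256 of a local file (coreutils sha256sum, or shasum on macOS).
sha256_of() {  # file
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# 0 when both digests are present and equal, 1 otherwise.
hashes_match() {  # local_digest remote_digest
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Run a command, or only print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Push $3 into directory $4 on target $2 via bastion $1, then compare the
# digest the target reports with the one computed locally.
push_verified() {  # bastion target local_file remote_dir
  scp_jump_cmd "$1" "$2" "$3" "$4" >/dev/null || { echo "rejected host spec" >&2; return 2; }
  run scp -J "$1" "$3" "$2:$4" || return 1
  [ -n "${DRY_RUN:-}" ] && return 0
  local_sum=$(sha256_of "$3")
  # The remote path is interpreted by the target's shell: keep it free of
  # spaces and quotes, or quote it for that shell.
  remote_sum=$(ssh -J "$1" "$2" sha256sum "$4/$(basename "$3")" | cut -d' ' -f1)
  hashes_match "$local_sum" "$remote_sum"
}

# Usage with the guide's placeholders:
#   push_verified ubuntu@198.51.100.10 ec2-user@10.0.1.5 ~/documents/report.pdf /home/ec2-user/reports
```

The digest round trip costs one extra SSH session but catches a truncated or partially written upload, which scp's exit status alone does not always reveal; the same check works unchanged for the rsync form, since the remote command also rides through `ssh -J`.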

Method 2: Configuring SSH client for transparent access

For frequent file transfers, you can configure your SSH client to handle the bastion hop automatically. This makes your connections feel seamless, as if you were connecting directly to the internal host.

Step-by-step instructions

  1. Edit your SSH configuration file:
    • On your local machine, open the ~/.ssh/config file in a text editor. If it doesn't exist, create it.
  2. Add host entries:
    • Add an entry for the bastion host and another for the target host, specifying the ProxyJump directive for the latter.

    • **Example configuration:**

      ```config
      Host bastion-host
          HostName 198.51.100.10
          User ubuntu
      Host internal-server
          HostName 10.0.1.5
          User ec2-user
          ProxyJump bastion-host
      ```

  3. Transfer files seamlessly:
    • With this configuration, you can now use scp and rsync with the alias internal-server instead of the full IP addresses.

    • **Example scp commands:**

      ```sh
      # Copy a file to the internal server
      scp ~/documents/report.pdf internal-server:/home/ec2-user/reports/
      # Copy a file from the internal server
      scp internal-server:/var/log/application.log ~/logs/
      ```
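The Method 2 configuration written out with a few hardening options and read back the way ssh itself resolves it. This is an added example, not part of the original guide: `ssh -G` prints the effective settings for an alias and exits without connecting, which is the quickest way to confirm that `internal-server` really routes through `bastion-host` before any file is sent. The hosts and users are the guide's placeholders; the key file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the guide): write the Method 2 client configuration
# to its own file with a few hardening options added, then read settings back
# the way ssh itself resolves them. Hosts, users and key file names are
# assumed placeholders.

write_client_config() {  # output_file
  cat > "$1" <<'EOF'
Host bastion-host
    HostName 198.51.100.10
    User ubuntu
    IdentityFile ~/.ssh/bastion_ed25519
    # Offer only this key, not every key the agent holds.
    IdentitiesOnly yes

Host internal-server
    HostName 10.0.1.5
    User ec2-user
    ProxyJump bastion-host
    IdentityFile ~/.ssh/internal_ed25519
    IdentitiesOnly yes

Host *
    # ProxyJump authenticates to the target end to end, so the agent never
    # needs to be exposed to the bastion.
    ForwardAgent no
    # Refuse unknown or changed host keys instead of prompting, so a typo or
    # a swapped hop cannot be accepted by reflex.
    StrictHostKeyChecking yes
EOF
}

# Effective value of one keyword for an alias. `ssh -G` prints the resolved
# configuration (keywords in lower case) and exits without connecting; when
# ssh is unavailable, fall back to reading the alias's own block directly.
effective_setting() {  # config_file alias keyword_lowercase
  if out=$(ssh -G -F "$1" "$2" 2>/dev/null); then
    printf '%s\n' "$out" | awk -v k="$3" '$1 == k { print $2; exit }'
  else
    awk -v k="$3" -v h="$2" '
      tolower($1) == "host" { in_block = ($2 == h); next }
      in_block && tolower($1) == k { print $2; exit }' "$1"
  fi
}

# Usage (file path is an assumption):
#   write_client_config ~/.ssh/bastion.conf
#   effective_setting ~/.ssh/bastion.conf internal-server proxyjump   # bastion-host
```

With `StrictHostKeyChecking yes` the first connection to each host will fail until its key is in `known_hosts`, so add the bastion's and the target's keys through a channel you trust before relying on the alias; that one-time step is what makes every later `scp internal-server:...` a verified hop rather than a prompt answered by habit.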

Method 3: Using a local SSH tunnel

This method creates a secure, temporary tunnel from your local machine to the final destination, forwarding a local port to a remote one via the bastion. It's useful for using graphical clients or tools that don't natively support a jump host.

Step-by-step instructions

  1. Open the tunnel via the bastion:
    • Run the following command in a terminal, which will block until you close the tunnel.

    • Syntax: ssh -L <local_port>:<target_ip>:<target_port> <bastion_user>@<bastion_ip> -N

    • **Example:**

      ```sh
      # Forward local port 2222 to the target's port 22
      ssh -L 2222:10.0.1.5:22 ubuntu@198.51.100.10 -N
      ```

      • -L: Defines the local port forwarding.
      • -N: Prevents a remote command from being executed, keeping the connection open for the tunnel.
  2. Use scp or sftp through the tunnel:
    • Open a second terminal window to perform the file transfer. Connect to localhost using the local port you specified (2222 in this example).

    • **scp example:**

      ```sh
      # Copy a file to the target host through the tunnel
      scp -P 2222 ~/documents/report.pdf ec2-user@127.0.0.1:/home/ec2-user/reports/
      ```

    • **sftp example:**

      ```sh
      # Connect to the target host with an SFTP client
      sftp -P 2222 ec2-user@127.0.0.1
      ```

      • -P 2222: Specifies the local port for the connection.
      • 127.0.0.1 (localhost): The local address to which your port is forwarded.

Method 4: Using cloud provider-specific native clients

Cloud providers like Microsoft Azure offer integrated solutions for file transfer via their Bastion services using native RDP or SSH clients.

Step-by-step instructions (Azure Bastion)

  1. Ensure Standard SKU: Your Azure Bastion must be configured with the Standard tier and Native Client support enabled.
  2. Open a tunnel via Azure CLI:
    • Sign in to your Azure account using az login.

    • Use the az network bastion tunnel command to open a secure tunnel to your VM.

      ```sh
      az network bastion tunnel --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --resource-port "<TargetVMPort>" --port "<LocalMachinePort>"
      ```

  3. Transfer files with scp or sftp:
    • With the tunnel active, use scp or sftp in another terminal window, just as you would with the generic SSH tunnel method.

    • **scp example:**

      ```sh
      scp -P <LocalMachinePort> <local_file_path> <username>@127.0.0.1:<target_vm_file_path>
      ```

Best practices for secure file transfer via bastion

  • Principle of Least Privilege: Users should not have sudo or root privileges on the bastion host itself. It should be used only for forwarding connections.
  • Use SSH Key Authentication: Avoid password-based authentication for both the bastion and target hosts. Use SSH keys and, optionally, SSH Agent Forwarding for convenience.
  • Audit Logging: Configure robust logging on the bastion to create an audit trail of all access attempts and connections.
  • Restrict Egress: Use network security groups or firewalls to restrict the bastion's outbound traffic to only the necessary ports and internal IP ranges.
  • Alternative Solutions: For large-scale data transfers, consider using cloud-native services like object storage (e.g., AWS S3, Azure Blob Storage) with secure upload methods (AzCopy or aws s3 cp) instead of a bastion. This offloads the file transfer from the bastion and is more efficient for big jobs.
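The least-privilege, key-only and restricted-egress points above, applied to the bastion's own sshd as an added example (not part of the original guide). Accounts in a transfer group get no shell and no TTY, may forward only to the internal target's SSH port, and cannot forward an agent or X11; this is enough for every `-J` and `-L` command in Methods 1 to 3, because those open a forwarded TCP channel on the bastion rather than a session. The group name `transfer-users`, the output path and the single permitted destination are assumptions.

```sh
#!/bin/sh
# Added example (not from the guide): an sshd drop-in for the bastion that
# applies the best-practice bullets to a file-transfer group, plus a small
# reader that shows which value applies globally and inside the Match block.
# Group name, target address and file path are assumptions.

write_bastion_sshd_dropin() {  # output_file
  cat > "$1" <<'EOF'
# Global hardening: keys only, no agent or X11 relay, verbose auth logging
# (records the key fingerprint used for each login).
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowAgentForwarding no
GatewayPorts no
LogLevel VERBOSE

# Accounts that only relay file transfers: no shell, no TTY, and forwarding
# allowed solely to the internal target's SSH port, so -J and -L work but
# the bastion cannot be used as a general pivot.
Match Group transfer-users
    PermitTTY no
    ForceCommand /bin/false
    AllowTcpForwarding local
    PermitOpen 10.0.1.5:22
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

# Value of a keyword (lower-case) in the global section, or, when a group is
# given, inside the "Match Group <group>" block. Comments and indentation are
# ignored the same way sshd ignores them.
sshd_setting() {  # file keyword_lowercase [match_group]
  awk -v k="$2" -v g="${3:-}" '
    tolower($1) == "match" { in_match = 1; hit = (tolower($2) == "group" && $3 == g); next }
    tolower($1) == k {
      if ((g == "" && !in_match) || (g != "" && in_match && hit)) { print $2; exit }
    }' "$1"
}

# Usage (path is an assumption; it is picked up by an Include line in sshd_config):
#   write_bastion_sshd_dropin /etc/ssh/sshd_config.d/10-transfer.conf
#   sshd_setting /etc/ssh/sshd_config.d/10-transfer.conf permitopen transfer-users
```

After installing the file, run `sshd -t` to validate the full configuration before reloading; a typo in a Match block otherwise locks out the very accounts it was meant to restrict. `AllowTcpForwarding local` permits the client-initiated channels that `-J` and `-L` create while still denying reverse forwards, and `PermitOpen` is the line that turns "restrict egress" into something the bastion enforces for each transfer account.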