Target and Connection Management

Administrators' guide to managing your BastionZero targets and connections


Last updated 7 months ago

The BastionZero product is maintained for existing BastionZero customers only.

Moving forward, we are natively rebuilding BastionZero's technology as Cloudflare's Access for Infrastructure service.

BastionZero manages the lifecycle of both connections and targets. There are features in place for the different connection types, such as shells, SSH tunnels, and k8s clusters, as well as for targets, which may be long-lived, shut down and restarted, or ephemeral.

Client Connections

BastionZero clients and targets make websocket connections to the service. Across those websockets, users make shell, SSH tunnel, HTTP, or native TCP connections depending on the access technology. All of these connections transparently use MrZAP technology.

Shell connections can be made using the zli. The shell terminal runs in the BastionZero SaaS. This gives users the ability to run a long-lived shell connection, for example during a database migration, without needing to keep the end user's device active. Idle shell connections are maintained by BastionZero for up to seven days or until the user or an administrator closes them. Future versions of BastionZero will give the administrator the ability to control this time frame.

SSH tunnels, and shell sessions run over an SSH tunnel, are unique in that the data sent through BastionZero is encrypted end to end and opaque to BastionZero. Thus command logs and session recordings are not available for any connection that runs over an SSH tunnel. SSH tunnels are only supported by the zli. When a user logs out of BastionZero, all SSH tunnels are terminated. In addition, if a user's authentication token is invalidated by the SSO provider for any reason (such as a one-hour ID token expiration), SSH tunnels are also invalidated.

SSH tunneling is a very powerful feature. It can be used to forward any protocol to any destination behind the perimeter, such as a database, web server, legacy application, or any target not natively supported by BastionZero. By default, all BastionZero target access policies disable SSH tunnels.

Native TCP connections are used for database and web server targets (in lieu of SSH tunnels) where an administrator wants simplified deployment as well as connection and query logs for these types of targets. This feature is offered through the zli, and, like SSH tunnels, a native TCP connection is terminated by a user logout or SSO token expiration.

Target Connections

After successfully completing the registration process, all targets make a websocket connection to BastionZero. This outbound connection to the BastionZero SaaS is the only connection that is made from the target to BastionZero. All other connections are initiated by a client request and go through this websocket.

The target maintains a keepalive across the websocket. The BastionZero SaaS uses this keepalive to determine whether the target is online or offline. If a target goes offline, no new connection attempts are made to it and all of its existing connections are closed.

A target's online/offline status also plays a role in its appearance in the target table. Recall that groups of targets may be placed in an environment. Environments have a target lifecycle management feature called the Offline Target Removal Policy. This is an expiration timer that can be set from 1 hour to 90 days. Any target that is offline for that time period is removed from the target table. An administrator may set this time by visiting the Manage environments page.
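The keepalive-driven online/offline state and the Offline Target Removal Policy described above, as an added model in Python; this is not BastionZero's code, and the keepalive timeout value is an assumption because the page does not state the interval:

```python
# Constructed model of the lifecycle rules this page describes; not BastionZero's code.
# Times are in seconds. The page gives no keepalive interval, so 90 s is an assumption.
KEEPALIVE_TIMEOUT = 90
HOUR, DAY = 3600, 86400


class Environment:
    def __init__(self, offline_removal_policy):
        # The Offline Target Removal Policy can be set from 1 hour to 90 days.
        if not HOUR <= offline_removal_policy <= 90 * DAY:
            raise ValueError("policy must be between 1 hour and 90 days")
        self.policy = offline_removal_policy
        self.targets = {}  # name -> {"seen": last keepalive time, "conns": set()}

    def keepalive(self, name, now):
        self.targets.setdefault(name, {"conns": set()})["seen"] = now

    def is_online(self, name, now):
        return now - self.targets[name]["seen"] <= KEEPALIVE_TIMEOUT

    def connect(self, name, conn_id, now):
        # No new connection attempts are made to an offline target.
        if not self.is_online(name, now):
            return False
        self.targets[name]["conns"].add(conn_id)
        return True

    def sweep(self, now):
        """Close connections on offline targets; remove those offline past the policy."""
        removed = []
        for name, t in list(self.targets.items()):
            if self.is_online(name, now):
                continue
            t["conns"].clear()  # target offline: all existing connections are closed
            if now - t["seen"] > self.policy:
                del self.targets[name]  # drops out of the target table
                removed.append(name)
        return removed


def scenario():
    # Walk one constructed target from online, to offline, to removed.
    env = Environment(1 * HOUR)
    env.keepalive("db-1", 0)
    env.connect("db-1", "shell-a", 30)
    active = len(env.targets["db-1"]["conns"])
    refused = not env.connect("db-1", "shell-b", 300)  # keepalive missed for 5 min
    env.sweep(300)
    closed = len(env.targets["db-1"]["conns"])
    removed = env.sweep(HOUR + 1)  # offline longer than the 1-hour policy
    return active, refused, closed, removed
```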
