rasheedamir / coreos-container-platform-as-a-service

Automated provisioning and deployment of a CoreOS cluster and sample application
Apache License 2.0

Add bastion host #12

Open rasheedamir opened 8 years ago

rasheedamir commented 8 years ago

A Bastion Host (sometimes called "Jump Box") is a single server that does permit login from the public Internet, but it is the only such server in your network that permits direct login.

This allows you to harden a single server, versus every server. Some examples of extra hardening on this server include permitting access only from specified IP addresses and even setting up two-factor authentication with tools like Duo (https://www.duosecurity.com/).

Ideally, your infrastructure is automated enough that you rarely need to log in to a server directly. But when you must log in, it's too risky to open login ports (22 for Linux SSH, 3389 for Windows Remote Desktop) directly to the public Internet.

One option is to lock down each server's ports to the specific IP address logging in, but since you will manage many servers, this quickly becomes cumbersome to maintain.
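The layout described in this issue can be checked mechanically: exactly one host (the bastion) accepts login ports from an admin allow-list, and every other host accepts them only from the bastion's own address. The script below is an added example, not code from this repository; the hosts, addresses and rules in it are constructed sample data, and the `ProxyJump` helper assumes the OpenSSH client is used to reach private hosts through the bastion.

```python
"""Audit login-port exposure in a bastion-host layout.

Added example (not part of the rasheedamir/coreos-container-platform-as-a-service
repository). Hosts, addresses and rules below are constructed sample data.
"""
import ipaddress

# Constructed inbound firewall / security-group rules: one entry per
# (host, destination port, source CIDR) that is allowed in.
RULES = [
    {"host": "bastion",   "port": 22,   "source": "203.0.113.0/24"},  # office egress range
    {"host": "bastion",   "port": 22,   "source": "198.51.100.7/32"}, # on-call admin
    {"host": "etcd-1",    "port": 22,   "source": "10.0.0.5/32"},     # bastion's private IP: ok
    {"host": "worker-1",  "port": 22,   "source": "10.0.0.5/32"},     # ok
    {"host": "win-rdp-1", "port": 3389, "source": "10.0.0.5/32"},     # ok: RDP only via the bastion
    {"host": "worker-2",  "port": 22,   "source": "0.0.0.0/0"},       # violation: SSH open to the Internet
    {"host": "worker-3",  "port": 22,   "source": "10.0.0.0/8"},      # violation: whole network, not just the bastion
    {"host": "worker-2",  "port": 443,  "source": "0.0.0.0/0"},       # fine: HTTPS is not a login port
]

BASTION_HOSTS = {"bastion"}
BASTION_PRIVATE_IPS = {"10.0.0.5"}                    # address other hosts see the bastion as
ADMIN_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]  # who may reach the bastion at all
LOGIN_PORTS = {22, 3389}                              # SSH and RDP, as named in the issue


def audit(rules, bastion_hosts, bastion_ips, admin_cidrs, login_ports=LOGIN_PORTS):
    """Return a list of (host, port, source, reason) tuples for rules that break
    the bastion policy:
      * a bastion host accepts login ports only from the admin allow-list;
      * every other host accepts login ports only from the bastion's own address(es).
    Rules for non-login ports are ignored."""
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    bastion_nets = [ipaddress.ip_network(ip) for ip in bastion_ips]  # bare address -> /32
    findings = []
    for rule in rules:
        if rule["port"] not in login_ports:
            continue
        src = ipaddress.ip_network(rule["source"])
        if rule["host"] in bastion_hosts:
            allowed = any(src.version == a.version and src.subnet_of(a) for a in admin_nets)
            reason = "bastion login source is not in the admin allow-list"
        else:
            allowed = any(src.version == b.version and src.subnet_of(b) for b in bastion_nets)
            reason = "login port reachable from somewhere other than the bastion"
        if not allowed:
            findings.append((rule["host"], rule["port"], rule["source"], reason))
    return findings


def proxy_jump_config(bastion_public_host, targets, user="core"):
    """Render an OpenSSH client config that routes sessions to private hosts
    through the bastion with ProxyJump, so only the bastion needs a public
    login port. `targets` maps an alias to the host's private address."""
    lines = ["Host bastion", f"    HostName {bastion_public_host}", f"    User {user}", ""]
    for alias, private_ip in sorted(targets.items()):
        lines += [f"Host {alias}", f"    HostName {private_ip}", f"    User {user}",
                  "    ProxyJump bastion", ""]
    return "\n".join(lines).rstrip() + "\n"


if __name__ == "__main__":
    for host, port, source, reason in audit(RULES, BASTION_HOSTS, BASTION_PRIVATE_IPS, ADMIN_CIDRS):
        print(f"VIOLATION {host}:{port} from {source}: {reason}")
    print(proxy_jump_config("bastion.example.com", {"etcd-1": "10.0.1.10", "worker-1": "10.0.2.10"}))
```

Run against the sample data, the audit flags `worker-2` (SSH open to the Internet) and `worker-3` (SSH open to a whole /8 rather than the bastion alone) and accepts the rest, which is the property the issue is asking the cluster layout to have: one hardened entry point, everything else reachable only through it. The rendered config is the client-side half of that design; with it in `~/.ssh/config`, `ssh worker-1` connects via the bastion without the private hosts ever exposing port 22 publicly.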