Web Access Bastion Best Practices

Web Access Bastion location should be as close as possible to your Gateway to minimize latency. Use SRA Bastion in any environment or region, with a dedicated Gateway. In addition, your Bastion server should run with a dedicated identity in an isolated environment.

Configure TLS - Akeyless Bastion should always be used with TLS. If you are working with Load Balancers or reverse proxies in front of your Bastion, TLS should be used for all network connections to ensure all traffic is encrypted in transit.

Isolation mode - Can be set with list permissions to ensure users will get their access only by way of isolated sessions. In addition, allowlist the relevant domains and force HTTPS connections only to enable credentials injection.

Required resources - Default is set to 1 Gb memory. If your web targets require high resolution or multiple concurrent sessions, increase the resources up to your needs.

Forward Logs - From your bastions to any logging system, to constantly track and monitor your users' activity.