01 The quiet price of a bastion
$43.80 a year. Just for an IP address nobody sees.
Since February 2024, AWS charges $0.005 per hour, about $3.65 per month, for every public IPv4 address in use. That is $43.80 a year per bastion host, the EC2 instance sitting there as a jump host into the private VPC. Usually for an IP nobody outside your team ever sees.
The IP cost is the visible part. On top of that:
- Patching cycles (Amazon Linux, sshd, kernel updates)
- SSH key rotation for every developer on the team
- Security compliance overhead (FADP, ISO 27001, SOC 2)
- Monitoring and logging for an instance that waits 23 hours a day
An EC2 doing almost nothing is infrastructure dead weight. You can do better.
02 EC2 Instance Connect Endpoint
The free alternative AWS shipped three years ago.
In 2023 AWS shipped the EC2 Instance Connect Endpoint (EIC Endpoint): an IAM-authorised TCP tunnel, managed by AWS, that terminates inside the VPC and forwards to the private IP and port you name. That makes it usable for RDS, not only for SSH to instances:
- No public IP needed
- No SSH keys to manage, access gated by IAM (ec2-instance-connect:OpenTunnel), and every tunnel opened is recorded in CloudTrail
- No patching, no kernel, no sshd update
- CHF 0 per month: the endpoint itself has no hourly charge
For short SQL sessions (psql, mysql, pgbench) it’s the direct replacement for the bastion. No dead weight, no monthly bill.
03 The one-hour problem
You open DataGrip in the morning. An hour later, the connection drops.
A few queries run. A meeting in between. You come back, context-switch into a tricky debugging task, type the query you actually need.
And the connection drops.
EIC Endpoint caps every tunnel at one hour. The maximum tunnel duration is 3600 seconds; you can lower it per tunnel, you cannot raise it. Reconnect, re-enter credentials, navigate the schema again, rebuild the mental context you just lost.
More limits that are easy to miss in the docs:
- Maximum 20 concurrent connections per endpoint, and only one endpoint per VPC
- Target addressed by private IP (or instance ID for EC2), not by DNS name
- No SCP, no file transfer through the endpoint
For ad-hoc queries: fine. For feature work with longer debugging and multiple tools at once: a workflow killer.
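The tunnel described in section 02, with the limits from section 03 made explicit, as an added example (not code from the original post): a wrapper that prints the least-privilege IAM policy for the developer role, builds the `aws ec2-instance-connect open-tunnel` command, and runs psql through the local port. The endpoint ID and ARN, the RDS private IP 10.0.12.34, its DNS name, the region, the account ID and the database/user names are placeholders I have assumed; the condition keys are the ones documented for OpenTunnel.

```shell
#!/bin/sh
# Added example, not code from the original post. Opens an EIC Endpoint tunnel
# from a laptop to a private RDS instance and emits the IAM policy that allows
# exactly that tunnel. Endpoint ID/ARN, IPs, DNS name, region, account ID,
# dbname and user below are assumed placeholders.

# IAM policy for the developer role. The three ec2-instance-connect:* condition
# keys restrict OpenTunnel to the database's private IP, its port, and a maximum
# duration; Describe is needed so the CLI can resolve the endpoint.
eice_policy() {
    endpoint_arn=$1; db_ip=$2; db_port=$3; max_secs=$4
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ec2:DescribeInstanceConnectEndpoints", "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": "ec2-instance-connect:OpenTunnel",
      "Resource": "$endpoint_arn",
      "Condition": {
        "IpAddress": { "ec2-instance-connect:privateIpAddress": "$db_ip/32" },
        "NumericEquals": { "ec2-instance-connect:remotePort": "$db_port" },
        "NumericLessThanEquals": { "ec2-instance-connect:maxTunnelDuration": "$max_secs" }
      }
    }
  ]
}
EOF
}

# The CLI command that opens the tunnel. --local-port makes the CLI listen on
# 127.0.0.1 so any client (psql, DataGrip) can connect there. --max-tunnel-duration
# accepts 1..3600 seconds; no value outlives the hour.
eice_tunnel_cmd() {
    endpoint_id=$1; db_ip=$2; db_port=$3; local_port=$4; max_secs=$5
    printf 'aws ec2-instance-connect open-tunnel --instance-connect-endpoint-id %s --private-ip-address %s --remote-port %s --local-port %s --max-tunnel-duration %s' \
        "$endpoint_id" "$db_ip" "$db_port" "$local_port" "$max_secs"
}

# libpq connection string. hostaddr= sends the TCP connection to the local tunnel
# port while host= keeps the RDS DNS name for certificate verification, so
# sslmode=verify-full still works through the tunnel (sslrootcert = RDS CA bundle).
pg_conninfo() {
    db_dns=$1; local_port=$2; dbname=$3; user=$4
    printf 'host=%s hostaddr=127.0.0.1 port=%s dbname=%s user=%s sslmode=verify-full sslrootcert=global-bundle.pem' \
        "$db_dns" "$local_port" "$dbname" "$user"
}

# Usage, only when invoked as `./eice-psql.sh run`: open the tunnel in the
# background, run psql through it, close the tunnel on exit.
if [ "${1:-}" = "run" ]; then
    cmd=$(eice_tunnel_cmd eice-0a1b2c3d4e5f67890 10.0.12.34 5432 15432 3600)
    eval "$cmd" &
    tunnel_pid=$!
    trap 'kill "$tunnel_pid" 2>/dev/null' EXIT
    sleep 3   # give the local listener a moment to come up
    psql "$(pg_conninfo app-db.abc123xyz.eu-central-1.rds.amazonaws.com 15432 app app)"
fi
```

The policy is the check worth doing before handing the endpoint to a team: without the conditions, anyone with OpenTunnel can reach every private IP and port in the VPC through it. Pointing DataGrip at 127.0.0.1:15432 with the same verify-full settings gives the GUI workflow the same tunnel.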
04 Fargate ephemeral: serverless for dev workflows
The tunnel you launch on demand and that shuts itself down.
The pattern is simple:
- A Fargate task launches on demand (CDK construct or CLI wrapper)
- The task ships with sshd and ssm-agent
- The developer opens an SSH-over-SSM Session Manager session to the task and forwards a local port through it to RDS
- The session stays open as long as needed, no hourly cap
- On idle timeout, the task terminates itself
No public IP. No long-lived SSH keys baked into the task (the session is authorised by IAM through SSM). No one-hour cap. No idle compute burning money at 3 a.m.
The real costs: 20-40 seconds of cold start on first connect, and maintaining the container image in ECR. With sshd inside the task the patching cycle does not disappear, it moves into the image build.
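The idle-timeout step above is the part of the pattern with no managed equivalent, so here is an added example of it (not code from the original post): the container entrypoint for the tunnel task. It starts ssm-agent and sshd, then polls for established connections to sshd and exits once none have existed for IDLE_SECONDS; because it is the task's essential container, its exit stops the task. Assumed: `ss` from iproute2 is in the image, sshd listens on port 22, the agent was registered through an SSM hybrid activation earlier in the image's startup, and an SSM session to sshd shows up as a local established connection in `ss` output.

```shell
#!/bin/sh
# Added example, not code from the original post: entrypoint for the ephemeral
# Fargate tunnel task. Assumptions: iproute2 `ss` is installed, sshd listens on
# :22, amazon-ssm-agent is already registered via hybrid activation, and an
# SSM session reaching sshd appears as an ESTAB connection in `ss -Htan`.

IDLE_SECONDS=${IDLE_SECONDS:-900}   # stop after 15 minutes without a session
POLL_SECONDS=${POLL_SECONDS:-30}

# Count established TCP connections whose local port is 22, reading
# `ss -Htan` lines (State Recv-Q Send-Q Local Peer) from stdin. Reading stdin
# keeps the function testable with constructed output instead of a live socket table.
count_ssh_sessions() {
    awk '$1 == "ESTAB" && $4 ~ /:22$/ { n++ } END { print n + 0 }'
}

# True (exit 0) when there is no session and the idle time reached the limit.
should_terminate() {
    active=$1; idle_for=$2; limit=$3
    [ "$active" -eq 0 ] && [ "$idle_for" -ge "$limit" ]
}

# Poll loop: reset the idle counter whenever a session exists, otherwise
# accumulate; stop the daemons and exit when the limit is reached.
idle_watch() {
    idle_for=0
    while :; do
        active=$(ss -Htan | count_ssh_sessions)
        if [ "$active" -gt 0 ]; then
            idle_for=0
        else
            idle_for=$((idle_for + POLL_SECONDS))
        fi
        if should_terminate "$active" "$idle_for" "$IDLE_SECONDS"; then
            echo "no SSH session for ${IDLE_SECONDS}s, stopping task"
            kill "$sshd_pid" "$agent_pid" 2>/dev/null
            exit 0
        fi
        sleep "$POLL_SECONDS"
    done
}

# Only act as the entrypoint when started with `serve`, so the functions above
# can be sourced or tested without launching anything.
if [ "${1:-}" = "serve" ]; then
    /usr/bin/amazon-ssm-agent &
    agent_pid=$!
    /usr/sbin/sshd -D -e &
    sshd_pid=$!
    idle_watch
fi
```

Set IDLE_SECONDS per team in the task definition rather than in the image; a debugging session that pauses for a meeting should survive, a forgotten tunnel should not. Exiting with status 0 keeps the stopped task from being reported as a failure.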
05 The decision matrix
Pick by workflow, not by hype.
Pick the bastion when: already in use, SSH workflow fits the team, the jump host serves other purposes (deploy gateway, tooling host), long sessions and flexible tooling are needed.
Pick EIC Endpoint when: solo dev or small team, short SQL sessions, no appetite for EC2 patching, minimal attack surface wanted, pure database access (psql, mysql).
Pick Fargate ephemeral when: 20+ engineers, multi-VPC, strict compliance (FADP, ISO 27001), sessions longer than an hour, zero idle resources as a requirement.
06 The pragmatic 2026 answer
Start with EIC Endpoint. Reach for Fargate when sessions outlive the hour.
Both cost basically nothing. Both avoid the patching, the key rotation, and the idle instance sitting there at 3 a.m.
That’s serverless applied to developer workflows, the same principle you already apply to production. The difference: now it also applies to the tooling you may never have thought of as infrastructure.