This image shows two methods of accessing a private subnet from an on-premises workstation.

• The workstation uses local host and port A to connect to the bastion server through a dynamic routing gateway using secure shell (SSH) and a public IP address. The bastion server connects to the private subnet using private IP1 and port B and to the target VM using private IP2 and port C.
• The workstation uses a SSH tunnel and port forwarding to communicate first with Linux firewall 1 servicing the bastion public subnet and then with Linux firewall 2 servicing the private subnet.