The bastion host is a server, though, and would be exposed to the internet.

It can run a firewall and forward traffic internally as well.