How to control and manage you cloud servers from a bastion server

The idea is very simple. We would like to have one (or more) server that belongs to our cloud account and use it only to execute and orchestrate various execution tasks. A diagram below is showing the concept. From the machine you have to ssh to your bastion (1) and then from it you can run any further tasks (2).



An hardened servers should be used as a bastion host. This server will provide the following functions:

• Act as a secure gateway into the cloud environment 
• You should configure all other server to accept connections from this server only
• From bastion you can lunch tasks that will perform further actions on the other cloud servers

Problem

How to run ssh or scp command over ssh that is initiated by the client and need to be executed from a bastion host on other cloud server.

Solution

This relatively long script written in python that uses paramiko module demonstrates the idea. It can be definitely extended and improved but you get the idea I hope :).