Which traffic must be permitted through the external-facing firewall to set up remote connections to Windows bastion hosts?

To establish remote connections to Windows bastion hosts, the correct choice is RDP (Remote Desktop Protocol). RDP is a proprietary protocol developed by Microsoft specifically for remote management and access to Windows desktops and servers. It allows users to connect to a remote Windows machine and operate it as if they were physically present.

When configuring an external-facing firewall, allowing RDP traffic (typically operating over port 3389) is essential for enabling users to manage the Windows bastion hosts remotely.

While SSH is a commonly used protocol for remote access to Linux systems, it is not applicable for direct connections to Windows hosts in the context of this question. DNS is necessary for resolving hostnames to IP addresses but does not facilitate remote desktop connections. IPSec is used to secure Internet Protocol communications but does not inherently provide remote desktop capabilities. Thus, for remote access to a Windows bastion host, RDP is the requisite traffic to permit.