The Bastion is a compute instance that deploys in your cloud environment within the sandbox and provides a remote gateway capability into all the other instances in your environment. The feature has an internet connection via SSH or RDP in order to communicate to the other instances.
Enabling the Bastion feature incurs an infrastructure cost from your cloud-provider, although it's designed to minimize costs while maximizing your troubleshooting efficiency. If using Azure, deploy a Standard D2s, v3. AWS provides different sizes dependent on the region where the sandbox is deployed. The Bastion requires an AWS c5.large, m5.large, or m4.large instance.
Once a sandbox is deployed, the Bastion can be turned on or off. However, if the Bastion isn't enabled before deployment, then it doesn't exist in the sandbox, and therefore cannot be turned on or off.
To learn more, see the following articles: