How to use OCI Bastion Service to connect to your Private Resources

Introduction

Databases and even application servers in the Cloud are usually provisioned in a private subnet that is not accessible from the internet. End users will access applications via a load balancer. To log in to the private machines for management purposes, customers will have to set up their private connection to Oracle Cloud via VPN or FastConnect. However, when you start a PoC and that connection is not yet set up and you are ambitious to start trying things out, you’ll need a way to connect to those private instances, where application servers or databases. Another use case is when you are outside of your organization’s network and need access to private resources.

One way to do so is to provision a compute instance in a public subnet and use it as a jump server. However:

  • Creating an instance with a public IP might violate your organization’s security rules.
  • You have to create and maintain further resources: public subnet, Internet Gateway, Security List, etc.
  • You have to take care of securing the jump sever instance adding more administrative work.

OCI Bastion service eliminates the need for deploying public subnets or jump servers and provides an easy way to build SSH connections to private resources in OCI. The private resources could be Compute VM instances, databases using the virtual or bare metal DB systems, or Exadata Cloud Service virtual machines.

The Environment

  • Exadata Cloud Service virtual machine in OCI with a private IP (10.0.2.2). This could be any other private resource in OCI with a private IP.
  • SSH client (Git Bash) on my local Windows notebook.
  • Database client (SQL Developer) on my local Windows notebook.

Preparation

Step 1: Create a Bastion Service

From the Cloud Console, search for “Bastion” and click on the “Bastion” service in “Identity & Security”.

Click on “Create Bastion”, provide a name for your Bastion Service, select the target VCN and subnet, provide a CIDR block that you want to allow to connect to the target resources, and create the Bastion.

In this case, for simplicity, I’m allowing access from everywhere (0.0.0.0/0)

Step 2: Create a Connection in your Bastion

After the Bastion got created, click on the Bastion name to access the Bastion details page.

Click on “Create Session”. For session type, select “SSH port forwarding session”. Provide a session name. Choose “IP Address” to connect to the target and provide your target IP address. Enter port 22. Choose or paste your SSH public key and create the session.

Create SSH Connection

Step 3: Copy the SSH Command

After the session got created in step 2, click on the dotted menu on the very right side of the session, then click on “Copy SSH Command”.

Paste the SSH command in your favorite text editor and adjust the values for the private key and local port.

ssh -i <privateKey> -N -L <localPort>:10.0.2.2:22 -p 22 ocid1.bastionsession.oc1.phx.amaaaaaahjb7ffias2yie3rfxltbtrshko3df5njw2dopjsr5zza3uh3ohra@host.bastion.us-phoenix-1.oci.oraclecloud.com

ssh -i /c/Users/SPETRUS/.ssh/id_rsa -N -L 22:10.0.2.2:22 -p 22 ocid1.bastionsession.oc1.phx.amaaaaaahjb7ffias2yie3rfxltbtrshko3df5njw2dopjsr5zza3uh3ohra@host.bastion.us-phoenix-1.oci.oraclecloud.com

Step 4: Establish the SSH Connection

Execute the command from step 3 in your terminal session. Here, I’m using Git Bash on my Windows notebook.

The SSH tunnel is established. Keep this session active and open a second terminal window to connect to your private resource.

ssh -i /c/Users/SPETRUS/.ssh/id_rsa opc@localhost

That’s it! We are connected to the target private host in OCI.

Connect to a Database

If case you want to connect to a database directly instead of connecting to the database host, then create a new Bastion session using target port 1521, establish the SSH tunnel, and connect to your database using a database client, e.g. SQL Developer.

Conclusion

The Bastion Service enables you to access private resources in OCI without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access. Security posture is improved by using identity-based permissions and a centralized, audited, and time-bound SSH sessions.

And the cost??? It’s for free! And is also available for the Oracle Cloud Free Tier.

Further Reading

Would you like to get notified when the next post is published?