Configuring Oracle Cloud Infrastructure (OCI) Bastion Service


Oracle Cloud Infrastructure Bastion provides restricted and time-limited access to target resources that don’t have public endpoints. Bastions let authorized users connect from specific IP addresses to target resources using Secure Shell (SSH) sessions. The target instance can be a compute instance or a DB system, an Autonomous Database for Transaction Processing or a Mixed Workload Database.

In this session, we will look at the steps involved in connecting to a Compute Instance using the Bastion Service.

At a high level, the following steps are involved:

1. Create a Virtual Cloud Network (VCN)
2. Create a Private Subnet
3. Create a Compute Instance under the Private Subnet
4. Create the Bastion Service
5. Create a Session
6. Allow Network Access from the Bastion
7. Connect to the Compute Instance using the Bastion

So let's begin!

Create Virtual Cloud Network (VCN)

Log in to your OCI Console. Navigate to Networking > Virtual Cloud Network.

Click on Create VCN.

Enter a valid name for the VCN and an IPv4 CIDR block. I have entered 10.0.0.0/16. Click on Create VCN.

Create Private Subnet

Once the VCN is available, we will create a subnet under the VCN. Click on the Create Subnet button.

Add a valid Name for the Subnet, and make sure to choose the correct compartment. Add an IPv4 CIDR Block.

Select Private Subnet.

Now, click on Create Subnet.

The Subnet should be created and will be available in a couple of minutes.

Once the Subnet is created, the next step is to create a Compute Instance under the Private Subnet we just created.

Create a Compute Instance under the Private Subnet

To create a Compute Instance, from the main menu, navigate to Compute > Instances.

Next, click on Create instance.

Provide a valid Name for the Compute Instance. Here, I have used the Always Free Availability Domain and OS.

Under Primary VNIC info, make sure you edit and select the VCN and Subnet you created above.

Under Add SSH keys, make sure the option Generate a key pair for me is selected. Download the Private and Public keys. These keys will be needed later, when setting up the Bastion session.

Click on Create.

Once the Compute Instance is successfully created, note down the Private IPv4 address.

The next step is to create the Bastion Service.

Create Bastion Service

To create the Bastion Service, navigate to Identity & Security > Bastion.

Click on Create Bastion.

Provide a valid name for the Bastion service. Under Network configuration, select the VCN and subnet. Under CIDR block allowlist, add the IP addresses or address ranges that should be allowed to connect to the target over SSH through the bastion service.

Click on Create bastion. The bastion service will be created in a few minutes.

Create a Session

Now that the Bastion Service is created, we will create a session for it. To do that, click on the Bastion Service you created and then click on Create session. Additionally, note down the Private endpoint IP address.

Since we are interested in an SSH session, select the Session Type as SSH port forwarding session. Next, provide a valid name for the session. Since we have already created a compute instance, select Instance name for the option Connect to the target host by using. Select 22 as the default port. Under Add SSH key, select Choose SSH key file and upload the public key that you downloaded earlier (while creating the Compute Instance).

Now click on Show advanced options.

Now enter the Private endpoint IP address that you noted down when you created the Bastion Service under Target compute instance IP address. Note that sessions are valid for only 3 hours; they are deleted automatically after 3 hours and you will have to create another session.

Now click on Create session.

The session will be created within a couple of minutes.

Allow Network Access from Bastion

This is the final step of the configuration. Navigate to the Bastion Service you created and note down the Private endpoint IP address again. Then, click on the Target subnet.

This should take you directly to the Subnet that you created. Under Security Lists, click on the Default Security List for your VCN.

Under Ingress Rules, delete the entry for Protocol type TCP by clicking on the Remove button.

Confirm.

Now, click on Add Ingress Rules.

Set Source Type = CIDR. Under Source CIDR, enter the Private endpoint IP address. Set Destination Port Range = 22. Finally, click on the Add Ingress Rule button.

Now we are all set to connect to our Compute Instance using the Bastion.

To do that, open the Bastion Service that you created. For the session you created, click the three-dot menu at the right-hand side of the session and click on View SSH command.

Copy the SSH Command.

Paste the SSH command in a notepad.

ssh -i <privateKey> -N -L <localPort>:10.0.0.01:22 -p 22 ocid1.bastionsession.oc1.uk-london-1.amaaaaaavo3jsdyajztw55kkewvuhgazeczljvrg4rncwtudn6vtpxs5leoa@host.bastion.uk-london-1.oci.oraclecloud.com

Replace <privateKey> with the name of the file containing the private key (you downloaded a private and a public key when you created the Compute Instance).

Additionally, replace <localPort> with 22, since we are using port 22 for the SSH connection.

ssh -i ssh-key-2024-05-25.key -N -L 22:10.0.0.01:22 -p 22 ocid1.bastionsession.oc1.uk-london-1.amaaaaaavo3jsdyajztw55kkewvuhgazeczljvrg4rncwtudn6vtpxs5leoa@host.bastion.uk-london-1.oci.oraclecloud.com

Once you have assembled your SSH command, open a command prompt and navigate to the folder where you downloaded your SSH keys.

Now paste the SSH command and press Enter. When prompted, enter yes to continue with the connection.

And there you have the tunnel created. DON’T CLOSE this session.

Open another command prompt and enter the following command to connect to your Compute Instance.

ssh -i ssh-key-2024-05-25.key opc@localhost

Notice that we are now on the compute instance.

Confirm the path using the pwd command.
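As an added example (not part of the original post), the script below runs the two-terminal procedure above from one place: it builds the port-forwarding command, starts the tunnel in the background on an unprivileged local port instead of 22 (so no local admin rights are needed), waits for the forward to come up, and then opens the SSH session through it. The bastion session OCID, bastion host, target IP, local port and key file name are placeholders to replace with the values from View SSH command, and the port check assumes nc (netcat) is installed.

```shell
#!/bin/sh
set -eu

# Constructed placeholders: copy the real values from "View SSH command".
BASTION_SESSION_OCID="ocid1.bastionsession.oc1.uk-london-1.<session-id>"
BASTION_HOST="host.bastion.uk-london-1.oci.oraclecloud.com"
TARGET_IP="10.0.0.1"           # private IPv4 address of the compute instance
LOCAL_PORT="2222"              # any free port >= 1024 on your machine

# A forwarding port below 1024 (like the post's 22) needs root locally;
# reject it up front rather than failing inside ssh.
valid_local_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Assemble the port-forwarding command as the console shows it, plus:
#  -o ExitOnForwardFailure=yes  fail fast if the forward cannot be set up
#                               (expired 3-hour session, missing ingress rule)
#  -o ServerAliveInterval=60    keep the idle tunnel from being dropped
build_tunnel_cmd() {
  key=$1; lport=$2; target=$3; session=$4; host=$5
  printf 'ssh -i %s -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -L %s:%s:22 -p 22 %s@%s' \
    "$key" "$lport" "$target" "$session" "$host"
}

# Poll until the forwarded port accepts connections, or give up after ~10 s.
wait_for_port() {
  tries=20
  while [ "$tries" -gt 0 ]; do
    if nc -z 127.0.0.1 "$1" 2>/dev/null; then return 0; fi
    tries=$((tries - 1)); sleep 0.5
  done
  return 1
}

main() {
  key=$1; shift
  valid_local_port "$LOCAL_PORT" || { echo "LOCAL_PORT must be 1024-65535" >&2; exit 2; }
  cmd=$(build_tunnel_cmd "$key" "$LOCAL_PORT" "$TARGET_IP" "$BASTION_SESSION_OCID" "$BASTION_HOST")
  $cmd &                      # background: the terminal the post says not to close
  TUNNEL_PID=$!
  trap 'kill "$TUNNEL_PID" 2>/dev/null' EXIT   # tear the tunnel down on exit
  wait_for_port "$LOCAL_PORT" || { echo "tunnel did not come up" >&2; exit 1; }
  ssh -i "$key" -p "$LOCAL_PORT" opc@localhost "$@"   # the post's second terminal
}

# Usage: ./bastion_tunnel.sh ssh-key-2024-05-25.key [remote command]
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with the private key file as the first argument; any further arguments are passed to the inner ssh as a remote command, and the tunnel is closed automatically when that session ends.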

Hope this helps. Happy learning!!!
