OCI Bastion Service

Connecting Remotely & Securely

Amit Pancholia
3 min read, Jul 10, 2021


To reach a private resource in OCI over SSH we usually create a jump host in a public subnet and hop through it. With the Bastion Service you can ditch the jump host !!!

In a complex network architecture, keeping public and private subnets just for access, or depending on a third party for it, can be costly and complicated from the maintenance point of view.

Notable Points

1. OCI Bastion service removes the public and private virtual cloud network (VCN) hassle that a jump host needs.

2. You don't need a public IP, so there is no exposed attack surface.

3. OCI Bastion integrates with OCI Identity and Access Management (IAM).

4. OCI Bastion health, capacity, and performance can be monitored with metrics.

Before we look at the setup, we need to enable the Bastion service.

Here is how we can set it up

1. Centralized bastion control via IAM users/groups.

2. Allowlist: access to the bastion service is restricted to this IP range.

3. Create the bastion and restrict access as shown.

4. Next you need to create a session.

5. You can define a TTL (Time to Live); the default is 30 mins. The maximum session time-to-live sets an upper limit on how long this session can be used to connect to the specified target host. You can also specify which port the session should be able to connect to. That's it!

Bastion Service Session Types

Managed SSH sessions: for Linux images that run the Oracle Cloud Agent, which propagates the session's SSH key to the host.

Port forwarding/SSH tunneling: creates a secure connection between a specific port on the client machine and a specific port on the target resource. Used for Windows RDP over SSH, MySQL, ATP, OKE v2, etc.

Bastion Plugin

One plugin you might have to enable is the Bastion plugin; otherwise you will see the message below:

How to enable the Bastion Plugin?

Open the Compute instance details page, navigate to the Agent tab and enable the Bastion plugin as shown.

SSH command: what it looks like
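As an added example (not from the original post), the two SSH command shapes the console hands you for the session types described above, a managed SSH session and a port-forwarding session, built by small shell functions so the difference is visible side by side. The bastion endpoint pattern host.bastion.<region>.oci.oraclecloud.com is the documented one; every OCID, IP and port below is a constructed placeholder, and the TTL check is an assumed helper mirroring the rule that a session cannot outlive the bastion's maximum session TTL.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code. All OCIDs, IPs and ports are
# constructed placeholders.

# Regional bastion endpoint the session user connects to.
bastion_host() { printf 'host.bastion.%s.oci.oraclecloud.com' "$1"; }

# Managed SSH session: the same private key authenticates to the bastion
# (via ProxyCommand) and to the target host, where the Oracle Cloud Agent's
# Bastion plugin placed the matching public key.
# Args: key region session_ocid user target_private_ip
managed_ssh_cmd() {
  local key=$1 region=$2 session=$3 user=$4 target=$5
  printf 'ssh -i %s -o ProxyCommand="ssh -i %s -W %%h:%%p -p 22 %s@%s" -p 22 %s@%s' \
    "$key" "$key" "$session" "$(bastion_host "$region")" "$user" "$target"
}

# Port-forwarding session: -N opens no remote shell, -L binds a local port
# to target_ip:target_port through the bastion (RDP, MySQL, ATP, ...).
# Args: key region session_ocid local_port target_private_ip target_port
port_forward_cmd() {
  local key=$1 region=$2 session=$3 lport=$4 target=$5 tport=$6
  printf 'ssh -i %s -N -L %s:%s:%s -p 22 %s@%s' \
    "$key" "$lport" "$target" "$tport" "$session" "$(bastion_host "$region")"
}

# Assumed helper: a requested session TTL must be positive and must not
# exceed the bastion's maximum session TTL (the post's default is 30 min,
# i.e. 1800 seconds).
ttl_ok() {  # args: requested_seconds max_seconds
  [ "$1" -gt 0 ] && [ "$1" -le "$2" ]
}

# Demo with constructed values.
SESSION="ocid1.bastionsession.oc1..EXAMPLEPLACEHOLDER"
managed_ssh_cmd "$HOME/.ssh/id_rsa" us-ashburn-1 "$SESSION" opc 10.0.1.5
echo
port_forward_cmd "$HOME/.ssh/id_rsa" us-ashburn-1 "$SESSION" 3389 10.0.1.6 3389
echo
if ttl_ok 3600 1800; then echo "TTL accepted"; else echo "TTL exceeds bastion maximum"; fi
```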

This is all about Bastion Service !!! Hope you enjoyed !!!
