OCI Bastion service

-

 

OCI announced their Bastion service which is great addon! Now you don’t need that server provisioned anymore, or you don’t need a public subnet.

You have possibility to use either managed session or port forwarding session to connect to servers. Managed sessions requires Agent enabled on the compute and ssh port forwarding requires IP on your subnet where you’re connecting to and port. OCI documentation says on new compute instances Agent should be enabled by default but you’ll see further down that I had to enable the agent.
How it works?

In short everything is controlled through OCI and you can manage who can do what via normal IAM policies. What you’ll need first is an Bastion “resource”. Resource defines name, VCN and subnet (where you’re connecting to) and who can login from which IP addresses to Bastion.   

After you have Bastion created you need to create a session. If you’re using managed SSH session then you need to define SSH key (for the session!), username and which compute you are connecting to.

Remember you always need either Service Gateway or NAT GW for the private subnet so connection can be made!

Here my compute is on private subnet which I defined earlier, from the dropdown you could choose any compute running on that subnet. In the additional settings you can define some additional details like TTL (time-to-live, max 3 hours in May, 2021) after which you need to create new session. You can also define server port you are connecting to or IP address.

Once I’ve created session I can click on three dots on the right and get the SSH command I can use to login.

 

Remember I allowed connection from 0.0.0.0/0, you’d still need my bastion key for session, server key and have the bastion OCID to login so allowing CIDR block doesn’t straight away give you access to login.

Let’s try it!

I’ll just replace the first key with Bastion key and second key with my server key.

 

It’s as simple as that. No public subnet needed.
What about SSH port forwarding?

Well it’s like it says, SSH port forwarding. Now I can define server name or IP where I’m connecting to and target port! So if you want to use RDP you just define target port 3389.

SSH command is slightly different so you need to define local port which you will use to connect.

When I connect, I give my Bastion key and port (5500 for example). It will establish SSH session to Bastion. After that you’ll connect with browser, SSH, RDP to localhost 5500 port and it will forward your connection to specified private IP and port.

Unless you have some other security requirements, using Bastion service is in my opinion the way to go from now forward. It gives better control overall who can access your OCI network and from where. Administrators can control Bastion itself and users can create their own sessions if IAM policies are set correctly.

Many times you might not have VPN or FastConnect available from day one and you still want to be able to connect to your systems, now you can do it without public subnets.

Official Bastion documentation is available here.

source: Finnish Blog

Comments

Post a Comment

Popular posts from this blog

Oracle Cloud Infrastructure(OCI) - Part2

-
Image
In my earlier post (OCI -Part1 ), we have gone through OCI basic details, let's dive deep more into it. Before that, we need to u nderstand the following concepts and terminology to help you get started with Oracle Cloud Infrastructure.  Note: OCI is re-branding of Bare Metal Cloud Service (BMCS) BARE METAL HOST Oracle Cloud Infrastructure provides you control of the physical host (“bare metal”) machine. Bare metal compute instances run directly on bare metal servers without a hypervisor. When you provision a bare metal compute instance, you maintain sole control of the physical CPU, memory, and network interface card (NIC). You can configure and utilize the full capabilities of each physical machine as if it were hardware running in your own data center. You do not share the physical machine with any other tenants. REGIONS AND AVAILABILITY DOMAINS  Oracle Cloud Infrastructure is physically hosted in regions and availability domains. A region is a localized geographic area, an...
Read more

Script to display the SQL text for a specific SQL_ID

-
--> Purpose:    Script to display the SQL text  for a specific SQL_ID. -->             It returns the SQL_TEXT. --> Parameters: sql_id --> To Run:     @sqltext.sql sql_id --> Example:    @sqltext.sql 27b3qfm5x89xn --> --> Copyright 2020@The Ultimate SQL Tuning Formula set echo off set define '&' set verify off define _sql_id=&1 set verify off set feedback off set linesize 200 set heading on set termout on col sqltext format a100 word_wrapped select  sql_text as sqltext from gv$sqltext where sql_id = '&_sql_id' order by piece; **************************************************************************************** --> Purpose:    Script to display the SQL text  for a specific SQL_ID. -->             It returns the SQL_TEXT. --> Caution:  ...
Read more

How to Change Your EnterpriseOne Environment Color

-
Image
Sometimes users start working and then forget which EnterpriseOne environment they are logged into. Can you tell which environment you are logged into? Luckily, there is a new UDC that allows you to change your EnterpriseOne environment color. You can now set up environments to be color-coded for when you need a clear visual distinction as to which environment you are logged into. This enables you to quickly identify the non-production environments by color. The new UDC is 98/CO and is available in EnterpriseOne Tools Release 9.2.4 with Applications Release 9.1 and 9.2. The image below shows the default EnterpriseOne environment color. However, you can easily change the color to reflect different environments. For example, DV could be red, PY could be green, and PD could be yellow, as shown below. To do so, just add a new row in the User Defined Codes section, enter the EnterpriseOne environment name and the HEX value of the color you want the environment to be, and ...
Read more