What Is OCI Bastion Service and How to Set it Up
OCI Bastion Service has a very meaningful name. Just as the bastions of the 16th to 19th centuries provided extra protection for castles, the OCI Bastion Service provides improved security and additional layers of defense for your private resources in OCI. No mission-critical resource should face the public internet.
Previously, when DBAs or developers had to connect to a database server or application server in OCI, they had to go through a bastion host, either a jump server or a VPN server. The bastion host would be hardened against attacks, but the setup was complicated and costly. That changed when the OCI Bastion Service was introduced. The OCI Bastion Service is a free, serverless, client-less connectivity service that lets you connect from anywhere, on any device or platform, to your resources in OCI, such as a database server or an application server. Best practice dictates that your database and application instances are not exposed to the internet but reside on a private subnet. Outbound communication goes through a NAT gateway, which allows traffic to go out but no traffic to come in. If no traffic is allowed in, how do you connect?
One way is to use the OCI Bastion Service. The security of the Bastion Service is unbreakable: it is enforced by OCI's Identity and Access Management. To use the service, you must be able to authenticate to OCI, and OCI then takes care of authentication and authorization for you. Now that you understand what the OCI Bastion Service is, let's create it and use it.
First, there are two requirements for setting up the Bastion Service: the VMs you want to connect to in OCI must run the Oracle Cloud Agent, and within the Agent page, Bastion must be enabled. You can check this in the OCI console by going to your compute instance and opening the Oracle Cloud Agent tab. The Agent should be green and running. Scroll down to Bastion, which should say Running and Enabled.
To create the Bastion Service you must know some important information:
1. The public subnet on which you are placing the Bastion Service.
2. The client CIDR blocks that are allowed to connect to it.
3. That the appropriate route tables and security lists are in place.
Go to Identity & Security in the OCI console to find the option to create the service.
When you click Create, you need to provide the VCN (the Virtual Cloud Network the bastion will reside in) and the subnet, which in this case should be the public subnet.
The CIDR block allow list specifies who can connect to the bastion, that is, from which IP addresses. Specifying 0.0.0.0/0 allows anyone to connect from anywhere. You may need to talk to your network administrator if you want to restrict connections to specific IPs. You can also specify the maximum session duration, that is, how long a session can stay connected, which is 3 hours by default. After a few seconds, the bastion is created.
Once the bastion is created, you cannot connect through it yet; you must create a session first. Click on the bastion and scroll down to the option to create a session. There are two types of session: a Managed SSH session (for terminal connections) and an SSH port forwarding session (for tunneled connections). Enter the username that will connect to the compute instance, which in this case is opc, and then select the compute instance you want to connect to.
On the right side of the session you just created there is a menu where you can view the SSH command to connect to the target host. Copy it and paste it into the command prompt on your laptop to connect to the compute instance in the cloud. In the provided command you need to substitute the path of your private key in two places: once to authenticate to the bastion service and once to authenticate to the compute instance. Once you get this command working, save it to a file for future use, as this is how you will connect to your OCI compute instance.
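As an added example (not from the original post), the following shell functions assemble the two SSH command shapes that a Managed SSH session and a port forwarding session hand you, with the private key substituted in both places the text mentions, and check the client CIDR allow list for the wide-open 0.0.0.0/0 entry. The session OCID, region, key path and IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. All OCIDs, IPs and
# paths below are constructed placeholders.

# The bastion endpoint follows the pattern host.bastion.<region>.oci.oraclecloud.com
bastion_host() {
    printf 'host.bastion.%s.oci.oraclecloud.com' "$1"
}

# Managed SSH session: the outer ssh reaches the target, the inner ssh in
# ProxyCommand authenticates to the bastion using the session OCID as the
# login name. The same private key is passed once per hop, which is why the
# console command has two places to substitute it.
managed_ssh_cmd() {
    region=$1; session=$2; key=$3; os_user=$4; target_ip=$5
    printf 'ssh -i %s -o ProxyCommand="ssh -i %s -W %%h:%%p -p 22 %s@%s" -p 22 %s@%s' \
        "$key" "$key" "$session" "$(bastion_host "$region")" "$os_user" "$target_ip"
}

# Port forwarding session: a single hop to the bastion that tunnels a local
# port to a port on the private target (for example a database listener).
port_forward_cmd() {
    region=$1; session=$2; key=$3; local_port=$4; target_ip=$5; target_port=$6
    printf 'ssh -i %s -N -L %s:%s:%s -p 22 %s@%s' \
        "$key" "$local_port" "$target_ip" "$target_port" "$session" "$(bastion_host "$region")"
}

# Returns 0 when every CIDR in the allow list actually restricts the source,
# 1 when any entry is a /0 (the 0.0.0.0/0 "anyone, from anywhere" case).
check_client_cidrs() {
    for cidr in "$@"; do
        case $cidr in
            */0) return 1 ;;
        esac
    done
    return 0
}

# Demo with constructed values
KEY="$HOME/.ssh/id_rsa"
SESSION="ocid1.bastionsession.oc1.eu-frankfurt-1.EXAMPLEPLACEHOLDER"
managed_ssh_cmd eu-frankfurt-1 "$SESSION" "$KEY" opc 10.0.1.15; echo
port_forward_cmd eu-frankfurt-1 "$SESSION" "$KEY" 1521 10.0.1.15 1521; echo
if check_client_cidrs 203.0.113.10/32; then echo "allow list is restricted"; else echo "allow list is open"; fi
if check_client_cidrs 0.0.0.0/0; then echo "allow list is restricted"; else echo "allow list is open"; fi
```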
And that is how you create and use the Bastion Service! Give it a try!
Ready to immerse yourself and learn more about OCI? We have a great class recommendation for you: Oracle Cloud Infrastructure (OCI) Foundations: Getting Started.