In today's world, keeping your cloud systems safe is critical because cyber threats are becoming more common. One way to boost security is by setting up a Bastion Host. In this blog we will show you how to make one in Oracle Cloud Infrastructure (OCI); it acts as a secure gateway for getting into your cloud resources.
Topics to be covered:
- What is Bastion Host?
- Bastion Host in OCI
- Step 1: Create Bastion Host and Private Instance
- Step 2: Using ssh-agent to Connect through Bastion Host to Private Instance
- Conclusion
What is a Bastion Host?
A Bastion Host, sometimes referred to as a “jump server” or “jump host,” is a special-purpose server designed to provide secure access to a private network from an external or less secure network, such as the internet. It acts as a gateway through which authorized users can access and manage resources within the private network without exposing them directly to external threats.
Bastion Host in OCI:
In Oracle Cloud Infrastructure (OCI), a Bastion Host serves as a secure entry point into your virtual cloud network (VCN) and other resources within your environment. OCI Bastion enables you to securely access your cloud infrastructure without exposing your critical assets to the public internet.
Step 1: Create Bastion Host and Private Instance
In this section, we will first create the bastion host, that is, the VM that will sit in the public subnet. Notice that this VM will have a public IP address. We will then create a second instance in the private subnet. Because it is attached to a private subnet, it will not have a public IP address; in other words, it cannot be reached from the Internet.
1. Open the navigation menu, under Core Infrastructure click Compute, then click Create Instance.
2. In the Create Instance dialog, enter the details:
- Name: <name>
- Create in Compartment: <Choose compartment>
Configure placement and hardware
- Availability Domain: AD 3
- Image: Oracle Linux 7.9
- Shape: Standard.E2.1.Micro
Configure Networking
- Virtual Cloud Network Compartment: <Choose Compartment>
- Virtual Cloud Network: Demo_VCN
- Subnet Compartment: PoC_Compartment
- Subnet: Public_Subnet
- Public IP address: Select Assign a public IPv4 address
- Add SSH Keys: Select Generate SSH Keys, upload an SSH key file, or paste your public key, then click Create
If you don’t know how to generate SSH keys, Click Here
3. Once your instance is successfully created, the display will look like the screen below and you will see the status as Running.
4. Repeat steps 1-4 to create an instance in the private subnet, changing the following entries:
- Name: Private_Instance
- Subnet: Private_Subnet
- Public IP address: Select Do not assign a Public IPv4 address
- Add SSH Keys: Add the public SSH key for the private instance
- Click Create
Step 2: Using ssh-agent to Connect through Bastion Host to Private Instance
By default, access to the private instance is configured to use only SSH public key authentication. We will use ssh-agent instead of storing SSH private keys (especially ones without a passphrase) on the bastion host. This way, private SSH keys exist only on your computer and can be safely used to authenticate to the next server (or compute instance).
1. Open WinSCP on your system and, under Tools, click Run Pageant.
Note: If you don't have WinSCP, download it from: https://winscp.net/eng/index.php
2. Once you click Run Pageant, it starts running in the background. Right-click its tray icon, click Add Key, and add the private key of the private instance you created in the previous section.
3. After adding the key, confirm it was loaded successfully by clicking View Keys.
4. Connect to your Bastion Host in the public subnet via PuTTY.
5. Expand SSH and then select Auth as shown in the image, browse to the private key of the bastion host, check all the boxes as shown in the image, and click Open.
6. Once connected to the bastion host using PuTTY, SSH to the private IP of your private instance and check whether you can connect.
With this, we have connected successfully to a private instance through the bastion host using ssh-agent.
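The same flow with OpenSSH (Linux/macOS or Windows OpenSSH) instead of Pageant and PuTTY, as an added example that is not part of the original post: the private-instance key is loaded into a local ssh-agent, and the hop is made with ProxyJump (-J), which tunnels the second SSH session through the bastion rather than running ssh on it, so no key and no forwarded agent socket is ever exposed to the bastion. Usernames, hostnames, IPs and key paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. OpenSSH equivalent of the
# Pageant + PuTTY steps above. All hosts, users and key paths are assumed.
set -eu

BASTION_USER=opc
BASTION_HOST=203.0.113.10          # constructed: bastion public IP
PRIVATE_USER=opc
PRIVATE_HOST=10.0.1.5              # constructed: private instance private IP
BASTION_KEY="$HOME/.ssh/bastion_key"
PRIVATE_KEY="$HOME/.ssh/private_instance_key"

# Compose the jump command. -J makes the bastion a TCP relay only; the
# private instance authenticates against the key held in the local agent.
# IdentitiesOnly=yes stops ssh from offering every agent key to the bastion.
build_jump_cmd() {
  printf 'ssh -o IdentitiesOnly=yes -i %s -J %s@%s %s@%s\n' \
    "$BASTION_KEY" "$BASTION_USER" "$BASTION_HOST" \
    "$PRIVATE_USER" "$PRIVATE_HOST"
}

# Equivalent ~/.ssh/config stanza, so the hop becomes "ssh private-instance".
# ForwardAgent is left at its default (no): nothing on the bastion should be
# able to use your agent.
ssh_config_block() {
  printf 'Host bastion\n  HostName %s\n  User %s\n  IdentityFile %s\n  IdentitiesOnly yes\n\n' \
    "$BASTION_HOST" "$BASTION_USER" "$BASTION_KEY"
  printf 'Host private-instance\n  HostName %s\n  User %s\n  ProxyJump bastion\n' \
    "$PRIVATE_HOST" "$PRIVATE_USER"
}

# Start an agent for this shell if none is running, then load the
# private-instance key (the Pageant "Add Key" step). Prompts for the
# passphrase if the key has one.
load_key_into_agent() {
  if [ -z "${SSH_AUTH_SOCK:-}" ]; then
    eval "$(ssh-agent -s)" >/dev/null
  fi
  ssh-add "$1"
  ssh-add -l        # the "View Keys" check: lists loaded fingerprints
}

# Returns 0 if the agent already holds the key at $1 (fingerprint match).
agent_has_key() {
  fp=$(ssh-keygen -lf "$1" | awk '{print $2}')
  ssh-add -l 2>/dev/null | grep -q "$fp"
}

# Usage: load_key_into_agent "$PRIVATE_KEY"; eval "$(build_jump_cmd)"
```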
Conclusion
In conclusion, creating a Bastion Host in Oracle Cloud Infrastructure (OCI) is pivotal for bolstering security. By following this blog, you can establish a fortified gateway to your OCI resources, mitigating risks and ensuring secure access. Prioritizing isolation, access controls, logging, and maintenance is key to maintaining a resilient defense against cyber threats. Investing in a Bastion Host underscores your commitment to security in OCI.
FAQs
How does a Bastion Host work in OCI?
It acts as an intermediary between external networks and OCI resources, allowing authorized users to securely access and manage them.
Can a Bastion Host access resources in multiple compartments or VCNs?
Yes, with proper network routing and security configurations.
How to ensure the security of a Bastion Host in OCI?
Deploy in a dedicated subnet, implement access controls, enable logging and monitoring, update regularly, and use strong authentication.
Are there any limitations to using Bastion Hosts in OCI?
Some limitations include network bandwidth constraints, potential single point of failure, and the need for proper configuration to ensure security.
Can Bastion Hosts be used for non-SSH protocols in OCI?
Yes, Bastion Hosts can be configured to support various protocols beyond SSH, depending on the specific use case and requirements.
Related/Further Readings
- Create Compute (Linux/Windows Machine) On Oracle Cloud (OCI)
- [Video 3 of 5] Oracle Cloud: Create VCN, Subnet, Firewall (Security List), IGW, DRG: Step By Step
- [Troubleshooting] Compute (Linux/Windows) & Database Instance Connectivity Issue in Oracle Cloud (OCI)
- Networking In Oracle Cloud (OCI): VCN, Subnet, Gateways, Peering, Transit Routing
Begin Your Cloud Journey
Begin your journey towards becoming an Oracle Cloud Expert and earn a lot more in 2024 by joining our FREE CLASS. You will also know more about the Roles and Responsibilities, Job opportunities for OCI Architects, Admins in the market, and what to study Including Hands-On labs you must perform to get the Higher Paying jobs.