Common practice uses bastion servers, or jump hosts, to access private resources in Oracle Cloud Infrastructure (OCI). A bastion host needs to be hardened, which requires proper care, maintenance, and security posture to eliminate any vulnerability. What if the added overhead of maintaining and paying for the bastion server is taken care of and is provided as a secure service? Considering that OCI is created from the ground up with security and performance in mind, we’ve done exactly that. Bastion is available as a service in OCI.
This blog clarifies how to use Bastion service securely using the Oracle Command Line Interface (OCI CLI). For more information, see the Bastion service page.
Bastion creation process
The following diagram provides the snapshot of what Bastion service is and what it enables. For more details, see the documentation.
Creating Bastion Service with OCI CLI in 3 easy steps
For this blog, we use the use case of needing to access Linux Compute instances in a private subnet. You can accomplish this task with the OCI Console and CLI. For creating and managing Bastion service from the Console, refer to this blog.
OCI CLI offers the same command line functionality that you use in the Console. This functionality lends to the plethora of automation opportunities. Let’s create a bastion with OCI CLI.
The creator of the bastion needs the following privileges:
Allow group SecurityAdmins to manage bastion-family in tenancy
Allow group SecurityAdmins to manage virtual-network-family in tenancy
Allow group SecurityAdmins to read instance-family in tenancy
Allow group SecurityAdmins to read instance-agent-plugins in tenancy
Allow group SecurityAdmins to inspect work-requests in tenancy
Step 1: Creating the bastion
We use the following syntax:
oci bastion bastion create \
--bastion-type standard \
--compartment-id
\
--target-subnet-id
\
--client-cidr-list file://clientjson.json \
--name
The following code block gives an example:
oci bastion bastion create \
--bastion-type standard \
--compartment-id oci bastion bastion create \
--bastion-type standard \
--compartment-id ocid1.compartment.oc1..aaaaaaaamjxynn55q2nddbeur3zwnkzis4yogjtqkd6zzyoafngyv3747pfa \
--target-subnet-id ocid1.subnet.oc1.iad.aaaaaaaakkgwfe7uikxcxa6tc7ks7aaiv56hpgr4cpqcr3wam7ntw43pbemq \
--client-cidr-list file:///Users/seshadri/clientsubnet.json \
--name seshbast27 \
--max-session-ttl 3600 \
--query data.id --raw-output
ocid1.bastion.oc1.iad.amaaaaaaxkh5s6iae6ttysqpsvvmib6g53mmr3ckcyhrwqdgubm6y7yoau2a
In the CLI command, clientsubnet.json refers to the client CIDR from where the session is initiated to the bastion. Specify the client CIDR as an array with the following command:
cat clientsubnet.json
[ "173.172.187.13/32" ]
Max-session-ttl refers to the time a bastion session is active. In the example case, the bastion session can’t extend beyond one hour. This value supersedes any value given during the session creation. The bastion provides access to private resources specified in the target-subnet-id. For more information on getting OCIDs for subnets, see my other blog post.
Step 2 Create a session to the bastion server
Now that the bastion server has been created, let’s create the session to the bastion server with the following command:
oci bastion session create \ --bastion-id ocid1.bastion.oc1.iad.amaaaaaaxkh5s6iae6ttysqpsvvmib6g53mmr3ckcyhrwqdgubm6y7yoau2a \ --target-resource-details ’{"sessionType": "MANAGED_SSH","targetResourceId": "ocid1.instance.oc1.iad.anuwcljsxkh5s6icvo7lbnlcfl6jkfivavj6doxsiqxfg6nbqzq7mz2wpcsq","targetResourceDisplayName": "seshtest","targetResourceOperatingSystemUserName": "opc","targetResourcePort": 22,"targetResourcePrivateIpAddress": "172.16.52.96"}’\ --display-name seshbastion36 \ --key-type PUB \ --ssh-public-key-file /Users/seshadri/.ssh/id_rsa.pub \ --wait-for-state SUCCEEDED --query ’data.resources[0].identifier’ --raw-output Action completed. Waiting until the work request has entered state: (’SUCCEEDED’,) ocid1.bastionsession.oc1.iad.amaaaaaaxkh5s6iaefvlti7fsxrz4m4p6ctpyg5onjl3llbpcduxtqlts3ra Target-resource-details is a complex type that can be better used as a json file. The JSON has been expanded for ease of explanation. In the target-resource-details, I’m specifying the private IP address of the Compute instance, to which I’m creating the session, the user name, and the port. So far, we have created the bastion server and a session that enables us to SSH to the instance with a private IP of 172.16.52.96.
Many more options for creating sessions exist and you can refer to the documentation by using the command, oci session create -h.
Step 3 Creating the SSH session to the Compute instance
The proof is in the ability to create an SSH session. Taking the OCID of the bastion session created, we can easily SSH to the private compute with the following string:
ssh -o ProxyCommand="ssh -W %h:%p -p 22 ocid1.bastionsession.oc1.iad.amaaaaaaxkh5s6iaefvlti7fsxrz4m4p6ctpyg5onjl3llbpcduxtqlts3ra@host.bastion.us-ashburn-1.oci.oraclecloud.com" -p 22 opc@172.16.52.96The Bastion service is local to the region where the private resource is located. In our example, I’m accessing a Compute instance in OCI Ashburn region. Appropriately change the region, based on your private resource access needs. The following screenshot shows the actual login:
The bastion only allows client-to-server forwarded sessions, acting as pass-through only. This configuration leaves no chance of security compromise by someone logging into the bastion server directly and accidentally leaving secure files in the bastion.
Extending the process to other use cases
This blog post focuses on enabling bastion access to a private Linux Compute resource. You can also use Bastion service for the following use cases:
- Compute instance (managed-SSH for virtual machine and bare metal instances)
- Accessing Kubernetes PODS securely
- Windows instance (RDP)
- Connecting to Autonomous Database and MySQL (using port forwarding)
Oracle Cloud Infrastructure Bastion service significantly increases the security posture of an enterprise by providing enterprise grade bastion access. The process of the actual bastion and session creation is audited and logged, providing unprecedented governance and control needed for the modern enterprise to focus on value creation. For details, see the Bastion service documentation.