There are several OCI tools for securely accessing compute resources located in a VCN's private subnet. One very efficient option is the OCI Bastion service, a managed service from Oracle Cloud Infrastructure. Another secure, fast and efficient option is the Oracle Cloud Shell.

The Oracle Cloud Shell is a web browser-based terminal in the OCI Console that provides access to a Linux shell with a pre-authenticated OCI Command Line Interface (CLI). It now includes a new feature, Private Network Access. This feature lets you specify the VCN and private subnet where your resources are located, and creates an endpoint in that subnet. Traffic from this endpoint is governed by the rules in the subnet's Security List(s). Additionally, you can specify a Network Security Group.

There is one restriction: this feature is supported only in the tenancy's home region. However, with regular Remote Peering Connections you can extend accessibility to other regions.

Screenshot - Access Compute Instances in a Private Subnet with the Oracle Cloud Shell_1

To demonstrate how Private Network Access works, we will create a VCN, a private subnet and a compute instance, and then launch Cloud Shell.

Create a VCN and Private Subnet

  1. Login to your OCI account
  2. Make sure you are in your home region (Top Right)
  3. Click on the main menu (Top Left)
  4. Select Networking, Click on Virtual Cloud Networks
  5. Under List Scope, select your preferred compartment
  6. Click Create VCN
    1. Name: DemoVCN_1
    2. IPv4 CIDR Block: 10.0.0.0/16
    3. Leave everything else as is.
    4. Click the Create VCN button
  7. Your VCN will open
  8. Click Create Subnet
    1. Name: DemoPrivateSubnet_1
    2. In IPv4 CIDR Block enter 10.0.0.0/24
    3. For Subnet Access select Private
    4. Leave everything else as is.
    5. Click the Create Subnet button

Create a Compute Instance

  1. Click on the main menu (Top Left)
  2. Select Compute, Click on Instances
  3. Under List Scope, select the same compartment as above
  4. Click Create Instance
    1. Leave all default values as they are and scroll down to Networking
    2. Make sure that you select DemoVCN_1 and DemoPrivateSubnet_1
    3. Click Show advanced options
    4. In Private IPv4 address enter 10.0.0.173
    5. Scroll down to SSH Keys
    6. Click the Save Private Key button (this will download the private key to your workstation)
    7. Click the Create button
  5. On your workstation, open the private key you downloaded in a text editor (such as Notepad or Notepad++)
  6. Select all of its content and copy it to the clipboard

Launch Cloud Shell and configure the Private Network Access

  1. In the top right, click on the Developer Tools icon, select Cloud Shell (it might take two minutes to launch)
  2. In the Cloud Shell menu, click Network: Public and select Private Network Setup
    1. Select VCN DemoVCN_1
    2. Select Subnet DemoPrivateSubnet_1
    3. Click the Connect to this Network button (it might take two minutes to launch)
  3. In the Cloud Shell command line, type the following command: vi ocikey (This will open the vi editor for a file named ocikey).
    1. Type i (Insert mode in vi)
    2. Paste the content of the private key file from your clipboard
    3. Press the <esc> key on your keyboard (to exit insert mode)
    4. Press the : key
    5. Type wq! and press the <enter> key (this saves the file and exits vi)
  4. Type the following command: chmod 400 ocikey (this restricts ocikey to owner read-only; ssh refuses to use a private key that is readable by other users)

Now you are ready to access your Compute Instance using its private IP address.

Connect to your Compute Instance

  1. Type: ssh -i ocikey opc@10.0.0.173
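The key-file and connection steps above can be wrapped in a small shell helper that checks the two things that commonly go wrong before calling ssh: the key file's permissions and whether the pasted content is actually a PEM private key. This is an added example, not code from the original post or from Oracle; it assumes the Linux Cloud Shell with GNU coreutils (for `stat -c`), the same key file name, user and private IP as the post, and that the key material is piped into `write_key_file` on stdin.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the ocikey /
# ssh steps, written for the Linux Cloud Shell (GNU coreutils assumed).
KEY_FILE="${KEY_FILE:-$HOME/ocikey}"     # same file name as the post
TARGET_USER="${TARGET_USER:-opc}"         # default user on Oracle Linux images
TARGET_IP="${TARGET_IP:-10.0.0.173}"      # private IP assigned in the post

# Write private-key material from stdin into the key file. The restrictive
# umask means the file is never group/world readable, even briefly, and the
# final chmod matches the post's `chmod 400 ocikey` step.
write_key_file() {
  ( umask 077 && cat > "$1" ) || return 1
  chmod 400 "$1"
}

# Succeeds only when the mode is exactly 0400 (owner read-only).
key_perms_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  [ "$mode" = "400" ]
}

# Cheap sanity check that what was pasted is a PEM private key, so a stray
# clipboard paste is caught before ssh reports a confusing error.
key_looks_valid() {
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" &&
  grep -q -e '-----END .*PRIVATE KEY-----' "$1"
}

# Run the checks, then connect. accept-new records the instance's host key on
# first use and makes ssh refuse to connect if that key later changes.
connect() {
  key_perms_ok "$KEY_FILE" || { echo "run: chmod 400 $KEY_FILE" >&2; return 1; }
  key_looks_valid "$KEY_FILE" || { echo "$KEY_FILE is not a PEM private key" >&2; return 1; }
  ssh -i "$KEY_FILE" -o StrictHostKeyChecking=accept-new "$TARGET_USER@$TARGET_IP"
}

# Usage: RUN_CONNECT=1 sh thisfile.sh   (after writing the key file once with
#        write_key_file, e.g.  cat pasted.pem | write_key_file "$HOME/ocikey")
if [ "${RUN_CONNECT:-0}" = 1 ]; then connect; fi
```

The helper functions are pure checks on the local file, so they can be sourced and reused; only `connect` needs the private network endpoint to be up.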

Screenshot - Access Compute Instances in a Private Subnet with the Oracle Cloud Shell_2

You are now connected to the Compute Instance in the Private Subnet!