Sunday, October 30, 2022

Connect to private instance in OCI using bastion service

By Gowthami | apps-dba.com | Oracle Cloud Infrastructure Series

Connecting to private OCI compute instances that have no public IP is a common security requirement. OCI Bastion Service provides a fully managed, time-limited entry point to private resources, so you do not have to run and patch your own jump server or stand up a VPN. This post walks through setting up an OCI Bastion and using it to connect to a private instance.

What You Will Learn: How to create an OCI Bastion, create a managed SSH session, and connect to a private compute instance using the OCI Bastion Service—no public IP or VPN required.

What Is OCI Bastion Service?

OCI Bastion is a managed service that provides restricted, time-limited SSH access to private resources in your VCN. Key features:

  • No public IP is needed on the target instance; the bastion reaches it through its own private endpoint inside the VCN
  • Inbound access to the bastion is limited to a client CIDR allowlist that you define
  • Sessions are time-limited (maximum TTL of 3 hours; the bastion itself can be configured with a lower cap)
  • Session creation and use are recorded in OCI Audit
  • Supports port-forwarding sessions, for example to reach a database listener

Prerequisites

  • A private OCI compute instance (no public IP)
  • For managed SSH sessions, the Oracle Cloud Agent running on that instance with its Bastion plugin enabled (port-forwarding sessions do not need the plugin)
  • A security list or NSG rule on the target that allows ingress on TCP/22 (or the port you forward) from the bastion's subnet
  • OCI CLI installed and configured on your local machine (optional; the steps below use the Console)
  • An SSH key pair
  • IAM policy allowing Bastion use (see the policy section at the end)

Step 1: Create the Bastion

  1. Navigate to Identity & Security > Bastion in the OCI Console
  2. Click Create Bastion
  3. Provide:
    • Name: e.g., demo-bastion
    • Target VCN and subnet: the subnet hosts the bastion's private endpoint and must be in the same VCN as the private instance (it does not have to be the instance's own subnet)
    • CIDR allowlist: the public IP(s) you will connect from, e.g. 203.0.113.10/32. Keep this tight; 0.0.0.0/0 turns the bastion into a generally reachable jump host
  4. Click Create Bastion and wait for the Active state

Step 2: Create a Managed SSH Session

  1. Select your Bastion and click Create Session
  2. Session type: Managed SSH session
  3. Enter:
    • Username: the OS user on the instance, e.g. opc (Oracle Linux) or ubuntu (Ubuntu)
    • Compute instance: select your private instance
    • SSH public key: paste the public half of your key pair; the Bastion plugin installs it for that OS user for the life of the session
    • Session TTL: up to 10800 seconds (3 hours), and no more than the bastion's maximum session TTL
  4. Click Create Session. Creation fails if the Bastion plugin is not running on the instance, so check the instance's Oracle Cloud Agent settings first.

Step 3: Connect Using the SSH Command

Once the session is Active, OCI provides a ready-to-use SSH command; copy it from the session details. The session OCID is the username on the bastion host, and the bastion is used as a ProxyCommand hop to the instance's private IP. The same private key is used on both hops. It looks like:

ssh -i <private_key_file> \
  -o ProxyCommand='ssh -i <private_key_file> -W %h:%p -p 22 ocid1.bastionsession.oc1...@host.bastion.<region>.oci.oraclecloud.com' \
  -p 22 opc@<private_instance_ip>

Paste and run this command in your local terminal. When the TTL expires the session is deleted and the command stops working; create a new session rather than reusing an old session OCID.

Step 4: Port Forwarding for Database Access

To connect to a private Oracle Database listener (port 1521) through Bastion:

  1. Create a Port Forwarding Session instead of a Managed SSH session (this session type targets an IP address and port, so it also works for DB systems, and it does not need the Bastion plugin)
  2. Target: the database's private IP, port 1521
  3. Use the provided SSH command, which opens a local port forward and no remote shell (-N):
ssh -i <private_key> \
  -N -L 1521:<DB_PRIVATE_IP>:1521 \
  -p 22 ocid1.bastionsession...@host.bastion.<region>.oci.oraclecloud.com

Leave that command running. The forwarded port listens on localhost only, so point SQL*Plus (or any other client) at localhost:1521 with the database's service name, as if the listener were local. The target's security list or NSG must allow TCP/1521 from the bastion's subnet.
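The same workflow as Steps 1 to 4, driven from the OCI CLI instead of the Console, as an added example written for this post (it is not code from apps-dba.com or from Oracle). The helpers that build the SSH command lines are pure and run offline; the functions that call oci only run when BASTION_RUN=1 is set. The oci flag names are assumptions taken from the OCI CLI reference, so confirm them with `oci bastion bastion create --help` and `oci bastion session create-managed-ssh --help` before relying on them; the OCIDs and IP addresses in the usage comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): OCI Bastion from the CLI.
# Pure helpers build the Step 3 / Step 4 SSH commands; the oci-calling
# functions only run when BASTION_RUN=1. Flag names are assumptions from the
# OCI CLI reference; verify with `oci bastion session create-managed-ssh --help`.

# Regional bastion endpoint, e.g. host.bastion.us-ashburn-1.oci.oraclecloud.com
bastion_host() {
  printf 'host.bastion.%s.oci.oraclecloud.com\n' "$1"
}

# The service caps session TTL at 10800 s (3 h); refuse anything outside
# 1..10800 locally instead of letting the API reject it.
valid_ttl() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 10800 ]
}

# Step 3 command: the session OCID is the username on the bastion host, and
# the bastion hop is a ProxyCommand to the instance's private IP. One key pair
# serves both hops because a managed SSH session pushes the uploaded public
# key to the target OS user through the Bastion plugin.
managed_ssh_cmd() {
  key=$1; session=$2; region=$3; os_user=$4; target_ip=$5
  printf "ssh -i %s -o ProxyCommand='ssh -i %s -W %%h:%%p -p 22 %s@%s' -p 22 %s@%s\n" \
    "$key" "$key" "$session" "$(bastion_host "$region")" "$os_user" "$target_ip"
}

# Step 4 command: local port forward through a port-forwarding session.
# -N opens no remote shell; without a bind address, -L listens on loopback only.
port_forward_cmd() {
  key=$1; session=$2; region=$3; local_port=$4; target_ip=$5; target_port=$6
  printf 'ssh -i %s -N -L %s:%s:%s -p 22 %s@%s\n' \
    "$key" "$local_port" "$target_ip" "$target_port" \
    "$session" "$(bastion_host "$region")"
}

# Step 1: create the bastion in a subnet of the target VCN with a tight client
# CIDR allowlist (assumed flag names). Prints the bastion OCID.
create_bastion() {
  compartment_id=$1; subnet_id=$2; client_cidr=$3; name=$4
  oci bastion bastion create \
    --bastion-type standard \
    --compartment-id "$compartment_id" \
    --target-subnet-id "$subnet_id" \
    --client-cidr-list "[\"$client_cidr\"]" \
    --max-session-ttl 10800 \
    --name "$name" \
    --wait-for-state ACTIVE \
    --query 'data.id' --raw-output
}

# Step 2: managed SSH session (assumed flag names). Fails server-side if the
# instance's Bastion plugin is not running. Prints the session OCID.
create_managed_ssh_session() {
  bastion_id=$1; instance_id=$2; os_user=$3; pubkey_file=$4; ttl=$5
  valid_ttl "$ttl" || { echo "session TTL must be 1..10800 seconds" >&2; return 1; }
  oci bastion session create-managed-ssh \
    --bastion-id "$bastion_id" \
    --target-resource-id "$instance_id" \
    --target-os-username "$os_user" \
    --ssh-public-key-file "$pubkey_file" \
    --session-ttl "$ttl" \
    --wait-for-state ACTIVE \
    --query 'data.id' --raw-output
}

# Step 4: port-forwarding session to a private IP:port (assumed flag names).
# Targets an address rather than an instance, so it works for DB systems too.
create_port_forwarding_session() {
  bastion_id=$1; target_ip=$2; target_port=$3; pubkey_file=$4; ttl=$5
  valid_ttl "$ttl" || { echo "session TTL must be 1..10800 seconds" >&2; return 1; }
  oci bastion session create-port-forwarding \
    --bastion-id "$bastion_id" \
    --target-private-ip "$target_ip" \
    --target-port "$target_port" \
    --ssh-public-key-file "$pubkey_file" \
    --session-ttl "$ttl" \
    --wait-for-state ACTIVE \
    --query 'data.id' --raw-output
}

# Usage (only with BASTION_RUN=1, so the helpers can be sourced safely):
#   BASTION_RUN=1 sh bastion.sh <bastion_ocid> <instance_ocid> <region> <instance_private_ip> [db_private_ip]
if [ "${BASTION_RUN:-0}" = 1 ]; then
  sid=$(create_managed_ssh_session "$1" "$2" opc "$HOME/.ssh/id_rsa.pub" 3600)
  managed_ssh_cmd "$HOME/.ssh/id_rsa" "$sid" "$3" opc "$4"
  if [ -n "$5" ]; then
    pid=$(create_port_forwarding_session "$1" "$5" 1521 "$HOME/.ssh/id_rsa.pub" 3600)
    port_forward_cmd "$HOME/.ssh/id_rsa" "$pid" "$3" 1521 "$5" 1521
  fi
fi
```

The session objects returned by the CLI also carry the ready-made command in their ssh-metadata, so you can take it from there instead of building it; the helpers above exist so the TTL check and the shape of the two commands are visible in one place.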

IAM Policy Required

Allow group DBAs to manage bastion-family in compartment <compartment_name>
Allow group DBAs to manage bastion-session in compartment <compartment_name>

bastion-family already includes bastion-session, so the second statement is redundant while the first is present. For least privilege, give manage bastion-family only to the group that creates and deletes bastions, and give session users use bastion together with manage bastion-session. Managed SSH sessions additionally need read access to the target instance and its Oracle Cloud Agent plugins:

Allow group DBAs to read instance-family in compartment <compartment_name>
Allow group DBAs to read instance-agent-plugins in compartment <compartment_name>
