
Connect to private instance in OCI using bastion service

By Gowthami | apps-dba.com | Oracle Cloud Infrastructure Series

Connecting to private OCI compute instances without a public IP is a common security requirement. OCI Bastion Service provides a fully managed, secure way to access private resources without requiring a jump server or VPN. This post walks through setting up and using OCI Bastion to connect to a private instance.

What You Will Learn: How to create an OCI Bastion, create a managed SSH session, and connect to a private compute instance using the OCI Bastion Service—no public IP or VPN required.

What Is OCI Bastion Service?

OCI Bastion is a managed service that provides restricted, time-limited SSH access to private resources in your VCN. Key features:

  • No need for a public IP on the target instance
  • Sessions are time-limited (max 3 hours by default)
  • Access is logged and auditable via OCI Audit
  • Supports SSH port forwarding for database connections

Prerequisites

  • A private OCI compute instance (no public IP)
  • OCI CLI installed and configured on your local machine
  • An SSH key pair
  • IAM policy allowing Bastion use

Step 1: Create the Bastion

  1. Navigate to Identity & Security > Bastion in OCI Console
  2. Click Create Bastion
  3. Provide:
    • Name: e.g., demo-bastion
    • Target VCN and subnet (must be in same VCN as private instance)
    • CIDR allowlist: your local IP (e.g., 203.0.113.0/32)
  4. Click Create Bastion and wait for Active state

Step 2: Create a Managed SSH Session

  1. Select your Bastion and click Create Session
  2. Session type: Managed SSH session
  3. Enter:
    • Username: opc (Oracle Linux images) or ubuntu (Ubuntu images)
    • Compute instance: select your private instance
    • SSH public key: paste your public key content
    • Session TTL: up to 10800 seconds (3 hours)
  4. Click Create Session

Step 3: Connect Using the SSH Command

Once the session is Active, OCI provides a ready-to-use SSH command. Copy it from the session details. It looks like:

ssh -i <private_key_file> \
  -o ProxyCommand='ssh -i <private_key_file> -W %h:%p -p 22 ocid1.bastionsession.oc1...@host.bastion.<region>.oci.oraclecloud.com' \
  -p 22 opc@<private_instance_ip>

Paste and run this command in your local terminal.

Step 4: Port Forwarding for Database Access

To connect to a private Oracle Database (port 1521) through Bastion:

  1. Create a Port Forwarding Session instead of Managed SSH
  2. Target: private instance IP, port 1521
  3. Use the provided SSH command with local port forwarding:

ssh -i <private_key> \
  -N -L 1521:<DB_PRIVATE_IP>:1521 \
  -p 22 ocid1.bastionsession...@host.bastion.<region>.oci.oraclecloud.com

Then connect SQL*Plus to localhost:1521 as if it were local.
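The same Step 1 to Step 4 workflow, driven from the OCI CLI instead of the console, as an added example that is not part of the original post or Oracle's documentation. It checks the two settings that decide how exposed the bastion is (the client CIDR allowlist and the session TTL) before anything is created, then builds the Managed SSH and port-forwarding commands in the same shape the console hands out. Every OCID, IP address and region in it is a placeholder; the OCI CLI option names are written from memory of the CLI reference, so confirm them with `oci bastion bastion create --help` and `oci bastion session --help` before relying on them. Without `RUN_OCI=1` the script only runs the local checks and prints the commands.

```shell
#!/usr/bin/env bash
# Added example (not apps-dba.com's or Oracle's code): Bastion workflow via OCI CLI.
# Assumptions: OCI CLI configured; all OCIDs, IPs and the region are placeholders.
set -eu

# --- Offline helpers (no cloud calls) -------------------------------------

# Allowlist entry must be a single host (/32); refuse 0.0.0.0/0, /24, etc.
check_cidr() {
  case "$1" in
    */32) return 0 ;;
    *)    return 1 ;;
  esac
}

# Session TTL must be a whole number of seconds between 1 and the 10800 s cap.
check_ttl() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 10800 ]
}

# Managed SSH command with the bastion as ProxyCommand (Step 3).
# args: key_file session_ocid region os_user target_private_ip
build_ssh_command() {
  printf "ssh -i %s -o ProxyCommand='ssh -i %s -W %%h:%%p -p 22 %s@host.bastion.%s.oci.oraclecloud.com' -p 22 %s@%s\n" \
    "$1" "$1" "$2" "$3" "$4" "$5"
}

# Local port forward to a private listener such as 1521 (Step 4).
# args: key_file session_ocid region local_port target_private_ip target_port
build_port_forward_command() {
  printf 'ssh -i %s -N -L %s:%s:%s -p 22 %s@host.bastion.%s.oci.oraclecloud.com\n' \
    "$1" "$4" "$5" "$6" "$2" "$3"
}

# --- OCI CLI calls (only when RUN_OCI=1); option names assumed from CLI docs --

create_bastion() {   # args: compartment_ocid subnet_ocid allowed_cidr
  oci bastion bastion create --bastion-type STANDARD \
    --compartment-id "$1" --target-subnet-id "$2" --name demo-bastion \
    --client-cidr-list "[\"$3\"]" --max-session-ttl 10800 \
    --wait-for-state ACTIVE --query 'data.id' --raw-output
}

create_managed_ssh_session() {   # args: bastion_ocid instance_ocid pubkey_file ttl
  oci bastion session create-managed-ssh --bastion-id "$1" \
    --target-resource-id "$2" --target-os-username opc \
    --ssh-public-key-file "$3" --session-ttl-in-seconds "$4" \
    --wait-for-state ACTIVE --query 'data.id' --raw-output
}

create_port_forwarding_session() {   # args: bastion_ocid db_private_ip pubkey_file ttl
  oci bastion session create-port-forwarding --bastion-id "$1" \
    --target-private-ip "$2" --target-port 1521 \
    --ssh-public-key-file "$3" --session-ttl-in-seconds "$4" \
    --wait-for-state ACTIVE --query 'data.id' --raw-output
}

# --- Walkthrough ----------------------------------------------------------
ALLOWED_CIDR="${ALLOWED_CIDR:-203.0.113.0/32}"   # placeholder: your own egress IP
TTL="${TTL:-3600}"                                # shorter than the 10800 s cap
REGION="${REGION:-us-ashburn-1}"                  # placeholder region
KEY="${KEY:-${HOME:-.}/.ssh/id_rsa}"

check_cidr "$ALLOWED_CIDR" || { echo "allowlist must be one /32 host: $ALLOWED_CIDR" >&2; exit 1; }
check_ttl  "$TTL"          || { echo "TTL must be 1..10800 seconds: $TTL" >&2; exit 1; }

if [ "${RUN_OCI:-0}" = "1" ]; then
  # COMPARTMENT_OCID, SUBNET_OCID, INSTANCE_OCID, DB_PRIVATE_IP must be exported.
  BASTION_ID=$(create_bastion "$COMPARTMENT_OCID" "$SUBNET_OCID" "$ALLOWED_CIDR")
  SESSION_ID=$(create_managed_ssh_session "$BASTION_ID" "$INSTANCE_OCID" "$KEY.pub" "$TTL")
  DB_SESSION_ID=$(create_port_forwarding_session "$BASTION_ID" "$DB_PRIVATE_IP" "$KEY.pub" "$TTL")
else
  SESSION_ID="ocid1.bastionsession.oc1..PLACEHOLDER"      # constructed, dry run only
  DB_SESSION_ID="ocid1.bastionsession.oc1..PLACEHOLDER2"  # constructed, dry run only
fi

build_ssh_command "$KEY" "$SESSION_ID" "$REGION" opc "${INSTANCE_PRIVATE_IP:-10.0.1.25}"
build_port_forward_command "$KEY" "$DB_SESSION_ID" "$REGION" 1521 "${DB_PRIVATE_IP:-10.0.1.30}" 1521
```

Keeping the allowlist to a single /32 and the TTL below the cap is the part worth automating: both are set once at creation time and are what an auditor reading OCI Audit events will look at first. The port-forwarding session is separate from the Managed SSH session, so each gets its own TTL and its own audit trail.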

IAM Policy Required

Allow group DBAs to manage bastion-family in compartment <compartment_name>
Allow group DBAs to manage bastion-session in compartment <compartment_name>
