Jump!
In our Trivadis Oracle Cloud Infrastructure training environments, we never use direct access to an application or database server by a public IP address. Instead, we use an Oracle Linux based bastion host which acts as a jump host. For security reasons, I never put any SSH keys on a bastion host to connect from there to the target instances. If your bastion host is compromised, your SSH keys are lost! In one of the last trainings, some participants had problems with this, so I decided to blog about it. This blog post shows you the different methods to connect to an Oracle Cloud Infrastructure private/public network by using a bastion host.
SSH Keys
Oracle Cloud Infrastructure Linux based offerings like compute instances and virtual machines for databases are accessible by SSH key as per default. For working with these machines, I use these three types of SSH keys:
- id_rsa_oci – Private key generated by ssh-keygen
- id_rsa_oci.pub – Public key generated by ssh-keygen
- id_rsa_oci.ppk – Puttygen-converted private key
This gives me the flexibility to connect to running OCI instances in different ways, such as Putty, MobaXterm, Windows Subsystem for Linux, WinSCP etc.
Oracle Cloud Infrastructure Sample Setup
Host | Public IP | Private IP | Accessible by |
--- | --- | --- | --- |
Bastion Host | 140.238.216.114 | 10.0.0.2 | SSH |
Windows Application Server | – | 10.0.1.2 | RDP |
Oracle Database Server | – | 10.0.2.2 | SSH |
Reminder: In OCI, only SSH port 22 is open in the subnet security lists by default when the VCN is created by the VCN Wizard. If you want to allow connections from the public to the private subnet by RDP and Oracle Net, then ports 3389 and 1521 must be added to the security list of the private subnet. Create stateful ingress rules and restrict the source to the bastion host's private IP range.
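The reminder above is easy to get wrong in two ways: the source of the new rules ends up as 0.0.0.0/0, or the update drops the existing SSH rule. The following script is an added example, not part of the original post: it builds the three stateful TCP ingress rules (22, 1521, 3389) with the source limited to the bastion subnet and refuses an "anywhere" source. It assumes the bastion subnet is 10.0.0.0/24 (the post only gives the bastion's private IP 10.0.0.2), the JSON key names used by the OCI CLI for --ingress-security-rules, and a placeholder security list OCID passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of the original post: stateful ingress rules for the
# private subnet security list, in the JSON shape the OCI CLI takes for
# "oci network security-list update --ingress-security-rules".
# Assumptions: bastion subnet 10.0.0.0/24 and the exact CLI JSON key names.

BASTION_SUBNET="10.0.0.0/24"

# source_is_restricted CIDR: true unless the source means "anywhere"
source_is_restricted() {
    case "$1" in
        0.0.0.0/0|::/0) return 1 ;;
        *) return 0 ;;
    esac
}

# ingress_rule PORT SOURCE_CIDR: one stateful TCP rule for a single port
# (protocol "6" is TCP in OCI security lists)
ingress_rule() {
    source_is_restricted "$2" || { echo "refusing open source $2 for port $1" >&2; return 1; }
    printf '{"protocol":"6","source":"%s","sourceType":"CIDR_BLOCK","isStateless":false,"tcpOptions":{"destinationPortRange":{"min":%s,"max":%s}}}' "$2" "$1" "$1"
}

# private_subnet_rules SOURCE_CIDR: the complete ingress list as a JSON array.
# "update" replaces the whole list, so SSH (22) is kept alongside 1521 and 3389.
private_subnet_rules() {
    printf '[%s,%s,%s]' \
        "$(ingress_rule 22 "$1")" \
        "$(ingress_rule 1521 "$1")" \
        "$(ingress_rule 3389 "$1")"
}

if [ $# -gt 0 ]; then
    # usage: ./seclist.sh ocid1.securitylist.oc1..PLACEHOLDER
    private_subnet_rules "$BASTION_SUBNET" > rules.json
    oci network security-list update --security-list-id "$1" \
        --ingress-security-rules file://rules.json
fi
```

The rules are stateful (isStateless false), so no matching egress rule is needed for the return traffic of the RDP and Oracle Net sessions.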
Build your own SSH Tunnel
There are different ways to build an SSH (tunnel) configuration to Oracle Cloud Infrastructure instances on a Windows based platform; my favourites are:
- Windows Subsystem for Linux (WSL)
- MobaXterm
- Putty
Here are some connection examples of how to work with instances in a private subnet via the bastion host with these three methods. As a Windows 10 user, for some connections I'd like to use WSL Ubuntu more and more – now available in version 20 🙂
1. Connect by using Windows Subsystem for Linux (WSL)
Test: Verify the Connection to the Bastion Host public IP Address
$ ssh -i .ssh/id_rsa_oci opc@140.238.216.114
Last login: Mon Apr 27 15:47:54 2020 from 139.178.22.30
[opc@bastion-host ~]$ oci-metadata | grep hostname
hostname: bastion-host
Database Server: SSH Connect via Bastion Host
This opens a session on the database server as user opc.
$ ssh -i .ssh/id_rsa_oci -o ProxyCommand="ssh -i .ssh/id_rsa_oci -W %h:%p opc@140.238.216.114" opc@10.0.2.2
Last login: Mon Apr 27 15:51:32 2020 from 10.0.0.2
[opc@dbsrv01 ~]$ sudo su - oracle
Last login: Mon Apr 27 15:51:47 UTC 2020 on pts/0
[oracle@dbsrv01 ~]$ . oraenv
ORACLE_SID = [DB0427] ?
The Oracle base has been set to /u01/app/oracle
[oracle@dbsrv01 ~]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Mon Apr 27 15:52:14 2020
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Connected to:
Oracle Database 19c Standard Edition 2 Release 19.0.0.0.0 - Production
Version 19.6.0.0.0

SQL> show pdbs

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 PDB01                          READ WRITE NO
Database Server: Create a new SSH Tunnel to forward port 1521 as port 15210
This opens a connection to the bastion host.
$ ssh -i .ssh/id_rsa_oci -A -L 15210:10.0.2.2:1521 opc@140.238.216.114
Last login: Mon Apr 27 15:48:23 2020 from 139.178.22.30
[opc@bastion-host ~]$
Database Server: Connect to the Database by SQL Developer
Use port 15210 and localhost as hostname.
Verify the Oracle Net service name from the DBA panel menu.
Application Server: Create a new SSH Tunnel to forward port 3389 as port 33890
This opens a connection to the bastion host.
$ ssh -i .ssh/id_rsa_oci -A -L 33890:10.0.1.2:3389 opc@140.238.216.114
Last login: Mon Apr 27 15:48:23 2020 from 139.178.22.30
[opc@bastion-host ~]$
Application Server: Connect to the Windows Desktop by Remote Desktop Connection
Use port 33890 and localhost as hostname.
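The three WSL one-liners above (the ProxyCommand with -W %h:%p and the two -L forwards) can be kept in an ssh_config fragment so that they become "ssh dbsrv01" and "ssh -N oci-tunnels". The script below is an added example and not part of the original post: it writes such a fragment using ProxyJump, which is the built-in form of the -W ProxyCommand, so the private key stays on the workstation and the tunnels need no agent forwarding at all. The aliases oci-bastion, dbsrv01 and oci-tunnels and the key path ~/.ssh/id_rsa_oci are assumptions; the addresses and ports are the ones from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: an ssh_config fragment that
# reproduces the WSL one-liners (ProxyCommand -W %h:%p and the -L forwards).
# Assumptions: the aliases oci-bastion, dbsrv01 and oci-tunnels and the key
# path ~/.ssh/id_rsa_oci; addresses and ports are the ones in the post.

BASTION_PUBLIC_IP="140.238.216.114"
DB_PRIVATE_IP="10.0.2.2"
APP_PRIVATE_IP="10.0.1.2"
KEY="~/.ssh/id_rsa_oci"   # ssh expands ~ itself; the key never leaves this machine

# write_ssh_config FILE: write the fragment to FILE (e.g. ~/.ssh/config)
write_ssh_config() {
    cat > "$1" <<EOF
# Jump host: the only instance with a public address
Host oci-bastion
    HostName $BASTION_PUBLIC_IP
    User opc
    IdentityFile $KEY
    IdentitiesOnly yes
    ForwardAgent no

# Database server in the private subnet. ProxyJump is the built-in form of
# -o ProxyCommand="ssh -W %h:%p opc@bastion": the bastion only relays the TCP
# stream, it never sees the key or an agent socket.
Host dbsrv01
    HostName $DB_PRIVATE_IP
    User opc
    IdentityFile $KEY
    IdentitiesOnly yes
    ProxyJump oci-bastion

# Tunnels only ("ssh -N oci-tunnels"): localhost:15210 -> Oracle Net and
# localhost:33890 -> RDP, both forwarded by the bastion as in the post
Host oci-tunnels
    HostName $BASTION_PUBLIC_IP
    User opc
    IdentityFile $KEY
    IdentitiesOnly yes
    ForwardAgent no
    ExitOnForwardFailure yes
    LocalForward 15210 $DB_PRIVATE_IP:1521
    LocalForward 33890 $APP_PRIVATE_IP:3389
EOF
}

# resolved_option FILE HOST OPTION: how ssh resolves OPTION for HOST from FILE
# alone (ssh -G never connects), e.g. resolved_option cfg dbsrv01 proxyjump
resolved_option() {
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2 }'
}

# forward_count FILE: number of LocalForward lines in FILE (sanity check)
forward_count() {
    grep -c '^ *LocalForward ' "$1"
}

if [ $# -gt 0 ]; then
    write_ssh_config "$1"
    echo "wrote $1 with $(forward_count "$1") local forwards"
fi
```

ExitOnForwardFailure makes "ssh -N oci-tunnels" fail loudly when a local port such as 15210 is already taken, instead of leaving a session open that SQL Developer cannot use; IdentitiesOnly keeps ssh from offering every key in the agent to the bastion.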
2. Connect by using MobaXterm
Database Server: SSH Connect via Bastion Host
This opens a session on the database server as user opc.
Fill in Remote Host, Specify username and Port. Activate Use private key and select the local private SSH key in Putty format.
Activate Connect through SSH gateway, fill in Gateway SSH server, Port, User. Activate Use private key and select the local private SSH key in Putty format.
Start the session.
As you can see in the MobaXterm Header, X-Forwarding works too.
Database Server: Create a new SSH Tunnel to forward port 1521 as port 15210
Open the MobaXterm Tunneling menu and add a New SSH tunnel. Fill in Forwarded port, Remote server, Remote port, SSH server, SSH login and SSH port. Save the tunnel settings. For an application server tunnel, just replace the Remote server, Remote port and Forwarded port settings.
Add the private SSH key in Putty format by clicking on the key icon. Start the tunnel.
Database Server: Connect to the Database by SQL Developer
Use port 15210 and localhost as hostname.
Verify the database control file settings from the DBA panel menu.
3. Connect by using Putty
Database Server: SSH Connect via Bastion Host
As a prerequisite, I have created a Putty session called OCI Bastion Host for the jump host connection, with the SSH private key in Putty format and user opc. This session is now used as the proxy.
Fill in the database server private IP. The red one is the already existing session.
Add the proxy command and save the session settings. Optionally enable proxy diagnostics.
plink "OCI Bastion Host" -agent -nc %host:%port
Open the newly created session to connect to the database server with user opc.
Application Server: Create a new SSH Tunnel to forward port 3389 as port 33890
This opens a connection to the bastion host. Fill in the bastion host public IP.
Add the private key file in Putty format and enable the checkbox Allow agent forwarding.
Add a port forwarding rule for RDP. Save session.
Open the newly created session to enable port forwarding for Remote Desktop Protocol.
Application Server: Connect to the Windows Desktop by Remote Desktop Connection
Use port 33890 and localhost as hostname.
Alternative Method – Start Putty from Command Line
Start Putty with the port forwarding settings from the command line. This opens a Putty session and port 3389 can be used. No additional settings are required.
C:\> putty.exe -ssh -A -i C:\oci\ssh\id_rsa_oci.ppk -L 33890:10.0.1.2:3389 opc@140.238.216.114
Summary
A bastion host is an “easy-to-setup” alternative to a VPN connection without any huge infrastructure overhead. There are several ways to connect and tunnel to the target servers. Use the method you are familiar with, but NEVER place SSH keys on a bastion host.
And now: click here to make some noise – Jump by Van Halen