Oracle Cloud Infrastructure Quick Tip – Use the Bastion Service with MobaXterm

Mobatek’s MobaXterm is my favorite terminal for daily work. It supports many protocols such as SSH, RDP and VNC, integrates X11 and SFTP, and offers much more. MobaXterm can also connect to an OCI compute instance in a private subnet through the Oracle Cloud Infrastructure Bastion Service using the Managed SSH Session feature.

Prerequisites

  • OCI Compute Instance running in a private subnet
  • OCI Bastion plugin enabled on the Compute Instance – be patient when you enable it for the first time, and make sure the requirements for the agent are fulfilled
  • The VCN has a Service Gateway attached
  • The subnet allows network connections from the Bastion Service private endpoint IP address – see Allowing Network Access From the Bastion (oracle.com)

Link: Oracle Cloud Infrastructure Documentation – Bastion Overview (oracle.com)

Create a Bastion

Create a new bastion and select your target VCN and subnet. In this example, I added my public IP to the CIDR block allow list so that only connections from my client are accepted. I do not recommend adding 0.0.0.0/0 there.

Create Session

Fill in the details to create a bastion host session. After a few minutes, the session is ready to use. The SSH key you provide here is the key used to connect to the bastion host, NOT to the target compute instance. Do not use the same key for both connections.


View SSH command

Here you can see the details of the connection. Oracle creates a randomly generated username for the login to a bastion service host in your region. In my example, the host host.bastion.eu-zurich-1.oci.oraclecloud.com was created.

To configure a MobaXterm session, we need this information:

  • Bastion hostname – host.bastion.eu-zurich-1.oci.oraclecloud.com
  • Bastion host username – ocid1.bastionsession.oc1.eu-zurich-1.amaaaaaasij123456789
  • Target host IP – 192.168.220.16

MobaXterm Configuration

Basic SSH settings

  • Remote Host = Target host IP
  • Specify Username = opc

Note: The username is based on the selected operating system in Oracle Cloud Infrastructure. In this example, for the Oracle Linux 8 Compute Instance, it’s just user opc.

Tab Advanced SSH settings

Enable Use private key and select the SSH key that was used for Compute Instance provisioning.

Tab Network settings

Create a new SSH gateway (jump host).

Define one or several SSH jump hosts

  • Gateway host = Bastion gateway provided by OCI
  • Username = Bastion username provided by OCI
  • Use SSH Key = the SSH key we uploaded when creating the session

Connection Test

Finally, the session can be used to connect to the Oracle Cloud Infrastructure Compute Instance via the Bastion Service.
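The MobaXterm jump-host session above is, under the hood, an OpenSSH connection with a ProxyCommand through the bastion. The following added example (not from the post or from Oracle) builds that command line from the three values shown in View SSH command and refuses the two mistakes the post warns about: reusing one key for both hops and allowing 0.0.0.0/0. The key file names are assumed.

```shell
#!/bin/sh
# Added example: OpenSSH equivalent of the MobaXterm bastion session.
# Key paths (bastion.key, instance.key) are assumed placeholders.

# Returns 0 if the CIDR allow list is acceptable, 1 if it opens the bastion
# to the whole internet (0.0.0.0/0 or ::/0), which the post advises against.
check_allow_list() {
  for cidr in "$@"; do
    case "$cidr" in
      0.0.0.0/0|::/0) return 1 ;;
    esac
  done
  return 0
}

# Prints the ssh command for the target instance via the bastion session.
# Arguments: bastion host, bastion session username, bastion key,
#            target IP, target user, target key.
# The bastion username must be a bastion session OCID, and the two hops
# must use different keys (the post: "Do not use the same key for both").
build_ssh_cmd() {
  bastion_host=$1; bastion_user=$2; bastion_key=$3
  target_ip=$4;    target_user=$5;  target_key=$6
  case "$bastion_user" in
    ocid1.bastionsession.*) ;;
    *) echo "bastion username must be a bastion session OCID" >&2; return 1 ;;
  esac
  if [ "$bastion_key" = "$target_key" ]; then
    echo "use separate keys for the bastion session and the target instance" >&2
    return 1
  fi
  # -W %h:%p forwards stdin/stdout of the bastion hop to the target host:port.
  printf 'ssh -i %s -o ProxyCommand="ssh -i %s -W %%h:%%p %s@%s" %s@%s\n' \
    "$target_key" "$bastion_key" "$bastion_user" "$bastion_host" \
    "$target_user" "$target_ip"
}
```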

Some Blog Posts about the Bastion Service

Summary

A bastion host is a convenient way for an external user to connect into a private subnet. The bastion session duration of 3 hours is absolutely fine for me to do some maintenance or support tasks. Take care to set a correct CIDR allow list and protect your SSH keys; a bastion host can be a backdoor into your network! #safetyfirst