If an Autonomous Database (ADB) is deployed in a private subnet and requires access for analysis or troubleshooting, Azure Bastion provides a secure solution. This guide demonstrates how to connect to an Oracle Autonomous Database@Azure via Bastion while using a locally running VS Code as a SQL editor. In this setup, Azure Bastion is already configured, and neither the provisioned Autonomous Database nor the vNet jump host has a public IP address. All commands are executed on a Windows machine using PowerShell, with the Azure CLI set up according to the official documentation: How to install the Azure CLI | Microsoft Learn.
This is part three of the Oracle Autonomous Database@Azure blog post series:
- Part 1: Subscription: https://www.martinberger.com/2024/10/getting-started-with-oracle-databaseazure-pay-as-you-go-part-1-subscription/
- Part 2: Provisioning: https://www.martinberger.com/2024/10/getting-started-with-oracle-autonomous-databaseazure-pay-as-you-go-part-2-provisioning/
Why a Bastion
Azure Bastion works like a secure “jump host” into a private network, but it is designed to be more secure than exposing individual VMs via public IPs or VPNs. A key use case where Azure Bastion is beneficial: you need to SSH or RDP into virtual machines without exposing them to the public internet, for example for troubleshooting:
- VMs stay private (no public IP needed).
- No need for VPNs or direct SSH/RDP exposure.
- Protects against brute force attacks on SSH/RDP ports.
The Setup
In my setup, Azure Bastion serves as the entry point into the private subnet topology. Using Bastion, I establish an SSH tunnel to forward port 1522. An alternative approach would be to deploy a Unix-based jump host with a public IP address and manually configure network rules and routing. While this method requires significantly more effort and introduces additional security considerations, it can be more cost-effective.
A Bastion host with Standard Tier, which supports native client connections, costs approximately $0.29 per hour, translating to around $200 per month if left running continuously. To optimize costs, I recommend deleting the Bastion host after use and recreating the resource only when needed.
- vnet-1-bastion: the Azure provided bastion
- vnet-1-jump: a small Ubuntu host for port forwarding
- Oracle ADB@Azure: the database
Step 1 – Connect via Bastion to Jumphost
In a PowerShell window, execute this command. You can set any port to forward. In this case, SSH port 22 of the Ubuntu jump host will be forwarded to my local machine as 127.0.0.1:52001. This Ubuntu jump host is used later to tunnel to the Autonomous Database@Azure host. Do not close the PowerShell window.
Learn more: https://learn.microsoft.com/en-us/azure/bastion/connect-vm-native-client-windows
PS > az network bastion tunnel --name vnet-1-bastion --resource-group <your resource group here> --target-resource-id <your complete path to the jumphost here> --resource-port 22 --port 52001
Opening tunnel on port: 52001
Tunnel is ready, connect on port 52001
Ctrl + C to close
Test the reachability of the jump host via Bastion. Your private SSH key for the Ubuntu machine is required, and the configured OS user is azureuser. For example, connect with PuTTY to 127.0.0.1 on port 52001.
Step 2 – Start SSH Tunnel
The target IP address of the Oracle Autonomous Database@Azure is visible in the Azure dashboard for the selected Autonomous Database, or you can get it with the Azure CLI. In my example, the database host has the private IP address 172.16.120.165.
PS > az oracle-database autonomous-database show -n <your-adb-name-here> -g <your azure resource group here> --query "privateEndpointIp" -o tsv
172.16.120.165
With this IP address, a tunnel can be opened in another PowerShell terminal window. Your private SSH key for the jump host is required. Use the port you set in Step 1.
ssh -i "<your path to the SSH key here>\vm-key-azure-2025-1.pem" -N -L 1522:172.16.120.165:1522 azureuser@localhost -p 52001
Note: the command gives no feedback when the session is created; it appears to “hang”. As an alternative, you can use the tunnel functionality of MobaXterm or a similar product.
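Because the ssh command prints nothing, a check of the local listeners confirms that both forwards are up and bound only to the loopback interface, so the database port is not reachable from other machines on your network. This is an added example, not part of the original post; the function name Test-LocalTunnel is hypothetical, and the ports are the ones used in Steps 1 and 2.

```powershell
# Added example: verify the local forwards opened in Step 1 (52001) and Step 2 (1522).
function Test-LocalTunnel {
    param(
        [int[]]$Ports = @(52001, 1522)   # values used in this post
    )
    $loopback = @('127.0.0.1', '::1')
    foreach ($port in $Ports) {
        # Listening sockets on this port; empty when the tunnel is not running
        $listeners = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
        if ($listeners.Count -eq 0) {
            [pscustomobject]@{ Port = $port; Status = 'NotListening'; LocalAddress = $null; Process = $null }
            continue
        }
        foreach ($l in $listeners) {
            # Name the process that owns the socket so an unexpected listener stands out
            $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            # A listener on 0.0.0.0, :: or a NIC address is reachable from the network
            $status = if ($loopback -contains $l.LocalAddress) { 'LoopbackOnly' } else { 'ExposedOnNetwork' }
            [pscustomobject]@{
                Port         = $port
                Status       = $status
                LocalAddress = $l.LocalAddress
                Process      = $proc.ProcessName
            }
        }
    }
}

Test-LocalTunnel | Format-Table -AutoSize
```

OpenSSH binds a -L forward to loopback unless a bind address or GatewayPorts is set, so a status of ExposedOnNetwork on port 1522 points to a changed ssh configuration or a different tunnel tool.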
Step 3 – Download Autonomous Database Wallet and change Hostname
In Azure, download the ADB wallet. Extract the compressed file with the connection information into a local folder, for example C:\Workspace\oracle\network\admin.
Edit the extracted tnsnames.ora file, replace the provided hostname with 127.0.0.1, and save the file.
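The hostname edit can be scripted so that every service alias in the wallet is changed consistently and the original file is kept. This is an added example, not part of the original post; the function name Set-TnsHostToLoopback is hypothetical, and the default folder is the example path from this step.

```powershell
# Added example: point every alias in the extracted tnsnames.ora at the local tunnel.
function Set-TnsHostToLoopback {
    param(
        [string]$TnsAdmin = 'C:\Workspace\oracle\network\admin'   # example path from this post
    )
    $file = Join-Path $TnsAdmin 'tnsnames.ora'
    if (-not (Test-Path $file)) { throw "tnsnames.ora not found in $TnsAdmin" }

    # Keep the downloaded original once, so it can be restored without a new wallet download
    $backup = "$file.orig"
    if (-not (Test-Path $backup)) { Copy-Item $file $backup }

    $text    = Get-Content $file -Raw
    # Matches (host=...) in any case and with optional whitespace around the tokens
    $pattern = '(?i)\(\s*host\s*=\s*[^)\s]+\s*\)'
    $hits    = [regex]::Matches($text, $pattern)
    $before  = $hits | ForEach-Object { $_.Value } | Sort-Object -Unique

    $new = [regex]::Replace($text, $pattern, '(host=127.0.0.1)')
    Set-Content -Path $file -Value $new -NoNewline -Encoding ascii

    # Report what was changed so the edit can be reviewed
    [pscustomobject]@{
        File           = $file
        EntriesChanged = $hits.Count
        OriginalHosts  = $before
    }
}

Set-TnsHostToLoopback | Format-List
```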
Step 4 – Configure VS Code
In VS Code, the SQL Developer extension is installed and ready to configure a new database connection. Set the TNS file location to the path where you extracted the Autonomous Database wallet. When properly configured, the ADB service names are available in the Network Alias dropdown list. Test the connection. Now you can analyze and fix the issue. When your work is done, close the PowerShell windows and you are disconnected.
And the direct way?
I tried to connect to the ADB resource directly using the resource name; the Azure Bastion connection starts, but there is no connection for 127.0.0.1:52002. I will try to find out more information in the next days.
Summary
Azure Bastion provides a quick and secure way to access resources in private networks, making it an excellent solution for troubleshooting. However, it should not become the default access method for regular operations. Since Bastion incurs costs, it’s best to delete the resource after use and recreate it only when needed.