Connecting to Sessions in Bastion
This topic describes how to connect to bastion sessions.
For information about how to create and manage bastion sessions, see Managing Sessions in Bastion. For information about creating and managing bastions, see Managing Bastions.
Bastions are Oracle-managed services. You use a bastion to create Secure Shell (SSH) sessions that provide access to other private resources. You cannot, however, connect directly to the bastion itself with SSH, nor administer or monitor it like a traditional host.
When connecting to a bastion session, we recommend that you follow the SSH best practices described in Securing Bastion.
You can connect to the following types of sessions:
Required IAM Policy
To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.
To use all Bastion features, you must have the following permissions:
- Manage bastions, sessions, and networks
- Read compute instances
- Read compute instance agent (Oracle Cloud Agent) plugins
- Inspect work requests
Allow group SecurityAdmins to manage bastion-family in tenancy
Allow group SecurityAdmins to manage virtual-network-family in tenancy
Allow group SecurityAdmins to read instance-family in tenancy
Allow group SecurityAdmins to read instance-agent-plugins in tenancy
Allow group SecurityAdmins to inspect work-requests in tenancy
If you're new to policies, see Getting Started with Policies and Common Policies.
Allowing Network Access From the Bastion
The VCN (virtual cloud network) that the target resource was created in must allow incoming network traffic from the bastion on the target port.
For example, if you want to use a session to connect to port 8001 on a compute instance from a bastion with the IP address 192.168.0.99, then the subnet used to access the instance needs to allow ingress traffic from 192.168.0.99 on port 8001. Scope that rule to the bastion's address (a /32 CIDR) and to the single target port; a rule that admits the whole subnet, or every port, satisfies the connectivity requirement but gives up most of the benefit of routing access through a bastion.
To learn more, see Security Lists.
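The following is an added example, not Oracle's code, that audits a security list's ingress rules for the requirement above. It models rules in the shape the OCI IngressSecurityRule API returns (protocol "6" for TCP, a source CIDR, and tcpOptions.destinationPortRange) and answers two questions a practitioner wants before opening a session: can the bastion's address reach the target port at all (if not, the session connect will hang), and does any rule that grants that access grant far more than "this bastion, this port". The sample rules, the bastion address 192.168.0.99 and the port 8001 are constructed to match the page's example; bastion_rule() builds the least-privilege rule that could be passed as JSON to the security list update.

```python
"""Audit OCI security-list ingress rules for bastion-to-target reachability.

Added example (not Oracle's code). Rules use the field names of the OCI
IngressSecurityRule API: source, sourceType, protocol ("6" = TCP, "all"),
tcpOptions.destinationPortRange.{min,max}, isStateless, description.
"""
import ipaddress
import json

TCP = "6"
ALL_PROTOCOLS = "all"


def bastion_rule(bastion_ip, port, description="bastion session access"):
    """Least-privilege ingress rule: only this bastion host, only this TCP port."""
    host = ipaddress.ip_address(bastion_ip)
    return {
        "source": f"{host}/{host.max_prefixlen}",   # /32 for IPv4, /128 for IPv6
        "sourceType": "CIDR_BLOCK",
        "protocol": TCP,
        "isStateless": False,
        "description": description,
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
    }


def rule_covers(rule, bastion_ip, port):
    """True if this single ingress rule admits TCP traffic from bastion_ip to port."""
    if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False  # service CIDR labels can never match a bastion host address
    src = ipaddress.ip_network(rule["source"], strict=False)
    if ipaddress.ip_address(bastion_ip) not in src:
        return False
    proto = str(rule.get("protocol", "")).lower()
    if proto == ALL_PROTOCOLS:
        return True
    if proto != TCP:
        return False
    port_range = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    if port_range is None:
        return True  # TCP rule with no destination range means every TCP port
    return port_range["min"] <= port <= port_range["max"]


def audit_ingress(rules, bastion_ip, port):
    """Return (reachable, overbroad_descriptions).

    reachable: some rule lets bastion_ip reach port.
    overbroad: descriptions of matching rules wider than one host + one port.
    """
    reachable = False
    overbroad = []
    for rule in rules:
        if not rule_covers(rule, bastion_ip, port):
            continue
        reachable = True
        src = ipaddress.ip_network(rule["source"], strict=False)
        proto = str(rule.get("protocol", "")).lower()
        port_range = (rule.get("tcpOptions") or {}).get("destinationPortRange")
        host_only = src.prefixlen == src.max_prefixlen
        single_port = (proto == TCP and port_range is not None
                       and port_range["min"] == port_range["max"] == port)
        if not (host_only and single_port):
            overbroad.append(rule.get("description")
                             or f"{rule['source']} proto={proto} ports={port_range}")
    return reachable, overbroad


# Constructed sample: what a security list might already contain.
SAMPLE_RULES = [
    bastion_rule("192.168.0.99", 8001, "bastion to app port"),
    {"source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK", "protocol": TCP,
     "isStateless": False, "description": "legacy: ssh from anywhere",
     "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
    {"source": "10.0.0.0/16", "sourceType": "CIDR_BLOCK", "protocol": ALL_PROTOCOLS,
     "isStateless": False, "description": "intra-VCN all traffic"},
]

if __name__ == "__main__":
    for target_port in (8001, 22, 8002):
        ok, wide = audit_ingress(SAMPLE_RULES, "192.168.0.99", target_port)
        print(f"port {target_port}: reachable={ok} overbroad={wide}")
    # The rule to add when the audit reports reachable=False:
    print(json.dumps([bastion_rule("192.168.0.99", 8001)], indent=2))
```

Run against real data by exporting the ingress rules of the target subnet's security list (for example with `oci network security-list get`) and passing the `ingress-security-rules` array to audit_ingress; a result of reachable=False means the session will not connect, and any entry in the overbroad list is a rule to tighten to the /32 plus single-port form that bastion_rule produces.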